From 2220ccfef231eccd83133fe641f4b404412467b0 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sat, 4 Oct 2025 11:08:00 +0200 Subject: [PATCH] Update web-api-pentesting.md --- .../pentesting-web/web-api-pentesting.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/src/network-services-pentesting/pentesting-web/web-api-pentesting.md b/src/network-services-pentesting/pentesting-web/web-api-pentesting.md index 0ff6690ff..00497a50f 100644 --- a/src/network-services-pentesting/pentesting-web/web-api-pentesting.md +++ b/src/network-services-pentesting/pentesting-web/web-api-pentesting.md @@ -75,17 +75,6 @@ Impact to assess - Data corruption via non-idempotent restarts: Forcing concurrent runs of migrations/workers can create race conditions and inconsistent partial states (silent data loss, broken analytics). - DoS via worker/DB starvation: Repeatedly triggering heavy jobs can exhaust worker pools and database connections, causing tenant-wide outages. -Detection heuristics - -- Look for sensitive semantics in procedure names: `*migrations*`, `*admin*`, `*status*`, `*retry*`, `*featureFlags*`, `*tenants*`, `*jobs*`. -- Compare responses across roles: If a basic user can successfully call state-changing admin endpoints, you likely have BFLA/BOLA. -- Check for missing server-side RBAC/ABAC in middleware. Input validation with Zod is orthogonal to authorization. - -Notes for remediation (for dev teams you report to) - -- Introduce an explicit `adminProcedure` or equivalent middleware that enforces role/permission checks on all sensitive routers (`list`/`all`, `status`, `retry`, etc.). -- Add rate limiting and idempotency/locking around maintenance endpoints to limit blast radius. - ### **Tools and Resources for API Pentesting** - [**kiterunner**](https://github.com/assetnote/kiterunner): Excellent for discovering API endpoints. Use it to scan and brute force paths and parameters against target APIs.
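Review bot: The hunk deletes the "Detection heuristics" and "Notes for remediation" subsections outright, but the commit message ("Update web-api-pentesting.md") gives no reason, and the surrounding "Impact to assess" bullets (data corruption via non-idempotent restarts, DoS via worker/DB starvation) are left without the mitigations that answered them. The two remediation bullets are the only defender-facing guidance in this section: an explicit `adminProcedure` (or equivalent middleware) enforcing role/permission checks on the sensitive routers, and rate limiting plus idempotency/locking around maintenance endpoints. Suggest either keeping those two bullets under the impact list, or, if the content was moved elsewhere, saying so in the commit message so readers of the history know where the remediation advice went. The "Compare responses across roles" and "Input validation with Zod is orthogonal to authorization" lines are also the ones that tell a reader how to confirm BFLA/BOLA rather than merely suspect it; removing them without a replacement leaves the section describing impact with no way to verify the finding.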