REST API Security Testing Guide

OWASP API GOAT Project - Comprehensive Penetration Testing Manual

🎯 Introduction

The REST API GOAT project is a deliberately vulnerable API application designed for security professionals to practice identifying and exploiting common API security vulnerabilities. This comprehensive guide will walk you through installation, configuration, and exploitation techniques.

🎓 Learning Objectives:
  • Understand REST API architecture and common vulnerabilities
  • Master tools like Postman and Burp Suite for API testing
  • Identify and exploit OWASP API Security Top 10 vulnerabilities
  • Practice real-world API penetration testing scenarios

⚙️ Installation & Setup

System Requirements

🐳 Docker Installation & Configuration

Step 1: Remove Old Docker Installations

sudo apt-get remove docker docker-engine docker.io

Step 2: Install Docker

sudo apt install docker.io

Step 3: Start Docker Service

sudo systemctl start docker

Step 4: Enable Docker on System Boot

sudo systemctl enable docker
✅ Docker is now installed and configured! You can verify the installation by running docker --version

Download REST API GOAT Project

wget https://github.com/optiv/rest-api-goat/archive/refs/heads/master.zip
unzip master.zip
cd rest-api-goat-master

Build Docker Container

docker build -t rest-api-goat:latest .

Run the Container

docker run -d -p 6000:5000 rest-api-goat
📝 Docker Flags Explanation:
  • -d - Run container in detached mode (background)
  • -p 6000:5000 - Map host port 6000 to container port 5000
  • rest-api-goat - Name of the container image

Verify Installation

Navigate to http://localhost:6000 in your browser to access the API.

Docker Deployment Flow

Download REST API GOAT from GitHub
Extract and Navigate to Directory
Build Docker Image
Run Container on Port 6000
Access API at localhost:6000

Alternative: Cheese Store Practice Lab

For additional practice, you can also deploy the Cheese Store API:

docker rm practice-apis
docker build -t practice-apis-full .
docker run -d -p 3000-3004:3000-3004 --name practice-apis practice-apis-full
🧀 Cheese Store API Ports:
  • Port 3000-3004: Multiple API endpoints
  • Port 5107: Main Cheese Inventory API
  • Access Swagger docs at: /apidocs

📮 Postman Configuration

Step 1: Create a Workspace

Open Postman and create a new workspace with a descriptive name (e.g., "REST-API-GOAT-Testing").

Step 2: Import Collection

The REST API GOAT project includes a Postman collection JSON file that needs to be modified before importing.

⚠️ Important Configuration Change:

The default JSON file uses localhost:5000. Since we're running on port 6000, we need to update this.

Step 3: Modify JSON Configuration

Question: Can you change localhost to {{server}} and 5000 to {{port}} using any tools?

Solution using sed (Linux/Mac):

sed -i 's/localhost/{{server}}/g' postman-collection.json
sed -i 's/5000/{{port}}/g' postman-collection.json

On macOS the BSD sed needs an explicit (empty) backup suffix for in-place editing: sed -i '' 's/localhost/{{server}}/g' postman-collection.json
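The sed commands do a blind text substitution, so any other "5000" in the file (an id, a value in a request body) is rewritten too. The script below is an added example, not part of the REST API GOAT project: it parses the collection as JSON and rewrites only the host and port of each request URL. The collection it operates on is a constructed miniature, not the project's real file.

```python
import json
import re

# Constructed miniature of a Postman collection (not the project's file). It has
# one URL that must be rewritten and a body value "5000" that must be left alone.
SAMPLE_COLLECTION = {
    "info": {"name": "REST API GOAT (constructed sample)"},
    "item": [
        {
            "name": "Login",
            "request": {
                "method": "POST",
                "url": "http://localhost:5000/login",
                "body": {"mode": "raw", "raw": '{"username": "u", "pin": "5000"}'},
            },
        },
        {
            "name": "Customer",
            "request": {
                "method": "GET",
                "url": {"raw": "http://localhost:5000/api/v1/customer/2"},
            },
        },
    ],
}

# Match the scheme and exactly "localhost:5000" at the start of a URL, followed by a
# path or the end of the string, so "localhost:50000" is not touched.
HOST_PORT = re.compile(r"^(https?://)localhost:5000(?=/|$)")


def parameterize_url(url: str) -> str:
    """Replace only the host:port part of a request URL with Postman variables."""
    return HOST_PORT.sub(r"\1{{server}}:{{port}}", url)


def parameterize_collection(collection: dict) -> dict:
    """Walk a collection (folders included) and rewrite request URLs in place.

    Bodies, headers and ids are never touched, unlike a global sed substitution.
    """
    def walk(items):
        for item in items:
            if "item" in item:           # a folder: recurse into its requests
                walk(item["item"])
                continue
            req = item.get("request", {})
            url = req.get("url")
            if isinstance(url, str):
                req["url"] = parameterize_url(url)
            elif isinstance(url, dict) and "raw" in url:
                url["raw"] = parameterize_url(url["raw"])
                # Postman v2.1 also stores host (as a list of segments) and port
                # separately; keep them consistent with the rewritten raw URL.
                url["host"] = ["{{server}}"]
                url["port"] = "{{port}}"

    walk(collection.get("item", []))
    return collection


if __name__ == "__main__":
    rewritten = parameterize_collection(json.loads(json.dumps(SAMPLE_COLLECTION)))
    print(json.dumps(rewritten, indent=2))
```

To use it on the real file, load postman-collection.json with json.load, pass the result to parameterize_collection, and json.dump it back; then define server and port in the Postman environment as Step 4 describes.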

Step 4: Set Environment Variables

In Postman, create environment variables:

✅ Benefits of Using Variables:
  • Easy switching between environments (dev, staging, prod)
  • Centralized configuration management
  • Simplified collection sharing with team members

Step 5: Import and Test

  1. Click "Import" in Postman
  2. Select the modified JSON file
  3. Execute the "Login" request to test connectivity
  4. Verify you receive a JWT token in the response

Postman Setup Workflow

Create Workspace
Modify JSON (localhost → {{server}})
Import Collection
Configure Environment Variables
Test API Endpoints

🔒 Burp Suite Integration

Why Chain Postman to Burp Suite?

While Postman is excellent for API documentation and basic testing, Burp Suite provides advanced security testing capabilities:

Configuration Steps

1. Start Burp Suite

Launch Burp Suite and ensure the proxy listener is active (default: 127.0.0.1:8080).

2. Configure Postman Proxy

In Postman:

  1. Go to Settings → Proxy
  2. Enable "Add a custom proxy configuration"
  3. Set Proxy Type: HTTP
  4. Proxy Server: 127.0.0.1
  5. Port: 8080
💡 Pro Tip: This same technique works with OWASP ZAP or any other proxy tool. Simply adjust the port number accordingly.

3. Test the Connection

Verification Steps:
  1. Send a request from Postman
  2. Check Burp Suite HTTP History tab
  3. Confirm the request appears in Burp's traffic log

Traffic Flow Architecture

Postman Client
↓ (Request)
Burp Suite Proxy (127.0.0.1:8080)
↓ (Intercept & Analyze)
REST API GOAT (localhost:6000)
↓ (Response)
Burp Suite Proxy
↓ (Display)
Postman Client

🚨 Common API Vulnerabilities

OWASP API Security Top 10

The REST API GOAT project contains examples of critical vulnerabilities from the OWASP API Security Top 10:

🔓 Broken Object Level Authorization (BOLA)

Attackers can access objects belonging to other users by manipulating object IDs in API requests.

🔑 Broken Authentication

Weak JWT implementation, missing token validation, or exposed authentication endpoints.

📊 Excessive Data Exposure

APIs returning more data than necessary, exposing sensitive information.

Lack of Resources & Rate Limiting

No restrictions on API calls, leading to DoS or brute force attacks.

🛡️ Broken Function Level Authorization

Users can access administrative functions without proper authorization checks.

💉 Mass Assignment

API accepts all object properties without validation, allowing privilege escalation.

🔐 Security Misconfiguration

Default credentials, verbose error messages, CORS misconfiguration.

💾 Injection Attacks

SQL, NoSQL, Command injection vulnerabilities in API endpoints.

Insecure Direct Object References (IDOR)

One of the most common vulnerabilities found in REST APIs. Let's examine a practical example:

⚠️ Vulnerable Endpoint Example:

The REST API GOAT contains two versions of the user details endpoint:

  • /api/v1/customer/{id} - VULNERABLE (returns any user)
  • /api/v2/customer/{id} - SECURE (validates company_id)

Testing for IDOR

Step 1: Login and note your user ID
  POST /login → Returns JWT token and user_id: 2

Step 2: Request your own data (baseline)
  GET /api/v1/customer/2 → Success: Returns your data

Step 3: Try accessing another user's data
  GET /api/v1/customer/1 → Success: Returns user 1's data (VULNERABILITY!)
  GET /api/v1/customer/4 → Success: Returns user 4's data (VULNERABILITY!)

Step 4: Test the secure endpoint
  GET /api/v2/customer/1 → Error: Unauthorized (Properly secured)
🔍 What to Look For:
  • Sequential IDs (1, 2, 3...) - easy to enumerate
  • Missing authorization checks on GET requests
  • Different responses for existing vs. non-existing resources
  • Company_id or tenant_id not properly validated
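The v1/v2 difference above comes down to one missing ownership check. The following is an added example (not the REST API GOAT source) that models both handlers over a constructed in-memory customer table; the ids 1, 2 and 4 and the company_id values are made up to mirror the walkthrough. It also shows why the hardened version returns the same error for a foreign record and for a non-existent one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    id: int
    company_id: int
    name: str


# Constructed sample data; the caller in the walkthrough is user 2.
CUSTOMERS = {
    1: Customer(1, company_id=10, name="alice"),
    2: Customer(2, company_id=20, name="bob"),
    4: Customer(4, company_id=10, name="carol"),
}


class Unauthorized(Exception):
    pass


class NotFound(Exception):
    pass


def get_customer_v1(caller: Customer, customer_id: int) -> Customer:
    """Vulnerable (BOLA/IDOR): the caller is authenticated, but `caller` is never
    compared with the requested record, so any existing id is returned. It also
    answers differently for missing ids, which lets a tester enumerate valid ones."""
    if customer_id not in CUSTOMERS:
        raise NotFound(customer_id)
    return CUSTOMERS[customer_id]


def get_customer_v2(caller: Customer, customer_id: int) -> Customer:
    """Hardened: the record must belong to the caller's company_id. A missing
    record and a foreign record produce the same error, so the response does not
    reveal which ids exist."""
    record = CUSTOMERS.get(customer_id)
    if record is None or record.company_id != caller.company_id:
        raise Unauthorized(customer_id)
    return record


def demo() -> dict:
    """Replay the four walkthrough requests (plus a non-existent id) against both versions."""
    bob = CUSTOMERS[2]
    results = {}
    for version, handler in (("v1", get_customer_v1), ("v2", get_customer_v2)):
        for cid in (2, 1, 4, 999):
            try:
                results[(version, cid)] = handler(bob, cid).name
            except (Unauthorized, NotFound) as exc:
                results[(version, cid)] = type(exc).__name__
    return results


if __name__ == "__main__":
    for (version, cid), outcome in demo().items():
        print(f"GET /api/{version}/customer/{cid} -> {outcome}")
```

The fix is a comparison against a value taken from the verified session (here the caller's company_id), never from the request itself; a company_id supplied as a query parameter would be just as forgeable as the object id.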

Business Logic Vulnerabilities

The REST API GOAT includes a money transfer feature with a critical race condition vulnerability.

The Double-Spend Attack

🎯 Exploitation Scenario:
  1. User has $1000 in their account
  2. Create Transfer #1: Send $1000 to external account
  3. Create Transfer #2: Send $1000 to external account (before processing #1)
  4. Process both transfers before balance check
  5. Result: $2000 transferred from $1000 balance!
Testing the Vulnerability:
  PUT /api/transfer → Create first transfer (amount: 1000)
  PUT /api/transfer → Create second transfer (amount: 1000)
  QUICKLY!
  POST /api/transfer/1/process → Process first transfer
  POST /api/transfer/2/process → Process second transfer
  GET /api/balance → Check final balance (negative or zero)
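The flaw is a check-then-act sequence: the balance is checked when a transfer is created, not when it is processed. The added example below (not the project's code) models that flow against a constructed in-memory SQLite ledger holding the $1000 from the scenario. Two processing routines differ only in whether they re-check the balance atomically at the moment the money moves.

```python
import sqlite3


class InsufficientFunds(Exception):
    pass


def make_db(balance: int = 1000) -> sqlite3.Connection:
    """Constructed ledger: one account (id 1) with the scenario's starting balance."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL);
        CREATE TABLE transfers (
            id INTEGER PRIMARY KEY, account_id INTEGER, amount INTEGER,
            processed INTEGER NOT NULL DEFAULT 0);
    """)
    conn.execute("INSERT INTO accounts VALUES (1, ?)", (balance,))
    return conn


def create_transfer(conn, account_id: int, amount: int) -> int:
    """PUT /api/transfer: the only balance check in the vulnerable design."""
    (bal,) = conn.execute("SELECT balance FROM accounts WHERE id=?", (account_id,)).fetchone()
    if bal < amount:
        raise InsufficientFunds()
    cur = conn.execute("INSERT INTO transfers (account_id, amount) VALUES (?, ?)",
                       (account_id, amount))
    return cur.lastrowid


def process_transfer_vulnerable(conn, transfer_id: int) -> None:
    """POST /api/transfer/{id}/process: trusts the creation-time check and debits blindly."""
    acct, amount = conn.execute(
        "SELECT account_id, amount FROM transfers WHERE id=? AND processed=0",
        (transfer_id,)).fetchone()
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE id=?", (amount, acct))
    conn.execute("UPDATE transfers SET processed=1 WHERE id=?", (transfer_id,))


def process_transfer_fixed(conn, transfer_id: int) -> None:
    """Re-checks and debits in a single conditional UPDATE; zero affected rows
    means the funds are gone, so the second transfer is rejected."""
    acct, amount = conn.execute(
        "SELECT account_id, amount FROM transfers WHERE id=? AND processed=0",
        (transfer_id,)).fetchone()
    cur = conn.execute(
        "UPDATE accounts SET balance = balance - ? WHERE id=? AND balance >= ?",
        (amount, acct, amount))
    if cur.rowcount == 0:
        raise InsufficientFunds()
    conn.execute("UPDATE transfers SET processed=1 WHERE id=?", (transfer_id,))


def run_scenario(process) -> tuple:
    """Create two $1000 transfers before processing either, then process both."""
    conn = make_db()
    t1 = create_transfer(conn, 1, 1000)
    t2 = create_transfer(conn, 1, 1000)   # passes: nothing has been debited yet
    outcomes = []
    for t in (t1, t2):
        try:
            process(conn, t)
            outcomes.append("processed")
        except InsufficientFunds:
            outcomes.append("rejected")
    (balance,) = conn.execute("SELECT balance FROM accounts WHERE id=1").fetchone()
    return balance, outcomes


if __name__ == "__main__":
    print("vulnerable:", run_scenario(process_transfer_vulnerable))   # balance -1000
    print("fixed:     ", run_scenario(process_transfer_fixed))        # balance 0
```

The same conditional UPDATE also closes the genuine concurrent race (two process calls at once), because the database evaluates the WHERE clause and the debit as one statement. A CHECK (balance >= 0) constraint on the column is a worthwhile second layer: it turns any remaining double-spend into a rejected write instead of a negative balance.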

SQL Injection in APIs

SQL injection can occur in unexpected places within REST APIs.

📍 Common Injection Points:
  • Search parameters: GET /api/products?search=';DROP TABLE--
  • Sorting parameters: GET /api/users?sort=name' OR '1'='1
  • Filter parameters: GET /api/orders?status=pending' UNION SELECT
  • PUT/PATCH request bodies with insufficient validation
Testing for SQL Injection:
  GET /api/search?q=' OR '1'='1 → Test for boolean-based SQLi
  GET /api/search?q=' UNION SELECT NULL-- → Test for union-based SQLi
  GET /api/search?q=' AND SLEEP(5)-- → Test for time-based SQLi
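To see why the boolean payload above works and what the fix looks like, here is an added example (not the project's code) with a constructed SQLite product table: a search built by string concatenation beside a parameterised one, plus an allow-listed sort, since column names cannot be bound as parameters and need a different defence.

```python
import sqlite3


def make_products_db() -> sqlite3.Connection:
    """Constructed inventory; the non-public row should never appear in a search."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products (name, public) VALUES (?, ?)",
                     [("brie", 1), ("cheddar", 1), ("hidden reserve", 0)])
    return conn


def search_vulnerable(conn, q: str) -> list:
    """GET /api/search?q=... built by concatenation: the term becomes SQL.
    With q = ' OR '1'='1 the WHERE clause reads
    public = 1 AND name = '' OR '1'='1, which is true for every row."""
    sql = "SELECT name FROM products WHERE public = 1 AND name = '" + q + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, q: str) -> list:
    """Parameterised query: the term is compared as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM products WHERE public = 1 AND name = ?", (q,))
    return [row[0] for row in rows]


# Identifiers (column names) cannot be passed as bound parameters, so a sort
# parameter is mapped through an allow-list instead of being interpolated.
SORTABLE = {"name": "name", "id": "id"}


def list_sorted_safe(conn, sort: str) -> list:
    """GET /api/products?sort=... with the sort column restricted to known values."""
    column = SORTABLE.get(sort)
    if column is None:
        raise ValueError("unsupported sort column")
    rows = conn.execute(f"SELECT name FROM products WHERE public = 1 ORDER BY {column}")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_products_db()
    payload = "' OR '1'='1"
    print("vulnerable:", search_vulnerable(db, payload))   # every row, including the hidden one
    print("safe:      ", search_safe(db, payload))         # []
```

The tell-tale sign during testing is the difference in result sets: the vulnerable endpoint returns rows the caller should never see, while the parameterised version treats the payload as a literal name that matches nothing.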

🎓 Practice Exam Overview

Cheese Store API Exam Scenario

In the practice exam, you'll receive a Cheese Inventory Management API with deliberately planted vulnerabilities. Your task is to identify and document at least 7 out of 10 critical security flaws.

🧀 Cheese Store API Features:
  • User registration and JWT-based authentication
  • Cheese inventory management (CRUD operations)
  • Sales processing system
  • Purchase history tracking
  • Multiple user roles and permissions

API Endpoints Overview

Endpoint            | Method | Description                     | Auth Required
--------------------|--------|---------------------------------|--------------
/register           | POST   | Create new user account         | No
/login              | POST   | Authenticate and receive JWT    | No
/cheeses            | GET    | List all cheeses in inventory   | Yes
/cheeses            | POST   | Add new cheese to inventory     | Yes
/cheeses/{id}       | GET    | Get specific cheese details     | Yes
/cheeses/{id}       | PUT    | Update cheese information       | Yes
/cheeses/{id}/sell  | POST   | Process cheese sale             | Yes

What You'll Receive

📦 Exam Package Contents:
  • Tkinter-based GUI application for testing the API
  • Complete Python source code (Flask API implementation)
  • SQLite database with sample data
  • Instructions for running the application

Finding API Documentation

The first step is discovering how to access the API documentation:

Common Documentation Endpoints:
  http://localhost:5107/apidocs
  http://localhost:5107/api-docs
  http://localhost:5107/swagger
  http://localhost:5107/docs

Expected Vulnerability Types

Missing Authorization

Endpoints that should require authentication but don't validate JWT tokens.

IDOR Vulnerabilities

Access other users' data by manipulating resource IDs in requests.

SQL Injection

Unsanitized inputs in search, filter, or update operations.

Weak JWT Implementation

Insecure token generation, missing expiration, or weak secrets.

Broken Access Control

Users accessing admin functions or bypassing role restrictions.

Business Logic Flaws

Race conditions, negative quantities, or insufficient validation.

🔬 Testing Methodology

Step-by-Step Testing Approach

API Security Testing Workflow

1. Reconnaissance & Documentation Discovery
2. Authentication Testing
3. Authorization & Access Control Testing
4. Input Validation Testing
5. Business Logic Testing
6. Documentation & Reporting

Phase 1: Reconnaissance

Discovery Commands:
  curl http://localhost:5107/ → Check for index page or API info
  curl http://localhost:5107/apidocs → Look for Swagger/OpenAPI docs
  curl -X OPTIONS http://localhost:5107/cheeses → Check allowed methods
  curl -I http://localhost:5107/ → Examine response headers

Phase 2: Authentication Testing

  1. Test User Registration
     POST /register
     Body: {"username": "testuser", "password": "Test123!"}
  2. Test Login Mechanism
     POST /login
     Body: {"username": "testuser", "password": "Test123!"}
  3. Analyze JWT Token
    • Decode token at jwt.io
    • Check algorithm (HS256 vs none)
    • Verify expiration time
    • Look for sensitive data in payload

Phase 3: Authorization Testing

🎯 Test Scenarios:
  • Access endpoints without authentication token
  • Use expired or invalid tokens
  • Modify token payload (user_id, role)
  • Access resources belonging to other users
  • Attempt privilege escalation to admin role
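The JWT checks listed under Phase 2 (algorithm, expiration, sensitive claims) and the "modify token payload" scenario under Phase 3 can both be exercised offline with the added example below. It is not the project's code: the token issuer, the secret and the claim names are constructed for the demo, and only the standard library is used. analyze_jwt does the unverified decode that jwt.io shows you; verify_hs256 is the server-side check a correct implementation performs, and it is what a tampered payload must get past.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Constructed issuer so the checks below have input (not the lab's issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


SENSITIVE_CLAIMS = {"password", "secret", "ssn", "credit_card"}  # constructed watch-list


def analyze_jwt(token: str, now=None) -> dict:
    """Unverified decode (what jwt.io displays) plus the Phase 2 checklist items."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg=none: token carries no signature")
    if "exp" not in payload:
        findings.append("no exp claim: token never expires")
    elif payload["exp"] < now:
        findings.append("token already expired")
    leaked = sorted(SENSITIVE_CLAIMS & set(payload))
    if leaked:
        findings.append("sensitive data in payload: " + ", ".join(leaked))
    return {"header": header, "payload": payload, "findings": findings}


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Server-side validation: pin the algorithm, verify the signature, then enforce exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # rejects 'none' and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")     # any edit to the payload lands here
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in payload or payload["exp"] < now:
        raise ValueError("missing or expired exp")
    return payload


def tamper_payload(token: str, new_payload: dict) -> str:
    """Phase 3 test input: swap the payload segment but keep the original signature."""
    header_b64, _old, sig_b64 = token.split(".")
    body = _b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return header_b64 + "." + body + "." + sig_b64


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    tok = make_hs256_token({"user_id": 2, "role": "user", "password": "hunter2"}, secret)
    print(analyze_jwt(tok)["findings"])
    forged = tamper_payload(tok, {"user_id": 2, "role": "admin"})
    try:
        verify_hs256(forged, secret)
    except ValueError as exc:
        print("forged token rejected:", exc)
```

An API that accepts the forged token either skips signature verification, honours the alg field from the token instead of pinning its own, or uses a secret weak enough to recover; each is a finding for the report template below.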

Phase 4: Input Validation

Test Type          | Payload Example            | Expected Behavior
-------------------|----------------------------|--------------------
SQL Injection      | ' OR '1'='1                | Should be sanitized
XSS                | <script>alert(1)</script>  | Should be escaped
Command Injection  | ; ls -la                   | Should be rejected
Negative Numbers   | {"quantity": -10}          | Should be validated
Oversized Input    | "A" * 10000                | Should have limits

Phase 5: Business Logic Testing

Race Condition Testing:

# Terminal 1: Create transfer
curl -X POST http://localhost:5107/transfer -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d '{"amount":1000}'

# Terminal 2: Create another transfer simultaneously
curl -X POST http://localhost:5107/transfer -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d '{"amount":1000}'

# Process both before balance check
curl -X POST http://localhost:5107/transfer/1/confirm -H "Authorization: Bearer TOKEN"
curl -X POST http://localhost:5107/transfer/2/confirm -H "Authorization: Bearer TOKEN"

Documentation Template

📝 Vulnerability Report Structure:
  1. Vulnerability Name: e.g., "SQL Injection in Search Endpoint"
  2. Severity: Critical / High / Medium / Low
  3. Affected Endpoint: GET /api/search
  4. Description: Brief explanation of the vulnerability
  5. Steps to Reproduce: Detailed reproduction steps
  6. Proof of Concept: Request/response examples
  7. Impact: What an attacker could achieve
  8. Remediation: How to fix the vulnerability

Tools Checklist

Tool        | Purpose                | Key Features
------------|------------------------|----------------------------------------------
Postman     | API Testing            | Collection management, environment variables
Burp Suite  | Intercepting Proxy     | Request modification, scanning, repeater
curl        | Command-line Requests  | Scripting, automation, quick testing
jwt.io      | JWT Analysis           | Token decoding, verification
sqlmap      | SQL Injection          | Automated SQLi detection and exploitation

🎯 Key Takeaways

  • Always start with reconnaissance - Find documentation, understand endpoints
  • Test authentication thoroughly - Weak JWT implementation is common
  • Look for IDOR vulnerabilities - Test access to other users' resources
  • Don't forget business logic - Race conditions and validation bypasses
  • Document everything - Clear, reproducible proof of concepts
  • Think like an attacker - What's the worst that could happen?

📚 Additional Resources