This is the Linux app named APIthet, whose latest release can be downloaded as APIthet.zip. It can be run online with the free hosting provider OnWorks for workstations.
Download and run this app named APIthet online with OnWorks for free.
Follow these instructions in order to run this app:
- 1. Download this application to your PC.
- 2. Enter our file manager at https://www.onworks.net/myfiles.php?username=XXXXX with the username that you want.
- 3. Upload this application to that file manager.
- 4. Start the OnWorks Linux online, Windows online or macOS online emulator from this website.
- 5. From the OnWorks Linux OS you have just started, go to our file manager at https://www.onworks.net/myfiles.php?username=XXXXX with the username that you want.
- 6. Download the application, install it and run it.
APIthet is an application for security testing RESTful web APIs. Assessing APIs helps detect security vulnerabilities at an early stage of the SDLC.
Compare this with assessing an Android application that uses APIs on a backend server: that kind of assessment happens at a much later phase of the SDLC and, worse, does not necessarily exercise all of the APIs.
That's not all. You can mark one of the JSON parameters as random, which sets a unique value for that specific JSON parameter in an API request.
The application is available as a Windows exe file.
In-progress and planned features:
- More test cases to attack the target API.
- Add APIs and define their sequence.
- Read APIs from a documentation link.
- Business logic tests.
TODO: Build for Linux (and maybe OS X).
- XSS - Reflected, Stored and Blind (for JSON payloads in POST calls)
- XSS - Reflected, Stored and Blind (for URL parameters in GET calls)
- SQLI - URL based blind SQLI
- SQLI - Error based
- CSRF detection
- CORS detection
- Unauthorised access and privilege escalation scenario warnings
- Warns against clickjacking
- Warns about a missing XSS protection header
- Warns if the application is not HSTS enabled
- HTML injection detection
- Open redirect vulnerability detection
- Warns about server footprint
- Set a unique/random JSON parameter
- Reports issues with OWASP and CWE categories
This application can also be fetched from https://sourceforge.net/projects/apithet/. It has been hosted on OnWorks so that it can be run online in the easiest way from one of our free operating systems.