Security Research Engineer at Holm Security • Lead at OWASP Nagpur • Spoken at Blackhat, HITB, OWASP AppSec Days etc. • Like to play CTFs in my free time
sure you have docker and docker-compose
- Go to the root of the project and run docker-compose up -d
Manually
- Prerequisites include PHP, MySQL
- Configure the MySQL credentials and Server port in the .env file of the project
- You can run the php artisan serve command to start the Laravel Server
API
- Postman
- We currently have a Postman collection and Environment which store the API calls
- Thinking of providing it also in OpenAPI
- MITM Proxy (OWASP ZAP/Burp Suite)
- Not entirely necessary but may help some users if they have more familiarity with MITM tools.
Automatically Adding User-supplied parameters into Object Properties
• Permission-related properties: user.is_admin, user.is_vip should only be set by admins.
• Process-dependent properties: user.cash should only be set internally after payment verification.
• Internal properties: article.created_time should only be set internally by the application.
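An added illustration (not code from the lab project) of the three property classes above: a naive update copies every request key onto the object, while the hardened version only accepts an allow-list that depends on who is calling. The field names `username` and `email` and the request payload are constructed for the example.

```python
# Added example: allow-list handling for the property classes listed on the slide.
# Constructed field sets; the lab project's real model fields are not assumed.
PUBLIC = {"username", "email"}          # ordinary user-editable fields (hypothetical)
ADMIN_ONLY = {"is_admin", "is_vip"}     # permission-related: only an admin may set them
INTERNAL = {"cash", "created_time"}     # process-dependent / internal: never from a request


def vulnerable_update(obj: dict, payload: dict) -> dict:
    """Mass assignment: every key the client sends lands on the object."""
    obj.update(payload)
    return obj


def hardened_update(obj: dict, payload: dict, actor_is_admin: bool) -> tuple[dict, list[str]]:
    """Copy only allow-listed keys; return the rejected keys so they can be logged."""
    allowed = PUBLIC | (ADMIN_ONLY if actor_is_admin else set())
    # INTERNAL keys are deliberately absent from every allow-list.
    rejected = sorted(k for k in payload if k not in allowed)
    for key in payload.keys() & allowed:
        obj[key] = payload[key]
    return obj, rejected


def credit_cash(obj: dict, amount: int, payment_verified: bool) -> dict:
    """The only path that may change a process-dependent property."""
    if not payment_verified:
        raise PermissionError("cash can only change after payment verification")
    obj["cash"] = obj.get("cash", 0) + amount
    return obj


if __name__ == "__main__":
    # Constructed request body that smuggles privileged and internal fields.
    payload = {"username": "robert", "is_admin": True, "cash": 999}
    print(vulnerable_update({"username": "bob", "is_admin": False, "cash": 0}, dict(payload)))
    print(hardened_update({"username": "bob", "is_admin": False, "cash": 0}, dict(payload), False))
```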
Monitoring
• It does not produce any logs, the logging level is not set correctly, or log messages do not include enough detail.
• Log integrity is not guaranteed (e.g., Log Injection).
• Logs are not continuously monitored.
• API infrastructure is not continuously monitored.
API Security Weekly: Issue #132
OWASP Vulnerable Web Applications Directory (VWAD)
arainho/awesome-api-security: A collection of awesome API Security tools and resources.