🚀 Turbo Intruder: Unleashing High-Speed Race Condition Testing with Burp Suite

When it comes to identifying race conditions and testing concurrency issues in APIs, Turbo Intruder is a must-have weapon in your offensive security toolkit. This powerful Burp Suite extension is built to launch blazing-fast HTTP requests—ideal for race condition exploits that require precise timing and volume.

Here’s a quick guide to getting started:

---

🛠️ Setting Up Turbo Intruder in Burp Suite

Step 1: Launch Burp Suite and go to the top menu → Extensions.

Step 2: In the Extensions tab, click BApp Store.

Step 3: Search for Turbo Intruder, then click Install.

---

⚙️ Running Your First Attack

Once installed, it’s time to get hands-on:

• Select any API request in Burp’s HTTP history or Repeater.

• Right-click the request → Navigate to Extensions > Turbo Intruder > Send to Turbo Intruder.

🧩 Customize the Request

• Insert a %s token into any part of the request (e.g., a header or query parameter) where you want to inject payloads.

• Scroll down to the scripting panel and modify the Python script to control how the payloads are fired—sequentially, concurrently, or in bursts.

 💥 Launch the Attack

• Click Attack to fire off the customized payloads at high speed.

• Analyze the results to detect anomalies that signal race conditions or concurrency flaws.

🔍 Why Turbo Intruder?

• Speed: It outpaces traditional Burp tools with asynchronous, multi-threaded requests.

• Control: Fine-grained scripting lets you simulate real-world race conditions.

• Visibility: Detailed results make it easier to identify timing-related bugs.

🧠 Pro Tip

Race conditions often result in subtle, non-deterministic behavior. Run attacks multiple times and compare response patterns. Look out for HTTP 409, duplicated resources, or unauthorized access anomalies.

---

Try it out and take your API security testing to the next level!

Let me know your experience with Turbo Intruder or drop your favorite race condition use case in the comments 👇

🛡️ How to Test Security and Fraud Scenarios for Digital Payments

In a world where digital payments power everything from daily groceries to global remittances, ensuring security and fraud prevention is no longer a luxury—it’s mission-critical.

Whether you’re working on PayPal, Stripe, Razorpay, or GrabPay, your role as a QA or automation engineer is to make sure payments are secure, resilient, and abuse-proof.

In this post, we’ll walk through the strategies, techniques, and tools to test security and fraud detection in modern payment systems.

---

🔐 Security Testing in Digital Payments

1. Authentication & Authorization

Ensure that only the right users can initiate and complete payments.

• Verify OTP, PIN, password, and biometric flows.

• Test token/session expiry and renewal.

• Simulate brute-force attacks to ensure rate-limiting and lockout work.

• Ensure role-based permissions are enforced across all endpoints.

🧠 Tip: Use tools like Postman (with JWT plugin) or Burp Suite to test token manipulation and expiry.

---

2. Secure Transmission (SSL/TLS)

Payment data must be encrypted in transit.

• Confirm HTTPS is enforced across all endpoints.

• Reject weak cipher suites and expired/invalid SSL certificates.

• Validate mobile apps implement certificate pinning.

Try capturing requests using Wireshark or Burp Proxy to verify encrypted transport.

---

3. Input Validation & Injection

Test every field involved in the transaction process.

• Simulate SQL injection attacks in billing/payment address fields.

• Test for XSS in saved cards or transaction summaries.

• Use fuzzing tools to detect unhandled payloads in backend APIs.

---

4. Tokenization & PCI Compliance

Ensure sensitive card or bank data is never stored or displayed.

• Check logs for PANs or CVVs—none should exist.

• Confirm that tokens are used in place of actual card data.

• Ensure your system complies with PCI DSS standards.

---

⚠️ Fraud Testing Scenarios

1. Business Logic Abuse

Fraud doesn’t always come from security holes—sometimes it’s clever users exploiting loopholes.

• Test coupon abuse by simulating multiple users on a single device.

• Attempt to game referral systems using parallel devices or emulators.

• Try multiple cashback-eligible transactions under abnormal timelines.

---

2. Anomaly Detection & Geo Abuse

Your backend should detect and respond to abnormal behavior.

• Simulate transactions from:

  • Blocked countries

  • VPN/tor networks

  • Inconsistent IP-device combinations

• Trigger alerts for large amounts with unusual metadata.

---

3. Replay & Duplicate Payment Attacks

Ensure the system can handle re-sent or duplicate payment requests.

• Test by refreshing the payment page and resubmitting the request.

• Reuse expired OTPs and check if validation is still enforced.

• Test if the system honors idempotency keys to avoid double charges.

---

🧪 Penetration & Automation Tools

Here are some of the tools commonly used in payment system security testing:

• 🛠️ OWASP ZAP: Passive scanning and basic fuzzing

• 🧪 Burp Suite: Full web/API pentesting and token tampering

• 🔄 JMeter: Load testing and flood-simulation

• 🕵️ WireMock: Simulate gateway failure/response delays

• ⚙️ Postman + Scripting: Token lifecycle and header replay testing

✅ Sample Test Scenarios

Here are critical test scenarios every QA or SDET should include when testing digital payment security and fraud systems:

• 🔁 Carding Attack Simulation

  Try performing hundreds of small transactions rapidly using random or stolen card numbers.

  ➤ Expected: System blocks the IP, triggers rate limiting, or requires CAPTCHA.

• 🔢 Brute Force OTP Attempts

  Continuously try random OTPs during checkout or login.

  ➤ Expected: User account gets locked or temporary timeout is enforced after a threshold.

• 🧾 Duplicate Payment Requests

  Submit the same payment request multiple times by refreshing or resending it.

  ➤ Expected: Only one transaction should succeed (idempotency should be enforced).

• 🌍 Payments from Blocked Locations

  Try initiating payments using VPNs or from geographies that are disallowed.

  ➤ Expected: Gateway or system blocks the request based on geo or IP reputation.

• 🔄 Session Replay by Refreshing Payment Page

  Refresh the payment page or use the back button and attempt a resubmission.

  ➤ Expected: Token/session should be invalidated, and user should be redirected to start fresh.

• 🏷️ Coupon or Promo Abuse

  Apply the same promo or referral code across multiple user accounts/devices.

  ➤ Expected: Backend should detect abuse and flag or restrict suspicious users.

• 🔁 Expired OTP or Token Reuse

  Reuse expired authorization codes or payment tokens.

  ➤ Expected: Server rejects the request with an appropriate error message.

---

📊 Monitoring & Alerting (Post-release)

Don’t stop after testing. Monitor live systems for:

• Unusual transaction spikes by IP or card BIN

• High failure rates on certain gateways or banks

• Repeated coupon or referral attempts

Use tools like ELK Stack, Grafana, Prometheus, and Splunk for visibility.

---

🎯 Final Thoughts

Security and fraud testing is not just about using tools—it’s about thinking like an attacker while keeping the business context in mind.

You need to:

• Blend white-box + black-box testing.

• Automate what’s repetitive.

• Update your threat models regularly.

• Work closely with product, dev, and security teams.

As testers, we’re not just validating features — we’re guarding the gates of trust in the digital economy.

🔧 Intercepting Android API Traffic with Burp Suite and a Rooted Emulator

Testing the security and behavior of Android apps often requires intercepting and analyzing API requests and responses. In this guide, we’ll walk through setting up an Android emulator to work with Burp Suite, enabling interception of HTTPS traffic and performing advanced manipulations like brute-force attacks.

⚠️ Requirements:

• Android Emulator (AVD)

• Root access (via Magisk)

• Burp Suite (Community or Professional Edition)

---

🛠 Step-by-Step Setup Guide

✅ 1. Install Burp Suite

• Download Burp Suite Community Edition (2023.6.2) from PortSwigger.

• Launch the app and navigate to:

  Proxy → Options → Proxy Listeners → Import/Export CA Certificate

✅ 2. Export and Install Burp CA Certificate

1. Export the CA Certificate in DER format and save it with a .crt extension.

2. Transfer this .crt file to your emulator (drag and drop works fine).

3. On the emulator:

   • Open Settings → Security → Encryption & Credentials

   • Tap Install from SD card

   • Choose the transferred certificate.

4. Confirm installation:

   • Go to Trusted Credentials → User and verify the certificate is listed.

---

🔓 3. Root the Emulator

To trust user-installed certificates at the system level (bypassing Android’s certificate pinning), you must root the emulator.

Tools You’ll Need:

• Magisk APK (v26.1 or later)

  👉 Download from Magisk Releases

• AlwaysTrustUserCerts.zip

  👉 Download from NVISOsecurity GitHub

• rootAVD tool

  👉 Download from rootAVD GitHub

Rooting Process:

1. Ensure your AVD is running before executing the root script.

2. Unzip rootAVD and run the following command in terminal:

./rootAVD.sh ~/Library/Android/sdk/system-images/android-33/google_apis/arm64-v8a/ramdisk.img

2. ✅ For Play Store-enabled AVDs, use google_apis_playstore in the path.

3. Your emulator will shut down automatically after patching.

---

⚙️ 4. Install Magisk & Trust Certificates

1. Restart your emulator and open the Magisk app.

2. Navigate to Modules → Install from Storage → Select AlwaysTrustUserCerts.zip

3. The emulator will restart again.

4. Verify the certificate now appears under System certificates, not just User.

---

🌐 5. Connect Emulator to Burp Suite

In Burp Suite:

1. Go to Proxy → Options → Add Listener

2. Choose an IP from the 172.x.x.x range.

3. Set port to 8080 and click OK.

On the Emulator:

1. Connect to Wi-Fi.

2. Long press the connected Wi-Fi → Modify Network → Proxy: Manual

3. Set:

   • Host: Burp Suite IP (e.g., 172.x.x.x)

   • Port: 8080

   • Save the changes.

---

🚀 6. Intercept Traffic

• Launch your Android debug app.

• Open HTTP History in Burp Suite to monitor incoming requests/responses.

---

🎯 Conclusion

You now have a fully configured Android emulator that allows you to:

• Intercept and inspect HTTPS API traffic

• Analyze request/response headers and payloads

• Perform manual or automated security tests (e.g., brute force attacks)

This setup is ideal for mobile QA, security testing, or reverse engineering Android applications in a safe, isolated environment.

---

💬 Feel free to bookmark or share this guide with fellow testers or developers diving into mobile app traffic inspection.

Happy hacking!

NFR Template/Checklist for JIRA

To make NFR as predefined template/checklist, we came up with few critical points to start with and it would be auto-populated as and when someone creates any story to the project.

Idea is to pushing NFR in initial phase discussion like designing and developing and as a cross check goes to QA. Apart from predefined template/checklist, anyone can work on other points too for which checklist already been published in Confluence under Guidelines and having predefined checklist in each story would ensure we are having NFR discussions too along with functional towards any deliverables to production.

NFR List	Checklist_Points	Comments if any
Logging	Have we ensured we are not logging access logs?	Access logs represent the request logs containing the API Path, status code, latencies & and any information about the request. We can avoid logging this since we already have this information in the istio-proxy logs
	Have we ensured we didn't add any sort of secrets in logs (DB passwords, keys, etc) ?
	Have we ensured that payload gets logged in the event of an error ?
	Have we ensured that logging level can be dyanamic configured ?
	Have we ensured that entire sequence of events in particular flow can be identified using an identifier like orderId or anything	- The logs added should be meaningful enough such that anyone looking at the logs, regardless of whether they have context on the code should be able to understand the flow. - For new features, it maybe important that the logs are logged as info to help ensure the feature is working is expected in production. Once we have confidence that the feature is working as expected, we could change these logs to debug unless required. Devs could take a call based on the requirement.
	Have we ensured that we are using logging levels diligently ?
Timeouts	Have we ensured that we have set a timeout for database calls ?
	Have we ensured that we have set a timeout for API call ?
	Have we ensured that timeouts are derived from dependent component timeouts ?	An API might have dependencies on few other components (APIs, DB queries, etc) internally. It is important the overall API timeout is considered after careful consideration of the dependent component timeouts.
	Have we ensured that we have set a HTTP timeout ?	Today, in most of our services we set timeouts at the client (caller). But we should also start looking at setting timeouts for requests on the server (callee). This way we ensure we kill the request in the server if it exceeds a timeout regardless of whether the client closes the connection or not.
Response Codes	Have we ensured that we are sending 2xx only for successfull scenarios ?
	Have we ensured that we are sending 500 only for unexpected errors (excluding timeouts) ?
	Have we ensured that we are sending 504 for a timeout error ?
Perf	Have we ensured that we did perf testing of any new API we build to get benchmark of the same we can go as per the expectations and can track accordingly going forward ?	We should identify below parameters as part of the perf test & any other additional info as per need: - Max number of requests a pod can handle with the allocated resources - CPU usage - Memory usage - Response times
	Have we ensured we did perf testing of existing APIs if there are changes around it to make sure we didn’t impact existing benchmark results ?
Feature Toggle	Have we ensured that we have feature toggle for new features to be able to go back to the old state at any given point until we are confident of the new changes. We may need to have toggles like feature will be enabled for specific users or city ?
Resiliency	Have we ensured that we are resilient to failures of dependent components (database, services ) ?
Metrics	Have we ensured that we are capturing the right metrics in prometheous ?	Below are some of the metrics that could be captured based on need or criticality: - Business metrics (example: number of payment gateway failures) - Business logic failures (example: number of rider prioritization requests that failed) - Or any other errors which would be important to help assess the impact in a critical flow could be captured as metrics.
Security	Have we ensured that right authentication scheme is active at the gateway level ?	This is applicable when we are adding any end point on Kong(Gateway).  - any of the authentication plugins (jwt,key-auth/basic-auth) must be defined either at the route level or on the service level - for gateway kong end points, acl plugin must be added and same group must be present on the consumer definition.
	Have we ensured that proper rate limiting applied at the gateway level ?	This is applicable when we are adding any end point on Kong(Gateway).Team leads are the code owners, so one of them have to check this when approving the PR.  - rate limiting plugin needs to be enabled on the route / service level on the PR raised against kong-config.
	Have we ensured that we are retreiving the userId from JWT ?	if requests is coming from kong, userid in requestbody should be matched with headers. Or for fetching any user related information, we have to read the userId only from the header populated by kong (x-consumer-username).

 

It would be populated in all Jira stories across projects as a predefined NFR checklist as given below screenshot.

Security Test Checklist - Cheatsheet

As part of engineering team, when specially we are dealing with scale and playing a role towards quality of end product we ship to outside world, it becomes quite important to make sure we looked into from security perspective for all the deliverables.

Please follow below checklist as part of your regular deliverables

• Broken Object Level Authorization

  • Let’s say a user generates a document with ID=322. They should only be allowed access to that document. If you specify ID=109 or some other ID, the service should return the 403 (Forbidden) error. To test this issue, what parameters can you experiment with? You could pass any ID in the URL or as part of Query parameters or Body (in XML or JSON). Try changing them to see what the service returns to you.

• Broken User Authentication

  • Here, you can test whether session token gets reassigned after each successful login procedure or after the access level gets escalated in the application. In case your application removes or somehow changes the session token, check to see whether it returns a 401 error. We must not allow the possibility of predicting the session token for each next session. It should be as random as possible.

• Excessive Data Exposure

  • For example, you have an interface that displays three fields: First Name, Position, Email Address, and Photo. However, if you look at the API response, you may find more data, including some sensitive data like Birth Date or Home Address. The second type of Excessive Data Exposure occurs when UI data and API data are both returned correctly, but parameters are filtered on the front end and are not verified in any way on the back end. You may be able to specify in the request what data you need, but the back-end does not check whether you really have permission to access that data.

• Lack of Resources & Rate Limiting

  • API should not send more than N requests per second. However, this strategy is not quite correct. If your client generates more traffic than another client, your API should be stable for all clients.

    This can be resolved using special status codes, for example, 429 (Too Many Requests). Using this status code, you can implement some form of Rate Limiting. There are also special proprietary headers. For example, GitHub uses its X-RateLimit-*. These headers help regulate how many requests the client can send during a specific unit of time.

  • The second scenario is related to the fact that you may not have enough parameter checks in the request. Suppose you have an application that returns a list of user types like size=10. What happens if an attacker changes this to 200000? Can the application cope with such a large request?

• Broken Function Level Authorization

  • This is concerned with vertical levels of authorization —the user attempting to gain more access rights than allowed. For example, a regular user trying to become an admin. To find this vulnerability, you must first understand how various roles and objects in the application are connected. Secondly, you must clearly understand the access matrix implemented in the application.

• Mass Assignment

  • Avoid providing convenient mass assignment functions (when assigning parameters in bulk).

• Security Misconfiguration

  • What can you test here? First of all, unnecessary HTTP methods must be disabled on the server. Do not show any unnecessary user errors at all. Do not pass technical details of the error to the client. If your application uses Cross-Origin Resource Sharing (CORS), that is, if it allows another application from a different domain to access your application’s cookies, then these headers must be appropriately configured to avoid additional vulnerabilities. Any access to internal files must also be disabled.

• Injections

  • In my opinion, modern frameworks, modern development methods, and architectural patterns block us from the most primitive SQL or XSS injections. For example, you can use the object-relational mapping model to avoid SQL injection. This does not mean that you need to forget about injections at all. Such problems are still possible throughout a huge number of old sites and systems. Besides XSS and SQL, you should look for XML injections, JSON injections, and so on.

• Improper Assets Management

  • CI/CD pipelines have access to various secrets and confidential data, such as accounts used to sign the code. Ensure you do not leave hard-coded secrets in the code and don’t “commit” them to the repository, no matter whether it is public or private.

• Insufficient Logging & Monitoring

  • The main idea here is that whatever happens to your application, you must be sure that you can track it. You should always have logs that show precisely what the attacker was trying to do. Also, have systems in place to identify suspicious traffic, and so on.Also we must check for secrets/credentials/confidential info in log. Have seen this in some cases where we log username/password of databases.

NFR Checklist - Cheatsheet

As a test engineer, our core responsibility to make sure we go through NFR checklist for each and every ticket we test and we ship any feature or change to production. Resiliency testing play a key role in microservice architecture. Let’s work towards that actively and build our system resilient.

Software resilience testing is a method of software testing that focuses on ensuring that applications will perform well in real-life or chaotic conditions. In other words, it tests an application’s resiliency, or ability to withstand stressful or challenging factors. Resilience testing is one part of non-functional software testing that also includes compliance, endurance, load and recovery testing. This form of testing is sometimes also referred to as software resilience engineering, application resilience testing or chaos engineering.

Since failures can never be avoided, resilience testing ensures that software can continue performing core functions and avoid data loss even when under stress. Especially as customer expectations are becoming higher and downtime can be detrimental to the success of an organization, it is crucial to minimize disruptions and be prepared for unwanted scenarios. Resilience testing can be considered one part of an organization’s business continuity plan.

 

Please follow below checklist as part of your regular testing

• Logging

  • Add appropriate logging towards any feature and any changes so we can debug any issue anytime later.

  • At the same time avoid adding unnecessary logging which are not needed for the changes.

  • Use INFO, WARNING, DEBUG and ERROR cautiously in the logging.

• Events in CT

  • Add CT events wherever it’s quite necessary to collect actions about users so we can take appropriate action based on user actions.

• SPOF (Single Point of Failure)

  • While building feature get an overall understanding of e2e flow and figure it out if this component or service fails, whole system or flow will go down along with it.

• Security (Credential Mgmt)

• Error Handling

  • Add appropriate logging for any kind of error which can happen towards feature or any change.

  • Test it out with diff set of data and how error handled at the API end apart from expected set of data.

• Timeouts

  • Timeouts will help you fail fast if any of your downstream services does not reply back within, say 1ms.

  • It helps to prevent Cascading failures.

• Retries

  • Retries can help reduce recovery time. They are very effective when
    dealing with intermittent failures.

  • Retries works well in conjunction with timeouts, when you timeout you
    retry the request.

• Fallbacks

  • When there are faults in your systems, choose to use alternative
    mechanisms to respond with a degraded response instead of failing
    completely.

• Circuit Breaker

  • Circuit breakers are used in households to prevent sudden surge in current
    preventing house from burning down. These trip the circuit and stop flow of current.

  • This same concept could be applied to our distributed systems wherein you stop making calls to downstream services when you know that the system is unhealthy and failing and allow it to recover.

  • Circuit breakers are required at integration points, help preventing cascading
    failures allowing the failing service to recover.

• Performance testing

  • Do perf testing of any new API we build to get benchmark of the same we can go as per the expectations and can track accordingly going forward.

  • Do perf testing of existing APIs if there are changes around it to make sure we didn’t impact existing benchmark results.

• Failure injection testing

  • Test your services via inject faults at integration points to verify how resilient is your service and entire system along with it.

• Health Check

  • Add health check for all the services and make sure it’s up all the time.

API Security Testing - How we can do/stop hacking to the APIs : Part-3

 

The first two parts in this series have set us well on our path to API security/intrusion nirvana; we first got to grips with current API technology basics, moved on to API Attack surface detection and then looked at a series of common and potent vulnerability attacks – all sharing the fact that they are pretty simple to perform using a little wit and available tools. Let’s dig a little more in our arsenal before concluding with some hands on tips on how to work with API Security Testing.

Cross Site Request Forgery (CSRF)

The last vulnerabilities we looked at in the previous installment were related to cross-site scripting attacks (XSS). Now, let’s have a look at another vulnerability / attack that plays with similar cards; cross-site request forgery. Just like XSS, this is an attack that originates from a web-browser – but since it often follows through with an API call it is definitely something you should be aware of:

Let’s walk through this so to provide an understanding of how this type of attack works:

• A user logs in to his/her bank account – which sets a session cookie on the client
• The bank shows a (malicious) ad for the latest vitamin pills, which the user clicks on without first logging out of the bank
• The page selling vitamin pills also contains a hidden form performing a bank-transfer, which is submitted automatically without the user noticing
• Since the user is still logged in to the bank the “forged request” succeeds and makes the transfer without the user noticing.

While this example may seem somewhat contrived (what bank shows vitamin ads?), I’m sure you get the idea, and I’m also sure I’m not the only one that has navigated away from an authenticated site without logging out first.

A common way to attempt to prevent these attacks is to look for specific http headers related to request referral, but headers can easily be spoofed using various techniques described online. The much better way to guard for these attacks from a development point-of-view is therefore to require a unique request token to be added to each incoming request to an API – either as an HTTP header or as a query parameter. The value is generated by the server when preparing the underlying webpage using a secret algorithm - which the attacker presumably won’t know – and thus won’t be able to.

Testing this becomes straightforward; are tokens enforced and validated correctly? What if you use one of the previously discussed techniques for the token itself; fuzzing, injection, etc.? Is this all handled gracefully or does an error message give away a little too much about how things are being done on the server side?

Insufficient SSL Configuration

Let’s shift our focus a little and have a look at some common vulnerabilities and attack opportunities that relate to the security stack of your API itself.

Using a self-signed SSL certificate is an easy mistake to make – the convenience of generating your own certificate is high – but the dangers are lurking, especially when it comes to APIs; if your app is the only one consuming your API your developers might even have hard-coded the client to accept the certificate – and then forgot all about it. Unfortunately, using a self-signed certificate leaves your API wide open for man-in-the-middle attacks – where an attacker inserts him/herself between the API and its client by replacing the client-facing certificate – allowing them to listen in on (and modify) traffic that was meant to be encrypted.

Testing for insufficient SSL configurations is straightforward – make sure your tests accept only valid certificates. Taking an extra precaution for MITM attacks is also advisable – for example by adding signatures to a message, which makes it impossible (well, almost) for a eavesdropper to modify messages on the wire, even if they manage to insert themselves in the communication pipeline. Testing with signatures, that they are enforced, correctly validated, etc. – is equally possible.

Insecure Direct Object References (IDOR)

Including object references as arguments to an API call is common practice – and consequently a very common API vulnerability is that access rights are not enforced for objects a user does not have access to. Identifying id parameters and sequentially looping through possible values can be an easy way to access data that isn’t meant for a user – once again API metadata can be a natural source for more information in this regard, making it easy for both hackers and tester to find possible attack surfaces within an API topology.

As a tester you need to validate that security is correctly enforced for objects one should not have access to – which is easily done by automating requests to resource not accessible and validating that the correct error messages are shown. At a higher level – you should perhaps also question the usage of identifier values that can easily be guessed – especially if the data is sensitive. Perhaps using GUID identifiers could be a better solution as identifiers in applicable cases.

Bad Session / Authentication Handling

The previous vulnerability is a specific example of whole slew of vulnerabilities related to bad session, security and authentication handling. Consider some more examples:

• Are session tokens re-used or sequential?
• Do session tokens timeout correctly?
• Are tokens exposed in unencrypted traffic?
• Are tokens added to URLs when sending links?
• Are login endpoints restricted?

All of these will be obvious attack points for a hacker – and should be as such for you as a Security Tester. Make sure that the described situations are correctly handled, do not give “bad” error messages if charged with invalid / unexpected input (using the arsenal of tests we have been looking at) – and do not provide an entry point for a hacker to start prying away at the walls of your APIs defense mechanisms!

Recap – and some tips to go!

Some hands-on tips to ensure that your APIs are fully security tested before we say our goodbyes:

• Automate: Most of the testing approaches for security vulnerabilities that we have covered can be automated and should definitely be done so – preferably against your production environment in some way. A system upgrade or server reconfiguration could be just as much a cause for a security vulnerability as bad development in the code of your APIs – and you definitely want to find out if such changes open up for unexpected vulnerabilities before anyone else.
• Stay on top: OWASP provides invaluable services and information on Internet related security vulnerabilities – and how to work against them. Make it a habit to check out their website and match their recommendations and findings against your APIs and infrastructure. Follow their guidelines – specifically those geared at APIs - and make sure you are doing what you can base on their resources.
• Finally - It’s your problem: Security is probably not going to be fixed or worried by anyone else than you, – make sure you give it the same attention and focus as you do to functional, performance, usability, A/B testing, etc. The price to pay for leaked passwords or erased user data is too high to pay for you not to care (which I know you do).

And there you have it - that’s it for the last part of the series. Hopefully you have learned plenty; basic underpinnings of API security vulnerabilities, how easy it is too perform common API attacks and how equally easy it is in most cases to test for corresponding vulnerabilities. Now get out there and hack an API!