API: Security (megatask)
- Install/configure drupal/jsonapi_extras. Make sure to turn off any routes/entities/fields that are not meant to be publicly available: by default JSON:API exposes ALL resource types (users, nodes, taxonomies).
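As an added example (not part of this task, and not the module's own documentation), this is one way to do that with jsonapi_extras: a global setting that disables every resource type unless it is explicitly enabled, plus one resource config that re-enables article nodes while hiding fields that leak internal data. The config names and keys follow the jsonapi_extras config schema as I know it (jsonapi_extras.settings, jsonapi_extras.jsonapi_resource_config.*, default_disabled, resourceFields); treat the exact key names as assumptions and check them against the module's config/schema directory for the installed version before importing.

```yaml
# jsonapi_extras.settings (assumed config name)
# Weak default: every entity type/bundle that has a JSON:API resource is exposed.
# Hardened: nothing is exposed unless a resource config turns it back on.
path_prefix: jsonapi
include_count: false
default_disabled: true
---
# jsonapi_extras.jsonapi_resource_config.node--article (assumed config name)
# Opt a single bundle back in, and disable fields that would expose internals.
langcode: en
status: true
dependencies:
  module:
    - node
id: node--article
disabled: false
path: article
resourceType: article
resourceFields:
  uid:
    fieldName: uid
    publicName: uid
    enhancer:
      id: ''
    disabled: true       # author reference would reveal user IDs (API3: Excessive Data Exposure)
  revision_log:
    fieldName: revision_log
    publicName: revision_log
    enhancer:
      id: ''
    disabled: true       # editorial notes are not for public consumption
```

After importing, verify the result rather than trusting the config: the /jsonapi index document should list only the resource types you intentionally enabled, and requests for the disabled ones (user--user, taxonomy terms, other node bundles) should no longer resolve. Note that this only reduces the exposed surface; it does not replace entity access checks, so object-level authorization (API1) still depends on Drupal's permissions for each exposed resource.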
Penetration testing will be assessed on the following items from the OWASP API Security project: https://owasp.org/www-project-api-security/
- API1:2019 Broken Object Level Authorization
- API2:2019 Broken User Authentication
- API3:2019 Excessive Data Exposure
- #9 API4:2019 Lack of Resources & Rate Limiting
- API5:2019 Broken Function Level Authorization
- API6:2019 Mass Assignment
- #8 API7:2019 Security Misconfiguration
- API8:2019 Injection
- API9:2019 Improper Assets Management
- API10:2019 Insufficient Logging & Monitoring
Review cheat sheets to create additional tasks for API security:
Edited by Janna