CtrlK
BlogDocsLog inGet started
Tessl Logo

jbvc/api-patterns

API design principles and decision-making. REST vs GraphQL vs tRPC selection, response formats, versioning, pagination.

67

Quality

67%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

Overview
Quality
Evals
Security
Files

security-testing.md

API Security Testing

Principles for testing API security. OWASP API Top 10, authentication, authorization testing.

OWASP API Security Top 10

VulnerabilityTest Focus
API1: BOLAAccess other users' resources
API2: Broken AuthJWT, session, credentials
API3: Property AuthMass assignment, data exposure
API4: Resource ConsumptionRate limiting, DoS
API5: Function AuthAdmin endpoints, role bypass
API6: Business FlowLogic abuse, automation
API7: SSRFInternal network access
API8: MisconfigurationDebug endpoints, CORS
API9: InventoryShadow APIs, old versions
API10: Unsafe ConsumptionThird-party API trust

Authentication Testing

JWT Testing

CheckWhat to Test
AlgorithmNone, algorithm confusion
SecretWeak secrets, brute force
ClaimsExpiration, issuer, audience
SignatureManipulation, key injection

Session Testing

CheckWhat to Test
GenerationPredictability
StorageClient-side security
ExpirationTimeout enforcement
InvalidationLogout effectiveness

Authorization Testing

Test TypeApproach
HorizontalAccess peer users' data
VerticalAccess higher privilege functions
ContextAccess outside allowed scope

BOLA/IDOR Testing

  1. Identify resource IDs in requests
  2. Capture request with user A's session
  3. Replay with user B's session
  4. Check for unauthorized access

Input Validation Testing

Injection TypeTest Focus
SQLQuery manipulation
NoSQLDocument queries
CommandSystem commands
LDAPDirectory queries

Approach: Test all parameters, try type coercion, test boundaries, check error messages.

Rate Limiting Testing

AspectCheck
ExistenceIs there any limit?
BypassHeaders, IP rotation
ScopePer-user, per-IP, global

Bypass techniques: X-Forwarded-For, different HTTP methods, case variations, API versioning.

GraphQL Security

TestFocus
IntrospectionSchema disclosure
BatchingQuery DoS
NestingDepth-based DoS
AuthorizationField-level access

Security Testing Checklist

Authentication:

  • Test for bypass
  • Check credential strength
  • Verify token security

Authorization:

  • Test BOLA/IDOR
  • Check privilege escalation
  • Verify function access

Input:

  • Test all parameters
  • Check for injection

Config:

  • Check CORS
  • Verify headers
  • Test error handling

Remember: APIs are the backbone of modern apps. Test them like attackers will.

api-style.md

auth.md

documentation.md

graphql.md

rate-limiting.md

response.md

rest.md

security-testing.md

SKILL.md

tile.json

trpc.md

versioning.md