API Security Testing Tools_API Security Testing

API Security Testing Tools

Best Practices for API Testing

RESTful APIs have become a fundamental part of modern web application development in recent years. The RESTful approach is far simpler and more scalable than the legacy web API variants that preceded it, such as SOAP (Simple Object Access Protocol).

The only implementation of REST is on top of HTTP, the protocol that powers the web. This means that vulnerable REST APIs expose risks similar to those of traditional web sites and applications, while being more challenging to test with automated web security scanners.

What is a REST API?

Before we discuss the challenges of effective security testing of REST APIs, we should clarify what we’re talking about.

An API is a mechanism of transferring information between two computer systems. An API can be implemented either at the code level or at the network level, depending on whether or not the two systems are running on the same machine.

In a commercial context, an API almost always refers to an interface across the web, which is the most common way of connecting disparate computer systems.

Modern Web APIs are usually implemented using REST (REpresentational State Transfer). REST is an architectural style in which all of the information needed to access or change the 'state' of a web service is carried in a single API call, such as fetching a data record or updating a database.

RESTful APIs offer a clean separation of concerns between the front-end (presentation layer) and the back-end (data-access layer). The RESTful style has been recognised as the international standard because a single REST API can be consumed simultaneously by mobile devices, web applications and IoT devices without any alterations, making it the cheapest and most flexible way to build modern applications.

Principles of RESTful API Security Testing

There are only four core principles to performing security tests on RESTful APIs. As is often the case howev
