Restful booker API Restful-booker an API that you can use to learn more about API Testing or try out API testing tools against. Restful-booker is a Create Read Update Delete Web API that comes with authentication features and loaded with a bunch of bugs for you to explore. The API comes pre-loaded with 10 records for you to work with and resets itself every 10 minutes back to that default state. Restful-booker also comes with detailed API documentation to help get you started with your API testing straight away. More on reddit.com

There are plenty of free APIs you can use for learning - https://github.com/toddmotto/public-apis/ More on reddit.com

One of the options I've found is python requests module (allows for sending http requests) in combination with pytest (test runner and assertions) and I kind of like this approach since it feels like i can do things my way rather than conform to the tool like Postman [emphasis added] You've hit the nail on the head. Once you start to do more complex testing, you will hit the limitations of postman very quickly (and spend a lot of time trying to figure out how to work around them). Using a real programming language and rest client library for automation gives you all kinds of flexibility, but of course, the knowledge requirements are higher--you have to know how to program. Edit: this same issue is true for a lot of no-code and low-code automated testing tools in my experience. To answer your question: here's the situation at my employer, manual testing: Postman load testing: gatling (with Java, not scala) AND postman, but we're phasing out postman for the reason mentioned above; it was great to get some tests up and running quickly but we're already hitting its limitations automated functional testing: Java with RestAssured More on reddit.com

Overview

REST API penetration testing is complex due to continuous changes in existing APIs and addition of new APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities in the initial phase of the development cycle. Astra can automatically detect and test login & logout (Authentication API), which makes it easy for anyone to integrate this into CICD pipeline. Astra can take API collection as an input so this can also be used for testing APIs in stand-alone mode.

Attacks Performed

• SQL Injection

• Cross-site Scripting

• Information Leakage

• Broken Authentication and Session Management

• CSRF (including Blind CSRF)

• Rate limit

• CORS misconfiguration (including CORS bypass techniques)

• JWT attack

• Open redirection

Usage

Once you have set up astra, you can use either CLI or web interface to start a scan.

You can use the arguments described in the README as per your need.

Example 1: In order to start a scan for GET api, use the following command.

$python astra.py -u http://localhost

Example 2: In order to start a scan for POST api with request headers, use the following command.

$python astra.py -u http://localhost -m POST --headers '{"token" : "123456789"}' --body '{"name" : "astra"}'

Example 3: Astra also provides a feature to scan all the apis using

Postman collection. Astra automatically detects login and logout apis and prompts the user to verify the apis.

More on reddit.com