mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2.3 KiB
2.3 KiB
API Reference: Testing API Security with OWASP Top 10
requests Library
Installation
pip install requests
Key Methods
| Method | Description |
|---|---|
requests.get(url, headers=, params=, timeout=) |
Send GET request |
requests.post(url, json=, headers=, timeout=) |
Send POST request |
requests.put(url, json=, headers=) |
Send PUT request |
requests.patch(url, json=, headers=) |
Send PATCH request |
requests.delete(url, headers=) |
Send DELETE request |
requests.options(url, headers=) |
Send OPTIONS preflight |
Response Object
| Attribute | Description |
|---|---|
resp.status_code |
HTTP status code (200, 401, 403, 429) |
resp.headers |
Response headers dict |
resp.json() |
Parse response body as JSON |
resp.text |
Response body as string |
resp.elapsed |
Response time as timedelta |
OWASP API Security Top 10 (2023)
| ID | Risk | Test Approach |
|---|---|---|
| API1 | Broken Object Level Auth | Iterate object IDs with another user's token |
| API2 | Broken Authentication | Brute-force login, test JWT weaknesses |
| API3 | Broken Object Property Level Auth | Check excessive data + mass assignment |
| API4 | Unrestricted Resource Consumption | Test pagination limits, rate limiting |
| API5 | Broken Function Level Auth | Access admin endpoints as regular user |
| API6 | Unrestricted Access to Sensitive Flows | Abuse OTP, reset, registration flows |
| API7 | Server-Side Request Forgery | Inject internal URLs in URL parameters |
| API8 | Security Misconfiguration | Check headers, CORS, error verbosity |
| API9 | Improper Inventory Management | Find deprecated API versions |
| API10 | Unsafe Consumption of APIs | Test trust boundaries with third-party data |
Security Header Checks
| Header | Expected Value |
|---|---|
Strict-Transport-Security |
max-age=31536000; includeSubDomains |
X-Content-Type-Options |
nosniff |
X-Frame-Options |
DENY or SAMEORIGIN |
Content-Security-Policy |
Restrictive policy |
References
- OWASP API Security Top 10: https://owasp.org/API-Security/
- OWASP Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
- requests docs: https://docs.python-requests.org/