creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/testing-api-security-with-owasp-top-10/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

55 lines
2.3 KiB
Markdown
Raw Blame History

# API Reference: Testing API Security with OWASP Top 10
## requests Library
### Installation
```bash
pip install requests
```
### Key Methods
| Method | Description |
|--------|-------------|
| `requests.get(url, headers=, params=, timeout=)` | Send GET request |
| `requests.post(url, json=, headers=, timeout=)` | Send POST request |
| `requests.put(url, json=, headers=)` | Send PUT request |
| `requests.patch(url, json=, headers=)` | Send PATCH request |
| `requests.delete(url, headers=)` | Send DELETE request |
| `requests.options(url, headers=)` | Send OPTIONS preflight |
### Response Object
| Attribute | Description |
|-----------|-------------|
| `resp.status_code` | HTTP status code (200, 401, 403, 429) |
| `resp.headers` | Response headers dict |
| `resp.json()` | Parse response body as JSON |
| `resp.text` | Response body as string |
| `resp.elapsed` | Response time as timedelta |
## OWASP API Security Top 10 (2023)
| ID | Risk | Test Approach |
|----|------|---------------|
| API1 | Broken Object Level Auth | Iterate object IDs with another user's token |
| API2 | Broken Authentication | Brute-force login, test JWT weaknesses |
| API3 | Broken Object Property Level Auth | Check excessive data + mass assignment |
| API4 | Unrestricted Resource Consumption | Test pagination limits, rate limiting |
| API5 | Broken Function Level Auth | Access admin endpoints as regular user |
| API6 | Unrestricted Access to Sensitive Flows | Abuse OTP, reset, registration flows |
| API7 | Server-Side Request Forgery | Inject internal URLs in URL parameters |
| API8 | Security Misconfiguration | Check headers, CORS, error verbosity |
| API9 | Improper Inventory Management | Find deprecated API versions |
| API10 | Unsafe Consumption of APIs | Test trust boundaries with third-party data |
## Security Header Checks
| Header | Expected Value |
|--------|---------------|
| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains` |
| `X-Content-Type-Options` | `nosniff` |
| `X-Frame-Options` | `DENY` or `SAMEORIGIN` |
| `Content-Security-Policy` | Restrictive policy |
## References
- OWASP API Security Top 10: https://owasp.org/API-Security/
- OWASP Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
- requests docs: https://docs.python-requests.org/
Reference in New Issue View Git Blame Copy Permalink