How do you pen test a REST API?
We have a server that is running a REST API on port 443. I'd like to make sure it's secure by doing various pen tests on it. I'm used to doing offensive testing on a webpage where I can see code, and URLs, and find forms to test. But I'm completely blind when testing an API. I don't even know what are valid URLs to test against. Is there any good documentation on how to do this, perhaps using Kali Linux?
Astra is one which I came across:

> Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during the development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate this into a CI/CD pipeline. Astra can take an API collection as an input, so this can also be used for testing APIs in standalone mode.

https://github.com/flipkart-incubator/Astra
This question and its answers provide good starting points for finding tools and techniques to test these interfaces: API Security Testing Methodologies