Intesar Mohammed
Posted on May 10, 2022
I tweet once in a while about product/organization updates. I've built a couple of Twitter integrations in the past.
As part of security research, I look for vulnerabilities in public APIs and mobile/web backend APIs. I often use the free API security testing tool to run basic tests. These tests are safe and non-intrusive; they detect OAuth 2.0/JWT/Authentication flaws in APIs. Twitter and similar organizations wouldn't mind or see these tests.
https://apisec-inc.github.io/pentest/
I used this Twitter API OpenAPI Specification file URL for testing:
https://api.twitter.com/labs/2/openapi.json
Here is the simple process I followed. I pointed the tool to the Twitter OpenAPI Spec file and just ran the basic tests to see what it returns.
The result came back with one endpoint being open to the public. Upon further investigation, I realized the endpoint was returning the API scheme, so it wasn't a big deal.
Conclusion: All Twitter API endpoints are secure, and no issues were found.
Posted on May 10, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.