API Security Testing: A Practical Guide

August 30, 2024 4 min read

APIs have become the primary attack surface for modern applications. While organizations invest heavily in securing web frontends, APIs often receive far less scrutiny during security assessments. APIs expose business logic directly, handle sensitive data, and frequently lack the input validation and access controls that web interfaces enjoy. In my penetration testing engagements, API-related findings consistently rank among the most critical vulnerabilities.

Why API Security Matters

APIs expose raw business logic without the abstraction layer a frontend provides. An attacker interacting directly with an API can craft requests the frontend would never generate, testing developer assumptions about usage patterns. APIs also frequently return more data than the frontend displays, creating data leakage invisible through normal usage. Mobile apps, SPAs, third-party integrations, and partner systems all communicate through APIs, each introducing distinct authentication and authorization challenges.

Reconnaissance: Mapping the API Surface

Effective testing begins with thorough reconnaissance to discover every endpoint and understand the authentication model.

  • Documentation sources - Look for Swagger UI (commonly at /swagger, /api-docs, /swagger-ui.html), OpenAPI specs, and developer portals left accessible in production.
  • JavaScript analysis - SPAs embed API endpoints in JavaScript bundles. LinkFinder and webpack bundle review reveal endpoint paths and parameter names.
  • Mobile app reversing - Decompile apps using jadx (Android) or class-dump (iOS) to extract hardcoded endpoints and tokens.
  • Version discovery - Test older API versions (v1, v2) that may lack current security controls. Check both path-based (/api/v1/) and header-based versioning.
  • Endpoint fuzzing - Use ffuf with API-specific wordlists to discover undocumented endpoints like /api/admin, /api/internal, and /api/debug.
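
The reconnaissance sources above produce a list of routes that needs to be collected in one place before testing starts. The script below is an added example, not code from the article: it reads an OpenAPI document, pulls every operation with its path parameters and whether any security scheme applies, extracts literal `/api/...` paths from a JavaScript bundle, and lists the version segments seen so older versions are not forgotten. The spec and the bundle fragment are constructed inline so it runs offline; replace the two constants with real files.

```python
"""Endpoint inventory from an OpenAPI document and a JavaScript bundle.

Added example, not the article's code. The spec and bundle are constructed
inline so the script runs offline; replace the two constants with real files.
"""
import json
import re

# Constructed OpenAPI 3 document (describes no real service).
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "paths": {
        "/api/v2/users/{id}": {
            "get": {"security": [{"bearerAuth": []}],
                    "parameters": [{"name": "id", "in": "path"}]},
            "delete": {"security": [{"bearerAuth": []}]},
        },
        "/api/v2/health": {"get": {}},
        "/api/v1/export": {"post": {"security": [{"apiKey": []}]}},
    },
})

# Constructed fragment of a minified SPA bundle.
SAMPLE_BUNDLE = (
    'const b="/api/v2";fetch(b+"/users/"+id);'
    'axios.post("/api/internal/reindex",{});'
    'fetch(`/api/v1/reports/${r}/download`)'
)

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

def inventory_from_openapi(spec_text):
    """Return sorted (METHOD, path, auth_required, path_params) tuples."""
    spec = json.loads(spec_text)
    rows = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() not in HTTP_METHODS:
                continue
            # An operation-level 'security' key overrides the document default;
            # an empty list on either level means the route is unauthenticated.
            security = op["security"] if "security" in op else spec.get("security", [])
            params = [p["name"] for p in op.get("parameters", []) if p.get("in") == "path"]
            rows.append((method.upper(), path, bool(security), params))
    return sorted(rows)

# A quoted or backticked string starting with /api/; ${...} and {id} placeholders
# are kept so the reader sees where identifiers are interpolated.
API_PATH_RE = re.compile(r'["\'`](/api/[A-Za-z0-9_\-/{}$.]*)')

def endpoints_from_bundle(js_text):
    """Extract distinct /api/... path literals from JavaScript source."""
    return sorted(set(API_PATH_RE.findall(js_text)))

def versions_seen(paths):
    """Distinct version segments (v1, v2, ...) so retired versions get tested too."""
    found = set()
    for p in paths:
        m = re.search(r"/(v\d+)/", p)
        if m:
            found.add(m.group(1))
    return sorted(found)

if __name__ == "__main__":
    rows = inventory_from_openapi(SAMPLE_OPENAPI)
    for method, path, auth, params in rows:
        print(f"{method:7} {path:28} auth={'yes' if auth else 'NO '} params={params}")
    bundle_paths = endpoints_from_bundle(SAMPLE_BUNDLE)
    print("from bundle:", bundle_paths)
    print("versions:", versions_seen([r[1] for r in rows] + bundle_paths))
```

Routes the bundle references but the spec does not mention (here `/api/internal/reindex`) are the first candidates for the fuzzing step, and every route whose `auth` column reads `NO` deserves a second look before it is accepted as intentionally public.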

OWASP API Security Top 10

The OWASP API Security Top 10 provides a structured framework for the most critical API vulnerabilities.

  • BOLA (API1) - The most prevalent API flaw. While authenticated as one user, request resources by the IDs that belong to another user; iterating through ID ranges reveals authorization gaps.
  • Broken Authentication (API2) - Weak token generation, missing rate limiting on login endpoints, and JWT flaws. Test credential stuffing protection and token entropy.
  • Excessive Data Exposure (API3) - APIs return complete data objects, relying on the frontend to filter. Compare API responses against frontend display to find leaked fields like emails, internal IDs, or roles.
  • Rate Limiting (API4) - Test for missing rate limits on authentication, expensive operations, and data exports.
  • Broken Function Authorization (API5) - Test admin endpoints with regular user tokens. Switch HTTP methods (GET to PUT/DELETE) to access management functions.
  • Mass Assignment (API6) - Add extra parameters like role, isAdmin, or permissions to request bodies. Many frameworks auto-bind JSON properties without filtering.
  • Security Misconfiguration (API7) - Check for stack traces in errors, CORS misconfigurations, unnecessary HTTP methods, and missing security headers.
  • Injection (API8) - Test all parameters for SQL, NoSQL, command, and LDAP injection. JSON/XML payloads may enable deserialization attacks or XXE.
  • Improper Assets Management (API9) - Find deprecated API versions still accessible in production, often lacking patches and monitoring.
  • Insufficient Logging (API10) - Verify whether auth failures and authorization violations generate alerts.

Testing Methodology

  1. Set up your proxy - Configure Burp Suite or OWASP ZAP to intercept API traffic. Import OpenAPI specs to populate the sitemap automatically.
  2. Authenticate as multiple users - Create accounts at different privilege levels and capture valid tokens for each.
  3. Replay across contexts - Use the Autorize extension to replay every request with a different user's token, detecting BOLA and authorization flaws systematically.
  4. Fuzz parameters - Test unexpected data types, boundary values, and injection payloads using Burp Intruder or Postman collections.
  5. Test business logic - Bypass workflow restrictions, reuse one-time tokens, manipulate prices, and skip required steps in multi-stage processes.
  6. Analyze responses - Examine response bodies for information disclosure and compare response sizes across authorization levels.
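
Steps 2, 3 and 6 together are the Autorize pattern: capture requests as a legitimate user, replay them with every lower-privilege token, and compare the responses. The code below is an added example, not the article's or the Autorize project's code. It implements that comparison against an in-memory stand-in API, constructed here with one deliberate BOLA flaw (`GET /api/orders/{id}` never checks the owner) beside two routes that are authorized correctly, so the checker runs offline and the reader can see which request it flags and why. In a real engagement `api` would be a function that sends the request through your proxy.

```python
"""Autorize-style differential authorization replay against a mock API.

Added example, not the article's code. The API is an in-memory stand-in
(constructed here) so the checker runs offline; in an engagement the replay
function would send the captured requests through your proxy instead.
"""
from dataclasses import dataclass
import json

# Constructed fixtures: token -> (user_id, role); order -> owner.
SESSIONS = {"tok-alice": (1, "user"), "tok-bob": (2, "user"), "tok-admin": (9, "admin")}
ORDERS = {101: {"owner": 1, "total": 42.0}, 102: {"owner": 2, "total": 7.5}}

@dataclass
class Response:
    status: int
    body: str

def mock_api(method, path, token):
    """Stand-in target. GET /api/orders/{id} deliberately lacks an owner check
    (a BOLA flaw); DELETE and the admin route are authorized correctly.
    The mock is stateless, so DELETE does not actually remove anything."""
    if token not in SESSIONS:
        return Response(401, json.dumps({"error": "unauthenticated"}))
    uid, role = SESSIONS[token]
    parts = path.strip("/").split("/")
    if parts[:2] == ["api", "orders"] and len(parts) == 3 and parts[2].isdigit():
        order = ORDERS.get(int(parts[2]))
        if order is None:
            return Response(404, json.dumps({"error": "not found"}))
        if method == "GET":          # BOLA: any authenticated user can read any order
            return Response(200, json.dumps(order))
        if method == "DELETE":       # correct: ownership verified before acting
            if order["owner"] != uid:
                return Response(403, json.dumps({"error": "forbidden"}))
            return Response(204, "")
    if parts == ["api", "admin", "users"] and method == "GET":
        if role != "admin":          # correct function-level check
            return Response(403, json.dumps({"error": "forbidden"}))
        return Response(200, json.dumps(sorted(SESSIONS.values())))
    return Response(404, json.dumps({"error": "no route"}))

# Requests captured from the legitimate users (constructed): method, path, token.
RECORDED = [
    ("GET", "/api/orders/101", "tok-alice"),
    ("DELETE", "/api/orders/101", "tok-alice"),
    ("GET", "/api/admin/users", "tok-admin"),
]

def differential_replay(recorded, low_priv_tokens, api=mock_api):
    """Replay each captured request with each lower-privilege token. A replay
    whose status and body match the original is flagged as a bypass; comparing
    bodies (not only status) avoids false positives when a 200 carries an
    empty or different result for the other user."""
    findings = []
    for method, path, orig_token in recorded:
        baseline = api(method, path, orig_token)
        for token in low_priv_tokens:
            if token == orig_token:
                continue
            replayed = api(method, path, token)
            same = replayed.status == baseline.status and replayed.body == baseline.body
            findings.append({"request": f"{method} {path}", "as": token,
                             "baseline": baseline.status, "replayed": replayed.status,
                             "bypassed": same})
    return findings

def bypasses(findings):
    """(request, token) pairs where the lower-privilege replay was accepted."""
    return sorted((f["request"], f["as"]) for f in findings if f["bypassed"])

if __name__ == "__main__":
    for row in differential_replay(RECORDED, ["tok-bob"]):
        flag = "BYPASS" if row["bypassed"] else "ok"
        print(f"{flag:6} {row['request']:28} as {row['as']}: "
              f"{row['baseline']} -> {row['replayed']}")
```

Body comparison is what separates a real finding from noise: a `200` that returns the other user's own (empty) data is not a bypass, while an identical body for a resource the low-privilege user does not own is. When responses legitimately embed the caller's identity, compare response length or a normalized body instead of the raw string.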

Essential Tools

  • Burp Suite Professional - Primary API testing tool. Extensions like Autorize, JSON Web Tokens, and InQL extend its capabilities.
  • Postman - Build request collections, manage environments with different auth tokens, and run automated test suites.
  • OWASP ZAP - Free alternative with OpenAPI import and automated API scanning profiles.
  • ffuf - Fast fuzzer for endpoint discovery using SecLists API-specific wordlists.
  • Arjun - Discovers hidden HTTP parameters by testing common parameter name wordlists.

Remediation Recommendations

Implement object-level authorization checks at the data access layer rather than relying on endpoint-level controls. Define input validation schemas that specify allowed parameters, types, and ranges for each endpoint. Adopt API gateways that enforce rate limiting, authentication, and schema validation across all services. Ensure API logging captures enough context for incident detection without recording sensitive data like credentials.
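
The recommendations above, as an added example written for this page rather than taken from the article or any framework: a repository that applies the ownership check once at the data access layer, a per-endpoint schema that binds only declared fields (the defence against mass assignment, API6) with a type and range for each, and an audit record that keeps who, what and outcome while redacting credential headers. It is framework-free Python with constructed data so it runs offline; in a real service the repository would wrap your ORM and the schema your validation library.

```python
"""Remediation patterns as working code: object-level authorization in the
data access layer, allow-list request binding, and audit logging without
credentials. Added example, not the article's code; constructed data.
"""
from dataclasses import dataclass
import json

class Forbidden(Exception):
    pass

class ValidationError(Exception):
    pass

@dataclass
class Principal:
    user_id: int
    role: str

# Constructed rows; a database table in a real service.
ORDERS = {101: {"id": 101, "owner": 1, "total": 42.0, "note": "gift"},
          102: {"id": 102, "owner": 2, "total": 7.5, "note": ""}}

class OrderRepository:
    """Every order lookup goes through here, so the ownership check is applied
    once at the data access layer instead of per endpoint."""
    def __init__(self, principal):
        self.principal = principal

    def _load(self, order_id):
        row = ORDERS.get(order_id)
        # 'Missing' and 'not yours' raise the same error so IDs cannot be enumerated.
        if row is None or (row["owner"] != self.principal.user_id
                           and self.principal.role != "admin"):
            raise Forbidden(str(order_id))
        return row

    def update(self, order_id, patch):
        row = self._load(order_id)
        row.update(patch)
        return dict(row)

# Schema for PATCH /api/orders/{id}: only these fields bind, each with a type
# and range. role, owner, isAdmin and friends are rejected, not silently ignored.
ORDER_PATCH_SCHEMA = {
    "note": {"type": str, "max_len": 200},
    "total": {"type": float, "min": 0.0, "max": 10_000.0},
}

def bind(schema, body):
    """Allow-list binding: the defence against mass assignment."""
    extra = set(body) - set(schema)
    if extra:
        raise ValidationError(f"unexpected fields: {sorted(extra)}")
    bound = {}
    for name, rule in schema.items():
        if name not in body:
            continue
        value = body[name]
        if rule["type"] is float and isinstance(value, int) and not isinstance(value, bool):
            value = float(value)          # JSON integers are fine for numeric fields
        if not isinstance(value, rule["type"]):
            raise ValidationError(f"{name}: wrong type")
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise ValidationError(f"{name}: too long")
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            raise ValidationError(f"{name}: out of range")
        bound[name] = value
    return bound

SECRET_HEADERS = {"authorization", "cookie", "x-api-key"}

def audit_record(principal, method, path, headers, body, status, outcome):
    """Who did what with which result, plus the submitted field names (which
    reveal mass-assignment attempts) but never header secrets or field values."""
    scrubbed = {k: ("[REDACTED]" if k.lower() in SECRET_HEADERS else v)
                for k, v in headers.items()}
    return {"user_id": principal.user_id, "role": principal.role, "method": method,
            "path": path, "status": status, "outcome": outcome,
            "headers": scrubbed, "body_keys": sorted(body)}

def handle_patch_order(principal, order_id, raw_body, headers):
    """PATCH /api/orders/{id}: parse -> bind -> authorize via repository -> audit."""
    body = {}
    try:
        body = json.loads(raw_body)
        if not isinstance(body, dict):
            body = {}
            raise ValidationError("body must be a JSON object")
        row = OrderRepository(principal).update(order_id, bind(ORDER_PATCH_SCHEMA, body))
        status, resp, outcome = 200, row, "ok"
    except ValidationError as exc:
        status, resp, outcome = 400, {"error": str(exc)}, "validation_failed"
    except Forbidden:
        # 404 rather than 403: do not confirm that the object exists.
        status, resp, outcome = 404, {"error": "not found"}, "authz_denied"
    except ValueError:
        status, resp, outcome = 400, {"error": "malformed JSON"}, "validation_failed"
    audit = audit_record(principal, "PATCH", f"/api/orders/{order_id}", headers,
                         body, status, outcome)
    return status, resp, audit
```

The `outcome` field is what makes the log useful for detection (API10): a burst of `authz_denied` records from one `user_id` across many `order_id` values, or `validation_failed` records whose `body_keys` include `role`, is exactly the signal the article says should raise an alert, and neither record contains a token or a field value.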

Vid Grosek

Ethical Hacker & Penetration Tester

I help Slovenian companies discover security vulnerabilities before attackers do. Over 5 years of penetration testing experience.
