API Penetration Testing
Comprehensive testing of REST, GraphQL, SOAP and other APIs according to OWASP API Security Top 10 and industry best practices.
REST API
Testing RESTful services - authentication, authorization, input validation, rate limiting.
GraphQL
Specific GraphQL vulnerabilities - introspection, nested queries, batching attacks.
SOAP/gRPC
Testing SOAP web services and gRPC communication security.
OWASP API Security Top 10
Most common API vulnerabilities
API1:2023 – Broken Object Level Authorization
Insufficient object-level access control - an attacker can manipulate object IDs in requests to access data belonging to other users.
IDOR in API endpoints, missing ownership validation
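As an added illustration of the missing ownership validation described above (example code written for this page, not the service's own tooling), the following framework-free model of a GET /orders/{id} handler shows the BOLA defect beside the fixed version; the Principal, Order and ORDERS names are constructed for the example.

```python
# Added example: a minimal model of a REST handler for GET /orders/{id},
# first with the BOLA/IDOR defect (authenticated caller, no ownership
# validation) and then with an object-level authorization check.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset  # roles extracted from the verified session/JWT


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: str
    total: float


# Constructed sample data standing in for a database table.
ORDERS = {
    1001: Order(1001, "alice", 49.90),
    1002: Order(1002, "bob", 120.00),
}


def get_order_vulnerable(principal: Principal, order_id: int):
    """Authenticated but not authorized: any logged-in user can read any order
    simply by changing the id in the URL."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def is_owner_or_support(principal: Principal, order: Order) -> bool:
    """Object-level rule: the record's owner, or a member of the support role."""
    return order.owner_id == principal.user_id or "support" in principal.roles


def get_order_fixed(principal: Principal, order_id: int):
    """Same endpoint with ownership validation. A foreign id gets 404 rather
    than 403, so the response does not confirm that the order exists."""
    order = ORDERS.get(order_id)
    if order is None or not is_owner_or_support(principal, order):
        return 404, None
    return 200, order


if __name__ == "__main__":
    bob = Principal("bob", frozenset())
    print(get_order_vulnerable(bob, 1001))  # leaks alice's order
    print(get_order_fixed(bob, 1001))       # (404, None)
```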
API2:2023 – Broken Authentication
Weak authentication mechanisms, improper JWT implementation, missing token expiration.
JWT without signature verification, credential stuffing
API3:2023 – Broken Object Property Level Authorization
Excessive data exposure or mass assignment - the API returns more fields than the client needs, or accepts fields the client should not be allowed to set.
Mass assignment vulnerabilities, sensitive data leakage
API4:2023 – Unrestricted Resource Consumption
Lack of rate limiting and resource restrictions - enables denial-of-service or resource exhaustion.
No rate limiting, unlimited payload size, GraphQL depth attacks
API5:2023 – Broken Function Level Authorization
Insufficient authorization checks at function level - regular users can call admin endpoints.
Privilege escalation, admin endpoints without auth check
API6:2023 – Unrestricted Access to Sensitive Business Flows
Lack of protection against automated attacks on critical business flows.
Scalping, inventory hoarding, automated abuse
API7:2023 – Server Side Request Forgery (SSRF)
The API accepts URLs as input and does not adequately validate the request target.
Internal service enumeration, cloud metadata access
API8:2023 – Security Misconfiguration
Improper security headers, verbose error messages, CORS misconfiguration.
Missing CORS policy, stack traces, debug mode enabled
API9:2023 – Improper Inventory Management
Undocumented endpoints, old API versions, shadow APIs.
Deprecated endpoints, zombie APIs, missing documentation
API10:2023 – Unsafe Consumption of APIs
Insufficient validation of data from third-party APIs or integrations.
Blind trust in external APIs, no input sanitization
Specific Tests by API Type
REST API Testing
- HTTP method tampering
- Parameter pollution
- Content-Type validation
- Accept header manipulation
- API versioning issues
- Pagination vulnerabilities
GraphQL Testing
- Introspection abuse
- Depth limit bypass
- Query batching attacks
- Field suggestions disclosure
- Circular query DoS
- Alias-based bypass
SOAP Testing
- XML injection
- XXE (XML External Entity)
- WSDL enumeration
- WS-Security bypass
- SOAP action spoofing
gRPC/WebSocket
- Protocol buffer manipulation
- Metadata injection
- Stream hijacking
- WebSocket origin validation
- Message tampering
Testing Output
API Security Report
- OWASP API Top 10 mapping
- Endpoint inventory
- Authentication/Authorization analysis
- Risk-based prioritization
Technical Details
- Request/Response examples
- Burp/Postman collections
- Exploit PoCs
- CVSS v3.1 scores
Remediation Guide
- Secure coding examples
- Framework-specific fixes
- Security middleware recommendations
- Testing methodology
API Documentation Review
- OpenAPI/Swagger analysis
- Undocumented endpoints
- Schema validation gaps
Process
API Discovery
Gathering API documentation, endpoint enumeration, schema analysis, version identification.
Authentication Testing
JWT analysis, OAuth flows, API key security, token lifecycle testing.
Authorization Testing
BOLA/BFLA testing, horizontal/vertical privilege escalation, IDOR analysis.
Business Logic Testing
Rate limiting, resource consumption, workflow bypass, validation of business constraints.
Input Validation
Injection testing (SQL, NoSQL, command), XXE, SSRF, deserialization vulnerabilities.
Reporting
Report compilation with OWASP API Top 10 mapping, PoCs and remediation recommendations.