API Penetration Testing Methodology
A comprehensive guide to testing REST APIs, GraphQL endpoints, and gRPC services. This guide covers the OWASP API Security Top 10, advanced attack vectors, and remediation strategies.
Why API Security Matters
OWASP API Security Top 10 (2023)
APIs expose endpoints handling object identifiers. Attackers can manipulate IDs to access unauthorized data.
Weak authentication mechanisms allow attackers to compromise authentication tokens or exploit flaws.
Lack of or improper authorization validation at object property level. Excessive data exposure and mass assignment.
APIs don't restrict the size or number of resources that can be requested, enabling DoS and financial damage.
Complex access control policies with different hierarchies and roles. Flaws allow attackers to access admin functions.
Excessive access to business flows like purchasing, commenting, or reservations without rate limiting.
APIs fetch remote resources based on user input without proper validation. Enables internal scanning.
Missing security hardening, excessive permissions, unnecessary features enabled, verbose errors.
Exposed non-production APIs, outdated documentation, missing API inventory, deprecated endpoints.
Developers trust third-party APIs too much. Insufficient validation of data from external services.
Prerequisites
- ✓ Basic understanding of HTTP/HTTPS
- ✓ Familiarity with JSON and XML
- ✓ Experience with Burp Suite or Postman
- ✓ Command line proficiency
Lab Setup
Practice these techniques safely using vulnerable API applications. Do not test on production systems without authorization.
Guide Sections
Reconnaissance
API discovery, documentation analysis, endpoint enumeration → ffuf, Kiterunner, Arjun, LinkFinder
Authentication
JWT attacks, OAuth flaws, API key exploitation → jwt_tool, hashcat mode 16500, Burp Repeater
Authorization
BOLA, BFLA, and broken access control testing → Burp Autorize, manual ID swapping, role tampering
Mass Assignment
Property-level authorization and data exposure → Postman, Burp Intruder, response field analysis
Rate Limiting
Resource consumption and business logic abuse → header spoofing, IP rotation, GraphQL batching
Injection
SQL, NoSQL, command, and SSRF injection in APIs → sqlmap, NoSQLMap, cloud metadata SSRF
GraphQL
Introspection, batching, nested queries, and DoS attacks → InQL, graphql-cop, clairvoyance
gRPC
Protocol buffer testing, reflection, and interception → grpcurl, grpcui, protoc, Burp blackboxprotobuf
Tools
Essential API testing tools, Postman, Burp extensions, automation → 40+ tools with quick-ref cheatsheet
WebSocket APIs
WebSocket auth bypass, message injection, CSRF, and hijacking → Burp WebSocket history, wscat, ws-fuzzer
⚠️ Legal Disclaimer
Always obtain proper written authorization before testing APIs. Unauthorized testing of APIs you don't own or have permission to test is illegal and unethical.