APIs have quietly become the most critical attack surface in enterprise environments. Every mobile application, single-page web app, microservice architecture, third-party integration, and IoT device communicates through APIs. When Gartner predicted that API abuses would become the most frequent attack vector for enterprise web applications, they were not speculating — they were observing a trend that penetration testers had been documenting for years. The surface area of the average enterprise API footprint has expanded faster than most security teams can inventory it, let alone test it.
Yet API security testing remains poorly understood by many organizations. Traditional web application security assessments focus on browser-rendered interfaces — forms, session cookies, rendered HTML. API testing requires a fundamentally different approach because there is no user interface to guide the tester. The attack surface is the API contract itself: endpoints, parameters, authentication mechanisms, authorization logic, and the business rules encoded in request-response flows. This guide presents the methodology we use at Fortress MSSP when conducting API security assessments for enterprise clients.
Why APIs Are the Primary Attack Surface
The shift toward API-first architectures has created an asymmetry between the attack surface organizations expose and the security controls they apply. Consider a typical enterprise environment: a customer-facing web application might expose 30 pages to users, but the APIs backing that application expose 200 or more endpoints — many of which accept complex JSON payloads with dozens of parameters. Internal microservice APIs add hundreds more. Partner and B2B integrations add another layer. Each endpoint is a potential entry point.
Three factors make APIs particularly attractive to attackers:
- APIs are designed for programmatic access. Unlike web applications that rate-limit through UX friction (page loads, CAPTCHAs, human interaction speed), APIs are built to handle high-volume automated requests. This makes brute-force, credential stuffing, and enumeration attacks trivially scalable.
- APIs expose business logic directly. A web application might hide a discount calculation behind a "Submit Order" button. The API endpoint that processes that order exposes every parameter — including the discount field that the frontend never renders but the backend accepts.
- API documentation is often incomplete or stale. Organizations maintain Swagger/OpenAPI specs for developer onboarding but rarely update them as endpoints evolve. Undocumented endpoints — debug routes, deprecated versions, internal-only paths accidentally exposed — are common findings in every engagement.
OWASP API Security Top 10 (2023): The Framework
The OWASP API Security Top 10 provides the authoritative classification of API-specific risks. The 2023 edition reflects the vulnerabilities that practitioners encounter most frequently in real-world assessments. Understanding each category is essential for structured testing.
API1:2023 — Broken Object Level Authorization (BOLA)
BOLA is the single most common and most impactful API vulnerability we encounter. It occurs when an API endpoint accepts an object identifier (user ID, account number, order ID) and returns or modifies that object without verifying that the authenticated user is authorized to access it. An attacker changes /api/v1/accounts/1234 to /api/v1/accounts/1235 and receives another user's account data. This is not a theoretical risk — it is present in a significant percentage of the APIs we test.
API2:2023 — Broken Authentication
Weak authentication mechanisms in APIs include tokens that never expire, API keys transmitted in URLs (logged in server access logs, proxy logs, and browser history), JWT tokens with weak signing algorithms (or none at all), and password reset flows that leak tokens in response bodies. Authentication failures in APIs tend to be more severe than in web applications because API tokens often grant broader access than session cookies.
API3:2023 — Broken Object Property Level Authorization
This category covers mass assignment and excessive data exposure. Mass assignment occurs when an API accepts and processes properties that the client should not be able to set — for example, a user profile update endpoint that accepts a role or isAdmin property because the backend model binds request parameters directly to the data model without filtering. Excessive data exposure occurs when an API returns more data than the client needs, relying on the frontend to filter what is displayed. The API returns the full user object including password hashes, internal IDs, and PII — the frontend shows only the name and email.
API4:2023 — Unrestricted Resource Consumption
APIs that do not enforce rate limiting, payload size limits, or pagination boundaries enable denial-of-service attacks and resource exhaustion. An endpoint that accepts a page_size=999999 parameter and attempts to return a million records will exhaust database connections and memory. An upload endpoint with no file size limit enables storage exhaustion.
API5:2023 — Broken Function Level Authorization
This occurs when administrative API endpoints are accessible to regular users. A common pattern: the frontend only renders admin navigation for admin users, but the API endpoints behind those admin functions do not enforce role-based access control. Regular users who discover the endpoint paths (through JavaScript source maps, API documentation, or enumeration) can execute administrative operations.
API6:2023 through API10:2023
The remaining categories — Unrestricted Access to Sensitive Business Flows, Server Side Request Forgery, Security Misconfiguration, Improper Inventory Management, and Unsafe Consumption of APIs — round out the framework. Each addresses specific patterns of API abuse that require targeted testing techniques. Security misconfiguration and improper inventory management are particularly common in organizations running microservice architectures where the number of deployed API endpoints exceeds what any single team can track.
The Testing Methodology: Phase by Phase
Phase 1: Reconnaissance and API Discovery
Before testing a single endpoint, you need a complete inventory. API discovery involves multiple techniques applied in parallel:
- Documentation review: Collect Swagger/OpenAPI specifications, Postman collections, developer portal documentation, and any API reference material. These are the starting point, not the complete picture.
- Traffic analysis: Proxy the target application through Burp Suite or mitmproxy and exercise every feature. Map every API call the application makes, including calls to endpoints not documented in official specs. Pay particular attention to requests made during authentication flows, error conditions, and edge-case user interactions.
- JavaScript source analysis: Modern SPAs embed API endpoint paths, parameter names, and sometimes authentication logic in their JavaScript bundles. Source maps (when available) make this trivial. Even minified code reveals endpoint patterns through string analysis.
- Version enumeration: If the current API version is
/api/v3/, test for/api/v1/and/api/v2/. Deprecated API versions frequently lack security controls that were added in later versions but remain accessible because nobody decommissioned the old endpoints. - Endpoint brute-forcing: Use wordlists tailored to API patterns —
/admin,/internal,/debug,/graphql,/health,/metrics,/swagger.json,/.well-known— to discover undocumented paths. Tools like ffuf and feroxbuster are effective for this when configured with appropriate wordlists and response filtering.
Phase 2: Authentication Testing
Authentication testing for APIs goes beyond testing login forms. The assessment covers:
- Token lifecycle: How are tokens issued, refreshed, and revoked? Do access tokens expire within a reasonable timeframe? Do refresh tokens rotate on use? Can a revoked token still be used for API calls? Token expiration values of 24 hours or longer are common findings.
- JWT analysis: If the API uses JSON Web Tokens, examine the signing algorithm (HS256, RS256, or — alarmingly — "none"), test for algorithm confusion attacks, verify that the secret is not guessable (HS256 with "secret" or "password" as the key is more common than you would expect), and test whether the API validates the signature at all.
- API key security: Where are API keys transmitted? Keys in URL query parameters are logged everywhere — web server access logs, CDN logs, proxy logs, browser history, analytics platforms. Keys should be transmitted in headers and rotated on a defined schedule.
- Multi-factor authentication bypass: If MFA is enforced on the web login, is it also enforced on the API authentication endpoint? Many implementations enforce MFA in the web UI layer but not in the underlying API, allowing attackers to authenticate directly through the API and bypass MFA entirely.
Phase 3: Authorization Testing (BOLA/IDOR)
This is the phase that consistently produces the highest-severity findings. Authorization testing is methodical: for every endpoint that accepts an object identifier, test whether the API enforces access control by substituting identifiers belonging to other users, other tenants, or other authorization contexts.
The testing pattern is straightforward but labor-intensive:
- Authenticate as User A and record the object IDs returned in API responses (account IDs, order IDs, document IDs, user IDs).
- Authenticate as User B (a separate test account with different permissions).
- Using User B's authentication token, attempt to access every object ID belonging to User A by replaying the requests with modified identifiers.
- Test both read operations (GET) and write operations (PUT, PATCH, DELETE). An API might correctly prevent User B from reading User A's data but allow User B to delete it.
- Test horizontal authorization (same role, different user) and vertical authorization (lower-privilege role accessing higher-privilege resources).
Identifier patterns matter. Sequential integer IDs (/users/1001, /users/1002) make enumeration trivial. UUIDs provide obscurity but not security — if any endpoint leaks UUIDs in its response (a common excessive data exposure finding), the obscurity is eliminated. Authorization must be enforced regardless of identifier predictability.
Phase 4: Input Validation and Injection
API input validation testing covers the traditional injection categories — SQL injection, NoSQL injection, command injection, XML external entity processing, server-side request forgery — applied to API-specific contexts. JSON payloads, GraphQL queries, and XML request bodies each have unique injection patterns.
GraphQL APIs deserve special attention. A single GraphQL endpoint accepts arbitrarily complex queries, enabling introspection attacks (querying the schema to discover all types and fields), nested query depth attacks (deeply nested queries that consume exponential server resources), and batch query attacks (submitting hundreds of operations in a single request to bypass rate limiting).
Parameter pollution is another API-specific technique: sending the same parameter multiple times with different values to test how the backend handles ambiguity. Does role=user&role=admin result in the API processing the first value, the last value, or an array? Each behavior can be exploitable depending on the backend implementation.
Phase 5: Rate Limiting and Business Logic
Rate limiting testing verifies that the API enforces limits on request volume, payload size, and resource consumption. Test whether limits apply per-user, per-IP, per-API-key, or globally. Test whether limits can be bypassed by rotating headers (X-Forwarded-For), using different authentication tokens, or splitting requests across API versions.
Business logic testing is the most nuanced phase and the one that automated tools cannot perform. It requires understanding the application's business rules and testing whether the API enforces them. Examples from real engagements:
- An e-commerce API that applies a coupon code via
POST /api/cart/couponbut does not check whether the coupon was already used — sending the same coupon request 50 times applies a 10% discount 50 times. - A financial API that validates transaction amounts on the frontend but accepts negative values through the API, enabling an attacker to "transfer" a negative amount and increase their balance.
- A healthcare API that enforces appointment scheduling rules in the UI but allows direct booking of any time slot through the API, bypassing availability checks and provider-patient assignment rules.
API Security Testing vs. Traditional Web Application Testing
Organizations that treat API testing as a subset of web application security testing consistently miss critical vulnerabilities. The differences are structural:
- No UI to guide testing: Web application testers follow the UI flow. API testers must construct requests from documentation, traffic analysis, and code review. This requires deeper technical skill and more preparation time.
- Authorization is the primary concern: In web applications, cross-site scripting and injection dominate findings. In APIs, broken authorization (BOLA) is the most prevalent high-severity finding by a significant margin.
- Authentication is token-based: Web applications use cookies with browser-enforced security attributes (HttpOnly, Secure, SameSite). APIs use bearer tokens, API keys, and JWTs that require explicit security controls at the application level.
- The attack surface is larger: APIs expose every parameter the backend accepts, not just the fields rendered in a form. Hidden parameters, undocumented endpoints, and deprecated versions expand the surface beyond what any UI-based assessment would discover.
- Automated scanning is less effective: Web application scanners can crawl links and submit forms. API scanners require schema definitions and authentication configuration to function, and they still miss business logic flaws, complex authorization issues, and chained vulnerabilities that require multi-step exploitation.
Tools and Techniques
Effective API security testing combines manual analysis with targeted automation. No tool replaces a skilled tester, but the right tools dramatically improve efficiency.
Manual testing tools:
- Burp Suite Professional: The core platform for intercepting, modifying, and replaying API requests. Extensions like Autorize (for automated authorization testing), JSON Beautifier, and JWT Editor are essential for API work.
- Postman/Insomnia: Useful for organizing API collections, managing environments, and scripting multi-step test sequences. Postman's pre-request scripts enable automated token refresh during long testing sessions.
- jwt.io and jwt_tool: For decoding, analyzing, and attacking JWT implementations. jwt_tool automates common JWT attacks including algorithm confusion, key brute-forcing, and claim manipulation.
Automated and semi-automated tools:
- Nuclei with API templates: Fast, template-based scanning for known API misconfigurations, default credentials, and exposed documentation endpoints.
- ffuf/feroxbuster: Content discovery tools configured with API-specific wordlists for endpoint enumeration.
- sqlmap: For confirming and exploiting SQL injection findings in API parameters, with JSON payload support.
- GraphQL Voyager and InQL: Specialized tools for GraphQL schema visualization, introspection testing, and query generation.
The most effective approach is to use automated tools for coverage and efficiency — scanning for known vulnerabilities, enumerating endpoints, testing for common misconfigurations — and manual testing for depth: authorization logic, business rule enforcement, chained attack scenarios, and the nuanced findings that define a comprehensive penetration test.
What We Find in Real Engagements
After conducting API security assessments across financial services, healthcare, legal technology, and SaaS platforms, certain patterns recur consistently:
- BOLA in at least one endpoint is present in the majority of assessments. The most common pattern is a data retrieval endpoint that accepts an ID parameter and returns the object without checking ownership. Organizations that use an ORM without mandatory tenant-scoping filters are particularly susceptible.
- Excessive data exposure appears in nearly every assessment. APIs return full database objects — including fields like password hashes, internal flags, creation timestamps, and associated records — where the frontend only uses a subset. The excess data is visible to anyone inspecting network traffic.
- Missing rate limiting on authentication endpoints enables credential stuffing and brute-force attacks. Even when the web login is protected by rate limiting and account lockout, the underlying API authentication endpoint often lacks equivalent controls.
- Deprecated API versions still accessible is a finding that appears in most organizations running versioned APIs. The v1 API that was "replaced" two years ago is still routable, still accepts requests, and still has the SQL injection vulnerability that was fixed in v2 but never backported.
- Mass assignment in update endpoints allows users to modify fields they should not have access to. A profile update endpoint that accepts arbitrary JSON properties and maps them to the database model without an allowlist is exploitable whenever a sensitive field exists on the same model — role, permissions, billing status, account tier.
Building an API Security Testing Program
A single assessment provides a point-in-time snapshot. Organizations deploying APIs continuously need a testing program that keeps pace with development:
- Integrate API security into CI/CD: Automated schema validation, authentication testing, and known-vulnerability scanning should run on every build. This catches regressions and obvious misconfigurations before deployment.
- Conduct manual assessments quarterly or with major releases: Automated tools do not find business logic flaws, complex authorization issues, or chained vulnerabilities. Manual testing by experienced practitioners is required for depth.
- Maintain an API inventory: You cannot secure what you do not know exists. API gateway logs, service mesh telemetry, and network traffic analysis should feed a continuously updated inventory of all API endpoints in production.
- Enforce authentication and authorization at the gateway level: Centralized enforcement through an API gateway reduces the risk of individual endpoints missing access control checks. Defense in depth still requires application-level authorization, but the gateway provides a consistent baseline.
Start With a Comprehensive Assessment
If your organization exposes APIs — and it almost certainly does, whether you have formally cataloged them or not — API security testing should be a priority. The vulnerabilities are prevalent, the impact of exploitation is severe (direct data access, no UI friction for attackers, scalable abuse), and the gap between API deployment velocity and API security maturity continues to widen across most industries.
Fortress MSSP conducts API security assessments as part of our web application security testing and network penetration testing engagements. Our methodology covers the complete OWASP API Security Top 10, with particular depth in authorization testing and business logic analysis — the areas where automated tools fail and practitioner expertise makes the difference.
Schedule an API security assessment to identify the vulnerabilities in your API footprint before an attacker does.