APIs are the backbone of modern applications. They power mobile apps, connect microservices, and enable third-party integrations. They're also one of the most attacked surfaces—and one of the least tested.

This guide covers the essential vulnerabilities in API security, the OWASP API Security Top 10, and a practical methodology for finding issues before attackers do.


OWASP API Security Top 10 (2023)

The OWASP API Security Top 10 is the industry standard for understanding API risks. Here's the current list with real-world context:

1. Broken Object Level Authorization (BOLA)

APIs expose endpoints that handle object identifiers. Attackers manipulate IDs to access resources belonging to other users.

Example: GET /api/orders/12345 returns any order, not just the requester's orders.

2. Broken Authentication

Weak authentication mechanisms allow attackers to compromise tokens, keys, or session identifiers.

Example: JWT tokens with weak secrets, no token expiration, or predictable session IDs.

3. Broken Object Property Level Authorization

Users can read or modify object properties they shouldn't have access to.

Example: A user updates their profile but includes "role": "admin" in the request body, and the server accepts it.

4. Unrestricted Resource Consumption

APIs don't limit requests, allowing denial of service or resource exhaustion.

Example: No rate limiting on login attempts enables credential stuffing attacks.

5. Broken Function Level Authorization

Attackers access administrative endpoints by changing HTTP methods or URL paths.

Example: A regular user accesses /api/admin/users directly.

6. Unrestricted Access to Sensitive Business Flows

APIs don't prevent automated abuse of business functions (scalping, spam, fraud).

Example: A bot automatically purchases limited inventory before humans can.

7. Server Side Request Forgery (SSRF)

The API fetches remote resources based on user input without validation.

Example: POST /api/fetch-url with url=http://169.254.169.254/ accesses cloud metadata.

8. Security Misconfiguration

Insecure default configurations, verbose error messages, and unnecessary features left enabled.

Example: Stack traces in production responses reveal internal structure.

9. Improper Inventory Management

Organizations don't track API versions, leaving old or deprecated endpoints exposed.

Example: /api/v1/ is still active with known vulnerabilities after v2 is deployed.

10. Unsafe Consumption of APIs

The API trusts data from third-party APIs without validation.

Example: Webhook data from a payment processor is processed without signature verification.

Authentication & Authorization Flaws

Authentication and authorization issues account for the majority of critical API vulnerabilities. Here's what to test:

Authentication Testing

  • Token Security: Weak JWT secrets, missing expiration, algorithm confusion (none, HS256→RS256)
  • Session Management: Session fixation, concurrent sessions, session still valid after password change
  • Credential Policies: Weak password requirements, account lockout bypass, credential recovery flaws
  • MFA Implementation: MFA bypass, backup code reuse, MFA not enforced on sensitive operations
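The token checks listed above, as an added example that is not part of the original article: a minimal HS256 verifier that pins the accepted algorithm (so "none" and a swapped algorithm header are refused), compares the signature in constant time, and treats a missing expiration as invalid. The secret, the claims and the issue_token helper are constructed for the demo and assume the server signs its own tokens with HMAC.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: the server's own HS256 signing key
ALLOWED_ALGS = {"HS256"}  # pin exactly the algorithm the server issues; never trust the header


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(claims: dict, alg: str = "HS256", sign: bool = True) -> str:
    """Mint a token; the alg/sign knobs exist only so the verifier's rejections can be exercised."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest() if sign else b""
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid, else raise ValueError naming the failed check."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers the unpacking, base64 and JSON failures
        raise ValueError("malformed token") from exc
    # Algorithm confusion: the header never chooses the algorithm; "none" or RS256 are rejected here.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    # Missing expiration is itself a finding, so a token without "exp" is treated as invalid.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    return claims
```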

Authorization Testing

  • BOLA/IDOR: Access resources by ID manipulation across all endpoints
  • Privilege Escalation: Access admin functions, modify role parameters, method manipulation
  • Mass Assignment: Modify protected fields by including them in request bodies
  • Scope Violations: OAuth scope bypass, access beyond granted permissions
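The BOLA example from the Top 10 (any order returned for any ID) and the mass-assignment item above ("role": "admin" in a profile update), as an added example that is not from the original article: one "update profile" endpoint in a vulnerable and a hardened form, plus the cross-account matrix a tester runs over every object ID and every request field. The store, the identities and the handler names are constructed for the demo.

```python
import copy

PROFILES = {  # constructed sample store: object id -> record
    101: {"owner": "alice", "role": "user", "email": "alice@example.test"},
    102: {"owner": "bob", "role": "user", "email": "bob@example.test"},
}
ROLES = {"alice": "user", "bob": "user", "root": "admin"}  # authenticated identity -> role
WRITABLE = {"email"}  # the only field a client may set through this endpoint


class Forbidden(Exception):
    pass


def update_vulnerable(db, actor, profile_id, body):
    # Trusts the client-supplied id and merges the whole body: BOLA plus mass assignment.
    db[profile_id].update(body)
    return db[profile_id]


def update_hardened(db, actor, profile_id, body):
    record = db.get(profile_id)
    # Object-level check: the record must belong to the caller unless the caller is an admin.
    if record is None or (record["owner"] != actor and ROLES.get(actor) != "admin"):
        raise Forbidden("object not accessible")
    # Property-level check: reject fields outside the allowlist instead of silently dropping them.
    extra = set(body) - WRITABLE
    if extra:
        raise Forbidden(f"protected fields: {sorted(extra)}")
    record.update(body)
    return record


def authz_findings(handler):
    """Try every (actor, object, body) combination; return the writes that should have been refused."""
    probes = [{"email": "new@example.test"}, {"role": "admin"}]
    findings = []
    for actor in ROLES:
        for pid in PROFILES:
            for body in probes:
                db = copy.deepcopy(PROFILES)  # fresh state for each probe
                owner_or_admin = db[pid]["owner"] == actor or ROLES[actor] == "admin"
                expected_ok = owner_or_admin and set(body) <= WRITABLE
                try:
                    handler(db, actor, pid, body)
                except Forbidden:
                    continue  # refused, as the policy requires
                if not expected_ok:
                    findings.append((actor, pid, tuple(sorted(body))))
    return findings
```

Each finding names the actor, the object ID and the fields that were written without authorization; the hardened handler produces none.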

Rate Limiting & Resource Exhaustion

APIs without proper rate limiting are vulnerable to abuse, from credential stuffing to denial of service:

Credential Stuffing

Attackers test thousands of stolen credential pairs against login endpoints. Without rate limiting, they can validate credentials at scale.

Test: Submit 1000 login attempts. Are they blocked? At what threshold?
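The login test just described, as an added example that is not part of the original article: a sliding-window limiter keyed on both the client IP and the target account, and a probe that fires the attempts and records at which one the endpoint starts refusing. Thresholds, addresses and account names are constructed for the demo.

```python
from collections import defaultdict, deque

# Constructed policy: (max attempts, window in seconds) per dimension. Counting per
# account as well as per IP is what keeps the limit meaningful when source IPs rotate.
LIMITS = {"ip": (100, 60.0), "account": (10, 300.0)}


class LoginLimiter:
    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.events = defaultdict(deque)  # (dimension, value) -> timestamps of recent attempts

    def _over(self, kind, value, now):
        max_n, window = self.limits[kind]
        q = self.events[(kind, value)]
        while q and now - q[0] >= window:
            q.popleft()  # forget attempts that have fallen out of the window
        return len(q) >= max_n

    def allow(self, ip, account, now):
        # Evaluate both dimensions first, then record the attempt so refused tries still count.
        blocked = self._over("ip", ip, now) or self._over("account", account, now)
        self.events[("ip", ip)].append(now)
        self.events[("account", account)].append(now)
        return not blocked


def probe_threshold(limiter, attempts, ip, account, start=0.0, spacing=0.01):
    """Return (attempt number of the first refusal or None, total refused), as a tester would log."""
    first_blocked, blocked = None, 0
    for i in range(1, attempts + 1):
        if not limiter.allow(ip, account, start + i * spacing):
            blocked += 1
            if first_blocked is None:
                first_blocked = i
    return first_blocked, blocked
```

With the constructed policy a single client is refused from the 11th attempt on; the account dimension gives the same result when the attempts are spread over many source addresses.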

Data Enumeration

Iterating through IDs or usernames to enumerate valid resources. Common with user lookup, password reset, and search endpoints.

Test: Can you enumerate all user emails via /api/check-email?email=test@...?

Resource Exhaustion

Expensive operations (complex queries, large file processing, report generation) can be abused to consume server resources.

Test: Can you trigger expensive operations in parallel without limits?

Financial Abuse

APIs that charge per request (SMS, email, payment processing) can be exploited for financial damage.

Test: Can you trigger unlimited SMS/email sends to drain account credits?

Data Exposure Vulnerabilities

APIs often return more data than the client needs, exposing sensitive information:

Excessive Data Exposure

API returns full user objects including password hashes, internal IDs, and private fields. Client filters what to display, but full data is in the response.

{"user": {"name": "John", "email": "...", "password_hash": "...", "ssn": "..."}}

Verbose Error Messages

Stack traces, SQL errors, and internal paths revealed in error responses give attackers reconnaissance value.

{"error": "MySQL Error: Unknown column 'admin' in users table at /var/www/api/..."}

Unprotected Debug Endpoints

Debug or development endpoints left active in production, exposing internal state or bypassing security.

/api/debug/config, /api/test/bypass-auth, /_debug/routes

Response Header Leakage

Server version, framework details, and internal infrastructure information in response headers.

X-Powered-By: Express, Server: nginx/1.14.0, X-Debug-Token: abc123

API Penetration Testing Methodology

A structured approach to API testing ensures comprehensive coverage:

1. API Discovery & Documentation

Gather API documentation (OpenAPI/Swagger, GraphQL schemas). Discover undocumented endpoints through traffic analysis, JavaScript files, and fuzzing. Build a complete endpoint inventory.

2. Authentication Analysis

Map authentication mechanisms (JWT, OAuth, API keys). Test token generation, validation, expiration, and revocation. Attempt authentication bypass techniques.

3. Authorization Testing

Test every endpoint with different user roles. Attempt BOLA/IDOR on all ID parameters. Test horizontal and vertical privilege escalation.

4. Input Validation

Test for injection vulnerabilities (SQL, NoSQL, command, LDAP). Test boundary conditions, type confusion, and parameter pollution.

5. Understand the business purpose of each endpoint. Test for workflow bypasses, state manipulation, and race conditions in multi-step processes.

6. Rate Limiting & Abuse

Test rate limits on authentication, sensitive operations, and resource-intensive endpoints. Attempt bypass techniques (IP rotation, header manipulation).


Essential API Testing Tools

The right tools make API testing efficient and thorough:

Burp Suite

Industry standard for API interception and testing. Extensions like Autorize automate authorization testing.

Postman

API development platform with testing capabilities. Great for building request collections and automation.

OWASP ZAP

Open-source alternative to Burp. API scanning with OpenAPI support and scripting capabilities.

ffuf/wfuzz

Fast fuzzing tools for endpoint discovery, parameter testing, and brute force attacks.

JWT.io / jwt_tool

Decode, test, and attack JWT implementations. Essential for modern API authentication testing.

sqlmap

Automated SQL injection detection and exploitation. Works with API endpoints via request files.


ManticoreAI API Security Testing

ManticoreAI's ShieldProbe provides comprehensive API security testing with AI-powered analysis:

OpenAPI Auto-Discovery

Upload Swagger/OpenAPI specs for instant attack surface mapping. Every endpoint, parameter, and authentication method identified.

BOLA/IDOR Detection

Automated testing for broken object-level authorization across all endpoints and HTTP methods.

Business Logic Testing

AI understands API workflows and tests for logic bypasses that pattern-based tools miss.

CI/CD Integration

Trigger API security tests from your pipeline. Get results before vulnerable code deploys.


Securing Your APIs

API security requires more than scanning—it requires understanding how APIs work and how attackers abuse them. Key takeaways:

  • Authorization is critical—BOLA/IDOR is the #1 API vulnerability for a reason
  • Authentication isn't authorization—valid tokens don't mean valid access
  • Rate limiting matters—APIs without limits enable credential stuffing and abuse
  • Inventory your APIs—you can't secure what you don't know exists
  • Test continuously—APIs evolve rapidly; annual testing isn't sufficient

Secure Your APIs with AI-Powered Testing

ManticoreAI provides comprehensive API penetration testing that covers the OWASP API Top 10 and beyond. Find vulnerabilities before attackers do.