🔐 OWASP API Security Hacking Guide

Professional Training Material for API Security Testing

1. Introduction to API Security

What is an API?

API (Application Programming Interface) is a software intermediary that allows applications to communicate with each other. In modern web development, approximately 70-80% of the surface web is built on API communication between internal and third-party services.

Key Concepts

Types of Web APIs

API Type   Description                                            Data Format
REST       Representational State Transfer - most common          JSON, XML
SOAP       Simple Object Access Protocol - enterprise standard    XML only
GraphQL    Query language for APIs - flexible data fetching       JSON

2. API Components

Essential API Elements

POST /api/v1/products HTTP/1.1
Host: api.example.com
Content-Type: application/json
X-API-Key: abc123def456

{
  "name": "Product Name",
  "price": 29.99,
  "category": "electronics"
}

3. Authentication Mechanisms

💡 Key Principle: Authentication is ALWAYS the first step in API testing. You cannot effectively test endpoints without understanding how to authenticate properly.

1. API Keys

Simple authentication method where a unique key is passed in headers or URL parameters.

curl -H "X-API-Key: your_api_key_here" https://api.example.com/data

Example: The API validates your key against a database table:
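The following is an added illustration of that server-side lookup; it is not code from the guide or from any real API. The key table is a constructed in-memory dict with a hypothetical layout (key_id, key_hash, owner, active), and the sample key "abc123def456" from the guide is used as test data. The two details worth copying are that only a hash of each key is stored and that the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def hash_key(raw_key: str) -> str:
    # Only a hash is stored server-side, so a leaked table does not leak usable keys.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


# Constructed stand-in for the api_keys table (hypothetical layout, not from the guide):
# key_id -> {key_hash, owner, active}. "abc123def456" is the sample key shown in the guide.
API_KEYS = {
    "k1": {"key_hash": hash_key("abc123def456"), "owner": "alice", "active": True},
    "k2": {"key_hash": hash_key("revoked-key-000"), "owner": "bob", "active": False},
}


def lookup_api_key(presented: Optional[str]) -> Optional[str]:
    """Return the owner of a valid, active key, otherwise None."""
    if not presented:
        return None
    presented_hash = hash_key(presented)
    owner = None
    # Walk every row and use a constant-time compare, so neither the loop nor the
    # comparison leaks through timing how close a guess came.
    for row in API_KEYS.values():
        if hmac.compare_digest(row["key_hash"], presented_hash) and row["active"]:
            owner = row["owner"]
    return owner


def authenticate(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Server side of `curl -H "X-API-Key: ..."`: 200 with the owner, or 401."""
    # Real frameworks expose headers case-insensitively; this plain dict lookup
    # assumes the canonical spelling used in the guide.
    owner = lookup_api_key(headers.get("X-API-Key"))
    if owner is None:
        return 401, {"error": "invalid or missing API key"}
    return 200, {"owner": owner}


def generate_api_key() -> str:
    # What the server hands out on key creation: 32 random bytes, URL-safe encoded.
    return secrets.token_urlsafe(32)
```

A revoked key and a key that is one character short both fall through to 401, which is the behaviour a tester should expect to see when probing an API-key scheme.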

2. OAuth 2.0

Authorization framework enabling third-party applications to access user data without exposing credentials.

User Request → Authorization Server → Access Token → Resource Server

3. JWT (JSON Web Tokens)

Self-contained tokens that carry user information and claims, commonly used in modern APIs.

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
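Added example, not from the guide: a minimal HS256 JWT signer and verifier in the standard library, showing the checks a resource server must make before trusting the claims. The header prefix "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" shown above decodes to {"alg":"HS256","typ":"JWT"}, and the code reproduces it. The secret, claims and token are constructed test data; the verifier pins the algorithm, checks the signature in constant time and enforces exp.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_compact(obj: Any) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(claims: Dict[str, Any], secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}  # encodes to the guide's "eyJhbGci..." prefix
    signing_input = _b64url_encode(_json_compact(header)) + "." + _b64url_encode(_json_compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Dict[str, Any]:
    """Return the claims only if the token is well-formed, HS256, correctly signed and unexpired."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    if exp is not None and now >= float(exp):
        raise ValueError("token expired")
    return claims


def is_token_valid(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    try:
        verify_hs256(token, secret, now)
        return True
    except (ValueError, TypeError, AttributeError):
        return False


def tamper_payload(token: str, new_claims: Dict[str, Any]) -> str:
    """Swap the payload but keep the old signature: exactly what the verifier must catch."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _b64url_encode(_json_compact(new_claims)) + "." + sig_b64


# Constructed demo secret and token (not real credentials).
DEMO_SECRET = b"constructed-demo-secret"
DEMO_TOKEN = sign_hs256({"sub": "123", "exp": 1_800_000_000}, DEMO_SECRET)
```

When reviewing a JWT-protected API, the questions this code answers are the ones to ask of the real implementation: is the algorithm fixed by the server, is the signature checked before the claims are read, and is exp enforced.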

4. Basic Authentication

Simple username:password encoded in Base64, sent in the Authorization header.

curl -u username:password https://api.example.com/endpoint

4. Tools for API Testing

1. Swagger/OpenAPI Documentation

Interactive API documentation that allows you to test endpoints directly in the browser. Look for swagger.json or openapi.json files.

GET /api-docs
GET /swagger.json
GET /openapi.json
GET /api/swagger.json

2. Postman

Popular API testing tool with GUI interface. Features include:

💡 Pro Tip: Always save your variables and collections in Postman after making changes!

3. cURL

Command-line tool for transferring data with URLs. Essential for quick API testing.

curl -X POST https://api.example.com/login -H "Content-Type: application/json" -d '{"username":"admin","password":"secret"}'

4. Burp Suite

Intercept and modify HTTP/HTTPS traffic. Essential for security testing.

5. Custom Python Scripts

Create tailored tools for specific APIs using libraries like requests and urllib.

import requests

# Placeholder endpoint and key; replace with the API under test
url = "https://api.example.com/endpoint"
headers = {"X-API-Key": "your_key"}

# Always set a timeout so a hanging endpoint does not stall the script
response = requests.get(url, headers=headers, timeout=10)
response.raise_for_status()  # surface 4xx/5xx instead of parsing an error body as data
print(response.json())

5. Content Discovery & Enumeration

Finding Hidden Endpoints

Developers often leave endpoints undocumented or hidden. These can be discovered through:

Tools for Fuzzing

ffuf -w wordlist.txt -u https://api.example.com/FUZZ -H "X-API-Key: your_key"
wfuzz -w api-endpoints.txt --hc 404 https://api.example.com/api/FUZZ

⚠️ Important: Always test with authentication headers when fuzzing! Test both authenticated AND unauthenticated states.

API Versioning

APIs often have multiple versions. Always check for older versions that may have vulnerabilities:

/api/v1/users
/api/v2/users
/api/v3/users

💡 Discovery Tip: Use the Wayback Machine (web.archive.org) to find old API documentation and endpoints!

6. Common API Vulnerabilities

1. SQL Injection

Test every parameter that might interact with a database. APIs often have less input sanitization than web interfaces.

Testing Strategy:

  • Test each parameter independently
  • Never fuzz all parameters simultaneously
  • Test authenticated and unauthenticated
  • Use payload lists specific to SQL injection

Common SQL Injection Payloads:

'
"
`
' OR '1'='1
' OR '1'='1'--
' OR '1'='1'#
1' UNION SELECT NULL--

curl "https://api.example.com/users?id=1'" -H "X-API-Key: key"
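Added example (not from the guide): the same users lookup written the vulnerable way and the correct way, run against a constructed in-memory SQLite table. It shows both signals a tester reads from the responses, a changed result set for the ' OR '1'='1 payload and a server error for the lone quote in the curl command above, and shows that a parameterised query gives neither.

```python
import sqlite3
from typing import Any, Callable, List, Tuple


def make_db() -> sqlite3.Connection:
    # Constructed sample table; three users, nothing else.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com"), (3, "carol", "carol@example.com")],
    )
    return conn


def get_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[Any, ...]]:
    # The request parameter is spliced into the SQL text, so quotes in it change the query.
    sql = f"SELECT id, name FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def get_user_safe(conn: sqlite3.Connection, user_id: str) -> List[Tuple[Any, ...]]:
    # Parameterised query: the driver sends the value separately from the SQL,
    # so the value can never become SQL syntax.
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def query_outcome(handler: Callable, conn: sqlite3.Connection, value: str) -> Tuple[str, Any]:
    """('rows', n) or ('error', message): the two things a tester observes from the outside."""
    try:
        return "rows", len(handler(conn, value))
    except sqlite3.Error as exc:
        return "error", str(exc)
```

The vulnerable handler returns every row for the boolean payload and throws a database error for the bare quote; the parameterised one returns exactly the user whose id was given and nothing for either payload.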

2. Broken Object Level Authorization (BOLA/IDOR)

One of the most common API vulnerabilities. Test if you can access resources belonging to other users.

# Your user ID: 123
GET /api/users/123/profile

# Try other user IDs
GET /api/users/124/profile
GET /api/users/125/profile
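Added example (not from the guide): the profile handler with and without an object-level authorization check, run over a constructed profile store, plus a helper that replays the test above and reports which ids come back 200 for a given caller.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: user id -> profile. Admin id 1 is a hypothetical role holder.
PROFILES: Dict[int, Dict[str, str]] = {
    123: {"name": "Alice", "email": "alice@example.com"},
    124: {"name": "Bob", "email": "bob@example.com"},
    125: {"name": "Carol", "email": "carol@example.com"},
}
ADMIN_IDS = {1}

Response = Tuple[int, Optional[Dict[str, str]]]


def get_profile_vulnerable(requester_id: int, target_id: int) -> Response:
    # The caller is authenticated, but the handler never asks whether
    # requester_id is allowed to read target_id's object.
    profile = PROFILES.get(target_id)
    return (404, None) if profile is None else (200, profile)


def get_profile_safe(requester_id: int, target_id: int) -> Response:
    # Object-level authorization: the object must belong to the caller, or the
    # caller must hold an explicit role that grants cross-user access.
    # Many APIs return 404 here instead of 403 so the check does not confirm existence.
    if requester_id != target_id and requester_id not in ADMIN_IDS:
        return (403, None)
    profile = PROFILES.get(target_id)
    return (404, None) if profile is None else (200, profile)


def accessible_ids(handler: Callable[[int, int], Response], requester_id: int, candidate_ids: List[int]) -> List[int]:
    """Replay the guide's check: which candidate ids return 200 for this requester?"""
    return [i for i in candidate_ids if handler(requester_id, i)[0] == 200]
```

For user 123 the vulnerable handler hands back every existing profile, which is the BOLA finding; the fixed handler returns only 123's own record, while the admin id still reaches the others through the explicit role check.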

3. Insecure File Upload

Test file upload endpoints without authentication and with malicious files.

⚠️ Test Cases:
  • Upload without authentication
  • Upload with different user roles
  • Test file type validation
  • Test file size limits
  • Attempt path traversal in filenames

4. Command Injection

Test parameters that might be used in system commands.

# Common command injection payloads
; ls
| whoami
& ping -c 4 127.0.0.1
`cat /etc/passwd`
$(id)
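Added example (not from the guide): how a handler that has to run a system command on user input avoids the injection the payloads above rely on. The hostname allowlist regex is constructed for this example, and the runner is injectable so the argv can be inspected without actually executing ping.

```python
import re
import subprocess
from typing import List

# Conservative allowlist for a hostname or IPv4 literal (constructed for this example).
# The leading (?!-) also stops a value from being parsed as an option.
_HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def is_valid_host(value: str) -> bool:
    return bool(_HOST_RE.match(value))


def build_ping_argv(host: str) -> List[str]:
    if not is_valid_host(host):
        raise ValueError("host contains characters outside the allowlist")
    # One list element per argument and no shell: the value never reaches /bin/sh,
    # so ';', '|', '&', backticks and $(...) carry no special meaning.
    return ["ping", "-c", "1", host]


def run_ping(host: str, runner=subprocess.run) -> subprocess.CompletedProcess:
    """`runner` is injectable so the behaviour can be checked without a real ping."""
    return runner(build_ping_argv(host), capture_output=True, text=True, timeout=5)


def rejected_payloads(candidates: List[str]) -> List[str]:
    """Which of the given inputs the allowlist turns away (useful when reviewing a handler)."""
    return [c for c in candidates if not is_valid_host(c)]
```

The contrast to look for in a real code base is os.system or subprocess with shell=True and a formatted string versus an argument list built from validated input; only the latter makes the metacharacters in the payload list inert.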

5. Path Traversal

Attempt to access files outside the intended directory structure.

# Linux path traversal
../../../etc/passwd
....//....//....//etc/passwd

# Windows path traversal
..\..\..\windows\system32\config\sam

# URL encoded
%2e%2e%2f%2e%2e%2f%2e%2e%2f

curl "https://api.example.com/files?name=../../../etc/passwd"
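Added example (not from the guide): the check a files endpoint should make on a user-supplied name before touching the filesystem, which is also the fix for the traversal test in the file API example later in this guide. The base directory /srv/files is hypothetical; the function resolves the joined path and requires the result to stay inside the base, rather than trying to strip "../" sequences.

```python
from pathlib import Path
from urllib.parse import unquote


def resolve_under(base_dir: str, user_path: str) -> Path:
    """Return the absolute path for user_path inside base_dir, or raise ValueError."""
    decoded = unquote(user_path)  # decode once, as the web framework would have done
    if "\x00" in decoded or "\\" in decoded:
        # NUL truncates paths in C code; backslashes are separators on Windows but
        # ordinary characters on Linux, so refuse them rather than guess.
        raise ValueError("unsupported characters in path")
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so the comparison is on the
    # real target, not on the string the client sent.
    candidate = (base / decoded).resolve()
    if candidate == base or base not in candidate.parents:
        raise ValueError("path escapes the base directory")
    return candidate


def is_safe_path(base_dir: str, user_path: str) -> bool:
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False
```

Note what happens to the ....//....// variant: it is a legitimate (if odd) path inside the base, because no "../" was ever stripped from it, which is exactly why checking the resolved result beats filtering the input. An absolute path such as /etc/passwd is also rejected, since joining it replaces the base.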

6. XXE (XML External Entities)

Primarily affects SOAP APIs that use XML. Test EVERY parameter in XML requests.

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <name>&xxe;</name>
</root>

⚠️ Important: Modern frameworks have XXE disabled by default, but developers sometimes enable it for specific functionality. Test all XML parameters independently!
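Added example (not from the guide): a pre-parse gate that refuses any document carrying a DOCTYPE or ENTITY declaration, which is the simplest way to keep an XML endpoint closed to the payload above regardless of how the underlying parser is configured. The sample documents are constructed; in production the defusedxml package is the usual drop-in, but the gate below needs only the standard library.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Union

# Any DOCTYPE (and hence any ENTITY) declaration is refused outright. This blocks
# external entities and entity-expansion ("billion laughs") in one check.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def is_xxe_attempt(data: Union[bytes, str]) -> bool:
    raw = data.encode("utf-8") if isinstance(data, str) else data
    return _DTD_RE.search(raw) is not None


def parse_xml_safely(data: Union[bytes, str]) -> ET.Element:
    """Parse only documents with no DTD; raise ValueError otherwise."""
    if is_xxe_attempt(data):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    raw = data.encode("utf-8") if isinstance(data, str) else data
    return ET.fromstring(raw)


def extract_name(data: Union[bytes, str]) -> Optional[str]:
    """What the endpoint actually wants: the <name> text, or None if the document was refused."""
    try:
        return parse_xml_safely(data).findtext("name")
    except (ValueError, ET.ParseError):
        return None


# Constructed copies of the guide's payload and of a benign request body.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <name>&xxe;</name>
</root>"""
BENIGN_DOC = b"<root><name>alice</name></root>"
```

The check runs on the raw bytes before the parser sees them, so it does not depend on which parser features a framework happens to enable.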

7. Mass Assignment

Attempt to modify fields that shouldn't be user-modifiable.

# Normal update request
PUT /api/users/123
{
  "name": "John Doe",
  "email": "[email protected]"
}

# Mass assignment attack
PUT /api/users/123
{
  "name": "John Doe",
  "email": "[email protected]",
  "role": "admin",
  "isVerified": true,
  "credits": 99999
}
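Added example (not from the guide): the update handler bound both ways, with an explicit allowlist of user-writable fields as the fix. The record and the request body are constructed from the example above (with a placeholder e-mail address).

```python
from typing import Any, Dict, Tuple

# Fields a user may change on their own record. Everything else (role, isVerified,
# credits, ...) is server-managed and must never be bound from the request body.
USER_WRITABLE_FIELDS = frozenset({"name", "email"})


def update_user_vulnerable(record: Dict[str, Any], payload: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    # Binds every key the client sent, which is what generic "update from JSON" helpers do.
    record.update(payload)
    return 200, record


def update_user_safe(record: Dict[str, Any], payload: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    rejected = sorted(set(payload) - USER_WRITABLE_FIELDS)
    if rejected:
        # Reject loudly (or drop silently and log); either way the fields never bind.
        return 400, {"error": "fields not writable", "fields": rejected}
    for field in USER_WRITABLE_FIELDS & set(payload):
        record[field] = payload[field]
    return 200, record


def sample_record() -> Dict[str, Any]:
    # Constructed current state of user 123 before the update.
    return {"id": 123, "name": "Jane", "email": "jane@example.com",
            "role": "user", "isVerified": False, "credits": 0}


# Constructed from the guide's mass assignment request body.
ATTACK_PAYLOAD = {"name": "John Doe", "email": "john@example.com",
                  "role": "admin", "isVerified": True, "credits": 99999}
```

A 400 that names the offending fields is the response a tester wants to see; a 200 whose follow-up GET shows role "admin" is the finding.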

8. Server-Side Request Forgery (SSRF)

Test parameters that accept URLs or make external requests.

# Test internal network access
{"url": "http://127.0.0.1:8080"}
{"url": "http://localhost/admin"}
{"url": "http://169.254.169.254/latest/meta-data/"}

# Cloud metadata endpoints
{"url": "http://metadata.google.internal/"}
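Added example (not from the guide): the validation a URL-accepting parameter needs before the server fetches anything, checked against every payload listed above. The resolver is injectable, and the DEMO_RESOLVER table is a constructed offline stand-in for DNS (its addresses are made up), so the example runs without network access.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Set
from urllib.parse import urlparse

# Names that must never be fetched even before resolution (constructed list; extend as needed).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def _resolve_default(host: str) -> Set[str]:
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def make_static_resolver(table: Dict[str, List[str]]) -> Callable[[str], Set[str]]:
    """Offline stand-in for DNS: a constructed hostname -> addresses table."""
    def resolve(host: str) -> Set[str]:
        if host not in table:
            raise socket.gaierror(f"no such host: {host}")
        return set(table[host])
    return resolve


def is_safe_fetch_url(url: str, resolver: Callable[[str], Set[str]] = _resolve_default) -> bool:
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):  # no file://, gopher://, etc.
        return False
    host = parsed.hostname  # already lower-cased, brackets stripped for IPv6
    if not host or host.rstrip(".") in BLOCKED_HOSTNAMES:
        return False
    try:
        addrs = {ipaddress.ip_address(host)}  # IP literal in the URL
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (OSError, ValueError):  # socket.gaierror is an OSError
            return False
    # Every resolved address must be globally routable: this rejects loopback,
    # RFC 1918, link-local (169.254.0.0/16, where cloud metadata lives) and similar.
    return all(a.is_global for a in addrs)


DEMO_RESOLVER = make_static_resolver({
    "api.example.com": ["93.184.216.34"],  # constructed public address
    "internal.corp": ["10.0.0.5"],         # constructed RFC 1918 address
})
```

One caveat the code cannot solve on its own: the address that was checked must be the one the HTTP client actually connects to, otherwise a hostname that resolves differently on the second lookup (DNS rebinding) slips through. Pin the resolved address when making the request, or validate inside the client's connection hook.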

7. Testing Methodology

The CRUD Testing Approach

For every resource object, test all CRUD operations:

  • Create (POST): Can you create resources?
  • Read (GET): Can you read single/multiple resources?
  • Update (PUT/PATCH): Can you modify resources?
  • Delete (DELETE): Can you remove resources?

Complete Testing Checklist

  1. Authentication Testing
    • Identify authentication mechanism
    • Test with valid credentials
    • Test with invalid credentials
    • Test without authentication
  2. Authorization Testing
    • Test with different user roles
    • Attempt horizontal privilege escalation
    • Attempt vertical privilege escalation
  3. Input Validation
    • Test each parameter independently
    • Use appropriate payload wordlists
    • Test both authenticated and unauthenticated
  4. Business Logic Testing
    • Understand the intended workflow
    • Attempt to bypass workflow steps
    • Test rate limiting and quotas

💡 Pro Methodology: Spend weeks or even months understanding an API before attempting to hack it. The more you understand the business logic, the better vulnerabilities you'll find.

8. Best Practices

Do's

Don'ts

9. Example Attack Workflow

Complete API Hacking Flow

1. Discovery
   Find API documentation, endpoints
   ↓
2. Authentication
   Understand and implement auth mechanism
   ↓
3. Exploration
   Use API as intended, map all functionality
   ↓
4. Enumeration
   Discover hidden endpoints, parameters
   ↓
5. Vulnerability Testing
   Test for common vulnerabilities systematically
   ↓
6. Exploitation
   Develop proof of concepts
   ↓
7. Reporting

10. Real-World Example: Testing a File API

# 1. List files (authenticated)
curl -H "X-API-Key: your_key" https://api.example.com/files

# 2. Create a file (authenticated)
curl -X POST -H "X-API-Key: your_key" \
  -H "Content-Type: application/json" \
  -d '{"filename":"test.txt","content":"Hello World"}' \
  https://api.example.com/files

# 3. Test without authentication
curl https://api.example.com/files

# 4. Test path traversal in filename
curl -X POST -H "X-API-Key: your_key" \
  -H "Content-Type: application/json" \
  -d '{"filename":"../../../etc/passwd","content":"test"}' \
  https://api.example.com/files

# 5. Test command injection in filename
curl -X POST -H "X-API-Key: your_key" \
  -H "Content-Type: application/json" \
  -d '{"filename":"test; whoami","content":"test"}' \
  https://api.example.com/files

# 6. Test SQL injection in file listing
curl -H "X-API-Key: your_key" \
  "https://api.example.com/files?id=1' OR '1'='1"

11. Resources & Lab Environment

Practice Targets

⚠️ Ethical Considerations:
  • Only test APIs you have permission to test
  • Respect rate limits and quotas
  • Don't cause service disruption
  • Report vulnerabilities responsibly
  • Never test production systems without authorization

Recommended Wordlists

12. Advanced Concepts

Microservices Architecture

Modern applications often use microservices - multiple smaller services working together. Each service may have different security measures.

Testing Microservices:

  • Map all microservices and their interactions
  • Test authentication/authorization per service
  • Look for inconsistent security implementations
  • Test inter-service communication

GraphQL Specifics

GraphQL has unique attack vectors:

curl -X POST https://api.example.com/graphql -H "Content-Type: application/json" -d '{"query": "{__schema{types{name}}}"}'

Rate Limiting Bypass

Techniques to test rate limiting effectiveness:
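Added example (not from the guide): a sliding-window limiter of the kind an API should sit behind, with a keying rule that counts per authenticated API key rather than per source address. The limit, window and request times are constructed; the limiter takes an explicit clock so the behaviour at the window edge can be checked deterministically.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key in any `window_seconds` interval."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def limiter_key(headers: Dict[str, str], client_ip: str) -> str:
    # Key on the authenticated principal first and the connection address second.
    # Counting only by a client-supplied header such as X-Forwarded-For would let a
    # caller reset the count by changing the header; the API key is what they must spend.
    api_key = headers.get("X-API-Key")
    return f"key:{api_key}" if api_key else f"ip:{client_ip}"


def simulate(limiter: SlidingWindowLimiter, key: str, request_times: List[float]) -> List[bool]:
    """Replay constructed request timestamps and return the allow/deny decision for each."""
    return [limiter.allow(key, now=t) for t in request_times]
```

When testing a limiter from the outside, the two edges this code makes visible are what to probe: whether the count is keyed to something the caller cannot freely change, and whether the window actually slides rather than resetting on a fixed boundary.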

13. Key Takeaways

Critical Success Factors

  1. Understanding Before Exploitation: You cannot effectively hack what you don't understand. Spend time learning the API's purpose and functionality.
  2. Authentication is Priority #1: Master authentication before attempting any other tests.
  3. Systematic Testing: Test each parameter independently, each endpoint thoroughly, with all possible states (authenticated/unauthenticated, different roles).
  4. Business Logic Matters: Technical vulnerabilities are important, but business logic flaws are often more impactful.
  5. Patience and Persistence: API testing takes time - weeks or months for complex applications is normal and expected.
  6. Documentation is Gold: Read everything - API docs, terms of use, blog posts, GitHub repos using the API.

💡 Final Wisdom: Hacking APIs is not about finding vulnerabilities quickly. It's about deeply understanding the application, its business logic, and then systematically testing every component. Quality over quantity always wins.