
API Security — OWASP API Top 10

REST API penetration testing mapped to the OWASP API Security Top 10 — endpoint/spec discovery, BOLA/BFLA, broken auth, mass assignment & data exposure, resource consumption, SSRF, CORS/misconfig, shadow versions and tooling.

Jun 2026 lazyhackers
Recon & Discovery (5)
/swagger.json /openapi.json /api-docs /swagger-ui /v2/api-docs
Hunt API docs that map the entire attack surface
recon swagger
ffuf -w api-routes.txt -u https://target.com/api/FUZZ -mc 200,401,403
Brute API routes — 401/403 still reveal hidden endpoints
recon ffuf
kr scan https://target.com/ -w routes-large.kite -A=apiroutes
Kiterunner — content discovery tuned for API routes
recon kiterunner
katana -u https://target.com -jc | grep -Ei '/api/|/v[0-9]'
Crawl and extract API endpoints from JavaScript
recon katana
try /api/v1 /api/v2 /api/internal /api/private
Version & shadow-API discovery (API9)
recon inventory
API1 / API5 — BOLA & BFLA (3)
swap object IDs across accounts (see the IDOR sheet)
API1 BOLA — read/modify others' objects by changing IDs
bola api1
call /api/admin/* as a normal user
API5 BFLA — invoke admin-only functions
bfla api5
Burp Autorize to diff low-priv vs high-priv responses
Automate authorization testing across the whole API
tooling authz
API2 — Broken Authentication (4)
no rate-limit on POST /login -> credential stuffing
API2 — brute/stuff when login isn't throttled
api2 bruteforce
hydra -L users.txt -P pass.txt target.com http-post-form "/login:user=^USER^&pass=^PASS^:F=invalid"
Brute the login endpoint
api2 hydra
API key in the URL / weak or never-expiring JWT (see JWT sheet)
Token and key weaknesses
api2 jwt
password-reset token is guessable or reusable
Account takeover via a weak reset flow
api2 ato
API3 — Mass Assignment & Data Exposure (3)
{"email":"[email protected]","is_admin":true}
API3 BOPLA — inject privileged fields the API binds blindly
api3 massassign
diff the JSON response for extra fields (tokens, roles, PII)
Excessive data exposure — the server over-returns
api3 dataexposure
PATCH /api/users/me {"role":"admin"}
Object property-level authorization bypass
api3 privesc
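For the API3 entries above (mass assignment / property-level authorization), an added example that is not from the original cheatsheet: a minimal profile-update handler written two ways, first binding every JSON key onto the record, then binding only an allow-list of client-writable fields and rejecting anything else. The `User` record, its field names and the sample body are constructed for illustration.

```python
import json
from dataclasses import dataclass

# Constructed example record; the field names are assumed for illustration.
@dataclass
class User:
    id: int
    email: str
    display_name: str
    role: str = "user"
    is_admin: bool = False

# Fields a client may change on its own profile. Everything else
# (id, role, is_admin) must only change through a privileged path.
CLIENT_WRITABLE = frozenset({"email", "display_name"})

def update_user_vulnerable(user: User, body: str) -> User:
    """Binds every JSON key straight onto the record: the API3 bug."""
    for key, value in json.loads(body).items():
        setattr(user, key, value)
    return user

def update_user_hardened(user: User, body: str) -> User:
    """Binds only allow-listed keys and rejects any other key outright."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("JSON object expected")
    forbidden = set(data) - CLIENT_WRITABLE
    if forbidden:
        raise PermissionError(f"not client-writable: {sorted(forbidden)}")
    for key in CLIENT_WRITABLE & set(data):
        setattr(user, key, data[key])
    return user

# Constructed body of the kind the API3 entries describe.
SAMPLE_BODY = '{"email":"victim@example.com","is_admin":true}'

def demo() -> dict:
    """Runs both handlers on SAMPLE_BODY and reports what each did."""
    vuln = update_user_vulnerable(User(1, "a@example.com", "a"), SAMPLE_BODY)
    try:
        update_user_hardened(User(1, "a@example.com", "a"), SAMPLE_BODY)
        rejected = False
    except PermissionError:
        rejected = True
    return {"vulnerable_is_admin": vuln.is_admin, "hardened_rejected": rejected}

if __name__ == "__main__":
    print(demo())
```

Rejecting unknown keys rather than silently dropping them also makes tampering attempts visible in request logs.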
API4 — Resource Consumption (3)
?limit=99999999 / ?page_size=1000000
API4 — melt the DB/memory with huge page sizes
api4 dos
no rate-limit on search / export / OTP endpoints
Cost & DoS via unbounded operations
api4
huge JSON body or a deeply nested object
Parser resource exhaustion
api4 dos
API7 / API8 / API9 — SSRF, Misconfig, Inventory (4)
webhook / import-from-URL field -> http://169.254.169.254/ (see SSRF sheet)
API7 SSRF via URL-accepting fields
api7 ssrf
Origin: https://evil.com -> check Access-Control-Allow-Origin + Allow-Credentials
API8 — permissive CORS leaking authenticated data
api8 cors
OPTIONS / TRACE / verbose stack traces / debug routes
API8 misconfiguration probes
api8 misconfig
old /api/v1 still live after /api/v2 ships
API9 — deprecated/shadow versions skip new controls
api9 inventory
Tooling (3)
nuclei -u https://target.com -tags api,exposure,misconfig
Automated API misconfig/exposure checks
tooling nuclei
arjun -u https://target.com/api/endpoint -m JSON
Discover hidden JSON parameters
tooling arjun
mitmproxy / Postman / Burp to capture and replay the mobile/SPA API
Build the request corpus to fuzz
tooling