BSG Blog Berezha Security Group

API Security Testing: OWASP API Top 10 Walkthrough

Penetration Testing January 14, 2026

Introduction

APIs (Application Programming Interfaces) have become the backbone of modern software architecture. From mobile apps to microservices, organisations rely on APIs to connect systems, share data, and deliver functionality. But this connectivity comes with risk.

In 2026, APIs represent one of the most common attack vectors in web applications. According to Traceable AI’s 2025 Global State of API Security Report, 57% of organisations experienced an API-related data breach over the past two years, and 73% of those breached organisations faced three or more separate incidents. Major breaches continue to be traced back to insecure API endpoints.

This guide covers everything you need to know about API security testing in 2026, from basic concepts to advanced penetration testing techniques. Whether you’re a developer implementing APIs or a security professional assessing them, you’ll learn how to identify and fix common API vulnerabilities before attackers exploit them.

Why API Security Testing Matters in 2026

APIs expose business logic and data access in ways that traditional web applications don’t. A single misconfigured endpoint can expose:

  • Customer data: Personal information, payment details, account credentials
  • Business logic flaws: Price manipulation, privilege escalation, unauthorised actions
  • Internal systems: Database access, admin functions, backend services
  • Third-party integrations: Partner systems, payment gateways, cloud services

The shift to microservices architecture and API-first development has expanded the attack surface dramatically. Modern applications may expose dozens or hundreds of API endpoints, each requiring proper security controls.

Types of APIs and Their Security Challenges

REST APIs

REST (Representational State Transfer) remains the most popular API architecture in 2026. REST APIs use HTTP methods (GET, POST, PUT, DELETE) to perform operations on resources identified by URLs.

Common security challenges:

  • Broken object level authorisation (BOLA/IDOR)
  • Excessive data exposure in responses
  • Missing rate limiting
  • Mass assignment vulnerabilities
  • Insecure HTTP methods (TRACE, OPTIONS exposing information)

GraphQL APIs

GraphQL has grown significantly, offering clients flexible query capabilities. This flexibility creates unique security challenges.

Common security challenges:

  • Query depth and complexity attacks (DoS)
  • Introspection enabled in production
  • Authorisation logic at field level (easy to miss)
  • Batch query attacks
  • Information disclosure through error messages

SOAP and XML-Based APIs

While less common in new projects, SOAP APIs remain prevalent in enterprise and legacy systems.

Common security challenges:

  • XML external entity (XXE) injection
  • XML bomb attacks
  • WSDL information disclosure
  • WS-Security implementation flaws

gRPC and Modern Protocols

gRPC and similar modern protocols are gaining adoption for high-performance scenarios.

Common security challenges:

  • Limited security tooling compared to REST
  • Binary protocol obscurity doesn’t equal security
  • Authentication and authorisation implementation complexity
  • Streaming endpoint vulnerabilities

The OWASP API Security Top 10

The OWASP API Security Project maintains the industry’s most recognised list of API vulnerabilities. The current edition is the OWASP API Security Top 10 (2023), which remains the authoritative reference as of 2026 — no newer version has been released. Understanding these categories is essential for effective API security testing. (Don’t confuse it with the separate OWASP Top 10 for web applications, which is a different project on its own release cadence.)

API1:2023 – Broken Object Level Authorisation (BOLA)

This is the most common and impactful API vulnerability. It occurs when an API doesn’t properly verify that the authenticated user should have access to the specific object being requested.

Example scenario:

GET /api/users/123/transactions

If the API only checks that the user is authenticated but not whether they own user ID 123, any logged-in user could access any other user’s transactions by changing the ID.

Testing approach: 1. Identify object references in endpoints (IDs, GUIDs, slugs) 2. Test with multiple user accounts 3. Attempt to access objects belonging to other users 4. Try sequential ID enumeration 5. Test both read and write operations

API2:2023 – Broken Authentication

Authentication flaws allow attackers to compromise tokens, passwords, or session identifiers to assume other users’ identities.

Common issues:

  • Weak password policies
  • Credential stuffing vulnerabilities (no rate limiting)
  • Predictable or weak tokens
  • Tokens that don’t expire
  • Insecure token storage
  • Missing multi-factor authentication

Testing approach: 1. Analyse authentication mechanisms (JWT, OAuth, API keys, sessions) 2. Test password reset workflows for account takeover 3. Attempt credential stuffing with rate limit testing 4. Decode and analyse tokens (JWT structure, claims, signatures) 5. Test token lifecycle (expiration, refresh, revocation)

API3:2023 – Broken Object Property Level Authorisation

This occurs when APIs expose more object properties than intended, either through excessive data exposure (reading) or mass assignment (writing).

Reading example – Excessive data exposure:

GET /api/users/me
Response:
{
  "id": 123,
  "name": "John Smith",
  "email": "john@example.com",
  "internal_notes": "VIP customer, discount approved",
  "credit_score": 750
}

Writing example – Mass assignment:

PUT /api/users/me
Request:
{
  "name": "John Smith",
  "is_admin": true  // User shouldn't be able to set this
}

Testing approach: 1. Compare API responses with UI display (extra fields?) 2. Capture and analyse full response objects 3. Test PATCH/PUT with additional parameters 4. Try setting admin flags, pricing fields, status fields 5. Fuzz parameter names based on naming conventions

API4:2023 – Unrestricted Resource Consumption

APIs without proper rate limiting or resource constraints can be abused for denial of service or cost exploitation.

Testing approach: 1. Test rate limiting on authentication endpoints 2. Attempt large batch requests 3. For GraphQL, test query depth and breadth limits 4. Test file upload size limits 5. Measure response times for complex queries

API5:2023 – Broken Function Level Authorisation

Similar to BOLA but at the function level. Users can access administrative or privileged functions they shouldn’t have access to.

Example:

POST /api/admin/users/delete

A standard user might be able to call this endpoint if the API doesn’t verify administrative privileges.

Testing approach: 1. Identify admin or privileged endpoints 2. Test with low-privilege accounts 3. Try guessing admin endpoint patterns 4. Test HTTP method switching (GET to POST, etc.) 5. Analyse API documentation for privileged functions

API6:2023 – Unrestricted Access to Sensitive Business Flows

This category is about abuse of legitimate functionality rather than a technical bug. A sensitive business flow — buying a limited-stock product, creating an account, posting a comment, redeeming a reward — is exposed without considering how automation could harm the business if the flow is used at scale. The individual requests are valid; the harm comes from volume and intent.

Example scenario:

POST /api/orders
{
  "product_id": "limited-edition-sku",
  "quantity": 1
}

If nothing stops a single actor from scripting thousands of these requests, a bot can buy out limited inventory in seconds (the classic scalping flow), exhaust promotional budgets, or flood a platform with spam accounts.

Testing approach: 1. Map the business flows that matter to the customer (checkout, signup, referral, reward redemption, content posting) 2. Determine whether each flow has automation defences (rate limits, device fingerprinting, CAPTCHA, anomaly detection) 3. Script the flow end-to-end and measure how many times it can be replayed from one identity 4. Test parallel execution from multiple accounts or sessions 5. Assess whether the controls degrade gracefully or fail open under load

API7:2023 – Server Side Request Forgery (SSRF)

SSRF occurs when an API fetches a remote resource from a user-supplied URL without validating it. The attacker coerces the server into making requests on their behalf — reaching internal services, cloud metadata endpoints, or other systems the attacker can’t touch directly.

Example scenario:

POST /api/import
{
  "source_url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}

An endpoint that imports data, fetches a webhook, generates a thumbnail from a URL, or validates a callback is a prime SSRF candidate. Cloud metadata services are a frequent target because they can leak temporary IAM credentials.

Testing approach: 1. Identify every parameter that accepts a URL, hostname, or file path 2. Point it at internal-only addresses (localhost, RFC 1918 ranges, cloud metadata IPs) 3. Test alternate encodings and redirect chains to bypass weak allow-lists 4. Try non-HTTP schemes (file://, gopher://, dict://) where the fetch library permits them 5. Use an out-of-band collaborator to confirm blind SSRF where no response is reflected

API8:2023 – Security Misconfiguration

APIs and the stack underneath them are configured across many layers — the application, the framework, the web server, the container, the cloud platform. A weakness in any of them can compromise the whole API. Misconfiguration is common because secure defaults are not universal and configuration drifts over time.

Common issues:

  • Missing or permissive CORS policies
  • Unnecessary HTTP methods enabled
  • Verbose error messages leaking stack traces or versions
  • Missing security headers
  • Default credentials or sample endpoints left in production
  • Unpatched components and out-of-date dependencies

Testing approach: 1. Probe CORS behaviour with crafted Origin headers 2. Enumerate enabled HTTP methods per endpoint (OPTIONS, TRACE, PUT, DELETE) 3. Trigger errors deliberately and inspect responses for stack traces and version banners 4. Check for missing transport and content security headers 5. Look for default, debug, or sample endpoints (/actuator, /debug, /swagger) that should not be exposed

API9:2023 – Improper Inventory Management

You cannot secure what you don’t know exists. Organisations lose track of deprecated API versions, undocumented endpoints, and hosts spun up for testing. These forgotten endpoints often run older code, skip current security controls, or expose data the documented API would never return.

Common issues:

  • Old API versions (/api/v1) left running after /api/v2 ships
  • Staging, dev, and debug hosts reachable from the internet
  • Undocumented endpoints absent from the OpenAPI/Swagger spec
  • No clear data-flow documentation showing which endpoints touch sensitive data

Testing approach: 1. Enumerate versions and environments (v1/v2/v3, staging, dev, internal) 2. Diff the live attack surface against the documented spec to find undocumented endpoints 3. Compare security controls across versions — old versions frequently lack current authorisation or rate-limiting logic 4. Probe deprecated endpoints for data and functionality removed from the current version 5. Cross-reference DNS, certificate transparency logs, and historical data to surface forgotten hosts

API10:2023 – Unsafe Consumption of APIs

Developers tend to trust data from third-party APIs more than data from end users — and apply weaker validation to it as a result. If a downstream or partner API is compromised or returns malicious data, that trust becomes the attacker’s path into your system.

Common issues:

  • Following redirects from third-party APIs without validation
  • No input validation or sanitisation on data received from upstream services
  • Unencrypted channels to third-party services
  • Insufficient resource limits when consuming external APIs (timeouts, response size)

Testing approach: 1. Map every third-party or partner API the application consumes 2. Test how the application handles malformed, oversized, or malicious responses from those services 3. Check whether redirects from upstream APIs are followed blindly 4. Verify that data ingested from third parties is validated and sanitised before use or storage 5. Confirm channels to third-party services are encrypted and authenticated

REST API Security Testing: A Worked Example

The methodology above is easier to follow with a concrete target. Here’s how a REST API security test progresses on one example endpoint set — a fictional api.shopdemo.example — moving from enumeration through authentication to BOLA and mass assignment. The point isn’t the specific bugs; it’s the order in which a tester uncovers them and how one finding feeds the next.

Step 1 – Enumerate the endpoints. Proxy the mobile and web clients through Burp Suite, then pull the OpenAPI spec from /api/v2/openapi.json. The documented surface is small:

GET  /api/v2/products
GET  /api/v2/products/{id}
POST /api/v2/orders
GET  /api/v2/users/{id}
PUT  /api/v2/users/{id}

Cross-referencing against captured traffic surfaces an endpoint missing from the spec — GET /api/v2/users/{id}/invoices — a reminder that the documented surface is rarely the whole surface (see API9, Improper Inventory Management).

Step 2 – Test authentication. The API issues a JWT on login. Decoding it shows the algorithm, claims, and expiry. The tester checks whether the signature is actually verified, whether alg: none is accepted, whether the token expires when it should, and whether a token from a deleted account is still honoured. The level of access available at this stage — black-box guessing versus credentialed testing with valid tokens for several roles — directly shapes how deep the rest of the test can go. We unpack that trade-off in our guide to black-box, white-box, and grey-box penetration testing.

Step 3 – Test for BOLA. Logged in as user 1001, the tester requests their own record, then swaps the ID:

GET /api/v2/users/1001          # 200 OK — own record
GET /api/v2/users/1002          # 200 OK — someone else's record
GET /api/v2/users/1002/invoices # 200 OK — and their invoices

The API authenticates the caller but never checks ownership of the requested object — textbook API1 BOLA. Sequential numeric IDs make the whole user table enumerable.

Step 4 – Test for mass assignment. The profile-update endpoint accepts a JSON body. The documented fields are name and email, but the tester adds properties the UI never sends:

PUT /api/v2/users/1001
{
  "name": "Test User",
  "role": "admin",
  "account_balance": 999999
}

The API binds the request body straight onto the user model, so role and account_balance are accepted — API3, Broken Object Property Level Authorisation, on the write path. Chained with the BOLA finding from step 3, a single low-privilege account can now rewrite any other user’s role.

This is the value of structured testing: enumeration revealed an undocumented endpoint, authentication testing established the access model, and the authorisation findings combined into a far more serious privilege-escalation chain than any one of them in isolation.

API Security Testing vs Application Security Testing

While API security testing focuses specifically on endpoints, authentication, and data exchange, application security (appsec) testing takes a comprehensive view of your entire application stack.

What is Application Security (AppSec) Testing?

AppSec testing encompasses multiple testing approaches to identify vulnerabilities across your entire application:

  • Static Application Security Testing (SAST) – Analysing source code for security flaws
  • Dynamic Application Security Testing (DAST) – Testing running applications including API endpoints
  • Interactive Application Security Testing (IAST) – Real-time analysis during automated testing
  • Software Composition Analysis (SCA) – Identifying vulnerabilities in third-party dependencies
  • API penetration testing – Deep security assessment of REST, GraphQL, and other API protocols
  • Business logic testing – Verifying authorisation rules and workflow security
  • Infrastructure security review – Evaluating hosting, containers, and cloud configurations

A comprehensive appsec testing programme combines these approaches to provide complete coverage. API security testing is a critical component, but represents just one layer of defence.

How API Testing Fits Into AppSec Testing Programmes

When you engage professional appsec testing services, API security testing becomes part of a broader assessment that includes:

Code-level review: SAST tools and manual code review identify vulnerabilities before code reaches production. This catches issues like hardcoded secrets, unsafe cryptography, and injection flaws at the source.

Runtime testing: DAST and API penetration testing evaluate your application’s behaviour under attack conditions. Pentesters test authentication bypass, authorisation failures, and business logic flaws.

Dependency analysis: Modern applications rely on dozens of third-party libraries and APIs. Comprehensive appsec testing includes scanning for known vulnerabilities in dependencies.

For organisations with API-heavy architectures (microservices, mobile backends, SaaS platforms), API security testing receives extra focus within the broader appsec testing scope.

Choosing the Right Testing Approach for Your Needs

Choose API-focused testing when:

  • You’re launching a new API or major API update
  • You have specific API security concerns (authentication, rate limiting, data exposure)
  • You need rapid assessment of specific endpoints
  • Your application is primarily API-driven

Choose comprehensive appsec testing when:

  • You need complete security assessment (code, runtime, dependencies, infrastructure)
  • You’re preparing for compliance audits (ISO 27001, SOC 2, PCI DSS)
  • You haven’t had professional security testing in 12+ months
  • You’re handling sensitive data requiring defence-in-depth

BSG offers both focused API penetration testing and comprehensive application security testing services. Our security engineers assess your specific risk profile and recommend the right testing scope to protect your applications effectively.

API Security Testing Methodology

This API security testing methodology runs in five phases — discovery and reconnaissance, authentication and authorisation, input validation and injection, business logic, and data exposure — each building on what the previous one uncovered. Following the phases in order is what turns a scattered list of checks into a repeatable engagement that finds the high-impact, chained vulnerabilities automated scanners miss.

Phase 1: Discovery and Reconnaissance

Identify API endpoints:

  • Review client-side code (mobile apps, web apps)
  • Analyse JavaScript files for API calls
  • Check robots.txt, sitemap.xml
  • Use browser developer tools to capture requests
  • Review API documentation (Swagger, OpenAPI specs)
  • Check subdomain enumeration (api.example.com, api-dev.example.com)

Map API structure:

  • List all endpoints and HTTP methods
  • Identify authentication mechanisms
  • Note request/response formats (JSON, XML, etc.)
  • Document parameter types and expected values
  • Identify rate limiting behaviour

Hunting Shadow and Zombie APIs

The endpoints in your documentation are rarely the whole picture, and a thorough API security assessment has to account for the ones nobody wrote down. Two categories matter most:

  • Shadow APIs – endpoints that exist but were never documented or formally approved: a quick integration added under deadline pressure, an internal admin endpoint, a partner-only route. Security review never saw them, so they often skip current authentication and authorisation controls.
  • Zombie APIs – older versions (/api/v1) left running after a newer version shipped. They keep serving traffic, run frozen code that misses recent fixes, and frequently lack the controls added to the current version.

Both map directly to API9: Improper Inventory Management — you cannot secure or even rate-limit an endpoint you don’t know is live. Surface them with:

  • Version and environment guessing – walk /api/v1, /api/v2, /api/v3, plus staging, dev, uat, and internal host prefixes
  • Spec-vs-reality diffing – compare the live attack surface against the OpenAPI/Swagger spec and flag anything that answers but isn’t documented
  • Passive sources – certificate transparency logs, DNS history, the Wayback Machine, and JavaScript bundles often reveal hostnames and routes that active scanning misses
  • Content discovery – brute-force endpoint paths with an API-oriented wordlist (more on tooling below)

Every shadow or zombie endpoint you find then runs through the same authentication, authorisation, and input-validation phases as the documented surface. They are not lower priority — historically they are where the worst findings live.

Phase 2: Authentication and Authorisation Testing

This is typically where the highest-impact vulnerabilities are found.

The depth of this phase depends heavily on the access you’re granted. Black-box testing with no credentials mirrors an external attacker but leaves authenticated logic untouched; credentialed (grey-box) testing with valid tokens for several roles is what actually exercises authorisation. Our breakdown of black-box, white-box, and grey-box penetration testing explains which model fits which API engagement.

Authentication testing: 1. Test credential validation (weak passwords, account lockout) 2. Analyse token generation and structure 3. Test token expiration and refresh mechanisms 4. Attempt token replay attacks 5. Test for hardcoded or default credentials 6. Check for authentication bypass techniques

Authorisation testing: 1. Create test users with different privilege levels 2. Test horizontal privilege escalation (user A accessing user B’s data) 3. Test vertical privilege escalation (regular user performing admin actions) 4. Test each endpoint with multiple user contexts 5. Test unauthenticated access to “authenticated” endpoints

Phase 3: Input Validation and Injection Testing

APIs often lack the input validation present in traditional web forms.

Test for:

  • SQL injection in query parameters
  • NoSQL injection (MongoDB, etc.)
  • Command injection in file processing endpoints
  • XML injection (XXE, XPath)
  • LDAP injection
  • Template injection
  • Server-side request forgery (SSRF)

Testing approach: 1. Identify all input points (path, query, headers, body) 2. Fuzz with injection payloads 3. Observe error messages for information disclosure 4. Test different encoding methods 5. Try multiple injection contexts

Phase 4: Business Logic Testing

Business logic flaws are unique to each API and require understanding the application’s intended behaviour.

Common scenarios:

  • Price manipulation in e-commerce APIs
  • Referral or reward system abuse
  • Race conditions in financial transactions
  • Workflow bypasses (skipping payment steps)
  • Coupon or discount code issues

Testing approach: 1. Understand the intended business workflows 2. Test for missing validation steps 3. Attempt out-of-sequence operations 4. Test race conditions with concurrent requests 5. Look for client-side validations that aren’t enforced server-side

Phase 5: Data Exposure and Privacy

Test for:

  • Sensitive data in API responses (passwords, keys, tokens)
  • PII exposure beyond what’s necessary
  • Error messages revealing system information
  • Debug endpoints or admin functions exposed
  • GraphQL introspection in production

Testing approach: 1. Review all API responses for sensitive data 2. Test error handling with malformed requests 3. Check for verbose error messages 4. Look for debug headers or parameters 5. Test GraphQL introspection queries

Essential Tools for API Security Testing

Burp Suite Professional

The industry standard for web application and API testing. Essential features for API testing:

  • Repeater: Modify and replay requests
  • Intruder: Automated fuzzing and parameter manipulation
  • Proxy: Intercept and analyse API traffic
  • Extensions: OpenAPI parser, JWT tools, GraphQL security

When to use: All phases of API testing, especially manual testing and authorisation checks.

OWASP ZAP

Free and open-source alternative to Burp Suite with strong API testing capabilities.

Key features:

  • API scanning from OpenAPI definitions
  • Fuzzing capabilities
  • Automation scripts for CI/CD integration

When to use: Budget-conscious projects, automated scanning, CI/CD integration.

Postman

While primarily used by developers, Postman is valuable for API security testing.

Security testing uses:

  • Collection Runner for automated test sequences
  • Pre-request scripts for token management
  • Environment variables for multi-user testing
  • Test scripts for response validation

When to use: Organising test cases, automated regression testing, team collaboration.

curl and Custom Scripts

For complex scenarios or automation, command-line tools provide flexibility.

Example – Testing BOLA:

#!/bin/bash
# Test access to 1000 user accounts with User A's token
TOKEN="user_a_token_here"
for i in {1..1000}; do
  curl -H "Authorization: Bearer $TOKEN" \
       "https://api.example.com/users/$i/profile" \
       -o "user_$i.json"
done

When to use: Large-scale testing, custom workflows, specific attack scenarios.

Specialized API Security Tools

Nuclei: Template-based vulnerability scanner with an actively maintained library of API-specific templates — one of the most frequently updated scanners in the ecosystem. GraphQL Cop: lightweight, maintained Python auditor for GraphQL APIs, handy for quick checks and CI/CD. JWT_Tool: actively maintained Swiss-army knife for JWT manipulation, tampering, and cracking. Kiterunner: API endpoint discovery and content-discovery brute-forcing — still widely used and effective, though no longer actively maintained (last release April 2021), so treat its bundled wordlist dataset as frozen at that point.

Common Pitfalls in API Security Testing

1. Only Testing the Happy Path

Testing valid requests with valid data won’t find security issues. You must test invalid inputs, unexpected sequences, and edge cases.

2. Ignoring Rate Limiting

Many testers assume rate limiting is in place. Always verify with actual testing, especially on authentication endpoints.

3. Testing with Only One User Account

Authorisation vulnerabilities require testing with multiple user contexts. Create test accounts at different privilege levels.

4. Relying Only on Automated Scanning

Automated tools miss business logic flaws, complex authorisation issues, and context-specific vulnerabilities. Manual testing is essential.

5. Not Testing Mobile APIs Directly

Mobile apps often communicate with APIs differently than web applications. Test the actual mobile traffic, not just the web version — capturing and replaying it is its own discipline, which we cover in our guide to mobile app security testing on iOS and Android.

Securing Your APIs: Developer Checklist

If you’re building APIs, implement these security controls:

Authentication & Authorisation:

  • Use industry-standard authentication (OAuth 2.0, OpenID Connect)
  • Implement proper authorisation checks on every endpoint
  • Validate user permissions for each object accessed
  • Use strong, randomly generated tokens
  • Implement token expiration and refresh

Input Validation:

  • Validate all inputs (path, query, headers, body)
  • Use allow-lists rather than deny-lists
  • Validate data types and formats
  • Implement request size limits
  • Sanitise output to prevent injection

Rate Limiting & Resource Control:

  • Implement rate limiting on all endpoints
  • Use stricter limits on authentication endpoints
  • Limit query complexity (especially GraphQL)
  • Restrict batch operations
  • Monitor for abuse patterns

Data Exposure:

  • Return only necessary data in responses
  • Remove debug information in production
  • Disable introspection in production (GraphQL)
  • Implement proper error handling (don’t leak system info)
  • Use HTTPS for all API communication

Monitoring & Logging:

  • Log authentication attempts (successes and failures)
  • Log authorisation failures
  • Monitor for unusual access patterns
  • Alert on potential abuse (rate limit hits, enumeration)
  • Maintain audit logs for sensitive operations

API Security Testing Checklist: Tester’s Edition

The developer checklist above covers what to build in. This one covers what to check — a scannable reference for the person running the assessment, ordered the way an engagement actually unfolds. It complements, rather than repeats, the build-time controls above.

Pre-engagement:

  • Scope agreed: which APIs, environments, and versions are in and out
  • Test accounts provisioned at every privilege level (and ideally two of each, for horizontal checks)
  • API documentation and OpenAPI/Swagger specs obtained
  • Staging or test environment confirmed — never test against production data
  • Rules of engagement set: rate-limit tolerance, destructive-test boundaries, escalation contacts

Phase 1 – Discovery:

  • Client-side code and JavaScript bundles reviewed for endpoints
  • Documented surface mapped (endpoints, methods, parameters, auth schemes)
  • Shadow endpoints hunted (spec-vs-traffic diff, content discovery)
  • Zombie versions and non-prod hosts enumerated (v1/v2, staging, dev, internal)

Phase 2 – Authentication & authorisation:

  • Token structure, signature verification, and expiry tested (including alg: none)
  • Credential validation, lockout, and reset workflows tested
  • BOLA: object access tested across user contexts and via ID enumeration
  • Function-level authorisation: privileged endpoints tested with low-privilege accounts
  • Unauthenticated access attempted against “authenticated” endpoints

Phase 3 – Input validation & injection:

  • All input points fuzzed (path, query, headers, body)
  • Injection classes tested (SQL, NoSQL, command, XXE, template, LDAP)
  • SSRF tested on every URL/host parameter (incl. cloud metadata endpoints)

Phase 4 – Business logic & abuse:

  • Sensitive business flows mapped and automation-replayed at scale (API6)
  • Race conditions tested with concurrent requests
  • Workflow and payment-step bypasses attempted

Phase 5 – Data exposure & misconfiguration:

  • Responses reviewed for excessive data and mass-assignment write paths
  • Error handling, verbose messages, and debug endpoints checked (API8)
  • CORS, security headers, and enabled HTTP methods verified
  • GraphQL introspection confirmed disabled in production

Reporting:

  • Findings reproducible against specific endpoints with request/response evidence
  • Severity tied to real business impact, not just CVSS
  • Remediation guidance and a re-test plan agreed

When to Conduct API Security Testing

During development: Integrate security testing into your CI/CD pipeline with automated API scans.

Before launch: Conduct thorough penetration testing covering all endpoints and user scenarios.

Regular intervals: Quarterly or bi-annual testing for production APIs, especially after significant changes.

After incidents: If a security issue is found, test the entire API surface, not just the affected endpoint.

Compliance requirements: Many standards (PCI DSS, SOC 2, ISO 27001) require regular comprehensive security testing assessments.

For organisations serious about API security, professional penetration testing services provide comprehensive assessment by experienced security professionals who understand both common vulnerabilities and business-specific risks.

Conclusion

API security testing is no longer optional in 2026. With APIs forming the foundation of modern applications, organisations must prioritise testing to protect customer data, business logic, and system integrity.

Effective API security testing requires:

  • Understanding different API architectures and their unique challenges
  • Following a structured methodology from discovery through business logic testing
  • Using the right tools for the job
  • Testing with multiple user contexts and privilege levels
  • Thinking like an attacker to find what automated tools miss

Whether you’re conducting in-house security testing or engaging professional services, the investment in API security testing pays dividends by preventing breaches, protecting reputation, and maintaining customer trust.

Launching a new API, or auditing an existing one?
BSG runs OWASP API Top 10 assessments across REST, GraphQL, SOAP, and gRPC — covering BOLA, broken auth, mass assignment, and business-logic abuse — with reproducible findings tied to your specific endpoints and a 90-day re-test included.

Request a quote →

Frequently Asked Questions

What is API security testing?

API security testing is the process of evaluating an application’s APIs to identify vulnerabilities, misconfigurations, and design flaws that could be exploited by attackers. It includes testing authentication, authorisation, input validation, business logic, and data exposure across all API endpoints.

What is AppSec testing and how does it differ from API testing?

Application security (appsec) testing is a comprehensive security assessment that examines your entire application stack—source code, runtime behaviour, dependencies, APIs, and infrastructure. While API testing focuses specifically on endpoint security, authentication, and data exchange vulnerabilities, appsec testing includes SAST (static code analysis), DAST (dynamic testing), API penetration testing, and dependency scanning. Organisations with complex applications benefit from periodic comprehensive appsec testing (annually or when major changes occur) combined with focused API testing for new endpoints or integrations.

How long does API security testing take?

API security testing duration depends on the API’s complexity and scope. A basic REST API with 10-20 endpoints might take 2-3 days, whilst a complex microservices architecture with dozens of APIs and multiple authentication mechanisms could require 2-3 weeks. Factors include the number of endpoints, authentication complexity, user roles, and business logic complexity. These same factors drive cost as well as duration — our guide to what you can expect to pay for penetration testing breaks down how scope translates into a quote.

What’s the difference between API testing and API penetration testing?

API testing (functional testing) verifies that APIs work as intended, returning correct data and handling requests properly. API penetration testing (security testing) actively attempts to exploit vulnerabilities, bypass security controls, and access unauthorised data. Penetration testing simulates real-world attacks to find security weaknesses before malicious actors do.

Can automated tools find all API vulnerabilities?

No. Automated tools excel at finding common issues like missing authentication, SQL injection, and excessive data exposure. However, they miss business logic flaws, complex authorisation issues, and context-specific vulnerabilities. Effective API security testing requires both automated scanning and manual testing by experienced security professionals.

How often should we test our APIs for security issues?

Test APIs during initial development, before production launch, and regularly thereafter. Minimum recommendation: annual penetration testing for stable APIs, quarterly testing for frequently updated APIs or those handling sensitive data. Also test after major changes, security incidents, or when compliance requirements dictate. Many organisations integrate automated API security scanning into CI/CD pipelines for continuous testing.

Should we do API testing or full appsec testing?

The answer depends on your application architecture and risk profile. Choose focused API testing when you need rapid assessment of specific endpoints, are launching a new API, or have API-specific concerns. Choose comprehensive appsec testing when you need complete security coverage (code, runtime, dependencies, infrastructure), are preparing for compliance audits, or haven’t had professional security testing in 12+ months. Many organisations benefit from annual appsec testing combined with API testing for significant updates or new integrations. BSG’s security consultants can help you determine the right testing scope based on your specific needs and risk tolerance.

What’s BOLA and why is it so common in APIs?

BOLA (Broken Object Level Authorisation), also called IDOR (Insecure Direct Object Reference), occurs when an API doesn’t verify that an authenticated user should access a specific object. For example, if /api/users/123/orders returns data for user 123 without checking if the requesting user owns that account, any authenticated user can access any other user’s orders. It’s common because developers often implement authentication (checking who you are) but forget authorisation (checking what you can access).

Should we test our internal APIs?

Yes. Internal APIs are critical attack targets. If an attacker gains access to your network (via phishing, compromised employee account, or other means), insecure internal APIs provide pathways to sensitive data and systems. Treat internal APIs with the same security rigour as public-facing ones.

What credentials do pentesters need for API testing?

Effective API security testing requires test accounts at different privilege levels: standard user, power user/premium account, administrator, and ideally multiple accounts of each type to test horizontal authorisation. Providing API documentation, OpenAPI specifications, and access to staging/test environments significantly improves testing quality. Never provide production credentials that could affect live data.