API Testing

API security testing is the process of finding and validating API vulnerabilities, such as broken authentication, authorization flaws, and injection. API security testing is important because APIs expose sensitive data and business logic by design, making them a top target for attackers.

API security testing often includes automated API vulnerability scanning, traffic analysis and manipulation (or fuzzing), plus continuous checks in CI/CD. API penetration testing is typically a tightly-scoped, time-boxed, manual pentest focused on deeper exploitation paths of specific sets of APIs. Many teams use both. Automated API security testing is frequently used for continuous validation and broad application portfolio coverage, while API pentesting is reserved for the organization's most critical assets or where regulation mandates it.

Yes, automated API security testing can run in CI/CD. It's accomplished by executing security test suites on every build, pull request, or release. This “shift-left” approach catches API vulnerabilities early and supports continuous API security posture improvement.

Testing with authenticated context is often where challenges arise for security testing, even for skilled practitioners. Most APIs don't make data or functionality available to anonymous users. Better test tooling provides ways to capture and repurpose valid sessions from live traffic to check for authentication or authorization flaws. Test tools may also provide a macro recording and playback mechanism, or they make use of Selenium scripts that can replay as needed to spawn valid, authenticated sessions.

Static application security testing (SAST) analyzes source code to find API security issues before runtime. Dynamic application security testing (DAST) tests APIs running in infrastruture without the source code context to identify exploitable vulnerabilities. Interactive applicaton security testing (IAST) aims to combine both techniques of SAST and DAST, instrumenting the application runtime directly, using extended traffic analysis, or evaluating application logs to detect issues. Using multiple forms of testing improves API security coverage across the SDLC.

The OWASP API Security Top 10 is frequently used as a starting point. Top risks include broken object level authorization (BOLA), broken authentication, broken object property level authorization (BOPLA), broken function level authorization (BFLA), security misconfiguration, and unsafe consumption of APIs, specifically third-party APIs.

Authorization testing verifies role-based access control (RBAC) and attribute-based access control (ABAC) mechanisms by exercising API endpoints with different roles, tenants, and/or scopes to confirm least-privilege access. Specifically, testing for horizontal and vertical privilege escalation involves attempting actions beyond the user’s permissions. In the case of horizontal privilege escalation, you are checking to see if one user can access the data or functionality of another user with similar permision levels. In the case of vertical privilege escalation, you are checking to see if a user can attain priviliged or administrative access.

Authorization testing verifies role-based access control (RBAC) and attribute-based access control (ABAC) mechanisms by exercising API endpoints with different roles, tenants, and/or scopes to confirm least-privilege access. Specifically, testing for horizontal and vertical privilege escalation involves attempting actions beyond the user’s permissions. In the case of horizontal privilege escalation, you are checking to see if a user can access unauthorized data or functionality of another user with similar permision levels. In the case of vertical privilege escalation, you are checking to see if a user can attain unauthorized administrative access.

To test for BOLA manually, you can attempt to access or modify resources by changing object IDs (e.g., change /users/123 to /users/124) while staying authenticated as a different user. Intercepting proxy tools like Burp Suite or OWASP ZAP common in pentesting can be used to perform this type of valiation. Effective API authorization testing at scale verifies object-level access control across every endpoint and method in an automated way.

Excessive data exposure testing involves inspecting API responses for sensitive fields such as personally identifiable information (PII), secrets, internal IDs, and account numbers that are returned unnecessarily. The goal is to validate response filtering, field-level authorization, and safe defaults for serialization as described the OWASP risk API3:2023 Broken Object Property Level Authorization (BOPLA).