Q31 of 37 · API testing
How would you test for security vulnerabilities at the API layer (OWASP API Top 10)?
Short answer
For each OWASP API Top 10 category, write targeted tests: BOLA (request other tenants' resources), broken auth (tampered, expired or missing tokens), excessive data exposure (compare every response to its documented schema), injection (malicious payloads), rate limiting, and so on. Combine with automated scans (ZAP, Burp, Schemathesis) for breadth; every bug already found becomes a permanent regression test.
Detail
The 2023 OWASP API Top 10 covers the most common API security weaknesses. Each warrants test coverage; together they form a security-regression suite.
API1 — Broken Object Level Authorisation (BOLA): The most common and most exploited API flaw. User A requests user B's resource by id and the API returns it. Test:
import { test, expect } from '@playwright/test';

test('API1: user A cannot read user B order', async ({ request }) => {
  const tokenA = await getToken('userA');                          // test helper: log in as user A
  const userBResource = '/users/B/orders/123';                     // a resource owned by user B
  const res = await request.get(userBResource, { headers: auth(tokenA) }); // auth(): Bearer header
  expect([403, 404]).toContain(res.status());                     // 403, or 404 if hiding existence
});
Repeat for every resource the API exposes (orders, files, messages) and for every method, not just GET: a PATCH or DELETE on another tenant's id is the same bug with worse consequences, and it is the one most suites forget to cover.
API2 — Broken Authentication:
- Tampered tokens → 401.
- Expired tokens → 401.
- Tokens from a different audience or issuer → 401.
- Tokens signed with alg: none (empty signature) → 401.
- Tokens with a valid header but edited claims → 401 (signature must be checked before any claim is read).
- Brute-force the login endpoint → rate limited, with no difference in response between "unknown user" and "wrong password".
API3 — Broken Object Property Level Authorisation:
Merges the older "excessive data exposure" and "mass assignment" categories. Read side: the response carries fields the client was never meant to see (password hashes, internal flags, other users' data); diff every response against its documented schema and fail on any extra field. Write side: PATCH /users/me with { role: 'admin' } succeeds when it shouldn't; test by sending fields the caller should not control and asserting they are rejected (400/403) or ignored, never silently applied.
API4 — Unrestricted Resource Consumption:
- Send very large payloads (10MB JSON) — should reject.
- Send very deep nested objects — should reject.
- Pagination with a very large per_page → should cap to a fixed maximum.
API5 — Broken Function Level Authorisation:
- A non-admin calls an admin-only endpoint → 403.
- Cover hidden / undocumented endpoints: fuzz the URL space (/users/123/admin, /internal/...) and confirm they're not accessible.
API6 — Unrestricted Access to Sensitive Business Flows:
- A user can submit 1000 password reset requests and exhaust the email quota → the flow should be throttled per account and per source address.
- A bot can scrape the entire user list via paginated GETs → sequential paging at machine speed should be rate limited or capped, even for an authenticated caller.
API7 — Server-Side Request Forgery (SSRF):
Endpoints that take URLs (webhook config, file import): submit http://localhost, http://127.0.0.1, http://169.254.169.254 (AWS metadata service) and the same addresses in other encodings (the IP as a decimal integer, IPv6 ::1); all should be rejected. Blocking the literal strings is not enough: a hostname that resolves to an internal address, and a public URL that redirects to one, must also be rejected, so the tests need a resolver and a redirecting target you control.
API8 — Security Misconfiguration:
- CORS: Access-Control-Allow-Origin reflecting the request's Origin together with Access-Control-Allow-Credentials: true lets any site make authenticated requests; a wildcard * on authenticated endpoints is also wrong. Should be an explicit allow-list of origins.
- Missing security headers (X-Frame-Options, Content-Security-Policy).
- Stack traces in error responses.
API9 — Improper Inventory Management:
- Old API versions still alive past sunset.
- Documentation lags behind implementation.
API10 — Unsafe Consumption of APIs: Your API calls third parties; if their response is malformed/malicious, do you handle it safely? Test with a controlled mock returning huge / malformed responses.
Automated complement:
- OWASP ZAP — active scan against staging.
- Burp Suite — manual penetration testing.
- Schemathesis — property-based fuzzing from OpenAPI.
Regression baseline: every security bug found becomes a permanent test. The suite encodes the team's threat model.
The senior signal: covering the categories systematically, complementing manual tests with scanners, and treating security tests as regression — once a bug is found, it never comes back.