Testing Your API for Vulnerabilities Tools and Techniques
Building a secure API is not a one-time event. Security testing is an ongoing process that finds vulnerabilities before attackers do. This topic covers the tools and testing techniques used to evaluate API security — from automated scanning to manual penetration testing.
Types of Security Testing
Static Application Security Testing (SAST): Analyzes source code without running the application. Finds: Hardcoded secrets, SQL injection patterns, insecure function calls. When: During development, in CI/CD pipeline on every commit. Speed: Fast (seconds to minutes). High false positive rate. Dynamic Application Security Testing (DAST): Tests the running application by sending real HTTP requests. Finds: Runtime vulnerabilities, misconfigurations, injection flaws. When: Against staging environment. Periodic production-safe scans. Speed: Slower (minutes to hours). Low false positive rate for confirmed issues. Interactive Application Security Testing (IAST): Agents run inside the application and observe code during testing. Combines SAST accuracy with DAST coverage. When: During automated integration tests in CI/CD. Penetration Testing (Manual): Human security tester actively tries to compromise the API. Finds: Logic flaws, complex authorization issues, chained attacks. When: Pre-launch for high-risk APIs, annually for production APIs. Duration: Days to weeks. Bug Bounty Programs: External security researchers continuously test public APIs. Finds: Real-world vulnerabilities discovered by skilled external testers. When: Ongoing for publicly accessible APIs.
Essential API Security Testing Tools
Burp Suite
The industry-standard tool for manual API security testing. Acts as a proxy between your test client and the API. Key Features for API Testing: Intercept: Capture every API request and modify it before sending. Repeater: Send the same modified request multiple times. Intruder: Automated fuzzing — try thousands of input variations. Scanner: Automated vulnerability scanner. Decoder: Encode/decode Base64, URL encoding, JWT payloads. Common API Test Workflow in Burp: 1. Configure browser or Postman to use Burp as proxy (127.0.0.1:8080). 2. Browse the application normally — Burp captures all requests. 3. Send interesting requests to Repeater. 4. Modify parameters: change user IDs, add SQL injection, modify JWT. 5. Observe differences in responses to identify vulnerabilities. Example — Testing for BOLA: Capture: GET /api/invoices/9901 (your invoice) In Repeater: Change 9901 to 9902, 9903, 9904... Look for 200 responses on IDs that do not belong to you.
OWASP ZAP (Zed Attack Proxy)
Free, open-source alternative to Burp Suite.
Excellent for automated scanning in CI/CD pipelines.
API Testing with ZAP:
Import OpenAPI specification → ZAP generates test cases automatically.
Active scan: Sends attack payloads to all discovered endpoints.
Passive scan: Analyses traffic without sending extra requests.
ZAP in CI/CD (GitHub Actions example):
- name: Run OWASP ZAP API Scan
uses: zaproxy/action-api-scan@v0.5.0
with:
target: 'https://staging-api.company.com'
format: openapi
api_spec: './docs/openapi.yaml'
fail_action: true # Fails the build if HIGH findings exist
This automatically tests every API endpoint defined in the spec
on every pull request or deployment to staging.
Postman
Primarily a development tool, Postman is also used for security testing.
Security Uses:
Manually craft and send edge-case requests.
Test authentication flows step by step.
Collection Runner: run hundreds of test cases automatically.
Environment variables: easily switch between test accounts (UserA, UserB).
BOLA Testing with Postman:
Collection 1 (UserA):
POST /api/login (UserA credentials) → Save token to env variable
GET /api/orders → List orders, note order IDs belonging to UserA
Collection 2 (UserB):
POST /api/login (UserB credentials) → Save token to env variable
GET /api/orders/{UserA_order_id} → Should return 403
→ If returns 200: BOLA confirmed.
Postman also has automated test scripts:
pm.test("Should not access other user's data", function() {
pm.response.to.have.status(403);
});
SQLMap
Automated SQL injection detection and exploitation tool.
Use ONLY on systems you have explicit permission to test.
Basic API SQL injection test:
sqlmap -u "https://api.company.com/products?category=shoes" \
--cookie="session=your_session_cookie" \
--level=3 --risk=2 \
--dbms=mysql \
--dbs # List all databases if injection found
Testing POST endpoints:
sqlmap -u "https://api.staging.company.com/api/search" \
--data='{"query":"test"}' \
--headers="Content-Type: application/json" \
--headers="Authorization: Bearer YOUR_TOKEN" \
--level=3
SQLMap findings tell you:
Whether the endpoint is vulnerable.
What database engine is being used.
What tables exist (if injectable).
Can be used to extract data in authorized testing scenarios.
JWT Security Tools
jwt.io:
Paste any JWT to decode header and payload instantly.
Verify signatures with known secrets or public keys.
Test the "none" algorithm vulnerability manually.
jwt_tool (Python, command line):
Test for common JWT vulnerabilities automatically.
python3 jwt_tool.py TOKEN --all # Tests all known JWT attacks
Tests include:
Algorithm none attack
HS256 signature without secret check
RS256 to HS256 confusion
Key id (kid) injection
JWT expiry bypass
Jose / PyJWT libraries:
Implement custom JWT manipulation for specific test scenarios.
Nikto and Other Reconnaissance Tools
Nikto:
Web server scanner that detects outdated software, misconfigurations,
and common vulnerabilities.
nikto -h https://api.company.com -ssl
Gobuster / feroxbuster:
Brute-force API endpoint discovery using wordlists.
feroxbuster -u https://api.company.com -w /usr/share/wordlists/api_endpoints.txt
Finds: Shadow APIs, admin endpoints, debug endpoints,
undocumented paths.
Amass / subfinder:
DNS enumeration to discover all subdomains.
May reveal staging, dev, or internal API endpoints exposed publicly.
amass enum -d company.com
Manual Testing Checklist
Authentication Tests: □ Can you access protected endpoints without a token? □ Does the API accept expired tokens? □ Does the API accept tokens with invalid signatures? □ Does the API accept JWT with algorithm "none"? □ Can you brute force the JWT secret? (use jwt_tool) □ Does the login endpoint have rate limiting? □ Does the password reset endpoint have rate limiting? Authorization Tests (BOLA/IDOR): □ Create two accounts (User A, User B). □ With User A, access every resource endpoint. □ With User B's token, try every resource ID from User A. □ Any 200 response = BOLA. Authorization Tests (BFLA): □ With a regular user token, try every admin endpoint. □ Try all HTTP methods on regular endpoints. □ Try accessing previous API version endpoints. Input Validation Tests: □ Send SQL injection strings in all text parameters. □ Send scripts in text fields (XSS). □ Send oversized values (10MB string for a 50-char field). □ Send negative numbers, zero, floats where integers expected. □ Send null values for required fields. □ Send extra fields not in the API spec (mass assignment). □ Send XXE payload if endpoint accepts XML. Data Exposure Tests: □ Check every response for fields not needed by the client. □ Check error messages for stack traces or DB info. □ Verify sensitive fields are masked (card, SSN, passwords). □ Check that 404 responses do not reveal resource existence. Transport Security Tests: □ Check SSL Labs rating (aim for A+). □ Verify HTTP is redirected to HTTPS. □ Check HSTS header is present with adequate max-age. □ Verify all security response headers are present. Rate Limiting Tests: □ Send >100 requests in 1 minute to each endpoint. □ Does the API return 429? □ Does the 429 response include Retry-After header? □ Can you bypass rate limiting by rotating IPs or User-Agents?
Integrating Security Testing into CI/CD
Security testing at every stage of the pipeline:
Developer Workstation:
Pre-commit hooks:
- Secret scanning (detect API keys, passwords in code)
- SAST linting (detect common security code smells)
Tools: pre-commit, gitleaks, semgrep
Pull Request / CI Build:
- SAST: Full static analysis (Semgrep, Checkmarx, SonarQube)
- Dependency vulnerability scanning (npm audit, OWASP Dependency-Check)
- Unit tests including security-focused tests
Staging Environment Deployment:
- DAST: OWASP ZAP, Burp Suite Enterprise automated scan
- API schema validation testing
- Authentication and authorization test suite
Pre-Production:
- Manual penetration test (for major releases)
- Full security checklist sign-off
Production:
- Continuous monitoring and anomaly detection (Topic 23)
- Periodic automated scans against production (passive/safe scans)
- Bug bounty program
Fail build on:
Critical or High severity SAST findings (no exceptions)
Known critical CVEs in dependencies
DAST findings rated High or above
Responsible Disclosure and Bug Bounty
For public-facing APIs, a security.txt file and bug bounty program encourage researchers to report issues responsibly. security.txt (at https://api.company.com/.well-known/security.txt): Contact: security@company.com Expires: 2026-01-01T00:00:00Z Encryption: https://api.company.com/pgp-key.txt Policy: https://company.com/responsible-disclosure Preferred-Languages: en, hi Bug Bounty Platforms: HackerOne, Bugcrowd, Intigriti, Synack Scope definition (what researchers can and cannot test): In scope: api.company.com, staging-api.company.com (with permission) Out of scope: Production database, third-party services, DoS attacks Reward structure (example): Critical (RCE, auth bypass): ₹2,50,000 - ₹10,00,000 High (BOLA, data exposure): ₹50,000 - ₹2,50,000 Medium (CSRF, minor leak): ₹10,000 - ₹50,000 Low (info disclosure): ₹2,000 - ₹10,000
Key Points
- Use SAST in development, DAST against staging, and manual penetration testing before major releases. All three catch different vulnerability types.
- Burp Suite is the standard tool for manual API security testing. It intercepts, modifies, and replays requests to probe for vulnerabilities.
- OWASP ZAP integrates into CI/CD pipelines to automatically test APIs on every deployment.
- Always test with two accounts (User A and User B) to verify BOLA — access another user's resources using their IDs and your token.
- Integrate security testing into every stage of the CI/CD pipeline: commit-time secret scanning, build-time SAST, deployment-time DAST.
- A published responsible disclosure policy and bug bounty program harness the security research community to find issues before malicious attackers do.