Home GuidesAPI Security Testing Guide (OWASP API Top 10)

API Security Testing Guide (OWASP API Top 10)

Test REST and GraphQL APIs against the OWASP API Security Top 10 — broken object/function-level authorization, mass assignment, excessive data exposure, and rate-limit flaws.

Intermediate

6 steps18 payload examples~60 min

Authorized testing only. Only use these techniques on systems you have explicit permission to test.

Map the API surface

Collect every endpoint, method, and parameter from docs, OpenAPI/Swagger specs, JS bundles, and proxy traffic. You can't test what you haven't enumerated. Note auth requirements and object IDs per route.

Example payloads

GET /openapi.json

GET /api/v1/swagger.json

# proxy the mobile/web client and harvest routes

Test Broken Object Level Authorization (BOLA/IDOR)

API #1 risk. Swap object identifiers across accounts — if user A can read/modify user B's object by changing an ID, authorization is broken. Test numeric, UUID, and nested IDs.

Example payloads

GET /api/v1/users/1001/orders   (as user 1002)

PUT /api/v1/accounts/{otherId}

GET /api/v1/invoices/{guessable-uuid}

Test Broken Function Level Authorization (BFLA)

Call privileged or admin-only functions as a low-privileged user, and try undocumented methods. Many APIs gate the UI button but not the endpoint.

Example payloads

DELETE /api/v1/users/55   (as a normal user)

POST /api/v1/admin/promote

# swap GET->PUT/PATCH/DELETE on a read endpoint

Probe mass assignment & excessive data exposure

Send extra fields the client never shows (role, isAdmin, balance) and check whether the API binds them. Inspect responses for over-fetching — objects returning fields the UI hides.

Example payloads

PATCH /api/v1/users/me  {"role":"admin"}

POST /api/v1/orders {"price":0,"status":"paid"}

# diff response fields vs what the UI uses

Test injection through API parameters

APIs pass arguments to SQL/NoSQL/OS/GraphQL resolvers. Treat every JSON field, query param, and header as an injection point.

Example payloads

{"filter":"' OR '1'='1"}

{"q":{"$ne":null}}   # NoSQL operator injection

X-Forwarded-Host: attacker.tld

Check rate limiting, then report

Brute-force OTP/login and resource-heavy endpoints to confirm throttling; try header tricks and batching to bypass it. Report findings mapped to the OWASP API Top 10 with concrete reproduction and remediation (per-object authz, allow-list binding, server-side rate limits).

Example payloads

# 500 rapid requests to /api/v1/login

X-Forwarded-For: rotating-ip-per-request

GraphQL alias batching to defeat per-request limits

Related Resources

API Security Cheat Sheet

Quick reference

API Security Testing Hub

Open the tool

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...

Map the API surface

Example payloads

GET /openapi.json

GET /api/v1/swagger.json

# proxy the mobile/web client and harvest routes

Test Broken Object Level Authorization (BOLA/IDOR)

API #1 risk. Swap object identifiers across accounts — if user A can read/modify user B's object by changing an ID, authorization is broken. Test numeric, UUID, and nested IDs.

Example payloads

GET /api/v1/users/1001/orders   (as user 1002)

PUT /api/v1/accounts/{otherId}

GET /api/v1/invoices/{guessable-uuid}

Probe mass assignment & excessive data exposure

Send extra fields the client never shows (role, isAdmin, balance) and check whether the API binds them. Inspect responses for over-fetching — objects returning fields the UI hides.

Example payloads

PATCH /api/v1/users/me  {"role":"admin"}

POST /api/v1/orders {"price":0,"status":"paid"}

# diff response fields vs what the UI uses

Check rate limiting, then report

Example payloads

# 500 rapid requests to /api/v1/login

X-Forwarded-For: rotating-ip-per-request

GraphQL alias batching to defeat per-request limits