API & Mobile Security

API Security Testing


APIs are the backbone of modern applications, and the OWASP API Security Top 10 is a good guide to testing priorities. APIs are often protected less carefully than the web interfaces built on top of them, because they are assumed to be called only by trusted clients.

OWASP API Security Top 10:2023

#       Vulnerability                                         Bug Bounty Relevance
API1    Broken Object Level Authorization                     HIGH - Most common finding
API2    Broken Authentication                                 HIGH - Account takeover
API3    Broken Object Property Level Authorization            HIGH - Data exposure
API4    Unrestricted Resource Consumption                     MEDIUM - DoS potential
API5    Broken Function Level Authorization                   HIGH - Admin access
API6    Unrestricted Access to Sensitive Business Flows       HIGH - Business logic
API7    Server-Side Request Forgery                           HIGH - Internal access
API8    Security Misconfiguration                             MEDIUM - Info disclosure
API9    Improper Inventory Management                         MEDIUM - Shadow APIs
API10   Unsafe Consumption of APIs                            MEDIUM - Third-party risks

API Discovery

Finding API Endpoints

# From JavaScript files
cat wayback-urls.txt | grep "\.js$" | while read url; do
    curl -s "$url" | grep -oE "(\/api\/[^\"']+|\/v[0-9]+\/[^\"']+)"
done

# From mobile apps (decompiled)
grep -r "api\." ./decompiled/ | grep -oE "https?://[^\"']+"

# From traffic capture
# Use Burp Suite to proxy all app traffic

API Documentation

# Check for exposed docs
/swagger
/swagger-ui
/swagger.json
/openapi.json
/api-docs
/api/docs
/graphql
/.well-known/openapi.yaml

# Use API fuzzing wordlists
ffuf -u https://api.example.com/FUZZ -w api-endpoints.txt

REST API Testing

BOLA (Broken Object Level Authorization)

# Test every endpoint with object IDs
# User A's token → User B's resource

GET /api/users/12345/orders
Authorization: Bearer <user_a_token>
# Change to user B's ID

GET /api/users/12346/orders
Authorization: Bearer <user_a_token>
# If returns user B's data = BOLA

Mass Assignment

# Add extra fields to requests (role, is_verified and balance are the added fields;
# JSON has no comments, so they are listed here instead of inline)
POST /api/users/profile
{
    "name": "Attacker",
    "role": "admin",
    "is_verified": true,
    "balance": 99999
}

# Check the response (or a follow-up GET) to see whether the added fields were accepted
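As an added example that is not part of the original page: the server-side checks that close the two findings above (BOLA and mass assignment), written in plain Python with constructed sample data and hypothetical handler names so it runs without a web framework.

```python
from dataclasses import dataclass
import logging

log = logging.getLogger("api")

# Constructed sample data standing in for the application's database
ORDERS = {
    "12345": [{"id": "o1", "total": 40}],
    "12346": [{"id": "o2", "total": 99}],
}
PROFILES = {
    "12345": {"name": "Alice", "role": "user", "is_verified": False, "balance": 10},
}

# Fields a client may set on its own profile; everything else is server-owned
PROFILE_WRITABLE = {"name"}


@dataclass
class Caller:
    """Identity taken from the verified token, never from the URL or body."""
    user_id: str
    role: str = "user"


class Forbidden(Exception):
    pass


def get_orders(caller: Caller, user_id: str) -> list:
    """BOLA fix: compare the requested object's owner with the caller (hypothetical handler)."""
    if caller.user_id != user_id and caller.role != "admin":
        # A valid token asking for someone else's object is the signal to alert on
        log.warning("BOLA attempt: %s requested orders of %s", caller.user_id, user_id)
        raise Forbidden("not the owner of this resource")
    return ORDERS.get(user_id, [])


def update_profile(caller: Caller, user_id: str, payload: dict) -> dict:
    """Mass-assignment fix: only allow-listed fields reach the stored record."""
    if caller.user_id != user_id:
        raise Forbidden("not the owner of this resource")
    ignored = sorted(set(payload) - PROFILE_WRITABLE)
    if ignored:
        # Server-owned fields arriving from a client are a probe worth logging
        log.warning("ignored fields from %s: %s", caller.user_id, ignored)
    PROFILES[user_id].update({k: payload[k] for k in PROFILE_WRITABLE & set(payload)})
    return {"profile": dict(PROFILES[user_id]), "ignored": ignored}
```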

Rate Limiting

# Test rate limits
for i in {1..100}; do
    curl -s -o /dev/null -w "%{http_code}\n" \
         "https://api.example.com/login" \
         -d "user=test&pass=test$i"
done

# No rate limit = bruteforce possible

GraphQL Security

Introspection

# Check if introspection enabled
POST /graphql
{
    "query": "{__schema{types{name,fields{name}}}}"
}

# If returns schema = map all queries/mutations

Common GraphQL Bugs

# Query batching for auth bypass (one HTTP request carrying many login attempts,
# which sidesteps per-request rate limits)
[
    {"query": "mutation { login(user:\"admin\", pass:\"a\") { token }}"},
    {"query": "mutation { login(user:\"admin\", pass:\"b\") { token }}"}
]
# ... thousands more entries in the same array

# Nested queries for DoS
query {
  users {
    friends {
      friends {
        friends {
          name
        }
      }
    }
  }
}

# Alias-based data extraction
query {
  user1: user(id: "1") { email }
  user2: user(id: "2") { email }
  user3: user(id: "3") { email }
}

GraphQL Tools

# GraphQL voyager - visual schema explorer
# InQL - Burp extension for GraphQL

# Clairvoyance - schema extraction without introspection
python3 -m clairvoyance https://example.com/graphql -o schema.json

Authentication Testing

JWT Attacks

# Check algorithm
# Decode header, try none algorithm
# Try RS256 → HS256 confusion

# jwt_tool automation
python3 jwt_tool.py <token> -M at                 # All tests (playbook audit + claim fuzzing)
python3 jwt_tool.py <token> -X a                  # alg:none
python3 jwt_tool.py <token> -X n                  # Null signature
python3 jwt_tool.py <token> -X k -pk public.pem   # Key confusion (RS256 → HS256), needs the server's public key

API Key Security

# Test API key exposure
# Check: JS files, git repos, mobile apps

# Test API key scope
# Can key meant for read-only do writes?
# Can user API key access admin endpoints?

API Testing Checklist

  • Map all endpoints (docs, JS, traffic)
  • Test BOLA on every object ID endpoint
  • Test mass assignment on all POST/PUT
  • Check rate limiting on auth endpoints
  • Test JWT for algorithm vulnerabilities
  • Check for GraphQL introspection
  • Look for verbose error messages
  • Test for old API versions (v1, v2)

Bounty Examples

Company    Bug                        Bounty
Uber       BOLA - access any trip     $8,000
Shopify    GraphQL data exposure      $20,000
Twitter    API rate limit bypass      $5,040
GitLab     Mass assignment RCE        $12,000

Pro Tip: APIs often trust requests more than web interfaces. Test every field, every parameter, every ID.

Next, we'll cover mobile application security testing.
