API Security Testing (/test-api)
Tests API security per OWASP API Security Top 10 (2023), PortSwigger Academy, and current API attack trends. Covers REST APIs, GraphQL (including WebSocket auth bypass and aggregation leaks), mass assignment, server-side parameter pollution, prototype pollution, SOAP/WSDL, tRPC, and Salesforce Aura. API vulnerabilities represent 84% of security incidents in 2024.
/test-api <api_base_url> [engagement_dir]
Scope Routing
| Scope | Sections | Focus |
| --- | --- | --- |
| rest | A (A1-A2) + B (B1-B10) + E + F + G + H | API recon and documentation discovery, full OWASP API Security Top 10, SOAP/WSDL, tRPC, Content-Type switching (JSON to XML for XXE), Salesforce Aura enumeration |
| graphql | C (C1-C6) | Introspection leaks, query complexity/DoS, mutation testing, alias-based enumeration, directive injection, schema stitching attacks |
| prototype | D (D1-D3) | Recursive merge exploitation, constructor.prototype abuse, JSON interoperability issues |
Coverage
OWASP API Security Top 10
| Risk | ID | Testing Approach |
| --- | --- | --- |
| Broken Object Level Authorization | API1:2023 | BOLA/IDOR via numeric ID iteration, UUID manipulation, body/query parameter ID swapping |
| Broken Authentication | API2:2023 | Unauthenticated endpoint access, expired/revoked token reuse, JWT tampering |
| Broken Object Property Level Authorization | API3:2023 | Mass assignment (role/isAdmin/permissions elevation), excessive data exposure detection |
| Unrestricted Resource Consumption | API4:2023 | Rate limiting absence, pagination limit bypass, resource exhaustion |
| Broken Function Level Authorization | API5:2023 | Admin endpoints with regular user tokens, HTTP method override |
| Unrestricted Access to Sensitive Business Flows | API6:2023 | Automation of business-critical flows without rate limiting |
| Server-Side Request Forgery | API7:2023 | URL parameters fetched server-side (covered in depth by /test-ssrf) |
| Security Misconfiguration | API8:2023 | Verbose errors, missing security headers, debug endpoints |
| Improper Inventory Management | API9:2023 | API versioning bypass (v1 vs v2), shadow/deprecated endpoints |
| Unsafe Consumption of APIs | API10:2023 | Third-party API trust issues |
Additional Coverage
- GraphQL Security -- Introspection enabled, query complexity attacks, mutation testing with unauthorized roles, alias-based data enumeration, directive injection, schema stitching/federation exploitation.
- Prototype Pollution -- Recursive merge detection (__proto__, constructor.prototype), JSON interoperability issues (duplicate keys, key truncation, comment injection), observable side effects (status code changes, JSON formatting changes).
- SOAP/WSDL -- WSDL disclosure, XML injection in SOAP envelopes, WS-Security header manipulation.
- tRPC -- Broken function-level authorization in tRPC procedure calls.
- Content-Type Switching -- Converting JSON endpoints to XML for XXE testing.
- Salesforce Aura -- Unauthenticated data access via Aura API enumeration.
- Server-Side Parameter Pollution -- Injecting additional parameters into server-side API calls.
Key Sections
| Section | ID | Description |
| --- | --- | --- |
| API Documentation Discovery | A1 | Swagger/OpenAPI, Redoc, API schema, actuator/mappings, well-known endpoints. |
| API Endpoint Enumeration | A2 | Endpoint extraction from docs, HTTP method testing on each endpoint. |
| OWASP API Top 10 | B1-B10 | Complete testing for all 10 risks with specific test cases. |
| GraphQL Security | C1-C6 | Introspection (C1), query complexity (C2), mutations (C3), aliases (C4), directives (C5), stitching (C6). |
| Prototype Pollution | D1-D3 | Recursive merge (D1), constructor abuse (D2), JSON interop (D3). |
| JSON Interoperability | D4 | Duplicate keys, key truncation, comment injection across parser boundaries. |
| SOAP/WSDL | E | WSDL disclosure, XML injection, WS-Security. |
| tRPC Authorization | F | Function-level auth testing in tRPC endpoints. |
| Content-Type Switching | G | JSON-to-XML conversion for XXE on API endpoints. |
| Salesforce Aura | H | Unauthenticated Aura API object/record enumeration. |
Model and Thinking Budget
| Component | Model | Rationale |
| --- | --- | --- |
| REST/OWASP Top 10 | Sonnet | Systematic testing with well-defined patterns |
| GraphQL | Sonnet | Schema analysis and mutation testing |
| Prototype pollution | Sonnet | Methodical merge detection with observable effects |
| Salesforce Aura | Sonnet | Procedural enumeration |
Kill Switch
| Limit | Value |
| --- | --- |
| Timeout | 45 minutes |
| Max requests | 500 (warning at 400) |
| Rate limiting | Respect API rate limits, back off on 429 |
AI Decision Points
Three [AI-DECISION] markers:
- Undocumented Endpoint Prediction (A) -- From discovered endpoints, predict undocumented endpoints by pattern (version increments, CRUD operations, admin variants). Verify each prediction.
- GraphQL Schema Analysis (C) -- Analyze GraphQL schema from introspection. Identify fields with different authorization requirements and test cross-role access.
- Prototype Pollution Detection (D) -- Identify merge/extend operations in the application. Test __proto__ and constructor.prototype injection with observable side effects (status code changes, JSON spacing changes).
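The recursive-merge weakness behind the Prototype Pollution coverage above and the D decision point, as an added example that is not part of the /test-api tool: a vulnerable merge beside its hardened form, with the JSON-spacing side effect used as the observable signal. The request body and the `settings` object standing in for an Express `app.settings` lookup are constructed for this example.

```javascript
// Vulnerable: copies every own key of source into target, recursing into
// nested objects. JSON.parse stores "__proto__" as an ordinary own key, so the
// recursion descends into target.__proto__ (Object.prototype) and writes there.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the three keys that can reach a prototype and build nested
// containers with a null prototype so there is no prototype chain to pollute.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed body of the kind the D1/D2 checks submit. `settings` has no own
// 'json spaces' key, so the lookup falls through to Object.prototype exactly
// as an Express settings lookup would; a polluted value changes the response
// formatting without any error, which is the side effect the test observes.
const BODY = '{"name":"demo","__proto__":{"json spaces":4}}';

function mergeAndObserve(merge) {
  const settings = {};
  merge({}, JSON.parse(BODY));
  const spaces = settings['json spaces'];
  const rendered = JSON.stringify({ ok: true }, null, spaces);
  delete Object.prototype['json spaces']; // undo any pollution for later calls
  return { polluted: spaces !== undefined, rendered };
}
```

Comparing `mergeAndObserve(unsafeMerge)` with `mergeAndObserve(safeMerge)` shows the same body producing re-indented output only through the vulnerable merge, which is the differential a defender can turn into a regression test.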
Knowledge Packs and Cheatsheets
| Resource | Path |
| --- | --- |
| GraphQL knowledge pack | helpers/knowledge-graphql.md |
| GraphQL cheatsheet | helpers/cheatsheet-graphql.md |
| Research terms | helpers/research-terms.md |
External payload files: PayloadsAllTheThings GraphQL injection and prototype pollution payloads. SecLists API endpoint wordlists, common API paths, GraphQL discovery wordlists, BurpSuite ParamMiner parameter names.
Safety
- Read-only API testing. Never modify production data.
- Test with provided test credentials only.
- Rate limiting on sensitive endpoints: back off on 429 responses.
- All findings require a working, reproducible PoC.