Why API Security is Critical
APIs are prime targets for attackers. They expose business logic, handle sensitive data, and often lack the security scrutiny of user-facing applications. Security testing is not optional—it's critical.
OWASP Top 10 API Vulnerabilities
1. Broken Object Level Authorization
The API looks up an object by the id in the request but never checks that the caller is allowed to see that object:
GET /api/users/123/profile // What if 123 isn't your user?
GET /api/users/456/profile // Can I access someone else's data?
Fix: Always verify ownership (or an explicit permission) on the server before returning or modifying data; never rely on the client sending only its own ids.
2. Broken Authentication
Weak or missing authentication controls:
- No authentication required
- Weak password policies
- Unencrypted tokens
- No session timeout
3. Excessive Data Exposure
APIs return more data than necessary:
- Returning internal IDs
- Exposing admin fields
- Including password hashes
- Revealing database structure
4. Lack of Resources & Rate Limiting
Attackers can abuse the API:
- No rate limiting
- No size limits on requests
- No pagination limits
- No timeout controls
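The first three gaps in that list (no rate limiting, no size limits, no pagination limits) can be closed with a small guard that runs before any handler. The following is an added example, not code from the original article: it is written framework-agnostically so it runs without Express, and the request shape `{ clientId, contentLength, query }`, the function names and the limit values are this example's own assumptions. Timeout controls are not shown; those are set on the server socket rather than per request.

```javascript
// Added example (not from the original article): framework-agnostic guards for
// rate limiting, request size and pagination. The request shape
// { clientId, contentLength, query } and the limit values are assumptions.

const LIMITS = {
  maxRequestsPerWindow: 100, // requests per client per window
  windowMs: 60 * 1000,       // window length in milliseconds
  maxBodyBytes: 64 * 1024,   // reject bodies larger than this
  maxPageSize: 100,          // cap on ?limit= so one call cannot dump a whole table
  defaultPageSize: 20,
};

// Fixed-window counter per client, kept in memory for the demo. Behind a load
// balancer this state belongs in a shared store so every instance sees it.
const windows = new Map();

function checkRateLimit(clientId, now = Date.now(), limits = LIMITS) {
  const slot = Math.floor(now / limits.windowMs);
  const entry = windows.get(clientId);
  if (!entry || entry.slot !== slot) {
    windows.set(clientId, { slot, count: 1 });
    return { allowed: true, remaining: limits.maxRequestsPerWindow - 1 };
  }
  entry.count += 1;
  const remaining = limits.maxRequestsPerWindow - entry.count;
  // Time until the current window closes, suitable for a Retry-After header
  const retryAfterMs = (slot + 1) * limits.windowMs - now;
  return { allowed: remaining >= 0, remaining: Math.max(remaining, 0), retryAfterMs };
}

// Clamp user-supplied pagination so a caller can neither request an enormous
// page nor pass negative or non-numeric values through to the data layer.
function clampPagination(query = {}, limits = LIMITS) {
  const limit = Number.parseInt(query.limit, 10);
  const offset = Number.parseInt(query.offset, 10);
  return {
    limit: Number.isInteger(limit) && limit > 0
      ? Math.min(limit, limits.maxPageSize)
      : limits.defaultPageSize,
    offset: Number.isInteger(offset) && offset >= 0 ? offset : 0,
  };
}

// Run all guards; returns a rejection { status, error } or { status: null, pagination }.
// The rate counter is charged before the size check so oversized requests still
// consume the caller's quota.
function enforceResourceLimits(req, now = Date.now(), limits = LIMITS) {
  const rl = checkRateLimit(req.clientId, now, limits);
  if (!rl.allowed) {
    return { status: 429, error: 'Too Many Requests', retryAfterMs: rl.retryAfterMs };
  }
  if ((req.contentLength || 0) > limits.maxBodyBytes) {
    return { status: 413, error: 'Payload Too Large' };
  }
  return { status: null, pagination: clampPagination(req.query, limits) };
}
```

In a real deployment the guard is mounted as middleware and the rejection becomes the response status, with `retryAfterMs` converted to seconds for the Retry-After header; the in-memory Map is only adequate for a single process.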
5. API Injection
Untrusted input reaches an interpreter (SQL, NoSQL query, OS shell) as part of the command text instead of as data:
GET /api/users?name='; DROP TABLE users; --
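To show what happens to that request on the server, here is an added example (not code from the original article) of the two ways a handler can turn `?name=` into a database query. No database is contacted; the functions return the statement a driver would receive so the difference is visible. The `$1` placeholder syntax follows node-postgres; the function names and the name pattern are this example's own.

```javascript
// Added example (not from the original article). Builds, without executing,
// the SQL and NoSQL queries for the ?name= parameter so the injection point is
// visible. Placeholder syntax follows node-postgres; function names are assumed.

// VULNERABLE: the attacker-controlled value is spliced into the SQL text, so a
// quote closes the string literal and everything after it becomes new syntax.
function buildUserQueryUnsafe(name) {
  return `SELECT id, name FROM users WHERE name = '${name}'`;
}

// SAFE: the SQL text is a constant and the value travels separately as a bound
// parameter; quotes and semicolons inside it can never become syntax.
function buildUserQuerySafe(name) {
  return { text: 'SELECT id, name FROM users WHERE name = $1', values: [name] };
}

// NoSQL injection has the same shape: a JSON body such as {"name": {"$gt": ""}}
// turns an equality filter into "match every document" if the value is passed
// through unchecked. Enforcing the type closes that path.
function buildUserFilterSafe(name) {
  if (typeof name !== 'string') throw new TypeError('name must be a string');
  return { name }; // exact-match filter; operator objects were rejected above
}

// Defence in depth: validate the shape of the input before it reaches any query
// builder. Letters, marks, apostrophe, space, dot and hyphen, 1 to 64 chars.
const NAME_PATTERN = /^[\p{L}\p{M}' .-]{1,64}$/u;
function validateName(name) {
  return typeof name === 'string' && NAME_PATTERN.test(name);
}
```

Note that `validateName` accepts `O'Brien`, which would still break the unsafe builder; the allow-list reduces the attack surface but only parameterization removes the injection.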
Security Testing Checklist
- Test Authentication - Try accessing endpoints without authentication, use invalid tokens, modify tokens
- Test Authorization - Access resources you don't own, modify another user's data, access admin endpoints
- Test Input Validation - Send oversized payloads, try SQL injection, send special characters
- Test Rate Limiting - Send 1000 requests in 1 second, check if throttling is applied
- Test Data Exposure - Check what data is returned, look for sensitive information, examine error messages
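The checklist can be automated so it runs on every build. The following is an added example, not code from the original article: the probes exercise an in-process handler that takes `{ method, path, headers, body }` and returns `{ status, body }`, and the handler, tokens, user records and paths are constructed fixtures so the script runs offline. Against a real API the same probes would be sent over HTTP to a staging deployment.

```javascript
// Added example (not from the original article): the security checklist turned
// into automated probes. Handler, sessions, users and paths are constructed
// fixtures; a real run would target a staging deployment over HTTP.

// Constructed session store: token -> session with an expiry
const SESSIONS = new Map([
  ['tok-alice', { userId: '1', isAdmin: false, expiresAt: Date.parse('2030-01-01T00:00:00Z') }],
  ['tok-stale', { userId: '2', isAdmin: false, expiresAt: Date.parse('2020-01-01T00:00:00Z') }],
]);
// Constructed user records; password_hash and isAdmin must never reach a response
const USERS = new Map([
  ['1', { id: '1', name: 'Alice', email: 'alice@example.test', password_hash: 'hash-placeholder', isAdmin: false }],
  ['2', { id: '2', name: 'Bob', email: 'bob@example.test', password_hash: 'hash-placeholder', isAdmin: false }],
]);
const MAX_BODY_BYTES = 1024;

function authenticate(headers, now) {
  const token = (headers.authorization || '').replace(/^Bearer\s+/i, '');
  const session = SESSIONS.get(token);
  if (!session || session.expiresAt <= now) return null; // missing, unknown or expired
  return session;
}

// Minimal /api/users/:id handler applying the controls the article lists
function handleRequest(req, now = Date.now()) {
  const session = authenticate(req.headers || {}, now);
  if (!session) return { status: 401, body: { error: 'Unauthorized' } };
  if (Buffer.byteLength(req.body || '') > MAX_BODY_BYTES) {
    return { status: 413, body: { error: 'Payload Too Large' } };
  }
  const match = /^\/api\/users\/([^/]+)$/.exec(req.path);
  if (!match) return { status: 404, body: { error: 'Not Found' } }; // generic, no internals
  const targetId = match[1];
  if (targetId !== session.userId && !session.isAdmin) {
    return { status: 403, body: { error: 'Forbidden' } };
  }
  const record = USERS.get(targetId);
  if (!record) return { status: 404, body: { error: 'Not Found' } };
  const { id, name, email } = record; // explicit allow-list of fields
  return { status: 200, body: { id, name, email } };
}

// Each probe encodes one checklist item with the status it must produce.
// Returns a list of findings; an empty list means every probe behaved.
function runSecurityChecklist(handle, now = Date.now()) {
  const asAlice = { authorization: 'Bearer tok-alice' };
  const probes = [
    { item: 'auth: no credentials', req: { method: 'GET', path: '/api/users/1', headers: {} }, expect: 401 },
    { item: 'auth: invalid token', req: { method: 'GET', path: '/api/users/1', headers: { authorization: 'Bearer not-a-token' } }, expect: 401 },
    { item: 'auth: expired token', req: { method: 'GET', path: '/api/users/2', headers: { authorization: 'Bearer tok-stale' } }, expect: 401 },
    { item: "authz: another user's object", req: { method: 'GET', path: '/api/users/2', headers: asAlice }, expect: 403 },
    { item: 'input: oversized payload', req: { method: 'PUT', path: '/api/users/1', headers: asAlice, body: 'x'.repeat(MAX_BODY_BYTES + 1) }, expect: 413 },
    { item: 'exposure: own object', req: { method: 'GET', path: '/api/users/1', headers: asAlice }, expect: 200,
      check: (body) => !('password_hash' in body) && !('isAdmin' in body) },
  ];
  const findings = [];
  for (const p of probes) {
    const res = handle(p.req, now);
    if (res.status !== p.expect) {
      findings.push(`${p.item}: expected ${p.expect}, got ${res.status}`);
    } else if (p.check && !p.check(res.body)) {
      findings.push(`${p.item}: response contains sensitive fields`);
    }
  }
  return findings;
}
```

Running `runSecurityChecklist(handleRequest)` returns an empty list for this handler; swapping in a handler that returns the raw user record produces a finding from the exposure probe, which is the regression the harness exists to catch. The rate-limiting item is left out here because it needs many requests over time rather than a single probe.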
Security Testing Tools
Burp Suite Professional
- Web proxy for intercepting requests
- Automated vulnerability scanning
- Manual testing tools
- API scanning features
OWASP ZAP
- Free alternative to Burp Suite
- Automated scanning
- API support
- Good learning tool
Real-World Vulnerability Example
// VULNERABLE CODE
app.get('/api/users/:id', async (req, res) => {
  // No ownership check: any authenticated caller can request any id (BOLA)
  const user = await User.findById(req.params.id);
  res.json(user); // Returns password_hash and admin flag!
});

// SECURE CODE
app.get('/api/users/:id', async (req, res) => {
  // Check authorization. req.user is set by the authentication middleware;
  // ids are compared as strings because route params are always strings.
  if (String(req.user.id) !== req.params.id && !req.user.isAdmin) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  const user = await User.findById(req.params.id);
  if (!user) {
    return res.status(404).json({ error: 'Not found' });
  }
  // Only return safe fields: an explicit allow-list, never the raw record
  const safeUser = {
    id: user.id,
    name: user.name,
    email: user.email
  };
  res.json(safeUser);
});
Conclusion
API security testing should be part of your development lifecycle, not an afterthought. Start with the OWASP Top 10, use automated tools, then supplement with manual testing. Security is a journey, not a destination.