API Security Testing: OWASP Top 10, Tools & Checklist
Introduction
APIs are the most common attack vector in modern applications. According to Gartner, API attacks became the most frequent attack vector for enterprise web applications by 2024. Every API you expose is a potential entry point for attackers — and traditional web application security testing is not enough to protect them.
API security testing is the practice of systematically testing your API endpoints for vulnerabilities — authentication bypasses, data exposure, injection attacks, and business logic flaws. This guide covers the OWASP API Security Top 10, practical testing techniques with code examples, the best tools available, and a comprehensive checklist you can follow.
Whether you are a developer building APIs, a QA engineer validating security, or a DevSecOps lead implementing shift-left security, this guide gives you actionable techniques to secure your APIs.
OWASP API Security Top 10 (2023)
The OWASP API Security Top 10 is the industry-standard framework for API security risks. Here is each vulnerability with testing techniques:
API1: Broken Object Level Authorization (BOLA)
The most common API vulnerability. An attacker manipulates object IDs in requests to access other users' data.
How to test:
# Log in as User A, get their resource curl -X GET https://api.example.com/users/101/orders \ -H "Authorization: Bearer USER_A_TOKEN" # Returns User A's orders ✓
# Now try accessing User B's resource with User A's token curl -X GET https://api.example.com/users/102/orders
-H "Authorization: Bearer USER_A_TOKEN" # Should return 403 Forbidden, not User B's orders
Fix: Always verify that the authenticated user owns (or has permission to access) the requested resource. Never rely on client-supplied IDs alone.
API2: Broken Authentication
Weak authentication mechanisms that allow attackers to compromise tokens, keys, or passwords.
What to test:
- Can you access protected endpoints without a token? (Should get 401)
- Does the API accept expired tokens?
- Is there rate limiting on login attempts?
- Are tokens invalidated on logout/password change?
- Is the token stored securely (HttpOnly cookies, not localStorage)?
# Test: No auth header curl -X GET https://api.example.com/users/me # Expected: 401 Unauthorized# Test: Expired token curl -X GET https://api.example.com/users/me
-H "Authorization: Bearer EXPIRED_TOKEN_HERE" # Expected: 401 Unauthorized
# Test: Brute force protection (rapid login attempts) for i in {1..100}; do curl -s -o /dev/null -w "%{http_code}\n"
-X POST https://api.example.com/auth/login
-d '{"email":"victim@example.com","password":"guess'$i'"}' done # Expected: 429 Too Many Requests after several attempts
API3: Broken Object Property Level Authorization
The API exposes sensitive object properties that should be hidden or read-only.
How to test:
# Test: Can a regular user set admin-only fields?
curl -X PATCH https://api.example.com/users/101 \
-H "Authorization: Bearer REGULAR_USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"role": "admin", "isVerified": true}'
# Expected: "role" and "isVerified" should be ignored or return 403
API4: Unrestricted Resource Consumption
The API does not limit request rates, payload sizes, or resource-intensive operations.
What to test:
- Send oversized payloads (100MB JSON body)
- Request very large page sizes (GET /users?limit=1000000)
- Trigger expensive operations repeatedly
- Upload excessively large files
API5: Broken Function Level Authorization
Regular users can access admin-only API endpoints.
# Test: Access admin endpoints with regular user token curl -X GET https://api.example.com/admin/users \ -H "Authorization: Bearer REGULAR_USER_TOKEN" # Expected: 403 Forbidden
curl -X DELETE https://api.example.com/admin/users/102
-H "Authorization: Bearer REGULAR_USER_TOKEN" # Expected: 403 Forbidden
API6: Unrestricted Access to Sensitive Business Flows
Automated abuse of legitimate business features — scalping, spam, coupon abuse.
API7: Server Side Request Forgery (SSRF)
The API fetches external URLs provided by the user without validation, allowing attackers to scan internal networks.
# Test: Try to access internal services via URL parameter curl -X POST https://api.example.com/fetch-url \ -d '{"url": "http://169.254.169.254/latest/meta-data/"}' # Should be blocked — this targets AWS metadata
curl -X POST https://api.example.com/fetch-url
-d '{"url": "http://localhost:6379/"}' # Should be blocked — this targets internal Redis
API8: Security Misconfiguration
Missing security headers, verbose error messages, unnecessary HTTP methods enabled.
# Test: Check security headers curl -I https://api.example.com/users# Verify these headers are present: # X-Content-Type-Options: nosniff # X-Frame-Options: DENY # Strict-Transport-Security: max-age=31536000 # Content-Security-Policy: default-src 'self'
# Test: Check for verbose error messages curl -X GET https://api.example.com/users/invalid # Should NOT expose stack traces, database details, or internal paths
API9: Improper Inventory Management
Old API versions still accessible, undocumented endpoints exposed, development/staging endpoints left public.
What to test: Try accessing /api/v1/ when /api/v2/ is current. Check for common paths like /debug, /swagger, /graphql, /actuator.
API10: Unsafe Consumption of APIs
The API blindly trusts data from third-party APIs without validation.
API Security Testing Tools
OWASP ZAP (Zed Attack Proxy)
Free, open-source security testing tool maintained by OWASP. It can automatically scan APIs for common vulnerabilities.
# Run ZAP against your API using the API scan
docker run -t zaproxy/zap-stable zap-api-scan.py \
-t https://api.example.com/openapi.json \
-f openapi \
-r report.html
Burp Suite
The industry-standard tool for web and API security testing. Burp Suite Professional offers automated scanning, intruder (fuzzing), and repeater for manual testing.
Postman + Security Scripts
You can add security test scripts to your existing Postman collections:
// Postman test script for security checks pm.test("No sensitive data in response", () => { const body = pm.response.text(); pm.expect(body).to.not.include("password"); pm.expect(body).to.not.include("ssn"); pm.expect(body).to.not.include("credit_card"); });pm.test("Security headers present", () => { pm.expect(pm.response.headers.get("X-Content-Type-Options")).to.equal("nosniff"); pm.expect(pm.response.headers.get("Strict-Transport-Security")).to.exist; });
pm.test("No server version disclosure", () => { pm.expect(pm.response.headers.get("Server")).to.not.include("Apache/2.4"); pm.expect(pm.response.headers.get("X-Powered-By")).to.not.exist; });
Qodex.ai
Qodex.ai includes built-in security testing that automatically scans your APIs for OWASP Top 10 vulnerabilities. The AI agent generates security test cases alongside functional tests, covering authentication bypasses, injection attacks, and data exposure — without requiring security expertise.
Nuclei
Fast, template-based vulnerability scanner. Thousands of community-contributed templates for API security testing.
# Scan an API for known vulnerabilities
nuclei -u https://api.example.com -t api/ -severity critical,high
Tool Comparison
| Tool | Type | Cost | Automation | Best For |
|---|---|---|---|---|
| OWASP ZAP | DAST | Free | CI/CD ready | Automated API scanning |
| Burp Suite | DAST | $449+/yr | Limited | Manual penetration testing |
| Qodex.ai | AI-powered | Free tier | Full CI/CD | AI-generated security tests |
| Nuclei | Scanner | Free | CI/CD ready | Template-based scanning |
| StackHawk | DAST | Paid | CI/CD native | Developer-first DAST |
API Security Testing Checklist
Use this checklist for every API you build or review:
Authentication
- All endpoints require authentication (except public ones)
- Tokens expire within a reasonable timeframe
- Refresh token rotation is implemented
- Failed login attempts are rate-limited
- Password reset flows are secure
- API keys are not exposed in URLs (use headers)
Authorization
- Object-level authorization on every endpoint (BOLA protection)
- Function-level authorization (admin endpoints restricted)
- Property-level authorization (sensitive fields protected)
- Authorization cannot be bypassed by changing HTTP method
Input Validation
- All input is validated (type, length, format, range)
- SQL injection protection (parameterized queries)
- NoSQL injection protection
- Request body size limits enforced
- File upload validation (type, size, content)
Data Protection
- HTTPS enforced (HSTS header present)
- Sensitive data not exposed in responses (passwords, tokens, PII)
- Sensitive data not logged
- CORS configured restrictively
- Response headers prevent caching of sensitive data
Rate Limiting & Throttling
- Rate limits on all endpoints
- Stricter limits on authentication endpoints
- Rate limit headers returned (X-RateLimit-*)
- 429 status code returned when limits exceeded
Integrating Security Testing into CI/CD
Security testing should be automated and run on every code change — not just before releases.
# GitHub Actions — API security scan name: API Security Tests on: push: branches: [main, develop]jobs: security-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
- name: Start API server run: docker-compose up -d - name: Wait for API run: npx wait-on http://localhost:3000/health - name: Run OWASP ZAP scan uses: zaproxy/action-api-scan@v0.7.0 with: target: http://localhost:3000/openapi.json rules_file_name: .zap/rules.tsv fail_action: true - name: Run custom security tests run: npm run test:security - name: Upload security report if: always() uses: actions/upload-artifact@v4 with: name: security-report path: zap-report.html
Building a Security-First API Testing Strategy
API security testing works best when combined with other testing types:
- Functional testing — Verify correct behavior (REST API testing guide)
- Load testing — Verify performance under pressure (API load testing guide)
- Integration testing — Verify service interactions (API integration testing guide)
- Security testing — Verify protection against attacks (this guide)
For a comprehensive view of all available testing tools, see our API testing tools comparison.
Frequently Asked Questions
What is API security testing?
API security testing is the process of testing your API endpoints for vulnerabilities — authentication bypasses, injection attacks, data exposure, and authorization flaws. The goal is to identify and fix security weaknesses before attackers exploit them.
What is the OWASP API Security Top 10?
The OWASP API Security Top 10 is a list of the most critical API security risks, maintained by the Open Worldwide Application Security Project. It includes Broken Object Level Authorization (BOLA), Broken Authentication, Broken Object Property Level Authorization, and seven other common API vulnerabilities.
How do I start API security testing?
Start with the OWASP API Security Top 10 checklist above. Run an automated scan with OWASP ZAP against your API specification. Then manually test authentication, authorization, and injection vulnerabilities. Use Qodex.ai to automatically generate security test cases from your API spec.
What tools are best for API security testing?
OWASP ZAP (free, automated scanning), Burp Suite (professional penetration testing), Qodex.ai (AI-powered security test generation), and Nuclei (template-based scanning). Most teams use a combination of automated and manual testing tools.
What is the difference between SAST and DAST for APIs?
SAST (Static Application Security Testing) analyzes source code without running the application. DAST (Dynamic Application Security Testing) tests the running API by sending requests and analyzing responses. Both are valuable — SAST catches code-level issues early, and DAST finds runtime vulnerabilities.
How often should I run API security tests?
Automated security scans should run on every deployment (in CI/CD). Comprehensive penetration testing should be done quarterly or before major releases. Continuously monitor for new vulnerabilities in dependencies using tools like Dependabot or Snyk.
Discover, Test, & Secure your APIs 10x Faster than before
Auto-discover every endpoint, generate functional & security tests (OWASP Top 10), auto-heal as code changes, and run in CI/CD - no code needed.
Related Blogs
