
API Security Testing 101: How to Find Vulnerabilities Before Attackers Do
APIs are the #1 attack target. Learn how to test for BOLA, broken authentication, rate limiting, and injection flaws with actionable techniques and tools. Based on Axum's research across 10,000+ APIs.
Why API security testing matters
APIs power everything. Your mobile app talks to your backend via API. Your frontend JavaScript fetches data via API. Your partners integrate with you via API.
And attackers know this.
In Axum's 2025 API security research across 10,000+ APIs, we found that 87% of APIs had at least one critical or high-severity vulnerability. The average API had 14 security flaws.
The good news? Most of these vulnerabilities are discoverable — and fixable — before attackers find them.
This guide walks through API security testing: what to test, how to test it, and common mistakes to avoid.
What makes API testing different from web app testing?
| Web application testing | API security testing |
|---|---|
| Focus on UI and forms | Focus on endpoints and data structures |
| Test for XSS in input fields | Test for injection in JSON/XML bodies |
| Check session cookies | Check JWT tokens, API keys, OAuth |
| Manual browsing | Automated endpoint fuzzing |
| CSRF tokens matter | Rate limiting and BOLA matter more |
APIs have no UI to hide behind. Attackers talk directly to your business logic.
The OWASP API Top 10 (your testing checklist)
OWASP maintains a specific top 10 for APIs. Test for these:
| # | Category | What to check |
|---|---|---|
| API1 | Broken Object Level Authorization (BOLA) | Can user A access user B's data by changing an ID? |
| API2 | Broken Authentication | Are tokens weak? Can they be forged? |
| API3 | Excessive Data Exposure | Does the API return more fields than needed? |
| API4 | Lack of Rate Limiting | Can I make 10,000 requests per minute? |
| API5 | Broken Function Level Authorization | Can a standard user call admin endpoints? |
| API6 | Mass Assignment | Can I update fields I shouldn't control? |
| API7 | Security Misconfiguration | Are debug endpoints exposed? CORS wide open? |
| API8 | Injection | SQL, NoSQL, command injection in parameters |
| API9 | Improper Assets Management | Are old API versions still live? |
| API10 | Unsafe Consumption | Does the API blindly trust third-party APIs? |
5 essential API testing techniques
1. Endpoint discovery
You can't test what you don't know exists.
How to do it:
- Crawl the frontend JavaScript for API calls
- Review OpenAPI/Swagger specs (often left public)
- Fuzz for common endpoints: `/v1/`, `/v2/api/`, `/admin/`, `/internal/`
- Check `robots.txt` and `sitemap.xml`
Tools: Burp Suite, Postman, Kiterunner, ffuf
Example command:
```bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -c
```
2. Authentication testing
Weak authentication is the fastest path to a breach.
What to test:
- Can you register with a duplicate email?
- Are password reset tokens predictable?
- Does the JWT use "none" algorithm? (Yes, this happens)
- Is the JWT secret weak or default?
- Can you reuse an expired token?
- Is there MFA? Can it be bypassed?
Tools: jwt_tool, Burp Sequencer, custom scripts
Example JWT attack:
```
// Original token header
{ "alg": "HS256", "typ": "JWT" }

// Try changing to "none"
{ "alg": "none", "typ": "JWT" }

// Remove signature — some APIs will accept it
```
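The server-side counterpart of the header swap above, as an added example (not the article's code): a minimal HS256 verifier that fixes the algorithm in server configuration, so an `alg: none` token with the signature removed, a tampered payload, a wrong key and an expired or exp-less token are all rejected. The secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: server-side signing key (constructed demo value, not a real secret)
SECRET = b"constructed-demo-secret"
ALLOWED_ALG = "HS256"  # fixed by server configuration, never read from the token

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def signing_input(header: dict, payload: dict) -> str:
    return b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())

def issue_hs256(payload: dict, key: bytes = SECRET) -> str:
    """What the legitimate issuer does: HMAC-SHA256 over header.payload."""
    data = signing_input({"alg": "HS256", "typ": "JWT"}, payload)
    sig = hmac.new(key, data.encode(), hashlib.sha256).digest()
    return data + "." + b64url(sig)

def unsigned_none_token(payload: dict) -> str:
    """The article's test vector: header switched to alg none, signature removed."""
    return signing_input({"alg": "none", "typ": "JWT"}, payload) + "."

def verify(token: str, key: bytes = SECRET, now=None):
    """Hardened verifier: returns the claims, or None for any token that must not be trusted."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except (ValueError, TypeError):  # wrong segment count, bad base64, bad JSON
        return None
    # Algorithm allowlist: "none", "hs256", RS256 key-confusion variants all stop here
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        return None
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time; an empty signature fails too
        return None
    now = time.time() if now is None else now
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:  # exp is mandatory and must be in the future
        return None
    return payload
```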
3. BOLA / IDOR testing
Broken Object Level Authorization is the #1 API vulnerability for a reason — it's everywhere.
What to test:
- Change `user_id` in `/api/users/123/profile` to another number
- Change `invoice_id` in `/api/invoices/INV-001` to another ID
- Try UUIDs — are they sequential? Predictable?
- Test nested resources: `/api/orgs/1/users/2` — can you access other orgs?
How to automate:
```python
import requests

# Auth header of the test account you are authorized to use (placeholder token)
headers = {"Authorization": "Bearer <test-account-token>"}

for i in range(1, 1000):
    url = f"https://target.com/api/users/{i}/profile"
    response = requests.get(url, headers=headers)
    if response.status_code == 200:
        print(f"Found accessible profile: {i}")
```
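On the server side, every item in the list above has the same fix: an object-level check against the verified identity. Added example, not the article's or any project's code, with constructed in-memory users and orgs: the vulnerable lookup beside the hardened one, and the nested-route case where both path parameters must be checked.

```python
from dataclasses import dataclass

# Constructed sample data: user id -> record; org id -> set of admin user ids
USERS = {
    123: {"org": 1, "email": "alice@example.com"},
    124: {"org": 1, "email": "bob@example.com"},
    200: {"org": 2, "email": "carol@example.com"},
}
ORG_ADMINS = {1: {123}}

@dataclass(frozen=True)
class Principal:
    """Identity taken from the verified session/token, never from the URL or body."""
    user_id: int
    org_id: int

def profile_vulnerable(p: Principal, user_id: int):
    """GET /api/users/{user_id}/profile as the article finds it: lookup by the
    client-supplied id only, so any authenticated user reads any profile."""
    user = USERS.get(user_id)
    return (200, user) if user else (404, None)

def profile_hardened(p: Principal, user_id: int):
    """Object-level check: the requester must own the object or administer its org."""
    user = USERS.get(user_id)
    if user is None:
        return 404, None
    is_owner = p.user_id == user_id
    is_org_admin = p.user_id in ORG_ADMINS.get(user["org"], set())
    if not (is_owner or is_org_admin):
        return 403, None  # worth logging: a burst of 403s across many ids is enumeration
    return 200, user

def org_user_hardened(p: Principal, org_id: int, user_id: int):
    """GET /api/orgs/{org_id}/users/{user_id}: every path parameter is checked,
    not just the last one, and users outside the requested org look nonexistent."""
    if p.org_id != org_id:
        return 403, None
    user = USERS.get(user_id)
    if user is None or user["org"] != org_id:
        return 404, None  # 404 rather than 403: do not confirm other orgs' user ids
    return profile_hardened(p, user_id)
```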
4. Rate limiting testing
No rate limiting means attackers can brute force, scrape, or DoS your API.
What to test:
- Send 100 requests as fast as possible
- Send 10,000 requests over 5 minutes
- Try different IPs (via X-Forwarded-For header)
- Try different user accounts or API keys
Simple test using curl:
```bash
for i in {1..100}; do
  curl -X POST https://target.com/api/login \
    -H "Content-Type: application/json" \
    -d '{"email":"test@example.com","password":"guess'"$i"'"}'
done
```
What a good API should do:
- Return `429 Too Many Requests` after a threshold
- Block or CAPTCHA after repeated failures
- Track rate limits by IP, API key, and user ID
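The three bullets in code, as an added example (not the article's or any framework's code): a sliding-window limiter keyed by client IP, API key and the targeted account, returning `429` with `Retry-After`, and honouring `X-Forwarded-For` only when the request really came through a trusted proxy. The proxy address, thresholds and clock are constructed for the demo.

```python
import collections
import math
import time

TRUSTED_PROXIES = {"10.0.0.5"}  # assumption: the address of our own load balancer

def client_ip(peer_ip: str, headers: dict) -> str:
    """Honour X-Forwarded-For only when the TCP peer is our proxy; from anyone
    else the header is client-supplied and would hand them a fresh IP bucket."""
    xff = headers.get("X-Forwarded-For", "")
    if peer_ip in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()  # last entry is the one our proxy appended
    return peer_ip

class SlidingWindowLimiter:
    """Per-key sliding window; `clock` is injectable so tests do not sleep."""
    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_s, clock
        self.hits = collections.defaultdict(collections.deque)

    def retry_after(self, key: str) -> float:
        """Seconds until `key` may proceed; 0.0 if it may proceed now."""
        now = self.clock()
        q = self.hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return 0.0 if len(q) < self.limit else q[0] + self.window - now

    def record(self, key: str) -> None:
        self.hits[key].append(self.clock())

def limit_keys(peer_ip: str, headers: dict, body: dict) -> list:
    """The article's three dimensions: client IP, API key (if sent) and the account being targeted."""
    keys = [f"ip:{client_ip(peer_ip, headers)}", f"acct:{body.get('email', '').lower()}"]
    if headers.get("X-API-Key"):
        keys.append(f"key:{headers['X-API-Key']}")
    return keys

def handle_login(limiter: SlidingWindowLimiter, peer_ip: str, headers: dict, body: dict):
    """Return (status, response headers): 429 with Retry-After when ANY dimension
    is exhausted, otherwise 200 (the credential check itself is omitted)."""
    keys = limit_keys(peer_ip, headers, body)
    wait = max(limiter.retry_after(k) for k in keys)
    if wait > 0:
        return 429, {"Retry-After": str(math.ceil(wait))}
    for k in keys:  # count only attempts that were actually processed
        limiter.record(k)
    return 200, {}
```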
5. Injection testing
APIs accept structured data (JSON, XML, GraphQL) and can be vulnerable just like web forms.
What to test:
- SQL injection in query parameters and JSON values
- NoSQL injection in MongoDB/GraphQL APIs
- Command injection if the API calls system commands
- XXE in XML-based APIs (SOAP, old REST)
Example NoSQL injection in JSON:
```json
{ "username": "admin", "password": { "$ne": "" } }
```
This may bypass authentication by asking for "password not equal to empty string."
Example SQL injection in query param:
```
GET /api/users?username=admin' OR '1'='1
```
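Both payloads above stopped at the input and query layers, as an added example (not the article's code): a strict schema check that rejects the `$ne` operator object before it reaches MongoDB, a generic operator scan for other JSON endpoints, and a parameterized SQL query beside the string-built one that the `' OR '1'='1` payload defeats. The users table is constructed in-memory SQLite.

```python
import sqlite3

def validate_login_body(body):
    """Strict schema for POST /api/login: exactly the two expected fields, both plain
    strings. The article's {"$ne": ""} arrives as a dict and is rejected before any query."""
    if not isinstance(body, dict) or set(body) != {"username", "password"}:
        return None
    username, password = body["username"], body["password"]
    if not (isinstance(username, str) and isinstance(password, str)):
        return None
    return username, password

def contains_operator(value) -> bool:
    """Generic check for other endpoints: any MongoDB operator key ($ne, $gt,
    $regex, $where, ...) anywhere in a decoded JSON document."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "hash-a"), ("alice", "hash-b")])
    return conn

def find_user_vulnerable(conn, username: str):
    """String-built WHERE clause: username=admin' OR '1'='1 matches every row."""
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return conn.execute(sql).fetchall()

def find_user_parameterized(conn, username: str):
    """Bound parameter: the same payload is compared as a literal and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return conn.execute(sql, (username,)).fetchall()
```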
Tools we recommend
| Tool | Purpose |
|---|---|
| Postman / Insomnia | Manual API testing and exploration |
| Burp Suite (Professional) | Proxy, repeater, intruder for parameter fuzzing |
| ffuf / gobuster | Endpoint discovery and fuzzing |
| Kiterunner | API-specific endpoint brute forcing |
| jwt_tool | JWT token testing and forgery |
| GraphQL Raider (Burp extension) | GraphQL introspection and attack testing |
| ZAP (OWASP) | Free automated API scanning |
Automated vs. manual testing
| Automated | Manual |
|---|---|
| Finds misconfigurations, missing auth, known CVEs | Finds business logic flaws, BOLA, complex chains |
| Fast, scalable | Slow, requires skill |
| Low false positives | High-value findings |
| Best for CI/CD | Best for pre-release penetration testing |
Our recommendation: Do both. Automate what you can. Manually test business-critical endpoints.
API testing in CI/CD
Tools like Postman, SoapUI, and ZAP can run in your pipeline:
```yaml
# GitHub Actions example
- name: Run API security scan
  run: |
    zap-api-scan.py \
      -t https://staging.target.com/openapi.json \
      -f openapi \
      -r report.html
```
What to check in CI/CD:
- Authentication bypasses
- Missing rate limits
- Exposed sensitive fields
- SQL/NoSQL injection patterns
Common mistakes (and how to avoid them)
| Mistake | Fix |
|---|---|
| Only testing documented endpoints | Discover and test shadow APIs |
| Ignoring GraphQL | Check introspection and depth limiting |
| Testing as admin only | Test as every role (user, viewer, unauthenticated) |
| No negative testing | Don't just test happy path — break things |
| Trusting API specs blindly | What's documented vs. what's deployed often differ |
API security testing checklist
Pre-flight:
- Obtain OpenAPI / Swagger spec if available
- Understand authentication method (JWT, API key, OAuth)
- Know user roles (admin, user, guest)
Basic tests:
- Crawl frontend for hidden endpoints
- Test for missing authentication on all endpoints
- Test for BOLA across all ID parameters
- Test rate limiting with 500+ requests
Advanced tests:
- Test JWT weaknesses (alg none, weak secret, expiration)
- Test GraphQL introspection and depth attacks
- Test for mass assignment
- Test for injection in JSON/XML payloads
Post-testing:
- Document all findings with repro steps
- Prioritize by risk (Critical → High → Medium → Low)
- Provide remediation guidance
How Axum can help
We offer comprehensive API security testing:
- API Discovery Audit – Find every API endpoint you didn't know existed
- Manual Penetration Testing – Expert testers finding business logic flaws
- Automated API Scanning – Continuous testing integrated into your CI/CD
- GraphQL Security Assessment – Deep dive into GraphQL attack surfaces
Final thoughts
API security testing isn't optional. Attackers have shifted their focus to APIs because they know organizations haven't.
Start with the OWASP API Top 10. Test authentication and BOLA first — that's where most critical findings live. Automate what you can, but invest in manual testing for business logic.
And remember: Your API is already being probed by attackers. The only question is whether you'll find vulnerabilities before they do.
Want to test your APIs? Contact our team →
Read our full API security research: Download whitepaper →