API Security Testing: OWASP API Top 10 & AI-Powered Scanning in 2025

Secure APIs against the most critical attack vectors with automated testing and intelligent analysis


APIs are the dominant attack surface—400% increase in API attacks in 2024. This guide covers all 10 OWASP API Security vulnerabilities (BOLA, broken auth, BFLA, etc.), testing methodologies with Burp Suite and OWASP ZAP, AI-powered API discovery tools, OAuth 2.0/JWT best practices, API gateway security, and building API security into CI/CD pipelines.

Tags: API Security, OWASP, BOLA, REST Security, Authentication, API Testing

API Security Testing: OWASP API Top 10 in 2025

The API Security Crisis

APIs power 90%+ of modern applications. The average enterprise has 900+ APIs, many of them undocumented. API attacks are up 400% year-over-year, and billions of records have been breached through API misconfigurations.

OWASP API Security Top 10

API1: Broken Object Level Authorization (BOLA)

The most critical category: the API does not verify that the requesting user is authorized to access the specific object being requested.

Example: GET /api/users/12345/orders should only return orders for user 12345. If user 99999 can access /api/users/12345/orders, that's BOLA.

Testing: replace your user ID with another user's ID. Automate by scripting ID enumeration and checking for unauthorized data returns.

API2: Broken Authentication

Weak token generation, missing validation, credentials exposed in URLs.

Testing: verify tokens expire (test expired tokens), check token invalidation on logout, confirm tokens aren't in URL parameters (exposed in server logs).
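The checks behind "verify tokens expire": an added, stdlib-only example (not code from the original tutorial) of a server-side HS256 JWT verifier that pins the algorithm, compares the signature in constant time and treats a missing or past exp as a failure. The secret and the 15-minute lifetime are constructed for the demo; mint_token exists only so the verifier can be exercised.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-key-replace-with-a-real-secret"  # constructed sample key
TOKEN_LIFETIME_S = 15 * 60  # short-lived access token, matching the 15-minute recommendation


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, now: int, lifetime_s: int = TOKEN_LIFETIME_S) -> str:
    """Issue an HS256 JWT whose exp is lifetime_s seconds after now (test helper only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "iat": now, "exp": now + lifetime_s}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the token is well-formed, signed by us with HS256 and unexpired,
    otherwise None. Any single failed check rejects the token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm server-side; never honour "none" or whatever the token claims.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        # exp is mandatory: a token without it would never expire.
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None
```

A maintained JWT library performs the same three checks; the point is that algorithm pinning, signature verification and expiry are each mandatory, not optional.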

API3: Broken Object Property Level Authorization

Returning more data than the client needs (excessive data exposure) or allowing updates to fields the user should not be able to modify (mass assignment).

Example: a profile update API that accepts all fields, allowing a user to set admin=true.

Testing: send all possible fields in update requests, look for unexpected fields in responses.
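The API1 and API3 handlers side by side, as an added example that is not part of the original tutorial: each vulnerable function is followed by its hardened form. The stores, user IDs and the USER_WRITABLE allowlist are constructed; handlers return an (HTTP status, body) pair so the authorization outcome is explicit.

```python
from typing import Dict, List, Tuple

# Constructed in-memory stores standing in for the application's database.
ORDERS: Dict[int, List[str]] = {12345: ["order-A", "order-B"], 99999: ["order-C"]}
PROFILES: Dict[int, dict] = {
    12345: {"display_name": "alice", "email": "alice@example.test", "admin": False},
}
# Allowlist of profile fields a user may change on their own record (API3).
USER_WRITABLE = {"display_name", "email"}


def get_orders_vulnerable(requester_id: int, path_user_id: int) -> Tuple[int, object]:
    # API1/BOLA: trusts the ID in the URL and never asks who is calling.
    return 200, ORDERS.get(path_user_id, [])


def get_orders(requester_id: int, path_user_id: int, is_admin: bool = False) -> Tuple[int, object]:
    """Object-level check: the record's owner must be the authenticated caller
    (or the caller must hold a role that is explicitly allowed to read any user's orders)."""
    if requester_id != path_user_id and not is_admin:
        return 403, {"error": "forbidden"}
    return 200, ORDERS.get(path_user_id, [])


def update_profile_vulnerable(profiles: Dict[int, dict], requester_id: int, body: dict) -> Tuple[int, object]:
    # API3 mass assignment: every field in the body is written, admin included.
    profiles[requester_id].update(body)
    return 200, profiles[requester_id]


def update_profile(profiles: Dict[int, dict], requester_id: int, body: dict) -> Tuple[int, object]:
    """Property-level check: reject unexpected fields instead of silently dropping them,
    so a request carrying admin=true gets a 400 and shows up in the logs."""
    unexpected = sorted(set(body) - USER_WRITABLE)
    if unexpected:
        return 400, {"error": "unexpected fields", "unexpected": unexpected}
    profiles[requester_id].update(body)
    return 200, profiles[requester_id]
```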

API4: Unrestricted Resource Consumption

Missing rate limiting enables denial of service, account enumeration, and resource exhaustion.

Testing: rapid-fire requests to check rate limiting, test timing attacks in auth endpoints, verify limits on expensive operations.

API5: Broken Function Level Authorization

Admin functions accessible to regular users.

Testing: enumerate all endpoints via Swagger/JavaScript/fuzzing. Test every endpoint with non-admin credentials. Look for admin paths accessible without authorization.

API6: Unrestricted Business Flow Access

Business logic attacks—buying at manipulated prices, bypassing referral code rate limits.

Testing: understand the business flow and abuse it. Test race conditions in inventory/purchase flows.

API7: Server Side Request Forgery (SSRF)

The API accepts a URL from the client and fetches it server-side, letting an attacker probe internal services.

Testing: submit internal IPs (169.254.169.254 for cloud metadata, 10.x.x.x, 192.168.x.x) as URL parameters. Test redirect parameters.
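The server-side counterpart to the SSRF tests above: an added example, not code from the original tutorial, of a destination check that a URL-fetching endpoint runs before connecting. It rejects non-HTTP schemes, userinfo, and any hostname or literal that resolves to the ranges listed above (169.254.169.254, 10.x.x.x, 192.168.x.x) plus loopback and other non-routable space. The hostnames and the constructed_resolver table are constructed so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> List[str]:
    """Every address a name maps to; an IP literal resolves to itself."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(ip_text: str) -> bool:
    """True for anything a server-side fetch must never reach: RFC 1918 (10/8, 172.16/12,
    192.168/16), loopback, link-local incl. 169.254.169.254, unspecified, multicast, reserved."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def check_outbound_url(url: str, resolver: Callable[[str], List[str]] = system_resolver) -> Optional[str]:
    """Return a rejection reason, or None when the URL may be fetched. The fetcher should then
    connect to an address vetted here rather than re-resolving the name (DNS rebinding gap)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "userinfo in URL not allowed"  # makes the effective host easy to misread
    try:
        addresses = resolver(host)
    except (OSError, ValueError):
        return f"{host!r} does not resolve"
    for addr in addresses:
        if is_internal(addr):
            return f"{host} resolves to internal address {addr}"
    return None


# Constructed DNS table so the example is deterministic and offline (8.8.8.8 is just a public address).
CONSTRUCTED_DNS = {"api.partner.example": ["8.8.8.8"], "metadata.lookalike.example": ["169.254.169.254"]}


def constructed_resolver(host: str) -> List[str]:
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal
    except ValueError:
        if host in CONSTRUCTED_DNS:
            return CONSTRUCTED_DNS[host]
        raise OSError(f"no record for {host}")
```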

API8: Security Misconfiguration

Default credentials, verbose error messages, unnecessary HTTP methods, CORS misconfiguration.

Testing: check all HTTP methods (OPTIONS, TRACE), review error messages for stack traces, test CORS with Origin: evil.com, check default credentials.

API9: Improper Inventory Management

Old API versions with known vulnerabilities still accessible.

Testing: test v1, v2, v3 of all endpoints, look for beta/test/dev subdomains, search GitHub for old API documentation.

API10: Unsafe API Consumption

Trusting third-party API responses without validation.

Testing: check if third-party data is sanitized before database storage, test injection through webhook callbacks.

AI-Powered API Testing Tools

42Crunch: scans code, traffic, and documentation to create comprehensive API inventory including shadow APIs. Salt Security: ML-based API discovery and attack detection from traffic patterns, no code changes. Noname Security: continuous API security posture management.

LLM assistance: "Here is a REST API endpoint: POST /api/orders with fields user_id, product_id, quantity, discount_code. What OWASP API vulnerabilities should I test and what payloads should I use?" LLMs generate comprehensive test cases from API specs.

Testing Tools

OWASP ZAP API Scan: import OpenAPI/Swagger spec, automatically tests all endpoints. Run in CI to prevent regressions. Burp Suite Professional: industry-standard manual testing, Intruder for parameter fuzzing, Collaborator for SSRF/OOB testing. Postman security collections: auth, authorization, and input validation tests as code in CI.

Best Practices

Authentication: OAuth 2.0 with short-lived JWT tokens (15 minutes), refresh token rotation, PKCE for public clients.

Authorization: always verify object ownership (BOLA prevention), field-level access control, default deny—explicit grants only.

Input: validate all inputs server-side, use allowlists not denylists, reject unexpected fields with strict schema validation.

Output: return only necessary data, use response schemas, paginate large datasets.

Monitoring: log all API calls with user context, alert on anomalous patterns, maintain API inventory and sunset old versions.
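One concrete form of "alert on anomalous patterns": an added example, not from the original tutorial, that runs over constructed access-log lines and flags a caller who reads several other users' order lists within a short window, the footprint of the BOLA ID-enumeration test described under API1. The log format, user IDs, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed access-log sample: time, authenticated caller, method, path, status.
# Caller 99999 walks through other users' order lists; 12345 only reads its own.
SAMPLE_LOG = """\
2025-03-01T10:00:01+00:00 user=99999 GET /api/users/99999/orders 200
2025-03-01T10:00:03+00:00 user=99999 GET /api/users/12345/orders 200
2025-03-01T10:00:04+00:00 user=99999 GET /api/users/12346/orders 403
2025-03-01T10:00:05+00:00 user=99999 GET /api/users/12347/orders 403
2025-03-01T10:00:06+00:00 user=99999 GET /api/users/12348/orders 200
2025-03-01T10:00:07+00:00 user=12345 GET /api/users/12345/orders 200
2025-03-01T10:05:00+00:00 user=55555 GET /api/users/12345/orders 403
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) \S+ /api/users/(\d+)/orders (\d{3})$")


def detect_enumeration(lines: Iterable[str], window_s: int = 60, threshold: int = 3) -> Dict[str, dict]:
    """Flag callers touching >= threshold distinct *other* users' orders within window_s seconds.
    Returns {caller: {"ids": foreign IDs seen, "success": 200s among all foreign reads}};
    403s show probing, 200s show the BOLA actually exposing data."""
    events: Dict[str, List[Tuple[datetime, str, int]]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        ts, caller, obj, status = m.groups()
        if obj == caller:
            continue  # reading your own objects is the expected path
        events[caller].append((datetime.fromisoformat(ts), obj, int(status)))

    flagged: Dict[str, dict] = {}
    for caller, evs in events.items():
        evs.sort()
        start = 0
        for end, (t, _, _) in enumerate(evs):
            # Slide the window start forward until it is within window_s of the current event.
            while (t - evs[start][0]).total_seconds() > window_s:
                start += 1
            ids = {o for _, o, _ in evs[start:end + 1]}
            if len(ids) >= threshold:
                hit = flagged.setdefault(caller, {"ids": set(), "success": 0})
                hit["ids"] |= ids
                hit["success"] = sum(1 for _, _, s in evs if s == 200)
    return flagged
```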

API security requires both automated scanning (catches common issues efficiently) and manual testing (finds business logic flaws automation misses).

Related tools

OWASP ZAP, Burp Suite, Postman, 42Crunch, Salt Security