
owasp-api-security (listed)

OWASP API Security Top 10 testing patterns, injection payloads, auth bypass vectors, and security test generation for REST APIs. Use when writing security tests, reviewing API endpoints for vulnerabilities, or auditing input validation.
agigante80/forge-kit · ★ 0 · API & Backend · score 62
Install: claude install-skill agigante80/forge-kit
<!-- owasp-api-security-version: 1 -->

# OWASP API Security Testing

Comprehensive security testing knowledge base for REST APIs, aligned with OWASP API Security Top 10:2023 and OWASP ASVS 5.0.

## When to Use This Skill

- Writing security tests for API endpoints
- Reviewing endpoints for OWASP vulnerabilities
- Generating injection/fuzzing payloads for test suites
- Auditing authentication and authorization logic
- Validating input sanitization and output encoding
- Assessing rate limiting and resource exhaustion protections

## OWASP API Security Top 10:2023

### API1 - Broken Object Level Authorization (BOLA / IDOR)

**What:** User A can access/modify User B's resources by manipulating IDs.

**Test patterns:**

```typescript
// Access another user's resource while authenticated as user A
const getRes = await app.inject({
  method: 'GET',
  url: '/members/OTHER_USER_ID',
  headers: { cookie: userASession },
})
expect(getRes.statusCode).toBe(403) // or 404 - never 200

// Modify another user's resource while authenticated as user A
const putRes = await app.inject({
  method: 'PUT',
  url: '/zones/OTHER_USER_ZONE_ID',
  headers: { cookie: userASession },
  payload: { name: 'hijacked' },
})
expect(putRes.statusCode).toBe(403)
```

**Checklist:**

- [ ] Every endpoint with `:id` params verified against session user
- [ ] Enumerable IDs (sequential integers) replaced with CUIDs
- [ ] List endpoints only return resources owned by/shared with caller

### API2 - Broken Authentication

**Test patterns:**

```typescript
// No auth header
const res = await
```
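The ownership check the API1 checklist calls for, as an added example that is not part of the forge-kit skill: an in-memory stand-in for the `/members/:id` handler with a BOLA-prone version beside a hardened one, plus the list-endpoint filter. The member records, user ids, `Session` and `Reply` shapes are constructed for illustration; a real handler would take the session from the request cookie the `app.inject` tests above send.

```typescript
// Added example (not from the forge-kit skill). Constructed in-memory data
// standing in for the members table behind GET/PUT /members/:id.
type Member = { id: string; ownerId: string; name: string };
type Session = { userId: string };
type Reply = { statusCode: number; body?: unknown };

const members = new Map<string, Member>([
  ['m_alice', { id: 'm_alice', ownerId: 'user_a', name: 'Alice' }],
  ['m_bob', { id: 'm_bob', ownerId: 'user_b', name: 'Bob' }],
]);

// BOLA-prone: trusts the :id path param and never consults the session,
// so any authenticated caller can read any member by guessing ids.
function getMemberUnchecked(_session: Session, id: string): Reply {
  const m = members.get(id);
  if (!m) return { statusCode: 404 };
  return { statusCode: 200, body: m };
}

// Hardened: the record must belong to the session user. Answering 404 rather
// than 403 also avoids confirming that a foreign id exists; the skill's test
// accepts either, never 200.
function getMemberChecked(session: Session, id: string): Reply {
  const m = members.get(id);
  if (!m || m.ownerId !== session.userId) return { statusCode: 404 };
  return { statusCode: 200, body: m };
}

// Same rule on mutation: the ownership check runs before any write happens.
function renameMemberChecked(session: Session, id: string, name: string): Reply {
  const m = members.get(id);
  if (!m || m.ownerId !== session.userId) return { statusCode: 404 };
  m.name = name;
  return { statusCode: 200, body: m };
}

// List endpoint: filter by caller instead of returning the whole table.
function listMembers(session: Session): Member[] {
  return [...members.values()].filter((m) => m.ownerId === session.userId);
}

// The API1 probe from the test patterns, runnable against any GET handler:
// user A requests user B's record and must not get 200 back.
function bolaProbe(handler: (s: Session, id: string) => Reply): boolean {
  const r = handler({ userId: 'user_a' }, 'm_bob');
  return r.statusCode === 403 || r.statusCode === 404;
}
```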