testing-api-security-with-owasp-top-10

# Testing API Security with OWASP Top 10 ## When to Use - During authorized API penetration testing engagements - When assessing REST, GraphQL, or gRPC APIs for security vulnerabilities - Before deploying new API endpoints to production environments - When reviewing API security posture against the OWASP API Security Top 10 (2023) - For validating API gateway security controls and rate limiting effectiveness ## Prerequisites - **Authorization**: Written scope document covering all API endpoints to be tested - **Burp Suite Professional**: For intercepting and modifying API requests - **Postman**: For organizing and executing API test collections - **ffuf**: For API endpoint and parameter fuzzing - **curl/httpie**: Command-line HTTP clients for manual testing - **API documentation**: Swagger/OpenAPI spec, GraphQL schema, or API docs - **jq**: JSON processor for parsing API responses (`apt install jq`) ## Workflow ### Step 1: Discover and Map API Endpoints Enumerate all available API endpoints and understand the API surface. ```bash # If OpenAPI/Swagger spec is available, download it curl -s "https://api.target.example.com/swagger.json" | jq '.paths | keys[]' curl -s "https://api.target.example.com/v2/api-docs" | jq '.paths | keys[]' curl -s "https://api.target.example.com/openapi.yaml" # Fuzz for API endpoints ffuf -u "https://api.target.example.com/api/v1/FUZZ" \ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \ -mc 200,201,204,301,401,403,405 \...