Chapter 23 Exercises: API Security Testing
⚠️ Important: API testing can generate high request volumes. Always use rate limiting in your scripts and test only against authorized lab environments.
Exercise 1: API Reconnaissance (Beginner)
Objective: Perform comprehensive API reconnaissance against ShopStack.
Instructions:
1. Discover API documentation by testing common documentation endpoints (swagger.json, openapi.json, api-docs, etc.)
2. Analyze ShopStack's JavaScript bundles for embedded API endpoints
3. Use Kiterunner or ffuf to brute-force additional API paths
4. Check the Wayback Machine for historical API endpoints
5. Compile a complete API endpoint inventory
Deliverable: A comprehensive API endpoint inventory including: endpoint path, HTTP methods, authentication requirements, response format, and discovery method.
Exercise 2: GraphQL Introspection and Mapping (Intermediate)
Objective: Map ShopStack's GraphQL schema through introspection.
Instructions:
1. Send an introspection query to ShopStack's /graphql endpoint
2. Extract all types, queries, mutations, and subscriptions
3. Identify sensitive fields in the schema (passwords, tokens, internal IDs)
4. Visualize the schema using GraphQL Voyager
5. If introspection is disabled, attempt to discover the schema through:
- Field suggestion errors
- Common field name brute-forcing
- Documentation/playground endpoints
Deliverable: A complete schema map with annotated sensitive fields and relationship paths that could lead to data exposure.
Exercise 3: BOLA/IDOR Testing (Intermediate)
Objective: Systematically test ShopStack's API for Broken Object Level Authorization.
Instructions:
1. Create two test accounts (User A and User B) with the same privilege level
2. As User A, perform all CRUD operations and capture the request/response for each
3. Replay each request using User B's authentication credentials but User A's resource IDs
4. Test across all HTTP methods (GET, POST, PUT, PATCH, DELETE) for each endpoint
5. Test with no authentication as well
6. Document: endpoint, method, result (accessible/forbidden), and data exposed
Deliverable: A BOLA testing matrix with results for each endpoint/method/user combination.
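The same matrix can be built from the server side: if the API logs the authenticated user and the object touched, a defender can flag every request that was granted although the caller does not own the object. The following is an added example (not part of the chapter and not ShopStack code); the log format, the ownership table and the log lines are constructed for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample access-log lines in a hypothetical format:
# <timestamp> user=<authenticated user id or -> <METHOD> <path> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=42 GET /api/v1/orders/1001 200
2024-05-01T10:00:02Z user=42 PUT /api/v1/orders/1001 200
2024-05-01T10:00:03Z user=7 GET /api/v1/orders/1001 200
2024-05-01T10:00:04Z user=7 DELETE /api/v1/orders/1001 403
2024-05-01T10:00:05Z user=- GET /api/v1/orders/1002 200
2024-05-01T10:00:06Z user=7 GET /api/v1/orders/1002 200
"""

# Constructed ownership table: order id -> owner user id
OWNERS: Dict[str, int] = {"1001": 42, "1002": 7}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>/api/v\d+/orders/(?P<oid>\d+)) (?P<status>\d{3})$"
)


def find_bola_hits(log_text: str, owners: Dict[str, int]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, actor, method, path) for every request the API
    answered with 2xx although the actor is not the object's owner.
    Actor '-' means the request carried no valid authentication."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an object request; nothing to check
        owner = owners.get(m["oid"])
        if owner is None:
            continue  # unknown object: cannot compare against an owner
        actor = m["user"]
        granted = m["status"].startswith("2")
        is_owner = actor != "-" and int(actor) == owner
        if granted and not is_owner:
            hits.append((m["ts"], actor, m["method"], m["path"]))
    return hits


if __name__ == "__main__":
    for hit in find_bola_hits(SAMPLE_LOG, OWNERS):
        print("cross-user access granted:", hit)
```

The 403 on the DELETE is the expected outcome and is not reported; the two 200s for a non-owner (one of them unauthenticated) are.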
Exercise 4: Mass Assignment Testing (Intermediate)
Objective: Test ShopStack's API for mass assignment vulnerabilities.
Instructions:
1. Identify all create and update endpoints in ShopStack's API
2. For each endpoint, examine the expected input fields from documentation
3. Examine the API response for additional fields not in the input
4. Attempt to include additional fields in your requests:
- role, is_admin, is_verified, permissions
- balance, credit, discount_rate
- created_at, updated_at, internal_id
5. After each request, fetch the resource to check if the extra fields were saved
Deliverable: A mass assignment test report documenting each tested endpoint and field, with evidence of any accepted unauthorized fields.
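To see why step 4 works against some back ends and not others, here is an added example (not from the chapter or ShopStack) of a profile update handler in both forms: one that binds every JSON key onto the model and one that applies an allowlist and rejects anything else. The model and field names are constructed.

```python
from dataclasses import asdict, dataclass
from typing import Any, Dict


@dataclass
class User:
    id: int
    email: str
    display_name: str
    role: str = "customer"      # privilege field: must never be client-writable
    is_verified: bool = False
    balance: float = 0.0


# Fields a customer may set on their own profile (allowlist).
PROFILE_WRITABLE = {"email", "display_name"}


def update_profile_vulnerable(user: User, body: Dict[str, Any]) -> User:
    """Binds every key in the JSON body straight onto the model, so a body
    containing {"role": "admin"} or {"balance": 9999} is silently accepted."""
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


class MassAssignmentError(ValueError):
    pass


def update_profile_hardened(user: User, body: Dict[str, Any]) -> User:
    """Applies only allowlisted keys and rejects the whole request when the
    body names any other field, so the attempt shows up in logs instead of
    being quietly dropped."""
    unexpected = set(body) - PROFILE_WRITABLE
    if unexpected:
        raise MassAssignmentError(f"fields not writable: {sorted(unexpected)}")
    for key in PROFILE_WRITABLE & set(body):
        setattr(user, key, body[key])
    return user


if __name__ == "__main__":
    body = {"display_name": "alice", "role": "admin", "balance": 9999}
    print(asdict(update_profile_vulnerable(User(1, "a@example.test", "a"), body)))
    try:
        update_profile_hardened(User(1, "a@example.test", "a"), body)
    except MassAssignmentError as e:
        print("rejected:", e)
```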
Exercise 5: API Rate Limiting Assessment (Intermediate)
Objective: Evaluate ShopStack's rate limiting controls across different endpoint categories.
Instructions:
1. Test rate limiting on the following endpoint categories:
- Authentication (login, registration, password reset)
- Data retrieval (product listing, order history)
- Write operations (create order, update profile)
- Administrative endpoints
2. For each category, incrementally increase request frequency until rate limiting triggers
3. Document the threshold (requests per time window) and the response (429, CAPTCHA, block)
4. Test bypass techniques: X-Forwarded-For manipulation, API version variation, case variation
5. Test GraphQL batching as a rate limit bypass
Deliverable: A rate limiting assessment report with thresholds per endpoint category and bypass results.
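The X-Forwarded-For bypass in step 4 only works when the limiter keys on a header the client controls. This added example (not from the chapter or ShopStack) is a sliding-window limiter with two key functions: a naive one that trusts X-Forwarded-For from anyone, and a hardened one that keys on the authenticated identity and only honours the header from a known proxy. The proxy address, limits and client addresses are constructed.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Set


class SlidingWindowLimiter:
    """Allows at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()                 # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False                # caller should answer 429
        q.append(now)
        return True


def naive_key(headers: Dict[str, str], remote_addr: str) -> str:
    """Weak choice: trusts X-Forwarded-For, which the client can set freely."""
    return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()


def hardened_key(headers: Dict[str, str], remote_addr: str,
                 user_id: Optional[str], trusted_proxies: Set[str]) -> str:
    """Keys on the authenticated identity when there is one; for anonymous
    traffic uses X-Forwarded-For only when the TCP peer is our own proxy,
    and then only the last address, which that proxy appended."""
    if user_id is not None:
        return f"user:{user_id}"
    if remote_addr in trusted_proxies and "X-Forwarded-For" in headers:
        return "ip:" + headers["X-Forwarded-For"].split(",")[-1].strip()
    return f"ip:{remote_addr}"


def simulate(keyfn: Callable[[Dict[str, str], str], str], n: int, limit: int = 5) -> int:
    """n anonymous login attempts from one host (constructed address
    203.0.113.9) that rotates X-Forwarded-For on every request; returns
    how many the limiter lets through."""
    limiter = SlidingWindowLimiter(limit=limit, window=60.0)
    allowed = 0
    for i in range(n):
        headers = {"X-Forwarded-For": f"198.51.100.{i % 250}"}
        if limiter.allow(keyfn(headers, "203.0.113.9"), now=float(i)):
            allowed += 1
    return allowed
```

With the naive key every rotated header value is a fresh bucket, so all attempts pass; with the hardened key the host is throttled at the configured limit.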
Exercise 6: API Fuzzer Development (Advanced)
Objective: Build a Python API fuzzing tool for endpoint discovery and parameter testing.
Instructions:
1. Write a Python tool that:
- Accepts a base URL and optional wordlist
- Discovers API endpoints by fuzzing paths
- For discovered endpoints, identifies accepted HTTP methods
- Fuzzes parameters with common names (id, user_id, admin, debug, etc.)
- Tests for authentication bypass on each endpoint
- Outputs a structured report
2. Use the provided example-01-api-fuzzer.py as a starting point
Deliverable: A working API fuzzer tool with documentation and sample output from testing against ShopStack.
Exercise 7: IDOR Tester Development (Advanced)
Objective: Build a Python tool for automated IDOR/BOLA testing.
Instructions:
1. Write a Python tool that:
- Accepts two authentication tokens (User A and User B)
- Accepts a list of endpoint patterns with ID placeholders
- For each endpoint, accesses User A's resources with User B's token
- Compares response codes and content to determine IDOR vulnerability
- Supports different ID formats (integer, UUID, encoded)
- Generates a report with severity ratings
2. Use the provided example-02-idor-tester.py as a starting point
Deliverable: A working IDOR testing tool with documentation and sample output.
Exercise 8: GraphQL Attack Suite (Advanced)
Objective: Test ShopStack's GraphQL endpoint for the full range of GraphQL-specific vulnerabilities.
Instructions:
1. Introspection: Attempt to query the full schema
2. Excessive Data Exposure: Query sensitive fields on all types
3. Query Complexity: Send deeply nested queries to test for DoS:
```graphql
{ products { reviews { author { orders { items { product { reviews { ... } } } } } } } }
```
4. Batch Attacks: Send 100+ operations in a single batched request
5. Field Duplication: Send queries with duplicated fields using aliases:
```graphql
{ a1: user(id:1){name} a2: user(id:2){name} ... a1000: user(id:1000){name} }
```
6. Mutation Testing: Test all mutations for authorization bypass
7. Injection: Test query arguments for SQL injection and NoSQL injection
Deliverable: A comprehensive GraphQL security assessment covering all tested attack vectors.
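The nested query in step 3 and the alias-duplicated query in step 5 are both caught by a pre-execution check on query shape. This added example (not from the chapter or ShopStack) measures selection depth and alias count with a small scanner rather than a full parser; the limits are constructed and would be tuned per schema. It first removes string literals and argument lists so that braces and colons inside them are not miscounted.

```python
import re
from typing import Tuple

MAX_DEPTH = 6      # hypothetical limits; tune per schema
MAX_ALIASES = 10

STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')          # "..." literals
ARGS_RE = re.compile(r"\([^()]*\)")                     # (arg: value, ...)
ALIAS_RE = re.compile(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*")  # alias: field


def analyze(query: str) -> Tuple[int, int]:
    """Return (maximum selection-set depth, number of aliases).
    Depth counts nested braces, so `{ a { b } }` has depth 2."""
    cleaned = ARGS_RE.sub("()", STRING_RE.sub('""', query))
    depth = max_depth = 0
    for ch in cleaned:
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
    return max_depth, len(ALIAS_RE.findall(cleaned))


def check_query(query: str) -> Tuple[bool, str]:
    """Decide before execution whether the query is within limits."""
    depth, aliases = analyze(query)
    if depth > MAX_DEPTH:
        return False, f"depth {depth} exceeds {MAX_DEPTH}"
    if aliases > MAX_ALIASES:
        return False, f"{aliases} aliases exceed {MAX_ALIASES}"
    return True, "ok"


# Constructed versions of the two queries from the exercise.
DEEP_QUERY = "{ products { reviews { author { orders { items { product { reviews { id } } } } } } } }"
ALIAS_QUERY = "{ " + " ".join(f"a{i}: user(id:{i}){{name}}" for i in range(1, 21)) + " }"

if __name__ == "__main__":
    for q in (DEEP_QUERY, ALIAS_QUERY, "{ products(first: 10) { id name } }"):
        print(check_query(q))
```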
Exercise 9: API Business Logic Testing (Advanced)
Objective: Identify business logic vulnerabilities in ShopStack's checkout API.
Instructions:
1. Map the complete checkout workflow through the API:
- Add items to cart
- Apply coupon codes
- Set shipping address
- Select shipping method
- Process payment
- Confirm order
2. Test the following business logic attacks:
- Apply the same coupon multiple times (race condition)
- Modify item prices in the order request
- Skip the payment step and directly confirm
- Use negative quantities
- Change the order total after payment processing
- Apply a coupon after payment but before confirmation
3. Test race conditions using concurrent requests
Deliverable: A business logic assessment documenting the intended workflow, tested manipulations, and any successful bypasses.
Exercise 10: API Authentication Bypass (Intermediate)
Objective: Systematically test ShopStack's API authentication mechanisms for bypass vulnerabilities.
Instructions:
1. For each API endpoint, test access with:
- No authentication header
- Empty Bearer token
- Malformed token (random string, partial JWT)
- Expired token
- Token from a different service/environment
- API key in URL parameter instead of header
- HTTP Basic auth with default credentials
2. Test whether changing the HTTP method bypasses auth (GET allowed, POST requires auth?)
3. Test whether adding a trailing slash or path segment bypasses auth
4. Test whether content-type manipulation affects auth enforcement
Deliverable: An authentication bypass matrix showing the result for each endpoint/technique combination.
Exercise 11: OWASP API Security Top 10 Assessment (Advanced)
Objective: Conduct a full OWASP API Security Top 10 assessment of ShopStack's API.
Instructions: For each of the 10 API security risks, perform targeted testing:
1. API1 - BOLA: Cross-user object access testing
2. API2 - Broken Authentication: Auth mechanism assessment
3. API3 - Broken Object Property Level Auth: Mass assignment + excessive data exposure
4. API4 - Unrestricted Resource Consumption: Rate limiting and DoS testing
5. API5 - Broken Function Level Auth: Admin endpoint access from regular user
6. API6 - Unrestricted Access to Sensitive Business Flows: Automation abuse testing
7. API7 - SSRF: URL parameter testing (covered in Chapter 22)
8. API8 - Security Misconfiguration: CORS, error messages, debug endpoints
9. API9 - Improper Inventory Management: Shadow API and version discovery
10. API10 - Unsafe Consumption of APIs: Webhook and integration testing
Deliverable: A complete OWASP API Security Top 10 assessment report with findings organized by category.
Exercise 12: API Security Automation Framework (Advanced)
Objective: Build a reusable API security testing framework.
Instructions:
1. Extend the framework from Section 23.11 to include:
- BOLA testing module
- Mass assignment testing module
- Rate limiting assessment module
- Authentication bypass testing module
- Excessive data exposure detection
- Configuration analysis (CORS, headers, error handling)
2. The framework should accept an OpenAPI/Swagger specification as input
3. Generate a structured JSON/HTML report
Deliverable: A working API security testing framework with module documentation and sample reports.
Exercise 13: MedSecure FHIR API Assessment (Intermediate)
Objective: Test MedSecure's FHIR healthcare API for security vulnerabilities.
Instructions:
1. Discover all FHIR endpoints (Patient, Observation, MedicationRequest, etc.)
2. Test BOLA: Can a clinician access patients outside their care team?
3. Test scope restrictions: Can a billing-scoped token access clinical data?
4. Test the $everything operation for excessive data exposure
5. Verify that audit logs capture all API access (HIPAA requirement)
6. Test the search API for parameter injection
7. Verify that PHI is not exposed in error messages
Deliverable: A FHIR API security assessment with HIPAA compliance annotations.
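Steps 3 and 4 come down to how the server maps a request onto the token's SMART on FHIR scopes. This added example (not from the chapter or MedSecure) parses v1 scopes such as `user/Patient.read` and v2 scopes such as `patient/Observation.rs`, derives the permission a request needs from its method and path, and treats `$everything` as requiring wildcard read, which is an assumed policy for the illustration. The token scope sets are constructed.

```python
import re
from typing import Iterable, Optional, Tuple

# context/ResourceType.permission  (v1: read|write|*, v2: subset of c r u d s)
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*|[cruds]+)$")
V1_TO_V2 = {"read": "rs", "write": "cud", "*": "cruds"}

# /[fhir]/Type[/id][/$op][?query]  (constructed base path)
PATH_RE = re.compile(r"^(?:/fhir)?/([A-Z][A-Za-z]+)(?:/([^/?$]+))?(?:/\$([a-z]+))?(\?.*)?$")


def scope_allows(scopes: Iterable[str], resource_type: str, action: str) -> bool:
    """action is one of c/r/u/d/s. Non-resource scopes (openid, launch/patient)
    are ignored. resource_type '*' is satisfied only by a wildcard scope."""
    for scope in scopes:
        m = SCOPE_RE.match(scope)
        if not m:
            continue
        _ctx, rtype, perm = m.groups()
        if rtype not in ("*", resource_type):
            continue
        if action in V1_TO_V2.get(perm, perm):
            return True
    return False


def required_permission(method: str, path: str) -> Optional[Tuple[str, str]]:
    """Map an HTTP request onto (resource type, action)."""
    m = PATH_RE.match(path)
    if not m:
        return None
    rtype, rid, op, _query = m.groups()
    if op == "everything":
        return "*", "r"   # policy assumption: a bundle of many types needs wildcard read
    if method == "GET":
        return rtype, "r" if rid else "s"
    return rtype, {"POST": "c", "PUT": "u", "PATCH": "u", "DELETE": "d"}.get(method, "?")


def authorize(scopes: Iterable[str], method: str, path: str) -> bool:
    req = required_permission(method, path)
    return req is not None and scope_allows(scopes, req[0], req[1])


# Constructed tokens: a billing integration and a clinician launch.
BILLING = ["openid", "user/Claim.read", "user/Coverage.read", "user/Patient.read"]
CLINICIAN = ["launch/patient", "patient/*.read"]
```

Scope enforcement answers step 3 only; whether a clinician's patient context covers a given patient (step 2) is a separate compartment check on top of this.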
Exercise 14: gRPC Security Testing (Advanced)
Objective: Test ShopStack's internal gRPC services for security vulnerabilities.
Instructions:
1. Use grpcurl to test whether gRPC reflection is enabled on ShopStack's internal services
2. If reflection is enabled, enumerate all available services and methods
3. Test authentication requirements on each gRPC method
4. Test for authorization bypass (can a customer call merchant-only methods?)
5. Test for injection attacks in gRPC message fields
6. Test for resource exhaustion through streaming RPCs
Deliverable: A gRPC security assessment documenting service enumeration, authentication/authorization testing, and injection results.
Exercise 15: API Versioning and Shadow API Discovery (Intermediate)
Objective: Discover undocumented and deprecated API versions in ShopStack.
Instructions:
1. Test for API versions v1 through v10 on all known endpoint patterns
2. Check for common API prefixes: /api/, /rest/, /graphql/, /internal/, /admin/, /debug/, /staging/
3. Check for API endpoints on subdomains: api.shopstack.local, internal.shopstack.local
4. Compare the responses from different API versions: do older versions lack security controls?
5. Use Wayback Machine data to identify removed endpoints that may still be accessible
6. Test whether deprecated endpoints still function and lack newer security controls
Deliverable: A shadow API inventory documenting all discovered endpoints with their version, authentication status, and comparison to current documented API.
Exercise 16: Webhook Security Assessment (Intermediate)
Objective: Test ShopStack's webhook endpoints for security vulnerabilities.
Instructions:
1. Identify all webhook endpoints (payment callbacks, shipping notifications, inventory updates)
2. Test whether webhooks verify the sender's identity (signature validation)
3. Attempt to replay a captured webhook with modified data
4. Test for SSRF through webhook URL configuration
5. Test whether webhook payloads can trigger injection attacks in ShopStack's processing logic
6. Verify that webhook failures don't expose sensitive information in error responses
Deliverable: A webhook security assessment covering authentication, integrity, injection, and SSRF testing.
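Steps 2 and 3 pass only when the receiver binds a signature to both the body and a timestamp and remembers delivery ids it has already processed. This added example (not from the chapter or ShopStack) shows the sender-side signing routine and a receiver that checks timestamp tolerance, HMAC-SHA256 over `timestamp.body` in constant time, and replay of the delivery id. The header names, secret and tolerance are constructed.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

WEBHOOK_SECRET = b"constructed-shared-secret"   # constructed, not a real value
MAX_SKEW_SECONDS = 300


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: sign the timestamp and the raw body together so neither
    can be altered or re-paired with a different one."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return mac.hexdigest()


class Verifier:
    def __init__(self, secret: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.secret, self.max_skew = secret, max_skew
        self._seen = set()   # delivery ids already processed (replay guard)

    def verify(self, headers: Dict[str, str], body: bytes, now: Optional[int] = None) -> str:
        """Return 'ok' or a rejection reason; the caller should act only on 'ok'."""
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Webhook-Timestamp"])
            sig = headers["X-Webhook-Signature"]
            delivery_id = headers["X-Webhook-Id"]
        except (KeyError, ValueError):
            return "missing or malformed headers"
        if abs(now - ts) > self.max_skew:
            return "timestamp outside tolerance"
        expected = sign(self.secret, ts, body)
        if not hmac.compare_digest(expected, sig):
            return "bad signature"          # constant-time compare
        # replay check comes after the signature check so that unsigned
        # traffic cannot fill the seen-id set
        if delivery_id in self._seen:
            return "replayed delivery id"
        self._seen.add(delivery_id)
        return "ok"
```

A captured webhook with a modified body fails the signature check; the unmodified capture sent again fails the delivery-id check, and one held back for longer than the tolerance fails the timestamp check.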
Exercise 17: API Security Report Writing (Beginner)
Objective: Write a professional API security assessment report.
Instructions:
1. Using findings from any three exercises above, create a professional penetration test report including:
- Executive Summary (non-technical, for management)
- Methodology (tools and techniques used)
- Findings (organized by severity: Critical, High, Medium, Low, Informational)
- Each finding should include: description, impact, reproduction steps, evidence (screenshots/requests), remediation recommendation, OWASP API mapping
- Risk Matrix (likelihood vs. impact)
- Appendices (tool output, full request/response captures)
2. Follow the report template from Appendix B
Deliverable: A professional-quality API security assessment report ready for client delivery.
Exercise 18: Vulnerable API Lab Setup (Beginner)
Objective: Deploy and configure a complete API security testing lab.
Instructions:
1. Deploy the following vulnerable applications using Docker:
- OWASP crAPI (Completely Ridiculous API)
- VAmPI (Vulnerable API)
- Damn Vulnerable GraphQL Application (DVGA)
2. Configure Postman or Insomnia with collections for each application
3. Set up Burp Suite to proxy API traffic
4. Complete at least 3 challenges in crAPI
5. Exploit at least 3 vulnerabilities in VAmPI
6. Complete at least 3 GraphQL attacks in DVGA
7. Document each challenge/vulnerability with screenshots
Deliverable: A lab guide with setup instructions, tool configurations, and challenge walkthroughs.