Chapter 23 Further Reading: API Security Testing

Standards and Frameworks

  • OWASP API Security Top 10 (2023). The definitive classification of API security risks. Each entry includes a detailed description, example attack scenarios, and prevention measures. This should be the starting framework for every API security assessment. https://owasp.org/API-Security/

  • OWASP API Security Project. The project home for the Top 10 and its supporting material (document source, cheat sheets, related resources). Step-by-step API testing procedures, including a GraphQL section, live in the separate OWASP Web Security Testing Guide. https://owasp.org/www-project-api-security/

  • OpenAPI Specification (OAS) 3.1. Understanding the API documentation standard helps with both reconnaissance (finding API documentation) and understanding API architecture. https://spec.openapis.org/oas/latest.html

  • GraphQL Specification. The official GraphQL specification is essential for understanding the query language, type system, introspection mechanism, and execution model that underpin GraphQL-specific attacks. https://spec.graphql.org/

  • gRPC Documentation. Official documentation for gRPC including Protocol Buffers, service definitions, and interceptor patterns relevant to security testing. https://grpc.io/docs/

  • NIST SP 800-204: Security Strategies for Microservices-based Application Systems. NIST guidance on securing microservice architectures, which are typically API-driven. Covers authentication, authorization, and API gateway security patterns. https://csrc.nist.gov/publications/detail/sp/800-204/final

Books

  • "Hacking APIs: Breaking Web Application Programming Interfaces" by Corey Ball (No Starch Press, 2022). The most comprehensive book specifically dedicated to API security testing. Covers reconnaissance, authentication attacks, authorization flaws, and injection techniques with practical methodology.

  • "Black Hat GraphQL" by Nick Aleks and Dolev Farhi (No Starch Press, 2023). Focused exclusively on GraphQL security, covering introspection exploitation, query manipulation, authorization bypass, and GraphQL-specific injection attacks.

  • "API Security in Action" by Neil Madden (Manning, 2020). Approaches API security from the defensive perspective, covering token-based authentication, OAuth 2.0, capability-based security, and microservice security patterns. Understanding the intended security architecture helps identify implementation gaps.

  • "Designing Web APIs" by Brenda Jin, Saurabh Sahni, and Amir Shevat (O'Reilly, 2018). Covers API design best practices including authentication patterns, rate limiting, and versioning. Understanding design intent helps identify where implementations deviate.

  • "Bug Bounty Bootcamp" by Vickie Li (No Starch Press, 2021). Includes practical chapters on API vulnerability discovery and exploitation with a bug bounty focus, including IDOR, mass assignment, and business logic flaws.

Research and Reports

  • Salt Security: State of API Security Report (Annual). Industry report with statistics on API attack trends, vulnerability categories, and organizational preparedness. The 681% year-over-year increase in API attack traffic cited in the chapter comes from Salt's Q3 2022 edition. https://salt.security/api-security-trends

  • Postman State of the API Report (Annual). Industry survey covering API adoption, architecture choices, and security practices. Useful for understanding the threat landscape context. https://www.postman.com/state-of-api/

  • "We Hacked Apple for 3 Months: Here's What We Found" by Sam Curry et al. (2020). Blog post documenting API reconnaissance and exploitation techniques, including forgotten and undocumented endpoints, against a major technology company's production environment. https://samcurry.net/

  • Uber bug bounty disclosures (various researchers, HackerOne). Multiple published reports of BOLA/IDOR flaws in Uber's APIs, several escalating to account takeover, demonstrating real-world exploitation techniques.

  • Optus data breach (2022). Australian Cyber Security Centre material and public reporting on the unauthenticated API endpoint through which roughly 9.8 million customer records were exposed; a frequently cited real-world case of missing authentication on an internet-facing API.

Tools and Documentation

  • Kiterunner. API endpoint discovery tool using route signatures from common web frameworks. Significantly more effective than generic directory brute-forcing for API discovery. https://github.com/assetnote/kiterunner

  • Arjun. HTTP parameter discovery tool that identifies hidden and undocumented API parameters through intelligent fuzzing. https://github.com/s0md3v/Arjun

  • GraphQL Voyager. Interactive GraphQL schema visualization tool that generates relationship diagrams from introspection queries. https://github.com/graphql-kit/graphql-voyager

  • InQL (Burp Suite Extension). GraphQL introspection, query analysis, and attack payload generation integrated into Burp Suite. https://github.com/doyensec/inql

  • grpcurl. Command-line tool for interacting with gRPC services, including reflection-based service discovery. https://github.com/fullstorydev/grpcurl

  • Postman and Insomnia. API development and testing platforms that facilitate manual API security testing through collection management, environment variables, and request chaining. https://www.postman.com/ https://insomnia.rest/

  • ffuf. Fast web fuzzer ideal for API endpoint discovery and parameter fuzzing. https://github.com/ffuf/ffuf

  • Burp Suite API Testing Features. Burp Suite's built-in OpenAPI parser and API scanning capabilities for automated API vulnerability detection. https://portswigger.net/burp/documentation/desktop/testing-workflow/working-with-apis

Vulnerable Practice Applications

  • OWASP crAPI (Completely Ridiculous API). Purpose-built vulnerable API application covering all OWASP API Security Top 10 categories. The recommended first practice target for API security testing. https://github.com/OWASP/crAPI

  • VAmPI (Vulnerable API). A simple vulnerable REST API built with Flask, ideal for learning basic API vulnerability exploitation. https://github.com/erev0s/VAmPI

  • Damn Vulnerable GraphQL Application (DVGA). Intentionally vulnerable GraphQL application with challenges covering introspection, injection, authorization bypass, and DoS. https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application

  • OWASP Juice Shop. While primarily a web application, Juice Shop includes extensive API-based challenges and serves as a realistic target. https://owasp.org/www-project-juice-shop/

  • Pixi by OWASP DevSlop. A deliberately vulnerable API designed for teaching API security concepts. https://github.com/DevSlop/Pixi

Conference Talks and Courses

  • "Hacking APIs" by Corey Ball (DEF CON, various years). Practical demonstrations of API exploitation techniques against realistic targets.

  • "Top 10 API Bugs (and How to Find Them)" by Inon Shkedy (OWASP AppSec). Overview of the most common API vulnerabilities with practical detection methodology, from one of the OWASP API Security Project co-leads.

  • "GraphQL Batching Attack" by Nick Aleks (NahamCon). Demonstration of GraphQL-specific attacks including batching, query complexity exploitation, and authorization bypass.

  • APIsec University. Free online courses covering API security fundamentals, OWASP API Top 10, and hands-on testing techniques. https://www.apisecuniversity.com/

  • PortSwigger Web Security Academy — API Testing. Free structured labs covering API vulnerability identification and exploitation. https://portswigger.net/web-security/api-testing
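Several of the GraphQL resources above (the specification's introspection mechanism, Voyager and InQL, DVGA, and the batching talk) revolve around two steps a tester performs by hand: read the introspected schema to find root operations and sensitive fields, then pack many aliased calls into one document so a single request enumerates objects or attempts many logins. The script below is an added example of both steps, not code from the page or from any tool it lists. The introspection result is a constructed, trimmed `__schema` response of the shape a real server returns, and the function names, the keyword list, and the `u0`, `u1`, ... alias scheme are the author's own choices.

```python
"""Offline GraphQL triage: summarise an introspection result and build an
alias-batching probe. Added example; the schema below is constructed."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample introspection response (trimmed to what the helpers need).
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "me", "args": [],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            {"name": "user",
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "login",
             "args": [{"name": "username", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                      {"name": "password", "type": {"kind": "SCALAR", "name": "String", "ofType": None}}],
             "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "deleteUser",
             "args": [{"name": "id", "type": {"kind": "SCALAR", "name": "ID", "ofType": None}}],
             "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None}}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [], "type": {"kind": "SCALAR", "name": "ID", "ofType": None}},
            {"name": "email", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "passwordHash", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": None}}]},
        {"kind": "SCALAR", "name": "String", "fields": None},
    ]}}}

# Field names worth a second look when they show up in introspection (author's list).
SENSITIVE = re.compile(r"password|secret|token|ssn|apikey|hash", re.IGNORECASE)


def unwrap(t: dict) -> str:
    """Strip NON_NULL / LIST wrappers to the named type, e.g. [User!]! -> User."""
    while t.get("name") is None and t.get("ofType"):
        t = t["ofType"]
    return t.get("name") or "?"


def schema_types(introspection: dict) -> Dict[str, dict]:
    """Index the __schema.types array by type name."""
    return {t["name"]: t for t in introspection["data"]["__schema"]["types"]}


def root_operations(introspection: dict, root: str) -> List[Tuple[str, List[str], str]]:
    """(name, argument names, return type) for every field on the 'query' or
    'mutation' root; an absent root (no mutationType) yields an empty list."""
    schema = introspection["data"]["__schema"]
    root_type = schema.get(f"{root}Type")
    if not root_type:
        return []
    fields = schema_types(introspection)[root_type["name"]].get("fields") or []
    return [(f["name"], [a["name"] for a in f["args"]], unwrap(f["type"])) for f in fields]


def sensitive_fields(introspection: dict) -> List[Tuple[str, str]]:
    """(type, field) pairs whose field name matches SENSITIVE on user-defined objects."""
    hits = []
    for name, t in schema_types(introspection).items():
        if name.startswith("__") or t["kind"] != "OBJECT":
            continue
        for f in t.get("fields") or []:
            if SENSITIVE.search(f["name"]):
                hits.append((name, f["name"]))
    return hits


def alias_batch(operation: str, arg: str, values: list, selection: str,
                root: str = "query") -> str:
    """One document with N aliased calls to the same field. Sent as a single HTTP
    request it enumerates user(id:) values or retries login(...) many times,
    which is why per-request rate limits alone do not stop it."""
    lines = [f"  u{i}: {operation}({arg}: {json.dumps(v)}) {{ {selection} }}"
             for i, v in enumerate(values)]
    return f"{root} {{\n" + "\n".join(lines) + "\n}"


if __name__ == "__main__":
    for root in ("query", "mutation"):
        for name, args, ret in root_operations(SAMPLE_INTROSPECTION, root):
            print(f"{root}.{name}({', '.join(args)}) -> {ret}")
    print("sensitive:", sensitive_fields(SAMPLE_INTROSPECTION))
    print(alias_batch("user", "id", ["1", "2", "3"], "id email"))
```

Against a live target the same helpers take the JSON body returned by a standard introspection query; the schema walk flags `deleteUser` as a mutation with an `id` argument (a BOLA/BFLA candidate) and `User.passwordHash` as a field that should never be selectable, and the batched `user(id:)` document is the request to replay with two different users' tokens to confirm object-level authorization.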

Healthcare API Security

  • HL7 FHIR Security Specification. Security and privacy guidance specific to FHIR healthcare APIs, including SMART on FHIR authorization. https://www.hl7.org/fhir/security.html

  • ONC Cures Act Final Rule API Requirements. US regulatory requirements for healthcare API access, balancing patient data accessibility with security. https://www.healthit.gov/curesrule/
