Chapter 23 Quiz: API Security Testing

Test your understanding of REST, GraphQL, and gRPC security, BOLA/IDOR, mass assignment, rate limiting, API authentication, and the OWASP API Security Top 10.


Question 1. What is Broken Object Level Authorization (BOLA), and why is it the #1 risk in the OWASP API Security Top 10?

A) A vulnerability where the API allows SQL injection through object parameters; ranked #1 because SQL injection is the most common attack
B) A failure to verify that the requesting user is authorized to access a specific object; ranked #1 because it is the most prevalent and easily exploitable API vulnerability
C) A flaw where API objects are not properly encrypted; ranked #1 because data exposure is the most impactful risk
D) A misconfiguration where API endpoints are not authenticated; ranked #1 because unauthenticated APIs are the most dangerous


Question 2. An API returns the following response for a product query. Which field represents excessive data exposure?

{"id": 123, "name": "Widget", "price": 29.99, "cost": 12.50, "supplier_api_key": "sk_abc123"}

A) The id field because it is a sequential integer
B) The price field because it reveals pricing strategy
C) The cost and supplier_api_key fields because they expose internal business data and credentials
D) All fields are appropriate for a product API response


Question 3. GraphQL introspection is a security concern because:

A) It allows attackers to execute arbitrary database queries
B) It reveals the entire API schema including all types, fields, and relationships
C) It provides direct access to the underlying database
D) It bypasses all authentication controls


Question 4. What is mass assignment vulnerability in the context of APIs?

A) Assigning multiple users to the same API key
B) Sending bulk requests that overwhelm the server
C) Including additional properties in a request that automatically bind to internal object fields the user shouldn't be able to modify
D) Assigning the same object ID to multiple resources


Question 5. A deeply nested GraphQL query like { users { orders { items { product { reviews { author { orders { ... } } } } } } } } can cause:

A) SQL injection through nested field names
B) Cross-site scripting through deeply nested responses
C) Denial of service through exponential database query generation
D) Authentication bypass through query depth confusion


Question 6. An attacker sends the following registration request. What attack is being attempted?

POST /api/v1/register
{"username": "hacker", "password": "pass123", "email": "h@ck.er", "role": "admin"}

A) SQL injection
B) Mass assignment (attempting to set a privileged role during registration)
C) Credential stuffing
D) Parameter pollution


Question 7. Which tool is specifically designed for API endpoint discovery using route signature matching?

A) Nmap
B) Nikto
C) Kiterunner
D) Wireshark


Question 8. An API implements rate limiting based on IP address. Which technique is most likely to bypass this control?

A) Using HTTPS instead of HTTP
B) Rotating the X-Forwarded-For header value with each request
C) Changing the User-Agent header
D) Using a different Content-Type


Question 9. In GraphQL batch query attacks, an attacker sends 1000 login mutations in a single HTTP request. This bypasses rate limiting because:

A) GraphQL uses a different protocol that doesn't support rate limiting
B) Most rate limiting implementations count HTTP requests, not individual operations within a batch
C) GraphQL mutations are not subject to authentication controls
D) Batch queries are processed asynchronously and bypass all security controls


Question 10. What is a "shadow API"?

A) An API that only operates during nighttime hours
B) An API endpoint that exists in production but is not documented in the organization's API inventory
C) A backup API that activates when the primary API fails
D) An API that uses encryption to hide its traffic


Question 11. When testing for BOLA in an API that uses UUIDs instead of sequential integers, which approach is most effective?

A) BOLA testing is unnecessary because UUIDs cannot be enumerated
B) Generate random UUIDs and test each one
C) Collect UUIDs from other API responses, listing endpoints, and application features, then test cross-user access
D) Convert UUIDs to sequential integers using a lookup table


Question 12. An API endpoint /api/v1/users returns 403 for a regular user. The attacker changes the request to POST /api/v1/users and receives a 200 response. This vulnerability is classified as:

A) Broken Object Level Authorization (API1)
B) Broken Authentication (API2)
C) Broken Function Level Authorization (API5)
D) Security Misconfiguration (API8)


Question 13. During API testing, you discover that the /api/v2/users endpoint exists alongside the documented /api/v3/users. The v2 endpoint returns more data and has weaker authentication. This finding maps to which OWASP API risk?

A) API3: Broken Object Property Level Authorization
B) API5: Broken Function Level Authorization
C) API9: Improper Inventory Management
D) API10: Unsafe Consumption of APIs


Question 14. What is the most effective defense against BOLA/IDOR vulnerabilities?

A) Using UUIDs instead of sequential integers for resource identifiers
B) Implementing server-side authorization checks that validate the requesting user's ownership of or access to the requested resource
C) Requiring API keys for all endpoints
D) Rate limiting all API requests


Question 15. A race condition in ShopStack's coupon API allows applying a 20% discount code 50 times simultaneously, resulting in a 1000% discount. This vulnerability maps to which OWASP API risk category?

A) API1: BOLA
B) API4: Unrestricted Resource Consumption
C) API6: Unrestricted Access to Sensitive Business Flows
D) API8: Security Misconfiguration


Question 16. Which of the following is the best approach for testing API token expiration?

A) Decode the JWT and check the exp claim value
B) Use the token immediately after issuance, then wait past the expected expiration time and test again
C) Change the exp claim to a future date and resubmit
D) Delete the token and verify the server returns a 401


Question 17. gRPC reflection being enabled on a production service is a security concern because:

A) It allows remote code execution through Protocol Buffers
B) It reveals all available service definitions, methods, and message types to any client
C) It enables man-in-the-middle attacks on HTTP/2 connections
D) It bypasses TLS encryption on gRPC connections


Question 18. An API webhook endpoint accepts payment notifications without verifying the sender's cryptographic signature. An attacker sends a forged payment confirmation to mark an unpaid order as paid. This vulnerability maps to:

A) API2: Broken Authentication
B) API7: Server Side Request Forgery
C) API10: Unsafe Consumption of APIs
D) API8: Security Misconfiguration


Answer Key

  1. B — BOLA occurs when API endpoints expose object identifiers but fail to verify that the requesting user is authorized to access the specific object. It is ranked #1 because it is extremely common in APIs (which rely on client-provided identifiers) and is easily exploitable.

  2. C — The cost field reveals internal business information (profit margins), and the supplier_api_key exposes third-party credentials. Neither should be included in a customer-facing API response.

  3. B — GraphQL introspection reveals the complete schema, allowing attackers to understand every type, field, query, mutation, and relationship — essentially providing a complete map of the API's capabilities.

  4. C — Mass assignment occurs when an API automatically binds all request properties to internal object fields. An attacker includes fields like role or is_admin that they shouldn't be able to set.

  5. C — Deeply nested GraphQL queries can cause the server to execute an exponential number of database queries. Without query depth/complexity limits, this creates a denial-of-service condition.

  6. B — The attacker is attempting mass assignment by including a role field in the registration request, hoping the API will automatically assign the admin role.

  7. C — Kiterunner is specifically designed for API endpoint discovery, using route signatures from common web frameworks to efficiently identify API paths.

  8. B — Many applications trust the X-Forwarded-For header for IP identification. By rotating this value, the attacker appears to come from different IP addresses, bypassing IP-based rate limiting.

  9. B — GraphQL batching allows multiple operations in a single HTTP request. Rate limiters that count HTTP requests see only one request, even though it contains 1000 individual operations.

  10. B — A shadow API is an endpoint that exists in production but is not documented, monitored, or managed as part of the organization's API inventory — making it a prime target for attackers.

  11. C — While UUIDs cannot be enumerated sequentially, they can be discovered through other API responses, listing endpoints, error messages, and application features. BOLA testing requires obtaining valid UUIDs, not generating them randomly.

  12. C — Broken Function Level Authorization (API5) occurs when an API endpoint is protected for one HTTP method but not another. The authorization should be consistent across all methods for the same resource.

  13. C — Improper Inventory Management (API9) addresses the risk of deprecated, undocumented, or forgotten API versions remaining accessible in production with weaker security controls.

  14. B — The primary defense against BOLA is implementing authorization checks on every data access that verify the requesting user has legitimate access to the specific resource. UUIDs reduce enumerability but do not prevent authorized access abuse.
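The defenses described in answers 4 and 14 side by side, as an added example that is not part of the quiz or its chapter: a server-side ownership check on every object fetch, and an explicit allowlist of client-writable fields so that extra properties in the request never bind to the model. The data store, user roles and order fields are constructed for illustration.

```python
# Added example: object-level authorization plus a mass-assignment allowlist.
# The in-memory store, roles and field names below are constructed, not taken
# from any real API.
from dataclasses import dataclass


@dataclass
class User:
    id: str
    role: str = "customer"


@dataclass
class Order:
    id: str
    owner_id: str
    status: str = "pending"
    notes: str = ""


class Forbidden(Exception):
    pass


# Constructed sample data: one order per customer, keyed by a UUID-style id.
ORDERS = {
    "a1b2c3d4-0000-4000-8000-000000000001": Order(
        "a1b2c3d4-0000-4000-8000-000000000001", owner_id="u-alice"),
    "a1b2c3d4-0000-4000-8000-000000000002": Order(
        "a1b2c3d4-0000-4000-8000-000000000002", owner_id="u-bob"),
}

# Only these fields may be set by a customer. owner_id, status and id are
# deliberately absent, so a request that includes them is ignored rather
# than bound to the object (the mass-assignment defense from answer 4).
CUSTOMER_WRITABLE = {"notes"}


def authorize_order_access(user: User, order_id: str) -> Order:
    """Return the order only if the caller owns it or is staff (answer 14)."""
    order = ORDERS.get(order_id)
    # Same error for "missing" and "not yours": the response must not reveal
    # whether a guessed or harvested identifier exists.
    if order is None or (order.owner_id != user.id and user.role != "staff"):
        raise Forbidden("order not accessible")
    return order


def can_access(user: User, order_id: str) -> bool:
    try:
        authorize_order_access(user, order_id)
        return True
    except Forbidden:
        return False


def update_order(user: User, order_id: str, payload: dict) -> Order:
    """Apply only allowlisted fields from the request body to an owned order."""
    order = authorize_order_access(user, order_id)
    for key in payload.keys() & CUSTOMER_WRITABLE:
        setattr(order, key, payload[key])
    return order
```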

  15. C — This is an abuse of a sensitive business flow (coupon application) through automation (concurrent requests). API6 specifically addresses flows that can be abused when accessed at scale or in unintended patterns.

  16. B — The definitive test for token expiration is functional: use the token, wait for expiration, and test again. Simply reading the exp claim only verifies the claim is present, not that the server enforces it.

  17. B — gRPC reflection reveals the complete service definition to any client, similar to GraphQL introspection. This provides attackers with a complete map of available services, methods, and message structures.

  18. C — Unsafe Consumption of APIs (API10) addresses the risk of an API trusting data from third-party sources (in this case, a payment webhook) without proper verification of authenticity and integrity.

