ClaudeWave

API Security Testing

Comprehensive API security testing based on OWASP API Security Top 10 including broken authentication, injection attacks, rate limiting, BOLA/BFLA vulnerabilities, and automated security scanning with ZAP and custom scripts.

Install in Claude Code
git clone --depth 1 https://github.com/PramodDutta/qaskills /tmp/api-security-testing && cp -r /tmp/api-security-testing/seed-skills/api-security-testing ~/.claude/skills/api-security-testing
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# API Security Testing Skill

You are an expert in API security testing. When the user asks you to test API security, implement OWASP API Top 10 checks, detect authentication and authorization vulnerabilities, or set up automated security scanning, follow these detailed instructions.

## Core Principles

1. **OWASP API Security Top 10 coverage** -- Every API security test suite must cover all 10 categories from the OWASP API Security Top 10 list, adapted to the specific API being tested.
2. **Authentication before authorization** -- Test authentication mechanisms first (token validation, session management, credential handling), then test authorization (access control, privilege escalation).
3. **Broken Object Level Authorization (BOLA)** -- The most critical API vulnerability. Test that every endpoint verifies the requesting user has access to the specific resource being requested.
4. **Input validation at every boundary** -- Test all input vectors: path parameters, query strings, headers, request bodies, and file uploads for injection, overflow, and type confusion attacks.
5. **Rate limiting and resource exhaustion** -- Verify that APIs implement rate limiting, request size limits, and pagination caps to prevent denial-of-service attacks.
6. **Sensitive data exposure** -- Verify that APIs do not leak sensitive information in responses, error messages, headers, or logs.
7. **Automated scanning plus manual testing** -- Automated tools catch common vulnerabilities. Manual testing catches business logic flaws. Both are required.

## Project Structure

```
security-tests/
  owasp/
    bola.test.ts
    broken-auth.test.ts
    broken-object-property.test.ts
    unrestricted-resource.test.ts
    broken-function-level-auth.test.ts
    mass-assignment.test.ts
    ssrf.test.ts
    security-misconfiguration.test.ts
    improper-inventory.test.ts
    unsafe-api-consumption.test.ts
  auth/
    token-validation.test.ts
    session-management.test.ts
    credential-handling.test.ts
    oauth-flow.test.ts
  injection/
    sql-injection.test.ts
    nosql-injection.test.ts
    command-injection.test.ts
    xss-injection.test.ts
    header-injection.test.ts
  rate-limiting/
    rate-limit.test.ts
    resource-exhaustion.test.ts
  helpers/
    api-client.ts
    token-generator.ts
    payload-generator.ts
    vulnerability-reporter.ts
  config/
    security-config.ts
    endpoints.ts
  reports/
    .gitkeep
```

## BOLA (Broken Object Level Authorization) Testing

```typescript
// security-tests/owasp/bola.test.ts
import { describe, it, expect, beforeAll } from 'vitest';
import { SecurityApiClient } from '../helpers/api-client';

describe('BOLA - Broken Object Level Authorization', () => {
  let userAClient: SecurityApiClient;
  let userBClient: SecurityApiClient;
  let adminClient: SecurityApiClient;
  let userAResourceId: string;

  beforeAll(async () => {
    userAClient = await SecurityApiClient.authenticateAs('userA');
    userBClient = await SecurityApiClient.authenticateAs('userB');
    adminClient = await SecurityApiClient.authenticateAs('admin');

    // Create a resource owned by User A
    const response = await userAClient.post('/api/resources', { name: 'Private Resource' });
    userAResourceId = response.data.id;
  });

  it('should prevent User B from accessing User A resources', async () => {
    const response = await userBClient.get(`/api/resources/${userAResourceId}`);
    expect(response.status).toBe(403);
  });

  it('should prevent User B from modifying User A resources', async () => {
    const response = await userBClient.put(`/api/resources/${userAResourceId}`, {
      name: 'Hacked',
    });
    expect(response.status).toBe(403);
  });

  it('should prevent User B from deleting User A resources', async () => {
    const response = await userBClient.delete(`/api/resources/${userAResourceId}`);
    expect(response.status).toBe(403);
  });

  it('should prevent IDOR via numeric ID enumeration', async () => {
    // Only meaningful for sequential numeric IDs. parseInt() alone would accept a
    // UUID that starts with a digit (parseInt('3f2a...', 10) === 3), so require all digits.
    if (!/^\d+$/.test(userAResourceId)) return;
    const numericId = parseInt(userAResourceId, 10);
    // Try accessing resources by incrementing/decrementing IDs
    for (let offset = -5; offset <= 5; offset++) {
      if (offset === 0) continue;
      const testId = numericId + offset;
      const response = await userBClient.get(`/api/resources/${testId}`);
      expect([403, 404]).toContain(response.status);
    }
  });

  it('should prevent IDOR via UUID guessing', async () => {
    // Try variations of the UUID
    const uuidVariations = [
      userAResourceId.replace(/-/g, ''),
      userAResourceId.toUpperCase(),
      userAResourceId.slice(0, -1) + '0',
    ];

    for (const variation of uuidVariations) {
      const response = await userBClient.get(`/api/resources/${variation}`);
      if (response.status === 200) {
        expect.fail(`BOLA vulnerability: User B accessed resource with ID variation: ${variation}`);
      }
    }
  });

  it('should prevent accessing resources via nested endpoints', async () => {
    // Test nested resource access patterns
    const nestedEndpoints = [
      `/api/users/${userAResourceId}/profile`,
      `/api/resources/${userAResourceId}/details`,
      `/api/resources/${userAResourceId}/comments`,
    ];

    for (const endpoint of nestedEndpoints) {
      const response = await userBClient.get(endpoint);
      expect([403, 404]).toContain(response.status);
    }
  });
});
```
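
As an added example (not the skill's or the qaskills repo's code), here is the server-side ownership check these tests look for, modelled on a constructed in-memory API so the probes run offline. `ResourceApi`, `Principal` and `probeBola` are names assumed here; the ownership check is switchable so the vulnerable and hardened responses can be compared side by side.

```typescript
type Principal = { userId: string; role: 'user' | 'admin' };
type Resource = { id: string; ownerId: string; name: string };
type ApiResponse = { status: number; data?: { id: string; name: string } };

// Constructed in-memory API; enforceOwnership=false models the BOLA-vulnerable state.
export class ResourceApi {
  private store = new Map<string, Resource>();
  private nextId = 1;
  private readonly enforceOwnership: boolean;
  constructor(enforceOwnership: boolean) { this.enforceOwnership = enforceOwnership; }

  create(caller: Principal, name: string): ApiResponse {
    const id = String(this.nextId++);
    this.store.set(id, { id, ownerId: caller.userId, name });
    return { status: 201, data: { id, name } };
  }

  // Object-level authorization: look the object up, then compare its owner to the
  // caller. Every verb goes through this; admins pass, others must own the object.
  private authorize(caller: Principal, id: string): ApiResponse | Resource {
    const res = this.store.get(id);
    if (!res) return { status: 404 };
    const foreign = caller.role !== 'admin' && res.ownerId !== caller.userId;
    return this.enforceOwnership && foreign ? { status: 403 } : res;
  }

  get(caller: Principal, id: string): ApiResponse {
    const r = this.authorize(caller, id);
    return 'status' in r ? r : { status: 200, data: { id: r.id, name: r.name } };
  }
  delete(caller: Principal, id: string): ApiResponse {
    const r = this.authorize(caller, id);
    if ('status' in r) return r;
    this.store.delete(id);
    return { status: 204 };
  }
}

// The probes bola.test.ts runs: User B reads and deletes User A's object and reads the
// neighbouring numeric ID. Returns the probes that got through (empty when hardened).
export function probeBola(api: ResourceApi): string[] {
  const userA: Principal = { userId: 'userA', role: 'user' };
  const userB: Principal = { userId: 'userB', role: 'user' };
  const id = api.create(userA, 'Private Resource').data!.id;
  const next = api.create(userA, 'Second Resource').data!.id;
  const hits: string[] = [];
  if (api.get(userB, id).status === 200) hits.push(`GET ${id}`);
  if (api.get(userB, next).status === 200) hits.push(`GET ${next} (enumeration)`);
  if (api.delete(userB, id).status === 204) hits.push(`DELETE ${id}`);
  return hits;
}
```

`probeBola(new ResourceApi(false))` reports all three probes; with the check on it reports none while the owner and an admin still get 200.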

## Authentication Testing

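The token-validation test below sends an expired HS256 token. As an added example, not the skill's own code, this is the minimal minting and validation pair a harness such as the `helpers/token-generator.ts` listed in the project structure would need; `mintToken`, `validateToken` and the secret are constructed assumptions. `validateToken` returns the rejection reason so a test can assert why a token failed, not only that it did.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

const b64url = (s: string) => Buffer.from(s, 'utf8').toString('base64url');

// Mints an HS256 JWT as a test fixture. expiresInSeconds < 0 yields an already-expired
// token; alg is exposed only so negative fixtures (e.g. 'none') can be built.
export function mintToken(secret: string, subject: string, expiresInSeconds: number, alg = 'HS256'): string {
  const now = Math.floor(Date.now() / 1000);
  const header = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub: subject, iat: now, exp: now + expiresInSeconds }));
  const sig = alg === 'none' ? '' : createHmac('sha256', secret).update(`${header}.${payload}`).digest('base64url');
  return `${header}.${payload}.${sig}`;
}

// The server-side checks a token-validation test expects, in order: exact alg match
// (no downgrade to 'none'), constant-time signature comparison, then exp.
// Returns the rejection reason, or null when the token is valid.
export function validateToken(token: string, secret: string, nowSeconds = Math.floor(Date.now() / 1000)): string | null {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed';
  const [h, p, s] = parts;
  let header: Record<string, unknown>;
  let payload: Record<string, unknown>;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return 'malformed';
  }
  if (header.alg !== 'HS256') return 'unsupported alg';
  const expected = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return 'bad signature';
  const exp = payload.exp;
  if (typeof exp !== 'number' || exp <= nowSeconds) return 'expired';
  return null;
}
```
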
```typescript
// security-tests/auth/token-validation.test.ts
import { describe, it, expect } from 'vitest';
import { SecurityApiClient } from '../helpers/api-client';

describe('Authentication - Token Validation', () => {
  it('should reject requests without tokens', async () => {
    const client = new SecurityApiClient();
    const response = await client.get('/api/protected-resource');
    expect(response.status).toBe(401);
  });

  it('should reject expired tokens', async () => {
    const expiredToken = 'eyJhbGciOiJIUzI1NiIsIn
```