ClaudeWave
Skill · 282 repo stars · updated yesterday

pentest-api-deep

This skill performs comprehensive vulnerability testing on REST, GraphQL, gRPC, and WebSocket APIs against the OWASP API Security Top 10 (2023), focusing on broken function-level authorization, mass assignment vulnerabilities, rate limiting gaps, and unsafe data consumption. Use it when conducting authorized security assessments of API infrastructure where object-level access control alone is insufficient and additional privilege escalation, property tampering, and resource exhaustion vectors require dedicated testing.

Install in Claude Code
git clone --depth 1 https://github.com/jd-opensource/JoySafeter /tmp/pentest-api-deep && cp -r /tmp/pentest-api-deep/skills/pentest-api-deep ~/.claude/skills/pentest-api-deep
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Pentest API Deep

## Purpose
Perform dedicated API-specific vulnerability testing beyond basic BOLA/GraphQL coverage. Addresses Broken Function Level Authorization (BFLA), mass assignment, rate limiting, excessive data exposure, and unsafe consumption per OWASP API Security Top 10 (2023).

## Prerequisites

### Authorization Requirements
- **Written authorization** with API testing scope explicitly included
- **API documentation** (OpenAPI/Swagger specs, GraphQL schema) if available
- **Test accounts** at multiple privilege levels (user, admin, service account)
- **Rate limit awareness** — confirm acceptable request volume with target owner

### Environment Setup
- Postman or Insomnia for manual API exploration
- Burp Suite with API-specific extensions
- GraphQL Voyager for schema visualization
- grpcurl for gRPC service testing

## Core Workflow
1. **API Discovery**: Enumerate endpoints via OpenAPI/Swagger specs, GraphQL introspection, gRPC reflection, traffic analysis. Discover undocumented endpoints with Kiterunner.
2. **BFLA Testing**: Access admin-only API functions as a regular user. HTTP method switching (GET→DELETE). Test function-level authorization gaps distinct from object-level (BOLA).
3. **Mass Assignment**: Send extra fields in POST/PUT (role, isAdmin, balance). Check response objects for leaked internal fields (WSTG-INPV-20).
4. **Rate Limiting & Resource**: Test missing rate limits, GraphQL depth/complexity abuse, pagination abuse, regex DoS via API input.
5. **Excessive Data Exposure**: Compare API responses across privilege levels. Identify fields returned but not displayed in UI. Test verbose error responses.
6. **Unsafe Consumption**: SSRF through upstream API calls, injection through trusted-but-tainted API response data.
7. **API Versioning**: Old API versions with weaker controls, version header manipulation, deprecated endpoint access.
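The mass-assignment step above (extra `role`/`isAdmin`/`balance` fields in a PUT body) is easiest to understand from the server side. The following is an added illustration, not code from the pentest-api-deep skill or the JoySafeter project: a naive profile-update handler that binds every JSON key onto the user record, beside a hardened one that applies only an allowlist and reports the rejected keys so they can be logged or alerted on. The `User` record, field names and request body are constructed for this example.

```python
"""Mass assignment (OWASP API3): naive update handler beside an allowlisted one.

Added illustration; not part of the pentest-api-deep skill. The User record,
field names and request body are constructed for this example.
"""
from __future__ import annotations
import json
from dataclasses import dataclass, asdict, replace

# Fields a client may legitimately change through the profile endpoint.
CLIENT_WRITABLE = frozenset({"display_name", "email"})


@dataclass(frozen=True)
class User:
    id: int
    display_name: str
    email: str
    role: str = "user"       # server-controlled
    is_admin: bool = False   # server-controlled
    balance: float = 0.0     # server-controlled


def update_profile_vulnerable(user: User, body: str) -> User:
    """Binds every JSON key that matches a record field: the mass-assignment defect."""
    fields = json.loads(body)
    known = asdict(user)
    return replace(user, **{k: v for k, v in fields.items() if k in known})


def update_profile_hardened(user: User, body: str) -> tuple[User, list[str]]:
    """Applies only allowlisted keys; returns the rejected keys for logging/alerting."""
    fields = json.loads(body)
    rejected = sorted(k for k in fields if k not in CLIENT_WRITABLE)
    accepted = {k: v for k, v in fields.items() if k in CLIENT_WRITABLE}
    return replace(user, **accepted), rejected


# Constructed request body: one legitimate field plus two server-controlled ones.
SAMPLE_BODY = json.dumps({"display_name": "alice2", "role": "admin", "is_admin": True})

if __name__ == "__main__":
    u = User(id=7, display_name="alice", email="alice@example.com")
    print("vulnerable:", update_profile_vulnerable(u, SAMPLE_BODY))
    print("hardened:  ", update_profile_hardened(u, SAMPLE_BODY))
```

A non-empty `rejected` list on a production endpoint is exactly the signal a defender wants to log: a client attempted to write a field it should never control.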

## OWASP API Security Top 10 (2023) Coverage

| Category | Test Focus | Status |
|----------|-----------|--------|
| API1 Broken Object Level Authorization | IDOR via API params | ✅ |
| API2 Broken Authentication | Token/key weaknesses | ✅ |
| API3 Broken Object Property Level Authorization | Mass assignment, excessive data | ✅ |
| API4 Unrestricted Resource Consumption | Rate limits, complexity | ✅ |
| API5 Broken Function Level Authorization | BFLA, method switching | ✅ |
| API6 Unrestricted Access to Sensitive Business Flows | Automation abuse | ✅ |
| API7 Server Side Request Forgery | API-triggered SSRF | ✅ |
| API8 Security Misconfiguration | CORS, headers, versioning | ✅ |
| API9 Improper Inventory Management | Shadow APIs, deprecated versions | ✅ |
| API10 Unsafe Consumption of Third-Party APIs | Upstream injection | ✅ |

## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| API Discovery | Kiterunner, Swagger UI, GraphQL Voyager | Endpoint enumeration |
| Parameter Discovery | Arjun, x8, ParamSpider | Hidden parameter detection |
| Fuzzing | ffuf, Burp Intruder, custom scripts | Mass assignment, BFLA |
| GraphQL | graphql-cop, InQL, BatchQL | GraphQL-specific attacks |
| gRPC | grpcurl, grpc-tools | gRPC reflection and testing |
| Rate Testing | custom aiohttp scripts, Turbo Intruder | Rate limit verification |

## References
- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Attack pattern definitions and test vectors