HARD · PRO · 120 min · Module 8 of 8
What you’ll learn
- The OWASP API Top 10 (2023, revised for 2025) in practical depth
- Why APIs carry more commercial risk than UIs in 2026
- REST vs GraphQL vs gRPC testing methodologies
- SSRF, resource exhaustion, shadow APIs, and unsafe upstream consumption
- LLM-integrated API testing — the new 2026 attack surface
Prerequisites: Modules 1–7.
In 2026, the API is the product. Modern web applications are thin clients (browser, mobile app, third-party integration) over APIs that carry all the business logic. This means APIs carry all the commercial risk — and in pentest findings, APIs produce the overwhelming majority of high-severity bugs.
Web pentesting that stops at the frontend misses most of the real vulnerabilities. This module covers the API-specific attack surface using the OWASP API Security Top 10 as the framework, with the 2026 additions that matter (LLM-integrated APIs, event-driven patterns, gRPC).
Why API testing differs from web-app testing
- The UI hides most of the attack surface. An API has dozens of endpoints the frontend never hits.
- Authorization bugs are more common and more severe in APIs.
- Rate limiting and resource consumption issues are more impactful (cloud costs, DoS).
- Multi-tenant boundary violations produce cleaner findings.
- Supply-chain concerns — consuming third-party APIs introduces unsafe-consumption attack vectors.
OWASP API Top 10 — in practice
API1:2023 — Broken Object-Level Authorization (BOLA)
Covered in depth in Module 6. The single most common API finding. Test every object identifier in every request across every HTTP verb.
API2:2023 — Broken Authentication
Covered in Module 3 for user-facing auth. API-specific additions:
- API key authentication without rotation or rate limiting — once leaked, keys work forever
- OAuth in API flows — PKCE requirements for public clients, state parameter validation
- JWT misuse — same attacks as Module 3
- mTLS for service-to-service APIs — validate certificate chain, check common name, monitor for revocation
API3:2023 — Broken Object Property-Level Authorization
Two sub-cases:
- Excessive data exposure: API returns more fields than the frontend uses. Internal flags, admin notes, stripe_customer_id, password_hash — all leaked via the API.
- Mass assignment: covered in Module 6.
Test by fetching your own user object and scanning the response for fields the frontend never renders. Every field returned is a potential data leak; every field the update endpoint accepts is a potential mass-assignment sink.
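One way to run that check, as an added example that is not part of this course's material: a small Python script that flattens the JSON a `GET /users/me` returns, reports every leaf the frontend never renders, and flags names that look sensitive; a second function diffs before/after snapshots around an update to show which unexpected fields were actually persisted. The frontend allowlist, the sensitive-name pattern and the sample response are constructed assumptions.

```python
import json
import re
from typing import Any

# Assumption: the set of fields the UI actually renders, taken from its templates/JS.
FRONTEND_FIELDS = {"id", "email", "display_name", "avatar_url", "plan", "address.city"}
# Field-name patterns that deserve first triage whatever the allowlist says.
SENSITIVE = re.compile(r"password|hash|secret|token|_id$|internal|admin|note|salt", re.I)

# Constructed sample of what GET /users/me might return (not real data).
SAMPLE_RESPONSE = json.dumps({
    "id": 42, "email": "a@example.com", "display_name": "Ada",
    "avatar_url": "/a.png", "plan": "pro",
    "password_hash": "$2b$12$placeholder", "stripe_customer_id": "cus_PLACEHOLDER",
    "internal_flags": {"is_admin": False, "fraud_score": 0.1},
    "admin_notes": "chargeback in 2024",
    "address": {"city": "Pune", "geo": {"lat": 18.5, "lon": 73.8}},
})

def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested JSON into dotted leaf paths; list items get their index."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out

def excess_fields(raw_json: str, allowlist: set[str]) -> dict[str, str]:
    """Map every returned leaf the UI does not use to 'sensitive' or 'unexpected'."""
    findings: dict[str, str] = {}
    for path in flatten(json.loads(raw_json)):
        if path not in allowlist:
            findings[path] = "sensitive" if SENSITIVE.search(path) else "unexpected"
    return findings

def accepted_on_update(before_json: str, after_json: str, attempted: dict[str, Any]) -> set[str]:
    """Mass-assignment check: fields from a PATCH body that the re-fetched object now
    reflects even though the UI never offers them (compare GET before and after)."""
    before, after = flatten(json.loads(before_json)), flatten(json.loads(after_json))
    return {p for p, v in flatten(attempted).items() if after.get(p) == v and before.get(p) != v}

if __name__ == "__main__":
    for path, sev in sorted(excess_fields(SAMPLE_RESPONSE, FRONTEND_FIELDS).items()):
        print(f"{sev:10s} {path}")
```

Run it against a real capture by replacing SAMPLE_RESPONSE with the raw body from your proxy and FRONTEND_FIELDS with what the UI code actually reads; anything reported as "sensitive" is a finding until proven otherwise.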
API4:2023 — Unrestricted Resource Consumption
New in 2023 edition. Covers: