API Security

Domain overview

APIs deserve their own domain because the backend exposes business state directly. What matters is how object identity, role logic, claims and request shape change what the server thinks is allowed.

How to approach this surface

• Map the object model, not just the endpoints. Most serious API flaws live in relationships between users, tenants, roles and objects.
• Test identity and authorization separately. A valid token only proves presence, not correct scope or object-level access.
• Watch how the backend handles extra fields, nested objects, alternate content types and version drift. Mass assignment and schema confusion love these edges.
• GraphQL deserves dedicated treatment: introspection, batching, field-level auth, resolver trust and query-cost abuse often create unique failure modes.
• Rate limiting is not just anti-abuse hygiene. It shapes enumeration cost, token replay risk and the feasibility of business-logic automation.

Related certification and framework context

• OffSec WEB-200 / OSWAPractical web-attack coverage that often intersects directly with API enumeration and auth testing.
• OffSec WEB-300 / OSWEDeep application logic and source-informed exploitation context.
• OWASP API Security ProjectDedicated guidance, attack classes and testing references for APIs.

Selected public references

• OWASP API Security Top 10The highest-value API weakness categories and framing.
• OWASP Web Security Testing GuideMethodology support for auth, session and application trust testing.
• PortSwigger Web Security Academy · GraphQLPractical GraphQL attack patterns and parser behaviour.
• PortSwigger Web Security Academy · JWTToken handling mistakes, algorithm confusion and claim abuse.
• OpenAPI SpecificationSchema and contract context for endpoint discovery and drift analysis.

Topic index