Domain overview
This domain covers REST, GraphQL and gRPC-adjacent thinking, JWT and token handling, OAuth/OIDC, rate controls, BOLA/BFLA, mass assignment, schema abuse, discovery workflows and API fuzzing. The job is to model what the backend thinks the caller is allowed to do, then prove where that model breaks under alternate identifiers, roles, claims, objects, content types or request cadence.
How to approach this surface
- Map the object model, not just the endpoints. Most serious API flaws live in relationships between users, tenants, roles and objects.
- Test identity and authorization separately. A valid token only proves presence, not correct scope or object-level access.
- Watch how the backend handles extra fields, nested objects, alternate content types and version drift. Mass assignment and schema confusion love these edges.
- GraphQL deserves dedicated treatment: introspection, batching, field-level auth, resolver trust and query-cost abuse often create unique failure modes.
- Rate limiting is not just anti-abuse hygiene. It shapes enumeration cost, token replay risk and the feasibility of business-logic automation.
Related certification and framework context
- OffSec WEB-200 / OSWA: Practical web-attack coverage that often intersects directly with API enumeration and auth testing.
- OffSec WEB-300 / OSWE: Deep application logic and source-informed exploitation context.
- OWASP API Security Project: Dedicated guidance, attack classes and testing references for APIs.
Curated public references
- OWASP API Security Top 10: The highest-value API weakness categories and framing.
- OWASP Web Security Testing Guide: Methodology support for auth, session and application trust testing.
- PortSwigger Web Security Academy · GraphQL: Practical GraphQL attack patterns and parser behaviour.
- PortSwigger Web Security Academy · JWT: Token handling mistakes, algorithm confusion and claim abuse.
- OpenAPI Specification: Schema and contract context for endpoint discovery and drift analysis.
Brief index
REST and HTTP Assumptions
Endpoint discovery, object mapping, verbs, content types and error handling as an attack surface.
GraphQL, JWT and OAuth/OIDC
Schema exposure, claim misuse, consent flows and delegated trust.
BOLA, BFLA and Object-Level Abuse
Authorization failures that look normal until the object graph is stressed.
API Fuzzing and Rate Controls
Structured fuzzing, parameter mutation, schema abuse and rate-limit shaping.
