API Security Testing & Authorization Assessment
This project involved comprehensive security testing of REST and web APIs to identify vulnerabilities related to authentication, authorization, and data exposure.
Testing focused on common and advanced API attack scenarios, including broken object level authorization (BOLA/IDOR), excessive data exposure, authentication bypass, and improper rate limiting. The assessment followed OWASP API Security Top 10 guidelines and emphasized manual testing techniques beyond automated scanning.
Scope & Activities
- Authentication and token handling review (JWT, API keys)
- Authorization testing and IDOR/BOLA validation
- Input validation and injection testing
- Rate limiting and abuse testing
- Error handling and data exposure analysis
Key Findings
- Broken object level authorization allowing unauthorized data access
- Missing or weak rate limiting enabling brute-force attacks
- Excessive API responses exposing sensitive fields
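As an added illustration (example code written for this page, not taken from the engagement), the Python sketch below shows the remediation patterns behind all three findings: a record handler that checks object ownership and builds its response from a field allow-list, next to the version that does neither, plus a per-client sliding-window limiter of the kind that bounds brute-force attempts. The records, user names and limits are constructed.

```python
import time
from collections import defaultdict, deque

# Constructed sample data standing in for a backend store (not real records).
RECORDS = {
    101: {"owner": "alice", "name": "Alice", "email": "alice@example.com", "ssn_last4": "1234"},
    102: {"owner": "bob", "name": "Bob", "email": "bob@example.com", "ssn_last4": "9876"},
}
# Allow-list of fields the /records/{id} endpoint is actually meant to return.
PUBLIC_FIELDS = ("name", "email")

def vulnerable_get_record(record_id, requester):
    """Before: looks the object up by id only and returns the whole row.
    Any authenticated caller can read any record (BOLA/IDOR) and receives
    every field, including ones the endpoint never needed to expose."""
    return dict(RECORDS[record_id])

def hardened_get_record(record_id, requester):
    """After: ownership is checked against the authenticated principal and
    the response is assembled from an allow-list, not the raw row.
    Missing and foreign records both map to 404 (a design choice here) so a
    caller cannot confirm which ids exist by telling 403 apart from 404."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != requester:
        return 404, {"error": "not found"}
    return 200, {k: record[k] for k in PUBLIC_FIELDS}

class SlidingWindowLimiter:
    """Per-client sliding window: at most `limit` requests per `window`
    seconds. The clock is injectable so the behaviour is testable offline."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)   # client_id -> timestamps in window

    def allow(self, client_id):
        now = self.clock()
        q = self.hits[client_id]
        while q and now - q[0] >= self.window:   # drop expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False                        # caller should answer 429
        q.append(now)
        return True
```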
Tools Used
Postman, Burp Suite, OWASP API Top 10, custom payloads
Outcome
The engagement delivered clear, actionable findings with proof-of-concept evidence and remediation guidance to help improve API security and prevent unauthorized access.