All SkillsGet Started Free
Testing API Security With Owasp Top 10
Systematically assessing REST and GraphQL API endpoints against the OWASP API Security Top 10 risks using automated and manual testing techniques.
MCP get_skill({ skillId: "testing-api-security-with-owasp-top-10-04b3e4a4" })Use this skill with your agent
Create a free account and connect via MCP
# Testing API Security with OWASP Top 10
## When to Use
- During authorized API penetration testing engagements
- When assessing REST, GraphQL, or gRPC APIs for security vulnerabilities
- Before deploying new API endpoints to production environments
- When reviewing API security posture against the OWASP API Security Top 10 (2023)
- For validating API gateway security controls and rate limiting effectiveness
## Prerequisites
- **Authorization**: Written scope document covering all API endpoints to be tested
- **Burp Suite Professional**: For intercepting and modifying API requests
- **Postman**: For organizing and executing API test collections
- **ffuf**: For API endpoint and parameter fuzzing
- **curl/httpie**: Command-line HTTP clients for manual testing
- **API documentation**: Swagger/OpenAPI spec, GraphQL schema, or API docs
- **jq**: JSON processor for parsing API responses (`apt install jq`)
## Workflow
### Step 1: Discover and Map API Endpoints
Enumerate all available API endpoints and understand the API surface.
```bash
# If OpenAPI/Swagger spec is available, download it
curl -s "https://api.target.example.com/swagger.json" | jq '.paths | keys[]'
curl -s "https://api.target.example.com/v2/api-docs" | jq '.paths | keys[]'
curl -s "https://api.target.example.com/openapi.yaml"
# Fuzz for API endpoints
ffuf -u "https://api.target.example.com/api/v1/FUZZ" \
-w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
-mc 200,201,204,301,401,403,405 \
-fc 404 \
-H "Content-Type: application/json" \
-o api-enum.json -of json
# Fuzz for API versions
for v in v1 v2 v3 v4 beta internal admin; do
status=$(curl -s -o /dev/null -w "%{http_code}" \
"https://api.target.example.com/api/$v/users")
echo "$v: $status"
done
# Check for GraphQL endpoint
for path in graphql graphiql playground query gql; do
status=$(curl -s -o /dev/null -w "%{http_code}" \#mukul-cybersecurity-skills#security#cybersecurity#applicationcurljqburpsuitepostmanffuf