Scanning API Security

Overview

Detect API security vulnerabilities by scanning endpoint implementations, authentication flows, and data handling against the OWASP API Security Top 10. Identify injection vectors, broken authentication, excessive data exposure, mass assignment, and missing rate limiting through static analysis of route handlers, middleware chains, and request validation logic.

Prerequisites

• API source code with route definitions and controller/handler implementations accessible
• OpenAPI specification for cross-referencing documented vs. implemented security controls
• OWASP API Security Top 10 (2023) checklist familiarity
• Security scanning tools: OWASP ZAP, Burp Suite, or nuclei for dynamic testing
• Dependency vulnerability scanner: npm audit, safety (Python), or govulncheck

Instructions

1. Scan all route definitions using Grep to build a complete inventory of endpoints, HTTP methods, and middleware chains applied to each route.
2. Audit authentication middleware to verify every mutation endpoint (POST, PUT, PATCH, DELETE) has auth enforcement and that no endpoints accidentally bypass auth through route ordering.
3. Check for Broken Object Level Authorization (BOLA) by verifying that resource access checks compare the authenticated user's ID/role against the requested resource ownership, not just valid authentication.
4. Identify excessive data exposure by comparing response serialization against API contracts -- flag endpoints returning full database records instead of explicit field whitelists.