api-security

API Security Review -- OWASP API Security Top 10:2023

A structured, repeatable process for reviewing REST and GraphQL APIs against the OWASP API Security Top 10:2023. This skill produces findings mapped to API1 through API10 with associated CWE identifiers, severity ratings, and actionable remediation guidance. It applies to OpenAPI/Swagger specifications, API endpoint source code, GraphQL schemas, and API gateway configurations.


Step 1: API Inventory and Scope

If a target is provided via arguments, focus the review on: $ARGUMENTS

Before analyzing any endpoint, establish a complete inventory of the API surface under review.

  1. Identify the API style -- REST (OpenAPI/Swagger), GraphQL, gRPC, or hybrid. Each style has distinct attack patterns.
  2. Catalog all endpoints and operations -- For REST, list every path and HTTP method. For GraphQL, list all queries, mutations, and subscriptions.
  3. Map authentication mechanisms -- OAuth 2.0 flows, API keys, JWTs, session cookies, mTLS, or custom tokens. Note which endpoints require authentication and which are public.
  4. Identify authorization models -- RBAC, ABAC, ownership-based, or no authorization. Document how object-level and function-level access control decisions are made.
  5. Catalog data objects -- List the resources/entities exposed by the API and their sensitivity classification (PII, financial, internal, public).
  6. Note rate limiting and quota configurations -- Document any existing throttling, quota, or cost-control mechanisms at the gateway or application layer.
  7. Identify downstream dependencies -- Third-party APIs, internal microservices, or webhooks that the API consumes.
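The inventory steps above can be bootstrapped from an OpenAPI document. The following is an added example (not part of the skill itself) that walks a constructed OpenAPI 3 spec, emits one record per path and method, and resolves each operation's effective authentication requirement using OpenAPI's own rules: an operation-level `security` list overrides the document-level one, and an empty list means the operation is public. Public operations and paths with object identifiers are flagged so they can be queued for the API1, API2 and API5 checks in later steps.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample OpenAPI 3 document for illustration; not a real service.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],  # document default: every operation needs a bearer token
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer"},
        "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    "paths": {
        "/health": {"get": {"security": []}},             # explicitly public
        "/users/{id}": {
            "get": {},                                    # inherits bearerAuth
            "delete": {"security": [{"apiKey": []}]},     # operation-level override
        },
        "/admin/export": {"post": {}},                    # inherits bearerAuth
    },
}


def inventory(spec):
    """Return one record per path+method with the effective auth requirement resolved."""
    default_security = spec.get("security", [])
    records = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip non-operation keys such as parameters, summary, $ref
            security = op.get("security", default_security)
            schemes = sorted({name for requirement in security for name in requirement})
            records.append({
                "method": method.upper(),
                "path": path,
                "public": len(schemes) == 0,          # no scheme at all: candidate for API2 review
                "schemes": schemes,
                "object_level": "{" in path,          # path parameter: candidate for API1 review
            })
    return records


def public_endpoints(spec):
    """Convenience view: the operations that require no authentication."""
    return [f"{r['method']} {r['path']}" for r in inventory(spec) if r["public"]]


if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE_SPEC), indent=2))
```

Feed a real spec by loading it with `json.load` and passing the resulting dict to `inventory`; the same resolution logic applies.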
api-security — unitoneai/securityskills
First seen: May 4, 2026