Most organizations test their web application. Fewer test their API. Yet the API is increasingly where the data lives, where authentication happens, and where business logic executes. The majority of modern application breaches exploit API vulnerabilities, not traditional web vulnerabilities.
Traditional DAST scanners are designed for HTML form-based applications. They navigate links, submit forms, and look for reflected output in web pages. This approach fundamentally fails against APIs.
Why Traditional Scanners Fail at APIs
Problem 1: No DOM to Crawl
A traditional scanner crawls HTML pages following href links and form actions. A REST API has no HTML — it returns JSON. The scanner has no idea what endpoints exist, what parameters to send, or how to authenticate.
Problem 2: Authentication is Different
Web apps use cookie-based sessions that scanners can maintain with a login sequence. APIs commonly use:
- Bearer tokens (JWT) that expire
- OAuth 2.0 flows with authorization codes
- API keys in headers or query strings
- mTLS client certificates
A scanner that can't handle JWT expiry will lose authentication mid-scan and start receiving 401 responses — missing all authenticated functionality.
Problem 3: Parameter Structures are Complex
HTML forms have named inputs. API requests have nested JSON:
{
"user": {
"profile": {
"preferences": {
"notification_email": "test@test.com" ← inject here
}
}
}
}
Scanners that enumerate key=value form parameters don't reach deeply nested JSON properties.
Problem 4: API Versions
/api/v1/users/me may have proper access controls. /api/v2/users/me may have different logic. /api/internal/users/me (an internal endpoint exposed by accident) may have no auth at all. Scanners testing a single defined scope miss version enumeration.
The OWASP API Security Top 10
OWASP maintains a separate API Security Top 10 (last updated 2023, widely adopted through 2026):
| # | Category | Description |
|---|---|---|
| API1 | Broken Object Level Authorization | IDOR in API responses |
| API2 | Broken Authentication | Weak tokens, missing expiry |
| API3 | Broken Object Property Level Authorization | Mass assignment, overexposure |
| API4 | Unrestricted Resource Consumption | Rate limiting absent |
| API5 | Broken Function Level Authorization | Admin functions accessible to users |
| API6 | Unrestricted Access to Sensitive Business Flows | Abuse of API for automation/scraping |
| API7 | Server Side Request Forgery | Via API URL parameters |
| API8 | Security Misconfiguration | Overly permissive CORS, verbose errors |
| API9 | Improper Inventory Management | Deprecated API versions exposed |
| API10 | Unsafe Consumption of APIs | Trusting third-party API data excessively |
API1 (Broken Object Level Authorization) and API3 (Broken Object Property Level Authorization) are the two most commonly exploited API-specific vulnerabilities.
API1: Broken Object Level Authorization (BOLA)
BOLA is IDOR applied to APIs. The access pattern:
GET /api/v1/accounts/1001/transactions ← your account
GET /api/v1/accounts/1002/transactions ← different user's account (BOLA)
Detection requires making requests as multiple users and testing cross-user access. Without multi-account test configuration, this class of vulnerability is invisible to automated scanning.
API3: Broken Object Property Level Authorization (BOPLA)
This covers two distinct vulnerabilities:
Mass Assignment: The API accepts and processes properties that should be internal:
PATCH /api/users/me
{
"email": "new@email.com",
"role": "admin", ← should be ignored but isn't
"subscription": "enterprise" ← can escalate own plan
}
Excessive Data Exposure: The API returns more data than the endpoint should expose:
GET /api/users/me
{
"id": 42,
"email": "user@example.com",
"internal_user_id": "usr_9f3k", ← internal ID shouldn't be exposed
"payment_method_last4": "4242",
"admin_notes": "flagged for review" ← internal notes exposed
}
Detection: send PATCH requests with additional fields beyond what the UI sends and observe whether they're accepted. Compare API response fields against expected public schema.
API5: Broken Function Level Authorization
Admin or privileged operations accessible to standard users:
POST /api/admin/users ← listed as admin-only in docs
Authorization: Bearer {standard-user-token}
→ 201 Created ← should be 403
Common in APIs that expose a single namespace for all operations (/api/*) without segregating admin operations into a separate, more restricted path.
Detection: Enumerate API endpoints from documentation, OpenAPI schema, or JavaScript analysis. Replay each admin-level endpoint with a standard user token.
Proper API Security Assessment Workflow
Step 1: Schema Discovery
Collect the API's full specification:
- Check
/.well-known/openapi.json,/swagger.json,/api/v1/openapi.yaml - Extract API calls from JavaScript (network interception during crawler run)
- Review developer documentation and API reference
Step 2: Authentication Configuration
Configure the scanner with:
- Primary user token (standard access)
- Secondary user token (different standard user — for BOLA testing)
- Admin user token (for function-level auth testing)
- Token refresh mechanism (so auth doesn't expire mid-scan)
Step 3: Endpoint Coverage
For each endpoint in the schema:
- Test all CRUD operations the endpoint supports
- Inject fuzz payloads into all parameters (body, query, path, header)
- Test with each authentication level
- Test BOLA: access resources belonging to another user
Step 4: Business Logic Testing
This cannot be fully automated. Human review of:
- Rate limiting: is there a limit on sensitive operations (login attempts, password resets, OTP submission)?
- Workflow bypass: can you skip steps in multi-step processes?
- Amount manipulation: can you send negative amounts, zero values, maximum integers?
Step 5: GraphQL-Specific Tests
If the API uses GraphQL:
- Introspection enabled? (
{ __schema { types { name } } }) - Query depth limits enforced? (nested queries can be computationally expensive)
- Query complexity limits enforced?
- Field-level authorization checks? (can a standard user query admin fields?)
- Batch query abuse? (sending 1000 mutations in one request)
Building API Security Into Your SDLC
The most effective intervention is schema-based security review at design time:
API design (OpenAPI spec) → Security review checklist:
✓ Authentication required on all non-public endpoints
✓ Authorization scheme documented per endpoint
✓ Sensitive fields excluded from response schemas
✓ Rate limiting specified for sensitive operations
✓ Input validation schema defined for all request bodies
Then enforce the spec with automated testing:
- Contract testing validates responses match the spec
- Security testing validates auth/authz matches documented behavior
API security that starts at design time is dramatically cheaper than API security that starts after a breach.
PentestCheck DAST Engine supports OpenAPI 3.0 schema import for comprehensive API security testing with multi-user authorization validation.