API security · Apr 09, 2024

API Security Testing Beyond the OWASP Top 10

Why authorization, workflow abuse, and business context decide API risk.

HackStack Security insight

API risk lives in how the product works.

Checklists help establish coverage, but the most damaging API weaknesses often depend on roles, object relationships, transaction state, and assumptions made by the application.

Authorization needs a data model

Object-level authorization testing starts by mapping users, tenants, roles, resources, and relationships. Changing a numeric identifier is only one test. An assessor should also vary nested identifiers, indirect references, export jobs, bulk operations, file keys, and parent-child relationships to determine whether the server consistently enforces ownership and scope.

Function-level authorization deserves the same attention. Administrative behavior is sometimes exposed through alternate HTTP methods, legacy versions, mobile endpoints, or fields that are hidden by the user interface but accepted by the API.

Workflows can be valid and still be unsafe

Many high-impact API weaknesses do not look like malformed requests. The attacker uses a legitimate operation at the wrong time, in the wrong sequence, or at a scale the product did not anticipate. Examples include replaying a one-time action, bypassing an approval step, manipulating a quantity after a price calculation, or automating a resource-intensive business flow.

Testing should model state transitions and invariants: what must be true before an operation, what must remain true afterward, and which actor is allowed to cause the change.

Inventory and protocol differences create blind spots

Older versions, undocumented endpoints, partner APIs, GraphQL schemas, and internal services can remain reachable after the primary interface is hardened. Compare control behavior across every deployed surface. Authentication, authorization, validation, and rate limits should not become weaker because a request arrived through a different protocol or client.

Test the complete trust boundary

Tokens, session revocation, backend integrations, error behavior, sensitive data handling, and resource consumption should be evaluated together. A useful API security report connects the request and response evidence to the affected business action, explains the preconditions, and gives engineers a server-side control they can verify during retesting.

Research notes

Questions that turn guidance into a review.

Use these prompts to challenge assumptions, collect evidence, and make the article actionable for engineering and security teams.

Review questions
  1. Can a user read or modify an object by changing its identifier, relationship, or tenant context?
  2. Can privileged functions or hidden properties be reached through alternate methods or endpoints?
  3. Can a valid workflow be automated, replayed, reordered, or manipulated for business abuse?
  4. Do REST, GraphQL, mobile, partner, and legacy API surfaces enforce the same controls?
Evidence and signals
  • Object-level and function-level authorization differences across roles
  • Mass assignment, excessive data exposure, token lifecycle, and session revocation behavior
  • Rate-limit coverage by identity, endpoint, resource, and business action
  • Undocumented versions, debug routes, schema exposure, and third-party trust assumptions
Primary references

References support the review approach; they do not replace architecture-specific threat modeling or validation.

Start with a focused conversation

Ready to test what matters before attackers do?

Tell us what you are building, changing, or concerned about. We will help you define the right security review.

Request a security review Explore services