Broken Object Level Authorization: Access to other users' data
Broken User Authentication
Low Entropy tokens
Broken Function Level Authorization: Performing actions in the context of other users
Excessive Data Exposure
Lack of Resources and Rate Limiting (for monetized APIs, e.g. Twitter)
Mass assignment
Injections
Security Misconfigurations
Enumerating valid endpoints and requests using X-Response-Time headers
Lack of input sanitization: file upload, XSS, etc.
Default accounts and credentials
Improper Assets Management:
Exposed retired APIs
Exposed In-Development APIs
Check for API documentation that has not been updated along with the API's endpoints
Distinguish between older and newer versions, such as /v1/, /v2/, /v3/, and so on
APIs still in development often use paths such as /alpha/, /beta/, /test/, /uat/, and /demo/.
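An added example (not part of the original notes) of the assets-management checks above run as an inventory audit: it takes a constructed list of live routes and a constructed list of documented routes, groups routes by /vN/ version, flags older versions and the in-development markers the notes list, and reports documentation drift in both directions.

```python
import re
from typing import Dict, List

# Path markers for in-development APIs, as listed in the notes above,
# plus a pattern for the /vN/ version prefix.
VERSION_RE = re.compile(r"^/v(\d+)(?=/|$)")
MARKER_RE = re.compile(r"^/(alpha|beta|test|uat|demo)(?=/|$)")

# Constructed sample data (hypothetical routes, not from any real API).
SAMPLE_LIVE_ROUTES = [
    "/v1/users", "/v2/users", "/v2/orders",
    "/beta/payments", "/v3/users", "/test/debug",
]
SAMPLE_DOCUMENTED_ROUTES = [
    "/v3/users", "/v2/orders", "/v2/users", "/v2/invoices",
]


def audit_routes(live_routes: List[str],
                 documented_routes: List[str]) -> Dict[str, List[str]]:
    """Compare exposed routes against the documented set and return findings.

    older_version:       live routes whose /vN/ is below the newest live version
    in_development:      live routes under /alpha/, /beta/, /test/, /uat/, /demo/
    undocumented:        live routes missing from the documentation
    stale_documentation: documented routes that are no longer live
    """
    documented = set(documented_routes)
    live = set(live_routes)
    # Newest version present among live routes; None if nothing is versioned.
    versions = [int(m.group(1)) for r in live_routes
                if (m := VERSION_RE.match(r))]
    current = max(versions) if versions else None

    findings: Dict[str, List[str]] = {
        "older_version": [], "in_development": [],
        "undocumented": [], "stale_documentation": [],
    }
    for route in live_routes:
        m = VERSION_RE.match(route)
        if m and current is not None and int(m.group(1)) < current:
            findings["older_version"].append(route)
        if MARKER_RE.match(route):
            findings["in_development"].append(route)
        if route not in documented:
            findings["undocumented"].append(route)
    findings["stale_documentation"] = [r for r in documented_routes
                                       if r not in live]
    return findings
```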
Business Logic Vulnerabilities
Search API documentation for signs of business logic vulnerabilities.
Statements like the following: "Only use feature X to perform function Y." "Do not do X with endpoint Y." "Only admins should perform request X."
These statements may indicate that the API provider is trusting that you won't do any of the discouraged actions, as instructed. When you attack their API, make sure to disobey such requests to test for the presence of security controls.