What Is API Security Testing? Methods and OWASP Top 10
API security testing is the practice of evaluating an application programming interface to find vulnerabilities an attacker could exploit, focusing on the authentication, authorization, input handling, and exposed business logic of each endpoint.
An attacker does not need to break your code to read another customer's data. They just change the ID in the request. GET /api/accounts/1023 returns your record; GET /api/accounts/1024 returns someone else's, because the endpoint checked that you were logged in but never checked that account 1024 was yours. That is Broken Object Level Authorization, the number one risk on the OWASP API Security Top 10, and no scanner that only reads source code or only crawls a web UI will reliably catch it.
API security testing is the practice built to catch it. APIs do not render pages, so the testing that worked for web apps does not transfer cleanly. There is no DOM to crawl, no form to fuzz through a browser. There is a contract, a set of endpoints, methods, parameters, and expected responses, and most of the serious flaws live in the authorization logic behind that contract, not in the parsing of inputs.
This guide covers what API security testing is, the OWASP API Security Top 10 (2023) threat classes it tests against, the methods used (SAST, DAST, IAST, plus the API-specific ones: schema and spec testing, authorization testing, and fuzzing), a side-by-side comparison of those methods, where each fits in CI/CD, and how a blue team reads the output. It is written for defenders: SOC analysts, AppSec engineers, and DFIR responders who have to turn an API finding into a decision.
What is API security testing?
API security testing is the practice of evaluating an application programming interface to find vulnerabilities an attacker could exploit, focusing on the authentication, authorization, input handling, and exposed business logic of each endpoint. It tests the API directly, by sending crafted requests and inspecting responses, rather than driving a user interface.
The reason it is a distinct discipline from general application security testing comes down to what an API exposes. A web application hides its logic behind rendered pages; an API exposes that logic and raw data directly to any client that knows the endpoint. The dominant flaws are not injection or cross-site scripting, the classic web bugs, but authorization failures: an endpoint that returns objects the caller should not see, accepts fields the caller should not set, or runs functions the caller's role should not reach. These are logic flaws. A request can be perfectly well-formed and still be an attack.
That shifts where testing has to look. Catching BOLA means sending the same request as two different users and confirming each sees only their own data. Catching broken function-level authorization means calling an admin endpoint as a normal user and confirming you are refused. Catching excessive data exposure means reading the actual response body to see whether the API returned a full user object when the client only needed a name. None of this is visible to a tool that reasons about source patterns alone or one that never authenticates.
The output of API security testing, like any application security testing, is not a verdict of secure or insecure. It is a prioritized list of findings, each tied to an endpoint, a method, and a request that demonstrates the flaw. The defender's job is triaging that list: confirming the real authorization bypasses, discarding the false positives, and routing the rest to the team that owns the service.
The OWASP API Security Top 10 (2023)
API security testing tests against a known set of threat classes, and the reference list is the OWASP API Security Top 10. The current edition is the 2023 release, published June 2023, which replaced the original 2019 list. It is API-specific on purpose: the general OWASP Top 10 for web applications does not capture the authorization-and-business-logic flaws that dominate API breaches.
The 2023 edition reorders the list around that reality. Authorization holds the top spot and three of the ten entries. Two 2019 categories, Excessive Data Exposure and Mass Assignment, merged into a single property-level authorization class. The shift is away from infrastructure misconfiguration and toward logic abuse.
| ID | Risk | What testing looks for |
|---|---|---|
| API1:2023 | Broken Object Level Authorization (BOLA) | An endpoint serves objects belonging to other users when the object ID is changed |
| API2:2023 | Broken Authentication | Tokens that can be forged, replayed, or never expire; weak login and reset flows |
| API3:2023 | Broken Object Property Level Authorization | The API returns or accepts object fields the caller should not read or write (the old Excessive Data Exposure + Mass Assignment) |
| API4:2023 | Unrestricted Resource Consumption | No rate or size limits, so requests can exhaust CPU, memory, or third-party billing |
| API5:2023 | Broken Function Level Authorization | A lower-privileged user can call an admin or privileged function |
| API6:2023 | Unrestricted Access to Sensitive Business Flows | A flow (signup, purchase, comment) can be automated and abused at scale |
| API7:2023 | Server Side Request Forgery (SSRF) | The API fetches a user-supplied URL, letting an attacker reach internal services |
| API8:2023 | Security Misconfiguration | Verbose errors, missing headers, permissive CORS, unpatched stacks |
| API9:2023 | Improper Inventory Management | Forgotten, undocumented, or old API versions left exposed (shadow and zombie APIs) |
| API10:2023 | Unsafe Consumption of APIs | The API trusts data from a third-party API it consumes without validating it |
Two patterns matter for how you test. First, authorization is the spine: BOLA, BOPLA, and broken function-level authorization are three of the ten, and they are the flaws automated scanners miss most because judging them requires knowing which user should see which object. Second, inventory is a prerequisite. API9, Improper Inventory Management, is on the list because you cannot test an endpoint you do not know exists. A forgotten /v1/ endpoint left running after /v2/ shipped is a common breach path, and discovery has to come before any other test.
How API security testing works: the methods
API security testing borrows the established application security testing methods (SAST, DAST, IAST) and adds methods specific to the API contract. The general methods catch general flaws; the API-specific ones catch the authorization and logic flaws that define the OWASP API list.
SAST against API code
Static application security testing (SAST) reads the API's source code without running it, flagging injection-prone queries, hardcoded secrets, and unsafe deserialization. It runs earliest, on commit, and points at the exact file and line. Its limit on APIs is the same as everywhere: it reasons about code at rest, so it cannot see whether an endpoint actually enforces an authorization check at runtime. SAST will not find BOLA, because BOLA is the absence of a check, not the presence of a bad pattern.
DAST against the running API
Dynamic application security testing (DAST) tests the deployed API from the outside by sending crafted requests and inspecting responses. For APIs this is more capable than browser-based DAST because it can be pointed at endpoints directly and driven from the API's own specification. It catches security misconfiguration, some injection, verbose error leakage, and missing rate limits, the flaws that surface only at runtime. It struggles with authorization logic on its own, because it does not inherently know which object belongs to which user.
IAST with an instrumented API
Interactive application security testing (IAST) instruments the running API with an agent so it sees code and runtime behavior together while functional tests drive traffic. On APIs this confirms a flaw is reachable and points to the vulnerable line, cutting SAST's false positives. The cost is the agent: runtime overhead and coverage limited to the endpoints your tests actually exercise.
Schema and specification testing
This is the first API-specific method. Most APIs ship a machine-readable contract, an OpenAPI or Swagger specification, that declares every endpoint, method, parameter, and response shape. Schema testing validates the running API against that contract: does it accept undocumented parameters, return undeclared fields, expose methods the spec never listed, or answer on endpoints that should not exist. It is how you find Improper Inventory Management (API9) and Broken Object Property Level Authorization (API3), because the contract tells you what the API is supposed to return and the test confirms what it actually returns.
Authorization and authentication testing
This is the method that catches the top of the OWASP list, and it is inherently multi-user. To test BOLA, you authenticate as two separate users and confirm each can reach only their own objects by ID. To test broken function-level authorization, you call privileged endpoints with a low-privileged token and confirm you are refused. To test broken authentication, you probe token handling: can a token be replayed after logout, does it ever expire, can the reset flow be bypassed. These tests require valid credentials and a notion of expected access, which is why they are hard to fully automate and why they remain the highest-value manual API testing work.
API fuzzing
Fuzzing sends malformed, unexpected, or boundary-case inputs at endpoints to find handling failures: crashes, unhandled exceptions, verbose stack traces, and injection that surfaces only on weird input. Spec-aware fuzzers use the OpenAPI definition to generate inputs that are structurally valid but semantically hostile, which reaches deeper than random noise. Fuzzing is strong on Unrestricted Resource Consumption (API4) and Security Misconfiguration (API8), and it pairs with schema testing because the spec is the map that tells the fuzzer where to aim.
SAST vs DAST vs schema vs auth testing vs fuzzing
No single method covers the OWASP API Top 10. The table maps each method to what it sees, when it runs, and which risk classes it actually catches. Use it to find the gap in your coverage, not to pick one tool.
| SAST | DAST | IAST | Schema/spec testing | Auth testing | Fuzzing | |
|---|---|---|---|---|---|---|
| Analyzes | Source code | Running API, outside | Running API, inside (agent) | API vs its OpenAPI spec | API as multiple users | API on malformed input |
| Needs running API | No | Yes | Yes | Yes | Yes | Yes |
| Needs source | Yes | No | Yes | No | No | No |
| Pipeline stage | Commit / build | Staging | Functional test | Build / staging | Staging / manual | Test / staging |
| Catches well | Injection, secrets, unsafe code | Misconfig, runtime injection, missing limits | Reachable flaws with code location | Inventory (API9), property exposure (API3) | BOLA, function-level auth, broken auth (API1/API2/API5) | Resource consumption (API4), misconfig (API8) |
| Misses | Authorization logic, runtime | Authorization context | Untested endpoints | Logic beyond the contract | Non-auth flaws | Authorization logic |
| Main weakness | False positives; blind to logic | No code pointer, no per-user context | Agent overhead, coverage | Only as good as the spec | Hard to automate fully | Noise without a spec to guide it |
Three takeaways matter more than the cells.
First, authorization testing is the method that catches the flaws the OWASP list ranks highest, and it is the one generic AST tools do worst. A program that runs only SAST and DAST has a structural hole exactly where the most-exploited API risks live. Multi-user authorization testing fills it.
Second, the spec is leverage. Schema testing and spec-aware fuzzing both depend on an accurate OpenAPI definition. An API with no spec, or a stale one, is harder to test well, which is one more reason API9 (inventory) sits on the list: undocumented endpoints are untestable by the methods that scale.
Third, the methods sequence onto the pipeline rather than competing. SAST on commit, schema and fuzz testing in build and test, DAST and authorization testing against staging. Each gate catches what slipped past the last. Wiring those gates into the pipeline is the job of DevSecOps, and API testing tools are its instruments.
Where API security testing fits in CI/CD
API security testing earns its value when its methods are wired into the continuous integration and delivery pipeline, not run as a one-time penetration test before launch. Each method has a natural home.
On commit, SAST and secrets scanning give the developer feedback in seconds against the API's source. This is the cheapest gate, and it keeps code-level flaws out of the build.
In build and test, schema testing validates the running API against its OpenAPI spec, spec-aware fuzzing hammers endpoints with hostile input, and IAST instruments the service while functional tests drive traffic through it. This is where findings gain proof of reachability and where undocumented endpoints surface against the contract.
Against staging, DAST attacks the deployed API the way an external client would, and authorization testing runs the multi-user checks for BOLA and function-level authorization that need a real deployment and real credentials. A failed gate here blocks promotion to production.
In production, the handoff is to runtime defense and monitoring: an API gateway enforcing rate limits and schema validation, a web application and API protection (WAAP) layer, and logging that feeds the SOC. Testing finds the flaw before release; runtime controls contain what slips through. Continuous discovery also runs here, because new and forgotten endpoints (API9) appear in production, not in the build.
The principle is the layered one defenders already use: place a control at every stage so a flaw that clears one gate trips another, and shift detection as early as the flaw allows. A BOLA caught in a staging authorization test costs a code review. The same BOLA found after a breach costs an incident response.
Standards and tooling that anchor API testing
A few open standards and reference tools define the practice, and knowing them keeps you grounded when a vendor's output is ambiguous.
The OWASP Foundation is the center of gravity. The OWASP API Security Top 10 (2023) is the canonical risk list API tests report against. The OWASP API Security Project also publishes guidance on testing each category. For the broader pipeline, the OWASP Application Security Verification Standard (ASVS) provides a tiered checklist of requirements to test toward.
The contract standard is OpenAPI (formerly Swagger). An accurate OpenAPI definition is what makes schema testing and spec-aware fuzzing possible, and producing one is the practical first step toward testable APIs. On the tooling side, the open anchors are worth naming because they are free to learn on. OWASP ZAP (Zed Attack Proxy) is the reference open-source DAST scanner and can import an OpenAPI spec to test API endpoints directly. Postman and similar clients drive request-level authorization tests. Spec-driven fuzzers generate hostile inputs from an OpenAPI definition. Commercial API security platforms bundle discovery, testing, and runtime protection, but the open tools are enough to understand each method and read its output critically.
Standards matter for triage. When a finding references a specific OWASP API category like API1:2023, that is a stable, shared identifier you can map across tools and reports. When it references a CWE, the Common Weakness Enumeration ID, you can look up exactly what class of flaw it is. Findings tied to these shared identifiers are auditable; findings that ride only a vendor's private severity scale are not.
How blue teams read API security testing output
API testing belongs to the build pipeline, but its output lands on the blue team's desk during triage, monitoring, and incident response. Reading it well is a defender skill, and APIs are now a core part of the cloud security attack surface, where every microservice exposes endpoints.
Triage by confirming exploitability. An API scan with hundreds of findings is not hundreds of vulnerabilities. The first job is separating real from noise: is the flagged endpoint actually reachable, does the authorization bypass actually return another user's data, is the missing rate limit on a flow that matters. A flagged BOLA you can reproduce with two test accounts is real; a SAST hit on an unreachable code path is not. The defender who can replay the request makes that call fast.
Map findings to attacker behavior. A confirmed BOLA is not an abstract score, it is an attacker enumerating customer records by incrementing an ID. An SSRF finding is a path to internal services. Reading an API finding as "what does this let an adversary do" is the instinct that turns a scanner result into a risk decision, and it mirrors how an analyst reasons about any API security exposure during threat modeling.
Feed findings into monitoring and response. A known BOLA on an endpoint becomes a detection: alert on a single token enumerating sequential object IDs. The API inventory from discovery scoping tells responders which endpoints exist when a service is breached. The findings that were accepted or deferred are a map of where the weakness likely is. A defender who knows the API's known flaws scopes the investigation faster.
Close the loop. Every confirmed finding should become a control or a detection, the same intelligence-driven loop a SOC runs on intrusions. A recurring authorization bug points to a missing access-control pattern in the framework, not just one endpoint to patch. API security testing is most valuable when its output changes how the next service is built, not only how the last one was patched.
The bottom line
API security testing finds the exploitable flaw in an API before an attacker does, and the flaw that matters most is rarely a parsing bug. It is authorization: an endpoint that hands over another user's object when you change an ID. That is why the practice is distinct from general application security testing, and why the OWASP API Security Top 10 (2023) is led by Broken Object Level Authorization and two more authorization classes.
No single method covers the list. SAST reads the code, DAST and fuzzing attack the running API, schema testing validates it against its OpenAPI contract, and multi-user authorization testing catches the BOLA and function-level flaws the others miss. Wire them into CI/CD so each gate catches what the last one let through. The defender's work is not running the scan, it is reading the output: confirming what is exploitable, mapping it to what an attacker could do, and closing the loop so the next service ships fewer flaws. Anchored in the OWASP API list and the CWE identifiers, those findings stay auditable instead of riding on a vendor's score.
Frequently asked questions
<p>API security testing is the practice of evaluating an application programming interface to find vulnerabilities an attacker could exploit, by sending crafted requests directly to its endpoints and inspecting the responses. It focuses on authentication, authorization, input handling, and exposed business logic, and it tests against the OWASP API Security Top 10. The output is a prioritized list of findings, each tied to a specific endpoint and a request that demonstrates the flaw.</p>
<p>General application security testing targets the classic web flaws like injection and cross-site scripting, often through a user interface. API security testing targets the authorization and business-logic flaws that dominate the OWASP API Top 10, by sending requests straight to endpoints with no UI involved. The biggest difference is the emphasis on multi-user authorization testing, because the top API risk, Broken Object Level Authorization, is invisible to a tool that does not test as more than one user.</p>
<p>The OWASP API Security Top 10 is the industry reference list of the most critical API security risks, with the 2023 edition as the current release. It is API-specific and led by authorization failures: Broken Object Level Authorization (BOLA) is number one, and three of the ten entries are authorization classes. API security tools test for these risks and report findings in terms of them.</p>
<p>Broken Object Level Authorization (BOLA) is a flaw where an API endpoint returns objects belonging to other users when the object ID in the request is changed, because it checks that the caller is authenticated but not that they own the requested object. It is the number one OWASP API risk because it is common, easy to exploit by simply incrementing an ID, and missed by scanners that do not test as multiple users. Catching it requires authorization testing with separate test accounts.</p>
<p>Use several, because no single method covers the OWASP API Top 10. SAST on commit catches code-level flaws; DAST and fuzzing against staging catch runtime and input-handling flaws; schema testing validates the API against its OpenAPI spec and finds undocumented endpoints; and multi-user authorization testing catches the BOLA and function-level authorization flaws that rank highest. The methods sequence onto the CI/CD pipeline rather than competing.</p>
<p>Most of it can. SAST, DAST, schema testing, and fuzzing all run automatically in CI/CD. The exception is authorization testing for flaws like BOLA, which requires knowing which user should access which object, so it relies on real credentials and expected-access logic that is hard to fully automate. That makes authorization testing the highest-value manual and semi-automated work in an API testing program.</p>