Monday, December 1, 2025

The API Vulnerabilities I Keep Finding in Web App Pen Tests (With Step-By-Step Testing)





Modern web applications depend heavily on backend APIs, yet these APIs are often the least tested and most vulnerable part of the attack surface. As a penetration tester, these are the API flaws I repeatedly find during real client engagements. Each example below includes the actual requests, responses, and exploitation methodology used to validate the vulnerability.

These issues don’t require fancy zero-days. They’re almost always logic flaws, access control gaps, and unsafe defaults. And they lead to real security problems:

  • Sensitive data exposure

  • Account takeover

  • Unauthorized access

  • Internal network pivoting

  • Credential bypasses

Below are the five API vulnerabilities I most commonly find in real-world client engagements, along with the exact steps I use to test for them.

1. Excessive Data Exposure

APIs often return much more data than the frontend actually needs. Developers assume the app will “hide” fields, but the API response still contains:

  • Full user objects

  • Emails

  • Metadata

  • Internal IDs

  • Role flags

  • Vehicle IDs, account IDs, etc.

This is one of the easiest ways attackers gather pivot points for deeper exploitation (like IDOR).

How I test it

  1. Use the app normally while proxying traffic through Burp Suite.

  2. Capture any API call returning lists or profile data.

  3. Send the request to Repeater.

  4. Compare what the UI displays vs. what the API actually returns.

  5. Mark anything “invisible to UI but present in JSON” as excessive exposure.



Why it matters

Exposed IDs often become the foothold for IDOR, account takeover, or SSRF chaining.

2. IDOR / BOLA (Broken Object Level Authorization)

This is easily the #1 most common API vulnerability I find.

When APIs trust user-supplied identifiers (like userId, vehicleId, orderId), attackers can simply change the ID to access other users’ data.

How I test it

  1. Find any API request referencing an ID.

  2. Send the request to Burp Repeater.

  3. Modify the ID (e.g., 103 → 104).

  4. Send the request.

  5. If I see someone else’s data, it’s a confirmed IDOR.

Why it matters

IDOR often leads to:

  • Viewing other users’ profiles

  • Viewing private location data

  • Downloading other users’ invoices

  • Seeing internal reports or documents

These are high-severity findings in real engagements.





3. SSRF (Server-Side Request Forgery)

SSRF appears when an API allows users to supply a URL — and the server fetches it.

That means you can trick the backend into making requests to:

  • Your controlled server (to confirm SSRF)

  • Internal network resources

  • Cloud metadata endpoints

How I test it

  1. Look for URL parameters (callbackUrl, imageUrl, apiEndpoint, etc.).

  2. Replace the URL with a Burp Collaborator link.

  3. Send the request.

  4. Wait for DNS/HTTP callbacks in Collaborator.

  5. If allowed by scope, test internal targets like:

    • http://127.0.0.1

    • http://169.254.169.254 (cloud metadata)

Why it matters

SSRF is often a pivot point into:

  • Internal admin dashboards

  • Redis/memcached

  • AWS/Azure metadata (temporary credentials)

  • Internal APIs

It’s one of the highest-impact API vulnerabilities.

















4. NoSQL Injection

APIs backed by MongoDB or other NoSQL engines often fail to validate JSON input. Attackers can inject operator objects such as:

{"$ne": 1}

This can bypass validation, fetch unintended data, or manipulate backend queries.

How I test it

  1. Identify JSON-based lookup endpoints (coupon validation, search APIs, etc.).

  2. Replace the value with an operator object:

    {"$ne": 1}

  3. Send the request.

  4. If the API behaves differently (e.g., coupon accepted), it’s vulnerable.

Why it matters

NoSQLi can reveal:

  • Internal records

  • Private coupons

  • User lists

  • Administrative objects

In some cases, it leads to full database access.













5. Broken Authentication

Some APIs don’t actually validate authentication tokens. They accept:

  • Removed Authorization headers

  • Expired tokens

  • Invalid JWTs

  • Or no token at all

This happens more than you’d think, especially when JWT validation is misconfigured.

How I test it

  1. Capture an authenticated API request.

  2. Send it to Burp Repeater.

  3. Remove the Authorization header entirely.

  4. Replace the token with garbage (abc123).

  5. Resend and observe whether the API still returns sensitive data.

Why it matters

Broken authentication allows:

  • Account takeover

  • Access to private data

  • Role escalation

  • Data scraping

  • Unauthenticated internal actions

This is almost always rated Critical.











Final Thoughts

These five vulnerabilities show up again and again across real production APIs. And most of them have nothing to do with complex exploits they’re caused by:

  • Missing authorization checks

  • Overly permissive responses

  • Blindly trusting user input

  • Inconsistent validation

  • Legacy endpoints still in production

If you’re building APIs, these should be part of your core threat model.

If you’re pentesting APIs, this is your core attack playbook.

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

The API Vulnerabilities I Keep Finding in Web App Pen Tests (With Step-By-Step Testing)

Modern web applications depend heavily on backend APIs, yet these APIs are often the least tested and most vulnerable part of the attack sur...