APIShield
OWASP API Security Top 10 — 2023

API Security
Testing Framework

10 automated test modules that scan REST APIs for authentication flaws, injection vulnerabilities, SSRF, misconfigurations, and authorization bypasses. Open source. On-premises deployable.
10 OWASP Modules
50+ Endpoint Discovery paths
6 Injection Types
2 Report Formats
Live Output
Scan in action
Authenticated scan against a target API. Color-coded findings with severity classification and per-check remediation.
$ python3 apishield.py -u https://api.target.com -H "Authorization: Bearer eyJ..."
[PASS] Target: https://api.target.com — Status: 200
═══════════════════════════════════════════════════════════
[INFO] API1:2023 — Broken Object Level Authorization (BOLA)
[VULN] /api/users/124 returned 200 with manipulated ID
[PASS] /api/orders/999 properly returned 403
═══════════════════════════════════════════════════════════
[INFO] API4:2023 — Unrestricted Resource Consumption
[VULN] No rate limiting detected on /api/users (20 requests)
[WARN] Large payload (100KB) accepted at /api/users
═══════════════════════════════════════════════════════════
[INFO] API8:2023 — Security Misconfiguration
[VULN] CORS misconfiguration: Access-Control-Allow-Origin: *
[WARN] Missing: Strict-Transport-Security
[WARN] Server header discloses: nginx/1.24.0
═══════════════════════════════════════════════════════════
[INFO] API9:2023 — Improper Inventory Management
[VULN] Exposed: /swagger.json [documentation]
[VULN] Exposed: /actuator/health [debug]
═══════════════════════════════════════════════════════════
APIShield Scan Complete
Target: https://api.target.com
Tests: 10
Vulnerabilities: 11
Score: 45%
Reports: ./apishield_reports/
═══════════════════════════════════════════════════════════
Test Coverage
10 OWASP modules
Each module targets a specific OWASP API Security Top 10 (2023) category. Every finding includes severity, risk description, and remediation guidance.
API1
Broken Object Level Authorization
Manipulates object identifiers — numeric increment, UUID substitution, MongoDB ObjectID — to detect IDOR vulnerabilities where resources belonging to other users are accessible.
Techniques: ID manipulation, response diffing, 403 vs 200 analysis
Critical
API2
Broken Authentication
Probes login endpoints with common credential pairs, detects missing authentication on sensitive paths, and identifies token leakage in API responses.
Techniques: 5 credential pairs, auth bypass, token detection in response body
Critical
API3
Broken Object Property Level Authorization
Scans responses for 16 sensitive field patterns (password, token, ssn, api_key, role). Tests writable endpoints for mass assignment by injecting privilege-escalation properties.
Techniques: 16 field signatures, role/admin injection, mass assignment
High
API4
Unrestricted Resource Consumption
Sends 20 rapid requests to detect missing rate limiting. Checks for rate limit headers, tests 100KB payload acceptance, and probes pagination bypass with limit=999999.
Techniques: Burst testing, header analysis, payload size, pagination abuse
High
API5
Broken Function Level Authorization
Discovers accessible admin and debug endpoints across 25 common paths. Tests HTTP method tampering — sending DELETE and PUT to GET-only endpoints to detect missing method restrictions.
Techniques: 25 admin paths, method tampering (GET/PUT/DELETE/PATCH)
Critical
API6
Unrestricted Access to Sensitive Flows
Identifies business-critical operations (purchase, transfer, registration, OTP, password reset) and checks for CAPTCHA, CSRF tokens, or step-up authentication controls.
Techniques: 16 sensitive flow patterns, CAPTCHA/CSRF detection
Medium
API7
Server Side Request Forgery
Injects internal targets (localhost, AWS IMDS 169.254.169.254, GCP and Azure metadata) through 16 URL parameter names. Detects cloud metadata indicators in responses.
Techniques: 16 URL params × 3 cloud targets, IMDS indicator detection
High
API8
Security Misconfiguration
Audits CORS policy (wildcard, origin reflection), 6 security headers, server version disclosure, verbose error responses with stack traces, and dangerous HTTP methods (TRACE/TRACK).
Techniques: CORS origin test, 6 headers, error probing, method audit
Medium
API9
Improper Inventory Management
Concurrently scans 50+ paths for exposed Swagger/OpenAPI docs, GraphQL endpoints, Spring Boot Actuator, .git/.env files, and legacy API versions (/v1, /v2, /beta, /staging).
Techniques: 50+ path brute, concurrent scanning, endpoint classification
Medium
API10
Unsafe Consumption of APIs
Sends injection payloads through query parameters and JSON body — SQL (4 payloads), NoSQL (3), XSS (2), SSTI (3), command injection (4), and path traversal (2). Matches response indicators per category.
Techniques: 18 payloads across 6 injection categories, dual vector (params + body)
High
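The API8 module above audits CORS policy, hardening headers, server version disclosure, verbose errors and dangerous methods. The following is an added example written for this page, not APIShield's own code: a pure function that applies those checks to one captured response so the classification logic can be read and unit-tested offline. The page names "6 security headers" without listing them, so the EXPECTED_HEADERS set, the stack-trace markers, the probe origin and both sample responses are assumptions constructed for illustration.

```python
import re

# Added example, not APIShield's own code. The project names "6 security headers"
# but not which ones; this set is an assumption chosen for illustration.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Content-Security-Policy",
    "Referrer-Policy",
    "Cache-Control",
)

# Substrings that indicate a stack trace leaked into an error body (constructed list).
STACK_MARKERS = (
    "Traceback (most recent call last)",
    "at java.",
    "at org.springframework",
    "Stack trace:",
    "SQLSTATE[",
)


def audit_headers(headers, probe_origin="https://attacker.example"):
    """Return a list of (level, detail) findings for one captured response.

    headers: response header name -> value; names are matched case-insensitively.
    probe_origin: the Origin value the scanner sent on the request, so that an
    Access-Control-Allow-Origin that echoes it back is recognised as reflection.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # CORS: wildcard origin, or the request origin reflected verbatim
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append(("VULN", "CORS misconfiguration: Access-Control-Allow-Origin: *"))
    elif acao and acao == probe_origin:
        detail = f"CORS misconfiguration: request origin reflected ({acao})"
        if h.get("access-control-allow-credentials", "").lower() == "true":
            detail += " with Access-Control-Allow-Credentials: true"
        findings.append(("VULN", detail))

    # Hardening headers that should be present on every API response
    for name in EXPECTED_HEADERS:
        if name.lower() not in h:
            findings.append(("WARN", f"Missing: {name}"))

    # Version disclosure: any digit in the Server banner counts as a version string
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(("WARN", f"Server header discloses: {server}"))

    # Dangerous methods advertised in an Allow header (e.g. from an OPTIONS response)
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    for method in ("TRACE", "TRACK"):
        if method in allowed:
            findings.append(("VULN", f"Dangerous HTTP method enabled: {method}"))

    return findings


def audit_error_body(body):
    """Flag a verbose error response; returns a (level, detail) tuple or None."""
    for marker in STACK_MARKERS:
        if marker in body:
            return ("VULN", f"Verbose error response: contains '{marker}'")
    return None


# Constructed sample responses: one weak, one hardened
WEAK_HEADERS = {
    "Server": "nginx/1.24.0",
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Allow": "GET, POST, TRACE",
}
HARDENED_HEADERS = {
    "Server": "nginx",
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
    "Allow": "GET, POST",
}

if __name__ == "__main__":
    for level, detail in audit_headers(WEAK_HEADERS):
        print(f"[{level}] {detail}")
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

Origin reflection is only detectable because the function knows which Origin was sent; a scanner that checks Access-Control-Allow-Origin without that context can only catch the wildcard case. The hardened sample produces no findings, which is the acceptance criterion a team would wire into a pre-release check.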
Deployment
Quick start
Python 3.8+ with the requests library. No API keys, cloud services, or external accounts required.
# Install
git clone https://github.com/SiteQ8/APIShield.git
cd APIShield && pip install requests

# Full OWASP scan
python3 apishield.py -u https://api.example.com

# Authenticated scan
python3 apishield.py -u https://api.example.com -H "Authorization: Bearer TOKEN"

# Target specific endpoints
python3 apishield.py -u https://api.example.com -e /users,/orders,/admin

# Run only specific OWASP categories
python3 apishield.py -u https://api.example.com --tests API1,API4,API8

# Internal API (skip TLS verification)
python3 apishield.py -u https://staging.internal:8443 --no-verify
Reference
Parameters
Flag               Description
-u, --url          Base URL of the target API (required)
-e, --endpoints    Comma-separated paths to test (e.g., /users,/orders)
-H, --header       Custom HTTP header — repeatable (e.g., "Authorization: Bearer token")
--tests            Specific OWASP categories to run (e.g., API1,API4,API8)
--timeout          Request timeout in seconds (default: 10)
--no-verify        Skip TLS certificate verification
--version          Display version and exit
Output
Reporting
Every scan generates two report formats automatically. Each finding includes severity, risk description, and actionable remediation.

JSON

Structured data with full metadata, per-test findings, severity levels, and remediation steps. Designed for CI/CD pipeline integration, SIEM ingestion, and GRC platform import.

HTML

Visual report with color-coded severity, compliance score, and finding details. Suitable for management review, audit evidence, and stakeholder communication.
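The JSON report is meant for CI/CD and SIEM consumption, so its shape and the score matter more than its looks. The following is an added example written for this page, not APIShield's own Reporter: it flattens per-module results into one JSON document, computes a compliance score, and exposes a gate a pipeline can fail on. The scoring formula is an assumption (the page only shows "Score: 45%"), and SAMPLE_RESULTS is constructed to mirror the scan output shown above.

```python
import json
from datetime import datetime, timezone

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

# Assumption: APIShield's scoring formula is not on the page. Here each VULN
# deducts by its module's severity and each WARN deducts 2, floored at 0.
VULN_DEDUCTION = {"Critical": 15, "High": 10, "Medium": 5, "Low": 2}
WARN_DEDUCTION = 2


def compliance_score(results):
    """Return an integer 0..100 from per-module results (formula is an assumption)."""
    score = 100
    for module in results:
        for finding in module["findings"]:
            if finding["level"] == "VULN":
                score -= VULN_DEDUCTION.get(module["severity"], 2)
            elif finding["level"] == "WARN":
                score -= WARN_DEDUCTION
    return max(score, 0)


def build_report(target, results, now=None):
    """Flatten per-module results into one JSON-serialisable report dict."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for module in results:
        for finding in module["findings"]:
            findings.append({"test": module["test"], "name": module["name"],
                             "severity": module["severity"], **finding})
    # Highest severity first; the sort is stable, so module order survives within a tier
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return {
        "tool": "APIShield",
        "target": target,
        "generated_at": now.isoformat(),
        "summary": {
            "tests": len(results),
            "vulnerabilities": sum(1 for f in findings if f["level"] == "VULN"),
            "warnings": sum(1 for f in findings if f["level"] == "WARN"),
            "score": compliance_score(results),
        },
        "findings": findings,
    }


def to_json(report):
    return json.dumps(report, indent=2)


def ci_gate(report, fail_on="High"):
    """True if the pipeline may proceed: no VULN at or above the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on]
    return not any(f["level"] == "VULN" and SEVERITY_RANK[f["severity"]] >= threshold
                   for f in report["findings"])


# Constructed sample results, shaped like the scan output shown on this page
SAMPLE_RESULTS = [
    {"test": "API1", "name": "Broken Object Level Authorization", "severity": "Critical",
     "findings": [{"level": "VULN", "detail": "/api/users/124 returned 200 with manipulated ID",
                   "remediation": "Enforce ownership checks on every object lookup"}]},
    {"test": "API4", "name": "Unrestricted Resource Consumption", "severity": "High",
     "findings": [{"level": "VULN", "detail": "No rate limiting detected on /api/users",
                   "remediation": "Apply per-client rate limits and return 429"},
                  {"level": "WARN", "detail": "Large payload (100KB) accepted at /api/users",
                   "remediation": "Set a maximum request body size"}]},
    {"test": "API8", "name": "Security Misconfiguration", "severity": "Medium",
     "findings": [{"level": "VULN", "detail": "CORS misconfiguration: Access-Control-Allow-Origin: *",
                   "remediation": "Allow-list trusted origins"},
                  {"level": "WARN", "detail": "Missing: Strict-Transport-Security",
                   "remediation": "Send HSTS on all HTTPS responses"},
                  {"level": "WARN", "detail": "Server header discloses: nginx/1.24.0",
                   "remediation": "Suppress version strings in the Server header"}]},
    {"test": "API9", "name": "Improper Inventory Management", "severity": "Medium",
     "findings": [{"level": "VULN", "detail": "Exposed: /swagger.json",
                   "remediation": "Remove or authenticate documentation endpoints"},
                  {"level": "VULN", "detail": "Exposed: /actuator/health",
                   "remediation": "Restrict actuator endpoints to internal networks"}]},
]

if __name__ == "__main__":
    report = build_report("https://api.example.com", SAMPLE_RESULTS)
    print(to_json(report))
    print("CI gate (fail on High and above):", "PASS" if ci_gate(report) else "FAIL")
```

Keeping severity on every flattened finding (rather than only on the module) is what makes the gate a one-liner and lets a SIEM filter on a single field after ingestion.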

Internals
Architecture
apishield.py
├── Session              HTTP client — retry logic, auth propagation, timeout
├── TestBOLA             API1  Broken Object Level Authorization
├── TestBrokenAuth       API2  Broken Authentication
├── TestBOPLA            API3  Object Property Level Authorization
├── TestResourceConsump  API4  Unrestricted Resource Consumption
├── TestBFLA             API5  Broken Function Level Authorization
├── TestSensitiveFlows   API6  Sensitive Business Flows
├── TestSSRF             API7  Server Side Request Forgery
├── TestMisconfig        API8  Security Misconfiguration
├── TestInventory        API9  Improper Inventory Management
├── TestUnsafeConsump    API10 Unsafe Consumption of APIs
└── Reporter             JSON + HTML generation with scoring
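The Session component in the tree above is described as an HTTP client with retry logic, auth propagation and a timeout. The following is an added example written for this page, not APIShield's Session class (which builds on requests): a standard-library version of the same responsibilities, with the transport injectable so the retry and header-propagation behaviour can be exercised without a network. The Response shape, the linear backoff, the flaky_opener test transport and the hostnames are all assumptions constructed for illustration.

```python
import ssl
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _urllib_opener(request, timeout, verify_tls=True):
    """Default transport. HTTP error statuses are returned as responses because a
    403 or 404 is a result the scanner needs to see, not a transport failure."""
    context = None if verify_tls else ssl._create_unverified_context()  # --no-verify
    try:
        with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
            return Response(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:
        return Response(err.code, dict(err.headers), err.read())


class Session:
    """Propagates fixed headers (e.g. Authorization) to every request, applies one
    timeout, and retries transport-level failures with linear backoff."""

    def __init__(self, base_url, headers=None, timeout=10, retries=2,
                 backoff=0.5, verify_tls=True, opener=None):
        self.base_url = base_url.rstrip("/")
        self.headers = dict(headers or {})
        self.timeout = timeout
        self.retries = retries
        self.backoff = backoff
        self.opener = opener or (lambda req, t: _urllib_opener(req, t, verify_tls))
        self.attempts = 0  # total transport attempts, useful for the report

    def request(self, path, method="GET", data=None, extra_headers=None):
        url = f"{self.base_url}/{path.lstrip('/')}"
        headers = {**self.headers, **(extra_headers or {})}
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        last_error = None
        for attempt in range(self.retries + 1):
            self.attempts += 1
            try:
                return self.opener(req, self.timeout)
            except (urllib.error.URLError, TimeoutError, ConnectionError) as err:
                last_error = err
                if attempt < self.retries:
                    time.sleep(self.backoff * (attempt + 1))
        raise last_error


def safe_request(session, path):
    """Return the Response, or None once every retry is exhausted."""
    try:
        return session.request(path)
    except (urllib.error.URLError, TimeoutError, ConnectionError):
        return None


def flaky_opener(failures):
    """Constructed offline transport: fail `failures` times, then answer 200.
    Records the Authorization header it saw so propagation can be verified."""
    state = {"left": failures, "seen_auth": None}

    def opener(req, timeout):
        state["seen_auth"] = req.get_header("Authorization")
        if state["left"] > 0:
            state["left"] -= 1
            raise urllib.error.URLError("connection reset")
        return Response(200, {"Content-Type": "application/json"}, b'{"ok": true}')

    opener.state = state
    return opener


if __name__ == "__main__":
    s = Session("https://api.example.com", headers={"Authorization": "Bearer TOKEN"},
                backoff=0, opener=flaky_opener(2))
    print(s.request("/users").status, "after", s.attempts, "attempts")
```

Turning HTTPError into a normal Response is the detail that matters for a scanner: the BOLA and BFLA modules reason about 403 versus 200, so a client that treats 403 as an exception would misclassify the very responses those checks depend on.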