API Testing Agents

Agent Overview

Agent	Focus Area	OWASP API Coverage
API Auth Agent	Authentication security	API2 - Broken Authentication
API BOLA Agent	Object authorization	API1 - BOLA
API Injection Agent	Input validation	API8 - Injection

API Auth Agent

Tests for authentication and authorization vulnerabilities in your API.

What It Tests

OWASP API2 - Broken Authentication

Vulnerability	Description
JWT Algorithm Confusion	Exploiting algorithm switching
JWT Signature Bypass	Bypassing signature verification
Token Expiration Issues	Tokens that don't properly expire
Session Management Flaws	Weak session handling
Authentication Bypass	Accessing endpoints without auth

OWASP API5 - Broken Function Authorization

Vulnerability	Description
Admin Function Access	Regular users accessing admin APIs
Privilege Escalation	Elevating permissions through API
Missing Authorization Checks	Functions without permission validation

Session Security Testing

Test	Description
Token Revocation	Does logout actually invalidate tokens?
Concurrent Sessions	Can multiple sessions exist?
Session Fixation	Can tokens be reused inappropriately?
Token Binding	Is the token tied to client characteristics?

Example Finding

❌ Critical: Broken Function-Level Authorization

Endpoint: DELETE /api/api-keys/:id
CWE: CWE-285 (Improper Authorization)
OWASP: API5:2023-Broken Function Level Authorization

Issue: Regular users can delete API keys created by administrators.
       No role-based access control on DELETE operations.

Evidence:
- Admin (admin@acme.com) created API key: c93533da-4cbb-...
- Regular user (bob@acme.com, role: user) sent DELETE request
- Response: 200 OK {"message":"API key revoked"}
- Verification: Admin confirmed key no longer exists

Impact:
- Critical privilege escalation
- Regular users can disrupt operations by deleting admin API keys
- Breaks principle of least privilege
- Enables service disruption attacks

API BOLA Agent

Tests for Broken Object Level Authorization—the #1 API security risk.

What It Tests

OWASP API1 - BOLA (Broken Object Level Authorization)

Vulnerability	Description
Cross-User Data Access	Accessing other users' objects
ID Enumeration	Discovering valid object IDs
Horizontal Access	User A → User B's resources
Vertical Access	User → Admin resources
Mutation Authorization	Unauthorized PUT/DELETE

ID Fuzzing

The agent systematically tests object references:

ID Type	Fuzzing Approach
Sequential	`1, 2, 3, ...`
UUID	Common patterns, guessable prefixes
Encoded	Base64 decode, modify, re-encode
Composite	Multiple parameters combined

Example Finding

❌ Critical: Broken Object Level Authorization

Endpoint: GET /api/emails/{id}
CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
OWASP: API1:2023-Broken Object Level Authorization

Issue: Users can access emails belonging to other organizations
       by manipulating the email ID in the request path.

Evidence:
- Attacker: bob@acme.com (Org: 30484ee6-d0ae-...)
- Victim: admin@techstart.com (Org: 651c50a4-6e85-...)
- Request: GET /api/emails/2580b047-ca95-41ae-acf8-e2daeb699884
- Response: 200 OK with victim's full email data

Data Exposed:
- from, to, subject, text content
- organizationId, status, timestamps

Impact:
- Complete breach of multi-tenant data isolation
- Confidential email content exposed to unauthorized parties
- Attackers can enumerate and read all emails across organizations

API Injection Agent

Tests for injection vulnerabilities specific to APIs.

What It Tests

OWASP API8 - Injection

Vulnerability	Description
SQL Injection	Database manipulation via API parameters
NoSQL Injection	MongoDB operator injection
Command Injection	OS command execution
XXE Injection	XML parsing vulnerabilities
Path Traversal	File system access
Header Injection	HTTP header manipulation

API-Specific Testing

Unlike web injection testing, API injection focuses on:

JSON payloads - Injection in request bodies
Query parameters - URL parameter manipulation
Path parameters - Injection in URL paths
Headers - Authorization, custom headers

NoSQL Injection Testing

For APIs using MongoDB or similar:

// Normal request
{"username": "admin"}

// Injection payloads
{"username": {"$ne": null}}      // Always true
{"username": {"$gt": ""}}        // Greater than empty
{"username": {"$regex": ".*"}}   // Regex match all

Example Finding

❌ High: NoSQL Injection

Endpoint: POST /api/v1/users/login
Parameter: username, password (request body)
CWE: CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)
OWASP: API8:2023-Injection

Issue: Login endpoint accepts MongoDB operators in JSON body,
       allowing authentication bypass without valid credentials.

Evidence:
- Normal request: {"username": "admin", "password": "secret"}
- Attack payload: {"username": {"$ne": null}, "password": {"$ne": null}}
- Response: 200 OK with valid JWT token for first user in database

Verification:
- Decoded JWT shows: {"sub": "507f1f77bcf86cd799439011", "role": "admin"}
- Attacker gained admin access without knowing any credentials

Impact:
- Complete authentication bypass
- Unauthorized access to any account
- Potential data exfiltration as admin user
- No audit trail linking attacker to legitimate user

Parallel API Testing

After OpenAPI analysis, specialized agents run simultaneously:

Agent	Target Endpoints	Focus
API Auth Agent	`/auth/*`, JWT tokens, sessions	Authentication bypass, token security
API BOLA Agent	All endpoints with path params (`/users/{id}`)	Object authorization, cross-user access
API Injection Agent	All parameters	SQL/NoSQL injection, command injection

All findings then flow into the Consolidation phase for deduplication and validation.

OpenAPI Integration

Providing your OpenAPI spec improves testing:

With OpenAPI Spec

✅ All endpoints tested
✅ Correct parameter types
✅ Authentication requirements known
✅ Expected responses validated

Without OpenAPI Spec

⚠️ Limited to discovered endpoints
⚠️ Generic payload types
⚠️ Manual auth configuration
⚠️ Reduced coverage

For best results, provide a complete and up-to-date OpenAPI specification when adding your API to ModernPentest.

Next Steps

Last updated: February 1, 2026

On this page