API Testing
How ModernPentest tests REST APIs using OpenAPI specifications
API Testing
Learn how ModernPentest tests REST APIs through the API surface of your application.
Overview
When you enable the API surface for your application, we test it using a pipeline optimized for programmatic interfaces. Providing an OpenAPI specification gives us deeper understanding of your API structure, enabling more thorough testing.
The API Testing Pipeline
OpenAPI Analysis
Parse and understand your API specification:
- Extract all endpoints and methods
- Understand parameter types and constraints
- Map authentication requirements
- Identify data models and relationships
Endpoint Grouping
Group endpoints by functionality for focused testing:
- Authentication —
/login,/register,/logout - User Resources —
/users/:id,/profile - Data Resources —
/products,/orders,/invoices - Admin Functions —
/admin/*,/settings
Parallel Testing
Specialized API agents test in parallel:
- API Auth Agent — JWT testing, session security, auth bypass
- API BOLA Agent — Object authorization, ID fuzzing, cross-user access
- API Injection Agent — SQL injection, NoSQL injection, command injection
Consolidation
- Deduplicate findings across endpoints
- Validate with actual exploitation
- Enrich with API-specific context
- Generate API-focused remediation
Stage 1: OpenAPI Analysis
When you provide an OpenAPI (Swagger) specification, we extract:
Endpoint Information
- All paths and HTTP methods
- Path parameters (e.g.,
/users/{id}) - Query parameters with types
- Request body schemas
Authentication Details
- Security schemes (Bearer, API Key, OAuth)
- Per-endpoint authentication requirements
- Scopes and permissions
Data Models
- Response schemas
- Object relationships
- Required vs optional fields
No OpenAPI spec? We can still test your API through reconnaissance, but coverage will be more limited. We recommend providing a spec for best results.
Stage 2: Endpoint Grouping
Endpoints are grouped by functionality for efficient parallel testing:
| Group | Endpoints | Agent Focus |
|---|---|---|
| Authentication | /login, /logout, /token | Auth bypass, session security |
| User Resources | /users/*, /profile/* | BOLA, privilege escalation |
| Data Resources | /products/*, /orders/* | Authorization, injection |
| Admin Functions | /admin/*, /settings/* | Access control, privilege escalation |
This grouping allows:
- Focused testing - Each agent specializes in related endpoints
- Context awareness - Agents understand the purpose of endpoints
- Efficient coverage - Related vulnerabilities found together
Stage 3: Parallel API Testing
API Authentication Agent
Tests authentication security:
JWT Security
- Algorithm confusion attacks
- Signature verification bypass
- Token expiration handling
- Claims manipulation
Session Management
- Token revocation effectiveness
- Concurrent session handling
- Session fixation
- Token binding
Authentication Bypass
- Missing authentication
- Weak authentication
- Token replay attacks
API BOLA Agent
Tests object-level authorization (OWASP API1:2023):
Horizontal Access
- Accessing other users' resources
- ID enumeration attacks
- Cross-account data access
Vertical Access
- Regular user accessing admin resources
- Privilege escalation through API
Testing Methodology
- Establish baseline with valid credentials
- Attempt access with different user credentials
- Test with no credentials
- Fuzz object IDs
API Injection Agent
Tests for injection vulnerabilities:
SQL Injection
- Parameter injection
- JSON property injection
- Error-based detection
- Time-based blind detection
NoSQL Injection
- MongoDB operator injection
- Array injection
- Object injection
Other Injection Types
- Command injection
- XXE (XML External Entity)
- Path traversal
- SSRF
What We Test
OWASP API Security Top 10 (2023)
| Category | What We Check |
|---|---|
| API1 - BOLA | Object-level authorization bypass |
| API2 - Broken Authentication | JWT issues, session problems |
| API3 - Object Property Authorization | Excessive data exposure |
| API4 - Unrestricted Resource Consumption | Rate limiting, resource quotas |
| API5 - Broken Function Authorization | Missing admin/privilege checks |
| API6 - Server Side Request Forgery | SSRF vulnerabilities |
| API7 - Security Misconfiguration | CORS, headers, debug modes |
| API8 - Lack of Protection | Missing bot protection |
| API9 - Improper Asset Management | Deprecated endpoints, versioning |
| API10 - Unsafe API Consumption | Third-party API trust issues |
Additional Testing
- Mass assignment vulnerabilities
- GraphQL-specific issues (if applicable)
- Rate limiting effectiveness
- Error handling information leaks
Combined Testing
Most modern applications have both web and API surfaces that share users, data, and business logic. When you configure both surfaces, we test them in parallel.
Web Pipeline and API Pipeline run simultaneously, then merge into Unified Results:
- All findings consolidated — Web and API vulnerabilities in a single report
- Cross-surface issues — Vulnerabilities that span both surfaces are identified and linked (e.g., an API endpoint with missing auth that the web app relies on)
- Complete coverage report — No gaps between frontend and backend testing
Best Practices
Provide Complete OpenAPI Specs
Include all endpoints, even internal ones you want tested:
- Document all parameters and types
- Include authentication requirements
- Describe response schemas
Use Realistic Test Credentials
Provide credentials at different privilege levels:
- Standard user account
- Admin account (if testing admin endpoints)
- Multiple users (for BOLA testing)
Next Steps
Last updated: December 8, 2025