API Security Testing: What DAST Misses and How to Fill the Gap

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The modern application is predominantly API surface. Mobile applications, single-page web apps, third-party integrations, and microservices architectures communicate through REST, GraphQL, and gRPC APIs that generate the vast majority of application traffic. Traditional DAST tools were built for a different era: they spider HTML pages, submit forms, follow links, and identify input fields. They have no capability to authenticate to an API using a bearer token, construct valid JSON request bodies, understand an API's resource model, or test for authorization flaws between objects. The result is a systematic testing blind spot. Organizations that run DAST scans against their applications regularly believe they have covered their external attack surface. In practice, they have tested their HTML pages and missed the API layer entirely. This guide addresses the API security testing gap methodically: inventory discovery to find the full API surface, OWASP API Top 10 methodology for structured vulnerability testing, authenticated testing workflows with Burp Suite and Postman, and the business logic and authorization vulnerabilities that require manual testing regardless of the tools used.
The API Testing Gap and API Inventory Discovery
Understanding why standard DAST misses APIs requires understanding how DAST crawling works. A DAST crawler starts at a URL, parses the HTML response, extracts links, forms, and JavaScript references, and follows them recursively to build a site map of testable inputs. API endpoints typically do not appear in HTML. They are called by JavaScript code, mobile applications, or backend services using HTTP requests that the crawler never generates. Even if a DAST crawler identifies an API endpoint URL from a JavaScript bundle, it cannot construct an authenticated request with a valid JWT, cannot produce a structurally valid JSON body that the API accepts, and cannot understand the resource relationships that authorization testing depends on.
API inventory is the prerequisite for API security testing. An organization cannot test what it does not know exists. Four complementary discovery methods cover the range of API exposure points. Network traffic analysis from a web application proxy or API gateway captures all API calls made by real users and applications, revealing endpoints that may not be documented anywhere. OpenAPI/Swagger specification files, if they exist, provide the most complete inventory of intended API surface; the presence of a spec file at /api/openapi.json, /swagger.json, or /v2/api-docs is a reliable indicator. API gateway logs from AWS API Gateway, Kong, Apigee, or similar platforms capture every API call including path, method, and response codes, making them a comprehensive source for endpoint enumeration. JavaScript bundle analysis extracts API base URLs and endpoint patterns from client-side code; tools like LinkFinder and JSParser automate this extraction.
Inventory completeness is a measurement challenge. After running all four discovery methods, compare the resulting endpoint list against what the development team believes exists. The gap between discovered endpoints and documented endpoints is the shadow API surface: endpoints that exist in production but are not in the official inventory. Shadow APIs are typically older endpoints that were never removed, internal endpoints accidentally exposed to external networks, or development and staging endpoints reachable from production. Each category carries a distinct risk profile but all require inclusion in the security testing scope.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
OWASP API Security Top 10: The Exploitable Categories
The OWASP API Security Top 10 2023 defines the most common and impactful API vulnerability categories. Three categories dominate real-world API breaches and warrant the most testing investment: Broken Object Level Authorization (API1:2023), Broken Authentication (API2:2023), and Unrestricted Access to Sensitive Business Flows (API6:2023).
Broken Object Level Authorization (BOLA), also called Insecure Direct Object Reference (IDOR), occurs when an API endpoint accepts a resource identifier from the client and returns or modifies that resource without verifying that the requesting user is authorized to access it. A typical pattern: GET /api/orders/12345 returns an order. The API authenticates the user but does not check whether order 12345 belongs to the authenticated user. An attacker who enumerates order IDs can access every order in the system regardless of ownership. BOLA is the most prevalent API vulnerability class because it requires explicit per-resource authorization checks at every endpoint, and this check is easy to forget, particularly for internal or administrative APIs where the assumption is that only authorized internal clients will call them.
Broken Authentication covers weak token implementation, missing token validation, and predictable token formats. Common findings include JWT tokens with alg:none accepted by the server (the signature is bypassed entirely), API keys transmitted in query parameters that appear in server access logs, missing token expiration enforcement, and refresh tokens with indefinitely long validity periods. Testing authentication requires attempting authentication bypass at each endpoint rather than only testing the login flow.
Mass Assignment (API6:2023 maps to excessive data exposure, but mass assignment is equally critical) occurs when an API endpoint accepts and applies object properties beyond those it should expose to client modification. A user profile update endpoint that accepts a JSON body and applies all properties to the user object may inadvertently accept and apply privileged properties like isAdmin: true or accountBalance: 999999. Testing requires examining the API's data model, identifying privileged or read-only properties, and verifying that the endpoint rejects or ignores unauthorized property modifications.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
BOLA Testing Methodology in Depth
BOLA is not a single vulnerability but a pattern that must be tested at every endpoint that processes resource identifiers. A systematic BOLA testing methodology requires multiple test accounts and a structured approach to identifier substitution.
The setup phase creates two or more test accounts at different privilege levels: two regular user accounts (User A and User B) and ideally an administrator account. Authenticate each account and capture their session tokens. Create test resources under each account (orders, documents, profiles, messages, or whatever resource types the application manages) and record the resource identifiers associated with each account's resources.
The testing phase attempts horizontal privilege escalation: use User A's session token to request User B's resource identifiers. A vulnerable API returns User B's data. A properly secured API returns HTTP 403. Test every endpoint that accepts a resource identifier: GET (read), PUT/PATCH (modify), DELETE (delete). Read-only BOLA is impactful (data exposure) but modification and deletion BOLA are more severe. Also test vertical privilege escalation: use a regular user's session token to access administrative or system-level resources.
Identifier enumeration is often necessary to construct valid BOLA test cases. Sequential numeric IDs (order ID 1001, 1002, 1003) are the easiest to enumerate. UUIDs are harder but not necessarily safe: if a list endpoint returns resource IDs for the authenticated user and the application also has admin accounts whose UUIDs can be harvested, UUID-based BOLA is still exploitable. Test whether list endpoints for administrative functions expose identifiers of other users' resources, which creates a two-step exploitation path even for UUID-protected resources.
Documenting BOLA findings requires specifying the request (endpoint, method, identifier substituted), the expected response (403 or empty response), and the actual response (data returned or action taken). Business impact assessment should address what data was exposed or what action was permitted: an order IDOR that exposes shipping addresses is a privacy incident; a financial account IDOR that allows balance transfers is a fraud incident. The severity assessment drives remediation priority.
Authenticated API Testing with Burp Suite
Burp Suite Professional is the standard tool for authenticated API testing. The workflow for API testing differs from web application testing in several ways: API testing requires importing a specification or building a request collection rather than relying on crawler discovery, authentication must be explicitly configured to apply to all test requests, and the testing workflow is more manual and targeted than automated scanning.
Importing an OpenAPI specification into Burp Suite (via the OpenAPI Parser extension or the built-in import in BApp Store versions) creates a structured set of requests corresponding to each documented endpoint. This provides the foundation for systematic testing but does not replace traffic capture: import the spec, then also run the application to capture real traffic, and compare the two to identify endpoints present in traffic but not in the spec.
Authentication configuration for API testing uses Burp's session handling rules or the new Bambdas Java scripting feature in Burp Suite Pro. For JWT-based APIs, create a session handling rule that adds the Authorization: Bearer <token> header to all requests in scope. For APIs that use short-lived tokens, configure a macro that refreshes the token by calling the authentication endpoint and extracts the new token from the response for use in subsequent requests. Getting authentication right before starting testing is critical: a testing session where half the requests are returning 401 because the token expired produces unreliable results and wastes testing time.
For authorization testing, Burp's Autorize extension (available in the BApp Store) automates horizontal privilege escalation testing. Configure Autorize with a second user's session token; it will automatically re-issue every request you make with the second user's credentials and flag responses where the second user receives a 200 response for a resource that should be restricted to the first user. This does not replace manual testing but catches a significant fraction of BOLA vulnerabilities with low additional effort. The Param Miner extension is valuable for discovering undocumented API parameters, which is particularly useful for identifying mass assignment targets.
GraphQL-Specific Testing Techniques
GraphQL APIs present a different testing surface than REST APIs. The key differences are: GraphQL uses a single endpoint (/graphql) for all operations, the schema is self-describing via introspection, and the query language allows clients to request nested data structures that can cause excessive data exposure and resource consumption issues not possible with REST.
Introspection is the starting point for GraphQL testing. The introspection query enumerates the entire schema including all types, fields, queries, mutations, and subscriptions. Send the following query to enumerate the schema:
{
__schema {
types {
name
fields {
name
type {
name
}
}
}
}
}
If introspection is enabled (it should be disabled in production), the response reveals the entire API surface. If introspection is disabled, field suggestion errors ("Did you mean X?") often leak schema information through error messages when querying non-existent fields. Clairvoyance is a tool that exploits field suggestions to reconstruct the schema even when introspection is disabled.
Broken authorization in GraphQL is tested at the field and resolver level rather than the endpoint level. Each field in a GraphQL query may resolve through a different resolver function, and each resolver must independently verify authorization. A user who can query their own profile object should not be able to add the adminNotes field to that query and receive the admin-only data. Test by requesting fields that should be restricted to higher-privilege users and verifying the response returns an authorization error, not the data.
Batching attacks exploit GraphQL's ability to execute multiple operations in a single HTTP request, potentially bypassing rate limiting that operates at the HTTP request level rather than the operation level. If the authentication endpoint accepts batched queries, an attacker can brute-force credentials at a rate determined by the batch size rather than the HTTP request rate limit. Test by sending a batch of mutations or queries and verifying that rate limiting applies to individual operations, not just HTTP requests.
API Fuzzing and Automated Test Coverage
Manual testing covers the vulnerability categories that require contextual judgment (BOLA, business logic, authorization). Automated fuzzing addresses a different category: injection vulnerabilities, unexpected input handling, and error conditions that manual testing typically undercovers due to the breadth of the input space.
OWASP ZAP's API Scan is a command-line-friendly option for automated API security testing against OpenAPI specifications. Invoke it as:
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
-t https://api.example.com/openapi.json \
-f openapi \
-r api-scan-report.html
ZAP generates requests for each endpoint defined in the spec, fuzzes input parameters with common injection payloads (SQL injection, command injection, path traversal, XML injection), and reports on responses that indicate vulnerability. The results are most valuable for identifying injection issues and verbose error messages that leak internal details. ZAP's coverage of authorization issues is limited because it cannot reason about the business logic of which user should access which resource.
RESTler is a stateful REST API fuzzer from Microsoft Research that goes beyond ZAP's stateless approach by inferring producer-consumer relationships between API endpoints (a POST to /users that returns a user ID consumed by subsequent requests to /users/{id}) and generating test sequences that exercise the API in realistic ways. RESTler discovers vulnerabilities that stateless fuzzers miss because many API bugs only manifest in specific sequences of operations.
For organizations with CI/CD pipelines, integrating API security testing into the pipeline catches new vulnerabilities at the point of introduction rather than during periodic assessments. A practical pipeline integration: ZAP API scan runs on each pull request against a staging environment, reports new HIGH and CRITICAL findings as blocking checks, and posts the full report as a PR artifact. Manual testing (BOLA, authorization, business logic) runs on a scheduled basis against the production environment or a production-equivalent staging environment.
The bottom line
API security testing requires a fundamentally different approach than web application testing. The inventory problem is first: without a complete map of the API surface including shadow endpoints and deprecated versions, testing coverage is undefined. The methodology problem is second: BOLA and authorization testing require multi-account test setups and manual verification that automated tools cannot replace. Start with API inventory discovery using all four methods (traffic capture, spec files, gateway logs, JS bundle analysis). Build a two-account test environment for BOLA testing across every endpoint that accepts resource identifiers. Import your OpenAPI spec into Burp Suite and configure authenticated sessions before testing. Run ZAP API scan in your CI pipeline for injection coverage. The investment in proper API security testing methodology pays for itself with the first authorization vulnerability found before a breach rather than after.
Frequently asked questions
Should API security testing be done by the application security team or the development team?
Both, at different stages and different depths. Development teams should run automated API security tests (ZAP API scan, unit tests for authorization logic) as part of their CI/CD pipeline and should understand OWASP API Top 10 well enough to avoid common patterns during development. The application security team should conduct deeper manual testing (BOLA testing, GraphQL schema analysis, business logic review) on a scheduled basis and for significant feature releases. The division of labor that works best in practice: dev teams own automated gating checks in the pipeline, AppSec owns periodic manual assessments, and the feedback loop from manual findings drives improvements to automated checks.
What is the difference between testing a REST API and a GraphQL API from a security perspective?
REST APIs have a one-to-one mapping between URL paths and resources, which makes endpoint enumeration and authorization testing straightforward: find every path, test whether each user can perform each operation on each resource they should not own. GraphQL APIs have a single endpoint with a query language that allows the client to specify exactly what data to retrieve. Authorization must be enforced at the field and resolver level rather than the endpoint level, making authorization testing more granular. GraphQL also introduces batching and nested query depth issues that have no REST equivalent. The practical impact is that REST API BOLA testing can be largely structured around identifier substitution, while GraphQL testing requires field-level authorization analysis and query complexity testing.
How do you test API authorization without having two real user accounts?
You need two accounts for proper horizontal privilege escalation testing; there is no reliable substitute. Create dedicated test accounts in the test or staging environment specifically for security testing. If the application's user model allows self-registration, creating test accounts is straightforward. If it requires administrative provisioning, work with the application team to create at least two test accounts at each privilege level in the testing environment. Testing authorization in production requires care to avoid accessing real user data; use accounts with synthetic test data and coordinate with the application owner. Testing in a staging environment that mirrors production authorization logic is preferable.
How should API version management affect security testing scope?
Every supported API version is in scope for security testing. Organizations frequently maintain v1, v2, and v3 of an API simultaneously, and older versions commonly have weaker security controls because they predate current security requirements. V1 APIs that are "deprecated but still available for legacy clients" are particularly high-risk: they often lack authentication improvements added in v2, and the teams responsible for them may not consider them part of the active security testing scope. Include API version enumeration as part of inventory discovery by testing common versioning patterns (`/v1`, `/v2`, `/api/v1`, `/api/v2`) and scanning JavaScript bundles for version strings.
What should a minimal API security testing checklist include for a development team that does not have a dedicated AppSec function?
A development team without dedicated AppSec should focus on the five highest-impact checks: (1) BOLA testing on every endpoint that accepts a resource ID, using two test accounts to verify per-resource authorization. (2) Authentication required on every endpoint, with no unauthenticated access to sensitive operations. (3) Input validation on all parameters, with structured payloads rejected for malformed input. (4) Rate limiting on authentication and sensitive operation endpoints. (5) Error handling that does not return stack traces, internal paths, or database error messages to clients. These five checks catch the most exploitable vulnerabilities with the least security expertise required. Add ZAP API scan to the CI pipeline for automated injection coverage, and schedule a manual assessment with an external team annually.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
