loading
Loading content
loading
API security focuses on the machine-facing endpoints that power modern applications. A REST or GraphQL API exposes the same business logic as a web UI but without the front end that constrains how users interact with it. An attacker calls the endpoints directly, manipulates parameters freely, and ignores any client-side checks. That freedom makes APIs a prime target.
The dominant API weaknesses involve authorization rather than injection. Broken access control tops the list: an endpoint authenticates a user but fails to verify they own the requested object, which produces IDOR bugs where changing an ID in the request returns someone else's data. Excessive data exposure is close behind, where an API returns full objects and trusts the client to hide sensitive fields. Missing rate limits open the door to enumeration and credential stuffing.
API testing extends web application security but needs different inputs, since there is no HTML to crawl. You drive tests from a spec like OpenAPI, recorded traffic, or discovered endpoints, then run a dynamic application security testing pass against each route.
In an automated workflow, you parse an API definition, generate requests for every endpoint and method, and replay them as multiple user roles to catch authorization flaws no single-user scan would see.
Related terms