BIPI

REST API Pentesting Methodology: Auth, Mass Assignment, Excessive Data Exposure

Cybersecurity

Practical REST API pentest playbook covering authentication weaknesses, BOLA and BFLA, mass assignment, and the OWASP API Top 10 findings that always pay out.

By Arjun Raghavan, Security & Systems Lead, BIPI · December 21, 2024 · 10 min read

#rest-api #pentest #owasp-api #bola #mass-assignment

REST API testing is where bug bounty hunters earn rent. The OWASP API Top 10 has been remarkably stable, and the same handful of flaws keep paying out: broken object level authorization, broken function level authorization, mass assignment, and excessive data exposure. Methodology matters more than tool choice.

Discovering the Attack Surface

  • Pull the OpenAPI or Swagger spec from /swagger.json, /openapi.json, /api/docs, /v2/api-docs
  • Search GitHub for org:target swagger or org:target openapi for leaked private specs
  • Burp's content discovery and ffuf with api wordlists find unlinked v1, v2, v3, internal, admin endpoints
  • Mobile app traffic reveals routes never documented for public consumption; always test the mobile API surface
  • JS files often reveal endpoint constants; run linkfinder or jsluice against bundle.js and the hashed chunk files

Authentication Tests

Start with the basics: send no Authorization header, send an empty one, send a malformed JWT, send a JWT signed with alg none, send one signed with HS256 using the public RSA key as the secret. jwt_tool automates the alg confusion and key confusion attacks. Test refresh token rotation by replaying the same refresh token twice; weak implementations return new access tokens both times.

  • alg=none in JWT header, classic but still works on niche libraries and custom validators
  • kid header SQL injection or path traversal, kid=../../../dev/null produces a predictable signing key
  • JWK injection: embed your own JWK in the token header, weak verifiers will trust it
  • Session fixation in OAuth state parameter, weak entropy or predictable values

BOLA: Broken Object Level Authorization

Number one in the OWASP API Top 10 for a reason. Replace the user_id in /api/users/123/profile with 124. Replace UUIDs harvested from your own account with UUIDs from another account. Test PUT and DELETE methods too; many apps protect GET but forget the write paths. Burp's Autorize extension automates this at scale by replaying every authenticated request as user B and diffing responses.

Mass Assignment

PATCH /api/users/me with body containing fields you should not be able to set: role, is_admin, account_balance, kyc_verified, email_verified, organization_id. Rails, Express with body-parser, and Spring DTOs without explicit field whitelisting all eat this. Even Django REST Framework serializers can leak it if fields=__all__ is set lazily.

Mass assignment is the gift that keeps giving. In 2024 we have closed mass-assign findings on financial APIs, healthcare patient records, and a SaaS HRIS, all because a PATCH endpoint accepted fields the UI never sent.

Excessive Data Exposure

  • GET /api/users/me often returns the full ORM model, password_hash, mfa_secret, internal_notes included
  • List endpoints returning all rows for a tenant when only own-records were authorized
  • Embedded relations leaking sibling object data, GET /api/orders includes user.email and user.address for all users
  • Verbose error stack traces revealing framework version, DB driver, and file paths
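Mass assignment and excessive data exposure are the same mistake in two directions: the ORM row is treated as the API schema. The following is an added example, not code from the post and not Django REST Framework, Rails or Spring code: a PATCH handler that copies only allowlisted fields in, a GET serializer that emits only allowlisted fields out, an embedded relation that is trimmed the same way, and a list endpoint scoped to the caller. The row contents, field names and helper names are constructed for the example.

```python
"""Explicit field allowlists on both the write path and the read path.

Added example, not from the original post. Rows, fields and function names
are constructed for illustration.
"""

# Constructed ORM-like rows, including fields that must never be client-writable
# or client-visible.
USER_ROW = {
    "id": 42,
    "email": "alice@example.test",
    "display_name": "alice",
    "role": "user",
    "is_admin": False,
    "account_balance": 100.0,
    "kyc_verified": False,
    "password_hash": "$argon2id$constructed",
    "mfa_secret": "CONSTRUCTED",
    "internal_notes": "do not show",
}
OTHER_ROW = dict(USER_ROW, id=43, email="bob@example.test", display_name="bob")
ORDERS = [
    {"id": 1, "user": USER_ROW, "total": 12.5},
    {"id": 2, "user": OTHER_ROW, "total": 99.0},
]

# What /api/users/me may change and what it may return. Anything not listed never crosses.
WRITABLE_FIELDS = frozenset({"display_name"})
READABLE_FIELDS = ("id", "email", "display_name", "kyc_verified")
EMBEDDED_USER_FIELDS = ("id", "display_name")  # what an order may reveal about its owner


def patch_me_vulnerable(row: dict, body: dict) -> dict:
    """The mass-assignable version: whatever the body says, the row becomes."""
    row.update(body)
    return row


def patch_me(row: dict, body: dict) -> tuple[dict, list[str]]:
    """Allowlisted version: copy only WRITABLE_FIELDS and report what was rejected.

    Reporting rejected keys (and logging them) is deliberate: probing for hidden
    fields such as role or is_admin then shows up in the logs instead of vanishing.
    """
    rejected = sorted(k for k in body if k not in WRITABLE_FIELDS)
    for key, value in body.items():
        if key in WRITABLE_FIELDS:
            row[key] = value
    return row, rejected


def serialize_user(row: dict) -> dict:
    """GET /api/users/me: a fixed projection, never the raw model."""
    return {k: row[k] for k in READABLE_FIELDS}


def serialize_order(order: dict) -> dict:
    """Embedded relation trimmed to its own allowlist, so no email/address leaks via orders."""
    return {
        "id": order["id"],
        "total": order["total"],
        "user": {k: order["user"][k] for k in EMBEDDED_USER_FIELDS},
    }


def list_orders(subject_id: int) -> list[dict]:
    """GET /api/orders: filtered by the authenticated subject, not by a client-supplied user_id."""
    return [serialize_order(o) for o in ORDERS if o["user"]["id"] == subject_id]


if __name__ == "__main__":
    row = dict(USER_ROW)
    print(patch_me(row, {"display_name": "al", "role": "admin", "is_admin": True}))
    print(serialize_user(row))
    print(list_orders(42))
```

The allowlists are tuples and frozensets declared next to the endpoint on purpose: a reviewer can see the API contract without reading the model, and adding a sensitive column to the table cannot widen the response by accident.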

Rate Limiting and BFLA

Function level authorization means a regular user calling /api/admin/users/123 or POST /api/internal/feature-flags. Brute force the API verb (GET to PUT, POST to DELETE) and the path (replace users with admin, internal, debug). For rate limits, test per-IP, per-user, per-API-key separately, and try X-Forwarded-For, X-Real-IP, X-Originating-IP header bypass.
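The defensive counterpart of both checks, as an added example that is not code from the post: a gateway-style policy that resolves the required role from a route table before any handler runs (default deny, so a verb or path swap that matches no rule is refused), and a token bucket keyed on the authenticated subject rather than on anything the client can put in a header. The route table, role names, bucket sizes and `FakeClock` are assumptions for the example.

```python
"""Function-level authorization by route table plus a per-identity token bucket.

Added example, not from the original post. Routes, roles and limits are
constructed for illustration.
"""
import re
import time
from dataclasses import dataclass

# Required role per (method, path pattern). Anything not listed is denied, so swapping
# GET for PUT or /users for /admin does not land on an unguarded handler.
ROUTE_POLICY = [
    ("GET", re.compile(r"^/api/users/me$"), "user"),
    ("PATCH", re.compile(r"^/api/users/me$"), "user"),
    ("GET", re.compile(r"^/api/admin/users/\d+$"), "admin"),
    ("DELETE", re.compile(r"^/api/admin/users/\d+$"), "admin"),
    ("POST", re.compile(r"^/api/internal/feature-flags$"), "service"),
]


@dataclass(frozen=True)
class Principal:
    subject: str          # stable identity from the verified token
    roles: frozenset      # roles granted server-side, never read from the request


class TokenBucket:
    """Token bucket per subject; the clock is injectable so the behaviour is testable."""

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock
        self.state: dict[str, tuple[float, float]] = {}  # subject -> (tokens, last_seen)

    def allow(self, subject: str) -> bool:
        now = self.clock()
        tokens, last = self.state.get(subject, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill)
        if tokens < 1.0:
            self.state[subject] = (tokens, now)
            return False
        self.state[subject] = (tokens - 1.0, now)
        return True


def gateway(method: str, path: str, principal: Principal, headers: dict, bucket: TokenBucket) -> tuple[int, str]:
    """Decide before any handler: rate limit on identity, then function-level authz."""
    # 1. The bucket key is the authenticated subject. `headers` is accepted only to make the
    #    point explicit: X-Forwarded-For, X-Real-IP and friends are never consulted here,
    #    so rotating them cannot buy a fresh budget. Unauthorized probes also burn tokens.
    if not bucket.allow(principal.subject):
        return 429, "rate limited"
    # 2. Route table lookup, default deny.
    for m, pattern, role in ROUTE_POLICY:
        if m == method and pattern.match(path):
            if role in principal.roles:
                return 200, "ok"
            return 403, f"requires role {role}"
    return 403, "no policy for route"


class FakeClock:
    """Constructed clock for the example; advance .t to simulate elapsed seconds."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    bucket = TokenBucket(capacity=3, refill_per_sec=1.0, clock=clock)
    alice = Principal("alice", frozenset({"user"}))
    for req in [("GET", "/api/users/me"), ("GET", "/api/admin/users/123"),
                ("PUT", "/api/users/me"), ("GET", "/api/users/me")]:
        print(req, gateway(*req, alice, {"X-Forwarded-For": "10.0.0.9"}, bucket))
```

Keying the limiter on the subject is also why the header bypasses in the paragraph above stop working: once the identity comes from the token, the proxy headers are just noise.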

Recent API CVEs

  • CVE-2024-3273 D-Link NAS API auth bypass, exploited at scale in botnet campaigns
  • CVE-2024-1709 ConnectWise ScreenConnect API auth bypass via path traversal in setup wizard
  • CVE-2024-27198 JetBrains TeamCity REST API auth bypass, full admin via crafted endpoint
  • CVE-2024-29849 Veeam Backup Enterprise Manager API auth bypass scored 9.8 CVSS

Tooling Stack

  1. Burp Suite Pro with Autorize, JWT Editor, Param Miner, and Active Scan++
  2. Postman or Bruno collections imported from OpenAPI for repeatable harness
  3. ffuf for path and parameter fuzzing with curated API wordlists from SecLists
  4. mitmproxy for scripted request replay and tampering with custom Python addons
  5. jwt_tool for token attacks, kiterunner for contextual API endpoint discovery

Defense Quick Wins

  • Whitelist fields on every write endpoint, never use ModelSerializer fields __all__ or Mass-Assign DTOs
  • Authorization on every object, every method, enforced by middleware not controller logic
  • Strict JWT validation: pin alg, verify signature, validate aud and iss, short TTL with rotation
  • Rate limit per identity not per IP, use sliding window or token bucket on the gateway

REST APIs do not have novel vulnerability classes; they have repeat offenders. Knowing the playbook and running it consistently beats any auto-scanner.
