WhatsApp Call: +91 8088734237
Email: consult@sherlockedsecurity.com
Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Application Security Services

API Security Review

  • May 8, 2025

Sherlocked Security – API Security Review

Ensure Your APIs Are Secure, Authenticated, and Properly Controlled


1. Statement of Work (SOW)

Service Name: API Security Review
Client Type: SaaS Providers, FinTechs, Mobile Backends, Cloud Platforms
Service Model: Manual + Automated API Penetration Testing
Compliance Coverage: OWASP API Security Top 10, PCI-DSS, GDPR, SOC 2, ISO 27001

Assessment Types:

  • REST, GraphQL, and SOAP API Testing
  • Authenticated and Role-Based Testing
  • Endpoint Enumeration and Fuzzing
  • Business Logic Abuse in API Workflows
  • Broken Access Control & IDOR Testing
  • Secure Token and Session Review

2. Our Approach

[API Enumeration] → [Authentication & Token Analysis] → [Access Control Validation] → [Input Fuzzing & Injection Testing] → [Business Logic Review] → [Reporting] → [Remediation Support] → [Revalidation]


3. Methodology

[Swagger/OpenAPI Analysis] → [Authentication & Token Handling] → [Access Control Matrix Testing] → [Custom Payload Injection] → [Rate Limiting & Abuse Testing] → [Logic Flow Abuse] → [CVE/CWE Mapping] → [Reporting & Advisory]


4. Deliverables to the Client

  1. API Security Assessment Report
  2. OWASP API Top 10 & CWE Mapped Vulnerabilities
  3. Endpoint Inventory with Method and Auth Mapping
  4. Proof-of-Concept (PoC) Requests and Responses
  5. Business Logic Risk Evaluation
  6. Secure Token Usage Review
  7. Remediation Guidelines with Fix Examples
  8. Revalidation Report Post-Patching
  9. Optional: API Gateway Security Configuration Review

5. What We Need from You (Client Requirements)

  • Base URL(s) of the API and relevant documentation (Postman, Swagger, GraphQL schema, etc.)
  • Test credentials for all user roles (admin, user, guest, etc.)
  • API key/token or OAuth credentials for auth-protected APIs
  • Rate limits, quotas, or DoS protection configurations (if any)
  • NDA and scope sign-off prior to engagement

6. Tools & Technology Stack

  • Postman / Insomnia (manual testing)
  • Burp Suite Pro (with extensions for API fuzzing)
  • GraphQL Voyager / introspection tools
  • OWASP Amass / Nuclei / ffuf for endpoint discovery
  • JWT.io / Charles Proxy / Mitmproxy for token inspection
  • API Gateway Review (e.g., Kong, Apigee, AWS API Gateway)
  • Custom API Fuzzers & Payload Libraries
  • Swagger/OpenAPI Spec Parsers and Validators

7. Engagement Lifecycle

1. Kickoff & Documentation Gathering → 2. Endpoint Discovery & Mapping → 3. Auth & ACL Testing → 4. Injection & Fuzzing → 5. Report Draft → 6. Developer Advisory → 7. Revalidation → 8. Final Report Delivery


8. Why Sherlocked Security?

Feature                         | Sherlocked Advantage
--------------------------------|--------------------------------------------------------
Deep API Business Logic Testing | Uncovers subtle flaws in multi-step workflows
Role-Based ACL Validation       | Confirms secure separation of privileges across users
Advanced Token Analysis         | JWT, OAuth, API keys analyzed for implementation flaws
GraphQL & REST Expertise        | Broad support for modern and legacy API formats
OWASP API Top 10 Coverage       | Testing aligned with evolving OWASP API standards
Revalidation Included           | Post-fix testing ensures issues are correctly mitigated

9. Real-World Case Studies

FinTech: Broken Function-Level Authorization

Issue: Users were able to access administrative API endpoints.
Impact: Data exposure and unauthorized privilege escalation.
Our Role: Discovered through role-based token fuzzing and ACL bypass testing.
Outcome: Implemented RBAC controls and fine-grained endpoint ACLs.

SaaS Provider: Insecure Direct Object Reference (IDOR)

Client: Project Management Tool
Findings: Task IDs could be modified in requests to access data from other user accounts.
Outcome: Object-level authorization (ownership and tenant checks on every task lookup) was enforced server-side, alongside input validation of the supplied IDs.


10. SOP – Standard Operating Procedure

  1. Scope & Auth Setup
  2. API Endpoint Discovery (Swagger, GraphQL, fuzzing)
  3. Authentication & Token Handling Review
  4. Role-Based Access Control Testing
  5. Injection & Input Fuzzing (JSON/XML/GraphQL)
  6. Business Logic Testing
  7. Rate Limiting, Throttling, and Abuse Scenarios
  8. Misconfigurations and Security Header Testing
  9. Reporting & Risk Categorization
  10. Fix Verification & Revalidation Testing

11. API Security Review – Detailed Checklist

1. API Discovery & Mapping

  • Extract endpoints from Swagger/OpenAPI, Postman, GraphQL introspection
  • Manually crawl mobile/web clients to identify undocumented endpoints
  • Analyze HTTP methods (GET, POST, PUT, DELETE, PATCH)
  • Enumerate nested resources and path parameters (e.g., /user/1234/orders)
  • Identify public vs. authenticated endpoints
  • Check CORS policies for potential cross-domain exposure
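The endpoint inventory that the discovery step feeds into the "Endpoint Inventory with Method and Auth Mapping" deliverable can be derived mechanically from an OpenAPI document. The script below is an added example written for this page, not Sherlocked's tooling: it walks a constructed OpenAPI 3 spec (the task-management API and its `bearerAuth`/`apiKey` scheme names are assumptions), resolves the effective security requirement for each operation (operation-level `security` overrides the document default; an explicit empty list marks a deliberately public operation) and lists the public endpoints and the authenticated endpoints that take a path parameter, which are the first targets for the IDOR checks later in the checklist.

```python
"""Build an endpoint inventory (method, path, auth scheme, path params) from an
OpenAPI 3 document.  Added example, stdlib only; the spec is a constructed sample."""
import json
import re

# Constructed sample spec (assumption: a small task-management API).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "security": [{"bearerAuth": []}],
  "components": {"securitySchemes": {
    "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
    "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
  "paths": {
    "/health": {"get": {"security": []}},
    "/users/{id}/orders": {"get": {}},
    "/admin/users": {"get": {"security": [{"apiKey": []}]},
                     "delete": {"security": [{"apiKey": []}]}},
    "/tasks/{taskId}": {"get": {}, "put": {}, "patch": {}, "delete": {}}
  }
}
""")

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
PATH_PARAM = re.compile(r"\{([^}]+)\}")


def inventory(spec):
    """One dict per operation.  Operation-level `security` overrides the
    document-level default; an explicit [] means intentionally unauthenticated."""
    default_sec = spec.get("security", [])
    rows = []
    for path, item in spec.get("paths", {}).items():
        path_params = PATH_PARAM.findall(path)
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            sec = op.get("security", default_sec)
            schemes = sorted({name for requirement in sec for name in requirement})
            rows.append({
                "method": method.upper(),
                "path": path,
                "auth": schemes,          # [] => public endpoint
                "path_params": path_params,
            })
    return rows


def public_endpoints(rows):
    """Operations with no security requirement at all."""
    return [(r["method"], r["path"]) for r in rows if not r["auth"]]


def idor_candidates(rows):
    """Authenticated operations keyed by a path parameter (e.g. /user/{id}/orders):
    these need horizontal access-control tests with a second user's token."""
    return [(r["method"], r["path"]) for r in rows if r["auth"] and r["path_params"]]


if __name__ == "__main__":
    rows = inventory(SAMPLE_SPEC)
    for r in rows:
        print(f"{r['method']:<7}{r['path']:<22}auth={r['auth'] or 'PUBLIC'} params={r['path_params']}")
    print("public:", public_endpoints(rows))
    print("IDOR candidates:", idor_candidates(rows))
```

Undocumented endpoints found by crawling the mobile or web client are appended to the same row structure by hand, so the access-control matrix in the next steps covers both the documented and the discovered surface.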

2. Authentication & Token Handling

  • Analyze JWT tokens: header, payload, and signature algorithms
  • Test for weak or confusable signing algorithms: alg=none accepted, RS256 tokens re-signed as HS256 with the server's public key used as the HMAC secret (algorithm confusion), and guessable HMAC secrets
  • Evaluate token expiration (exp, iat, nbf) and revocation on logout
  • Check for token leakage in URLs, headers, or logs
  • Assess OAuth 2.0/OpenID Connect flows: lax redirect_uri validation, missing or unverified state parameter (login CSRF), and absence of PKCE for public clients
  • Test for refresh token misuse or long-lived access tokens
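The alg=none and lifetime checks above reduce to a few lines of stdlib Python. The block below is an added example for this page, not Sherlocked's tooling: `inspect()` parses a token without verifying it and reports the review findings, while `verify_insecure()` and `verify_secure()` show the implementation flaw being looked for. The first honours whatever `alg` the token's own header claims, so a forged unsigned token with `"role": "admin"` is accepted; the second pins HS256, compares the signature in constant time and enforces `exp`. The secret and claims are constructed for the demonstration.

```python
"""Decode a JWT without verification, flag weak alg/lifetime choices, and
contrast a verifier that trusts the token's `alg` header with one that pins it.
Added example, stdlib only; key and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"   # assumption: the server's HS256 key
ONE_DAY = 24 * 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, alg: str = "HS256", key: bytes = SECRET) -> str:
    """Build a token; alg='none' produces the unsigned form an attacker would send."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def inspect(token: str, now=None) -> dict:
    """Parse header and payload WITHOUT verification and list review findings."""
    now = time.time() if now is None else now
    h, p, _sig = token.split(".")
    header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    findings = []
    alg = header.get("alg", "")
    if alg.lower() == "none":
        findings.append("alg=none: unsigned token")
    if alg.upper().startswith("HS"):
        findings.append("HMAC alg: confirm the server does not also accept RS*/ES* (alg confusion)")
    if "exp" not in claims:
        findings.append("no exp claim: token never expires")
    elif claims["exp"] - claims.get("iat", now) > ONE_DAY:
        findings.append("long-lived: lifetime > 24h")
    if "nbf" in claims and claims["nbf"] > now:
        findings.append("nbf in the future")
    return {"header": header, "claims": claims, "findings": findings}


def verify_insecure(token: str, key: bytes = SECRET):
    """Vulnerable: honours whatever `alg` the attacker put in the header."""
    h, p, sig = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(_b64url_decode(p))           # accepts unsigned tokens
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(sig)):
        return json.loads(_b64url_decode(p))
    return None


def verify_secure(token: str, key: bytes = SECRET, now=None):
    """Fixed: pins HS256 (rejects none and any other alg), constant-time
    signature compare, and mandatory, unexpired exp."""
    now = time.time() if now is None else now
    h, p, sig = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(p))
    if "exp" not in claims or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    now = int(time.time())
    forged = mint({"sub": "u1", "role": "admin", "iat": now, "exp": now + 900}, alg="none")
    print("insecure verifier:", verify_insecure(forged))   # returns the forged admin claims
    print("secure verifier:", verify_secure(forged))       # None
    print("findings:", inspect(forged)["findings"])
```

Algorithm confusion (RS256 to HS256) is the same bug in a different coat: a verifier that selects the algorithm from the header will, when handed the server's RSA public key as an HMAC secret, validate a token the attacker signed with that public key. The fix is the same as in `verify_secure()`: the server decides the algorithm, never the token.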

3. Access Control Testing (Authorization)

  • Validate vertical privilege escalation (user → admin)
  • Validate horizontal privilege escalation (user A accessing user B’s data)
  • Fuzz path/resource IDs for IDOR vulnerabilities
  • Attempt function-level access to endpoints protected by role
  • Check token scope and permissions for over-privileged users
  • Ensure multi-tenancy boundaries are enforced in backend logic
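The vertical, horizontal and function-level checks in this section, and the SaaS IDOR case in the case studies above, are all instances of one test: replay each request with every role's credentials and compare the observed status against an expected access-control matrix. The harness below is an added example for this page, not Sherlocked's own tooling. Its `api()` function is a constructed stand-in for the target backend with a deliberate ownership bug on `GET /tasks/{id}`; in an engagement that function is replaced by a real HTTP call that attaches the role's token. The user, token and task fixtures are assumptions.

```python
"""Role-based access-control matrix test: every (method, path) is replayed with
every role's credentials and compared against the expected status.  Added
example; `api()` is a constructed stand-in for the backend under test."""

# Constructed fixture: tokens, their principals, and task ownership.
USERS = {"tok-alice": {"id": "u1", "role": "user"},
         "tok-bob":   {"id": "u2", "role": "user"},
         "tok-admin": {"id": "u9", "role": "admin"}}
TASKS = {"t100": {"owner": "u1", "title": "alice's task"},
         "t200": {"owner": "u2", "title": "bob's task"}}


def api(method, path, token):
    """Stand-in backend.  Authentication and function-level auth on /admin are
    enforced, but GET /tasks/{id} never checks ownership (horizontal IDOR)."""
    user = USERS.get(token)
    if user is None:
        return 401
    if path.startswith("/admin/"):
        return 200 if user["role"] == "admin" else 403
    if path.startswith("/tasks/"):
        task = TASKS.get(path.split("/")[2])
        if task is None:
            return 404
        if method == "GET":
            return 200                          # BUG: missing owner check
        return 200 if task["owner"] == user["id"] or user["role"] == "admin" else 403
    return 404


# Expected matrix: (method, path) -> {token: expected status}; None = unauthenticated.
EXPECTED = {
    ("GET", "/admin/users"):   {"tok-alice": 403, "tok-bob": 403, "tok-admin": 200, None: 401},
    ("GET", "/tasks/t100"):    {"tok-alice": 200, "tok-bob": 403, "tok-admin": 200, None: 401},
    ("DELETE", "/tasks/t100"): {"tok-alice": 200, "tok-bob": 403, "tok-admin": 200, None: 401},
}


def run_matrix(expected, send=api):
    """Replay every cell; return (method, path, token, expected, observed) for each mismatch.
    `send` is swapped for a real client (e.g. requests) in a live test."""
    findings = []
    for (method, path), cells in expected.items():
        for token, want in cells.items():
            got = send(method, path, token)
            if got != want:
                findings.append((method, path, token, want, got))
    return findings


def classify(finding):
    """Map a mismatch to the OWASP API Top 10 category it most likely represents."""
    method, path, token, want, got = finding
    if token is None and got < 400:
        return "missing authentication"
    if path.startswith("/admin/") and USERS.get(token, {}).get("role") != "admin" and got < 400:
        return "vertical escalation (BFLA)"
    if want == 403 and got == 200:
        return "horizontal escalation (IDOR / BOLA)"
    return "unexpected"


if __name__ == "__main__":
    for f in run_matrix(EXPECTED):
        print(classify(f), f)
```

Keeping the matrix as data rather than as ad-hoc scripts is what makes the revalidation step cheap: after the fix, the same matrix is run again and must return no findings.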

4. Input Validation & Injection Testing

  • Test all input fields for SQL/NoSQL injection
  • Attempt XML External Entity (XXE) injection in XML payloads, including JSON endpoints that also parse XML when the Content-Type is switched, and SSRF through parameters that accept URLs (webhooks, import/fetch features)
  • Fuzz GraphQL queries for access to internal schema
  • Analyze GraphQL error messages and schema introspection for leakage
  • Test for insecure deserialization in serialized input formats (e.g., base64 payloads)
  • Validate input sanitization in file uploads, filters, and search queries

5. Rate Limiting, Replay & DoS Scenarios

  • Check whether rate limiting is actually enforced server-side (X-RateLimit-* headers are advisory; their absence, or presence, proves nothing on its own)
  • Test APIs for brute-force protection on login or OTP endpoints
  • Perform replay attack tests with intercepted tokens and requests
  • Test for resource exhaustion vectors (e.g., large file uploads, complex queries)
  • Identify rate limiting inconsistencies across endpoints or methods

6. Business Logic Abuse

  • Test for order manipulation, duplicate transactions, or skipped steps
  • Bypass multi-step workflows by manipulating intermediate states
  • Tamper with server responses on the client side (e.g., role, verification or payment-status flags) to find workflows where the backend trusts client-reported state
  • Fuzz e-commerce or fintech logic: discounts, transfer amounts, quota abuse
  • Replay transaction endpoints to test for duplicate or fraudulent behavior
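The replay checks in this section and in the rate-limiting section above come down to sending one captured request twice and reading the resulting state. The block below is an added example for this page, not Sherlocked's tooling, and uses two constructed stand-in handlers for a transfer endpoint: the vulnerable one applies every request it receives, so a replayed POST moves the money twice and a negative amount reverses the transfer; the fixed one deduplicates on an Idempotency-Key, validates the amount and checks the balance. Account names, amounts and the key header name are assumptions.

```python
"""Replay and amount-tampering test for a money-transfer endpoint.  Added
example; the two handlers are constructed stand-ins (vulnerable vs. fixed)."""
from decimal import Decimal


class Ledger:
    def __init__(self):
        self.balances = {"acct-a": Decimal("100"), "acct-b": Decimal("0")}
        self.seen_keys = set()          # idempotency keys already applied


def transfer_vulnerable(ledger, req):
    """Applies every request: a replayed POST moves the money again and
    nothing rejects a negative amount (which reverses the direction)."""
    amt = Decimal(req["amount"])
    ledger.balances[req["from"]] -= amt
    ledger.balances[req["to"]] += amt
    return 200


def transfer_fixed(ledger, req):
    """Idempotency-Key dedup, positive-amount validation and balance check."""
    key = req.get("idempotency_key")
    if not key:
        return 400
    if key in ledger.seen_keys:
        return 409                      # replay: refuse, do not re-apply
    amt = Decimal(req["amount"])
    if amt <= 0 or ledger.balances[req["from"]] < amt:
        return 422
    ledger.seen_keys.add(key)
    ledger.balances[req["from"]] -= amt
    ledger.balances[req["to"]] += amt
    return 200


def replay_test(handler):
    """Send one captured request twice, then a negative amount; return the
    statuses and the final balances for comparison against expectations."""
    ledger = Ledger()
    captured = {"from": "acct-a", "to": "acct-b", "amount": "40", "idempotency_key": "k-1"}
    statuses = [handler(ledger, dict(captured)), handler(ledger, dict(captured))]
    negative = handler(ledger, {"from": "acct-a", "to": "acct-b",
                                "amount": "-500", "idempotency_key": "k-2"})
    return statuses, negative, ledger.balances


if __name__ == "__main__":
    print("vulnerable:", replay_test(transfer_vulnerable))
    print("fixed:     ", replay_test(transfer_fixed))
```

The finding is the delta in balances, not the status codes: an endpoint can return 200 to both requests and still be safe if the second one was a no-op, so the test always reads back state after the replay.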

7. Security Headers & Misconfigurations

  • Check for missing or misconfigured headers:
    • Strict-Transport-Security
    • X-Content-Type-Options
    • Content-Security-Policy
    • Cache-Control for sensitive endpoints
  • Analyze error messages and HTTP codes for internal leakage
  • Look for verbose banners or headers exposing server tech stack
  • Ensure only intended HTTP methods are accepted

8. Reporting & Remediation

  • Provide complete request/response samples with redacted PoCs
  • Include OWASP API Top 10 and CWE IDs per vulnerability
  • Prioritize issues by exploitability and business impact
  • Recommend specific fixes, with config or code examples
  • Provide revalidation feedback and delta report post-fix

Let’s get Sherlocked

Address: Indialand Global Techpark, Hinjewadi Phase 1, Pune, India 411057
Whatsapp Call: +91 8088734237
Email: consult@sherlockedsecurity.com

© 2025 Sherlocked. All rights reserved.