Security specialty

Api Security

Browse every cataloged workflow for api security, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

28 skills

cybersecuritySkill

Detecting API Enumeration Attacks

Detect and prevent API enumeration attacks including BOLA and IDOR exploitation by monitoring sequential identifier access patterns and authorization failures.

Api Security
access-controlapi-securitybolabroken-object-level-authorization+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Broken Object Property Level Authorization

Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive data exposure and mass assignment attacks.

Api Security
api-securityapi-testingboplaexcessive-data-exposure+4
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Shadow API Endpoints

Discover and inventory shadow API endpoints that operate outside documented specifications using traffic analysis, code scanning, and API discovery platforms.

Api Security
api-discoveryapi-governanceapi-inventoryapi-security+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Exploiting API Injection Vulnerabilities

Tests APIs for injection vulnerabilities including SQL injection, NoSQL injection, OS command injection, LDAP injection, and Server-Side Request Forgery (SSRF) through API parameters, headers, and request bodies. The tester crafts malicious payloads targeting different backend technologies and injection contexts to extract data, execute commands, or access internal services. Maps to OWASP API8:2023 Security Misconfiguration and API7:2023 SSRF. Activates for requests involving API injection testing, SQLi in APIs, NoSQL injection, SSRF testing, or API input validation assessment.

Api Security
api-securitycommand-injectioninjectionnosql+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Exploiting Broken Function Level Authorization

Tests APIs for Broken Function Level Authorization (BFLA) vulnerabilities where regular users can invoke administrative functions or access privileged API endpoints by directly calling them. The tester identifies admin and privileged endpoints, then attempts to access them with regular user credentials by manipulating HTTP methods, URL paths, and request parameters. Maps to OWASP API5:2023 Broken Function Level Authorization. Activates for requests involving BFLA testing, admin endpoint bypass, function-level access control testing, or API privilege escalation.

Api Security
access-controlapi-securityauthorizationbfla+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Exploiting Excessive Data Exposure in API

Tests APIs for excessive data exposure where endpoints return more data than the client application needs, relying on the frontend to filter sensitive fields. The tester intercepts API responses and analyzes them for leaked PII, internal identifiers, debug information, or sensitive business data that the UI does not display but the API transmits. This maps to OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving API data leakage testing, excessive data exposure, response filtering bypass, or API over-fetching.

Api Security
api-securitydata-exposureowasppii-leakage+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Exploiting JWT Algorithm Confusion Attack

Exploits JWT algorithm confusion vulnerabilities where the server's token verification library accepts the algorithm specified in the JWT header rather than enforcing a fixed algorithm. The tester manipulates the alg header to switch from RS256 to HS256 (using the RSA public key as the HMAC secret), sets alg to none to bypass signature verification, or exploits kid/jku/x5u header injection to supply attacker-controlled keys. Activates for requests involving JWT algorithm confusion, alg none attack, key confusion attack, or JWT signature bypass.

Api Security
algorithm-confusionapi-securitycryptographic-attackjwt+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing API Abuse Detection with Rate Limiting

Implement API abuse detection using token bucket, sliding window, and adaptive rate limiting algorithms to prevent DDoS, brute force, and credential stuffing attacks.

Api Security
api-abuseapi-gatewayapi-securitybrute-force-prevention+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing API Gateway Security Controls

Implements security controls at the API gateway layer including authentication enforcement, rate limiting, request validation, IP allowlisting, TLS termination, and threat protection. The engineer configures API gateways (Kong, AWS API Gateway, Azure APIM, Apigee) to act as a centralized security enforcement point that validates, throttles, and monitors all API traffic before it reaches backend services. Activates for requests involving API gateway security, API management security, gateway authentication, or centralized API protection.

Api Security
api-gatewayapi-securityaws-api-gatewaykong+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing API Key Security Controls

Implements secure API key generation, storage, rotation, and revocation controls to protect API authentication credentials from leakage, brute force, and abuse. The engineer designs API key formats with sufficient entropy, implements secure hashing for storage, enforces per-key scoping and rate limiting, monitors for leaked keys in public repositories, and builds key rotation workflows. Activates for requests involving API key management, API key security, key rotation policy, or API credential protection.

Api Security
api-keysapi-securitycredential-managementkey-rotation+1
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Implementing API Rate Limiting and Throttling

Implements API rate limiting and throttling controls using token bucket, sliding window, and fixed window algorithms to protect against brute force attacks, credential stuffing, resource exhaustion, and API abuse. The engineer configures per-user, per-IP, and per-endpoint rate limits using Redis-backed counters, API gateway plugins, or application middleware, and implements proper HTTP 429 responses with Retry-After headers. Activates for requests involving rate limiting implementation, API throttling setup, request quota management, or API abuse prevention.

Api Security
abuse-preventionapi-securityrate-limitingredis+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing API Schema Validation Security

Implement API schema validation using OpenAPI specifications and JSON Schema to enforce input/output contracts and prevent injection, data exposure, and mass assignment attacks.

Api Security
api-gatewayapi-securitydata-leakage-preventioninput-validation+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing API Security Posture Management

Implement API Security Posture Management to continuously discover, classify, and score APIs based on risk while enforcing security policies across the API lifecycle.

Api Security
api-discoveryapi-governanceapi-inventoryapi-posture-management+4
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing API Security Testing with 42Crunch

Implement comprehensive API security testing using the 42Crunch platform to perform static audit and dynamic conformance scanning of OpenAPI specifications.

Api Security
42crunchapi-auditapi-scanapi-security+5
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing API Threat Protection with Apigee

Implement API threat protection using Google Apigee policies including JSON/XML threat protection, OAuth 2.0, SpikeArrest, and Advanced API Security for OWASP Top 10 defense.

Api Security
api-gatewayapigeegoogle-cloudjson-threat-protection+5
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing API Fuzzing with RESTler

Uses Microsoft RESTler to perform stateful REST API fuzzing by automatically generating and executing test sequences that exercise API endpoints, discover producer-consumer dependencies between requests, and find security and reliability bugs. The tester compiles an OpenAPI specification into a RESTler fuzzing grammar, configures authentication, runs test/fuzz-lean/fuzz modes, and analyzes results for 500 errors, authentication bypasses, resource leaks, and payload injection vulnerabilities. Activates for requests involving API fuzzing, RESTler testing, stateful API testing, or automated API security scanning.

Api Security
api-securityautomated-testingfuzzingopenapi+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing API Inventory and Discovery

Performs API inventory and discovery to identify all API endpoints in an organization's environment including documented, undocumented, shadow, zombie, and deprecated APIs. The tester uses passive traffic analysis, active scanning, DNS enumeration, JavaScript analysis, and cloud resource inventory to build a comprehensive API catalog. Maps to OWASP API9:2023 Improper Inventory Management. Activates for requests involving API discovery, shadow API detection, API inventory audit, or attack surface mapping.

Api Security
api-discoveryapi-securityattack-surfaceinventory+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing API Rate Limiting Bypass

Tests API rate limiting implementations for bypass vulnerabilities by manipulating request headers, IP addresses, HTTP methods, API versions, and encoding schemes to circumvent request throttling controls. The tester identifies rate limit headers, determines enforcement mechanisms, and attempts bypasses including X-Forwarded-For spoofing, parameter pollution, case variation, and endpoint path manipulation. Maps to OWASP API4:2023 Unrestricted Resource Consumption. Activates for requests involving rate limit bypass, API throttling evasion, brute force protection testing, or API abuse prevention assessment.

Api Security
api-securitybrute-forcedos-preventionowasp+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing API Security Testing with Postman

Uses Postman to perform structured API security testing by building collections that test for OWASP API Security Top 10 vulnerabilities including authentication bypass, authorization flaws, injection, and data exposure. The tester creates environments with multiple user roles, writes test scripts for automated security validation, and integrates Postman with OWASP ZAP and Newman for CI/CD security testing. Activates for requests involving Postman security testing, API security collection, automated API testing, or OWASP API testing with Postman.

Api Security
api-securityautomated-testingowasppostman+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing GraphQL Depth Limit Attack

Execute and test GraphQL depth limit attacks using deeply nested recursive queries to identify denial-of-service vulnerabilities in GraphQL APIs.

Api Security
api-securitydenial-of-servicedepth-limitgraphql+4
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing GraphQL Introspection Attack

Performs GraphQL introspection attacks to extract the full API schema including types, queries, mutations, subscriptions, and field definitions from GraphQL endpoints. The tester uses introspection queries to map the attack surface, identifies sensitive fields and mutations, tests for query depth and complexity limits, and exploits GraphQL-specific vulnerabilities including batching attacks, alias-based brute force, and nested query DoS. Activates for requests involving GraphQL security testing, introspection attack, GraphQL enumeration, or GraphQL API penetration testing.

Api Security
api-securitygraphqlintrospectionquery-abuse+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing JWT None Algorithm Attack

Execute and test the JWT none algorithm attack to bypass signature verification by manipulating the alg header field in JSON Web Tokens.

Api Security
authentication-bypassjwtnone-algorithmowasp+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing SOAP Web Service Security Testing

Perform security testing of SOAP web services by analyzing WSDL definitions and testing for XML injection, XXE, WS-Security bypass, and SOAPAction spoofing.

Api Security
penetration-testingsoapsoapaction-spoofingweb-services+5
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Testing API Authentication Weaknesses

Tests API authentication mechanisms for weaknesses including broken token validation, missing authentication on endpoints, weak password policies, credential stuffing susceptibility, token leakage in URLs or logs, and session management flaws. The tester evaluates JWT implementation, API key handling, OAuth flows, and session token entropy to identify authentication bypasses. Maps to OWASP API2:2023 Broken Authentication. Activates for requests involving API authentication testing, token validation assessment, credential security testing, or API auth bypass.

Api Security
api-securityauthenticationcredential-securityjwt+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Testing API for Broken Object Level Authorization

Tests REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR) vulnerabilities where an authenticated user can access or modify resources belonging to other users by manipulating object identifiers in API requests. The tester intercepts API calls, identifies object ID parameters (numeric IDs, UUIDs, slugs), and systematically replaces them with IDs belonging to other users to determine if the server enforces per-object authorization. This is OWASP API Security Top 10 2023 risk API1. Activates for requests involving BOLA testing, IDOR in APIs, object-level authorization testing, or API access control bypass.

Api Security
api-securityauthorizationbolaidor+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Testing API for Mass Assignment Vulnerability

Tests APIs for mass assignment (auto-binding) vulnerabilities where clients can modify object properties they should not have access to by including additional parameters in API requests. The tester identifies writable endpoints, adds undocumented fields to request bodies (role, isAdmin, price, balance), and checks if the server binds these to the data model without filtering. Part of OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving mass assignment testing, parameter binding abuse, auto-binding vulnerability, or API over-posting.

Api Security
api-securityauto-bindingmass-assignmentowasp+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Testing OAuth2 Implementation Flaws

Tests OAuth 2.0 and OpenID Connect implementations for security flaws including authorization code interception, redirect URI manipulation, CSRF in OAuth flows, token leakage, scope escalation, and PKCE bypass. The tester evaluates the authorization server, client application, and token handling for common misconfigurations that enable account takeover or unauthorized access. Activates for requests involving OAuth security testing, OIDC vulnerability assessment, OAuth2 redirect bypass, or authorization code flow testing.

Api Security
api-securityauthenticationoauth2oidc+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Testing WebSocket API Security

Tests WebSocket API implementations for security vulnerabilities including missing authentication on WebSocket upgrade, Cross-Site WebSocket Hijacking (CSWSH), injection attacks through WebSocket messages, insufficient input validation, denial-of-service via message flooding, and information leakage through WebSocket frames. The tester intercepts WebSocket handshakes and messages using Burp Suite, crafts malicious payloads, and tests for authorization bypass on WebSocket channels. Activates for requests involving WebSocket security testing, WS penetration testing, CSWSH attack, or real-time API security assessment.

Api Security
api-securityauthenticationcswshinjection+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings