APIs rarely benefit from the protections a browser enforces on web pages, and they are usually the most exposed surface.
Reconnaissance
Sources: OpenAPI/Swagger, GraphQL introspection, gRPC reflection, client JS, mobile traffic.
Hidden endpoints:
ffuf -u https://api.example.com/api/FUZZ -w api-endpoints.txt -mc 200,401,403
A 401 or 403 means the endpoint exists but needs auth; record it, it is still in scope.
REST testing
Auth bypass: Test every endpoint without token.
BOLA (Broken Object Level Authorization, #1 in the OWASP API Security Top 10):
GET /api/users/102/documents/5002 # With user 101's token
# Should 403, not 200
Function-level: Regular user tries POST /api/admin/users.
Mass assignment: PATCH /api/users/me {"role": "admin"} - accepted?
Rate limiting: send 100 requests in quick succession - does any return 429?
Excessive exposure: Response includes passwordHash, internal IDs?
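The REST checks above, as an added example that is not part of the original note: a minimal in-memory handler pair where the vulnerable version keeps the BOLA, mass-assignment and excessive-exposure behaviour the checks are meant to catch, and the hardened version beside it shows the fix. Tokens, user records, document ids and the `audit()` probe runner are constructed for this example; nothing here is a real credential or hash.

```python
# Added example, not from the original note: an in-memory REST handler pair
# showing the BOLA, mass-assignment and excessive-exposure checks from this
# section. Tokens, users and documents are constructed sample data; the
# vulnerable handlers keep the behaviour the checks are meant to catch.

# Constructed sample data (not real credentials or hashes).
TOKENS = {"tok-101": 101, "tok-102": 102}          # bearer token -> user id
USERS = {
    101: {"id": 101, "email": "a@example.test", "role": "user", "passwordHash": "<hash-101>"},
    102: {"id": 102, "email": "b@example.test", "role": "user", "passwordHash": "<hash-102>"},
}
DOCUMENTS = {5002: {"id": 5002, "owner_id": 102, "title": "Q3 plan"}}

PUBLIC_USER_FIELDS = ("id", "email", "role")   # response allowlist (no passwordHash)
SELF_WRITABLE_FIELDS = {"email"}               # PATCH /api/users/me allowlist (no role)


def authenticate(headers):
    """Map an Authorization header to a user id; None means no or invalid token."""
    value = headers.get("Authorization", "")
    token = value[len("Bearer "):] if value.startswith("Bearer ") else value
    return TOKENS.get(token.strip())


def public_view(user):
    """Serialise a user record with only the fields a client should see."""
    return {k: user[k] for k in PUBLIC_USER_FIELDS}


# GET /api/users/<user_id>/documents/<doc_id>
def get_document_vulnerable(headers, user_id, doc_id):
    """BOLA: authenticates the caller but looks the object up by id alone."""
    if authenticate(headers) is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    return (200, doc) if doc else (404, None)


def get_document(headers, user_id, doc_id):
    """Hardened: the token's subject must match the URL and own the object."""
    caller = authenticate(headers)
    if caller is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    if caller != user_id or doc is None or doc["owner_id"] != caller:
        return 403, None          # same answer for "not yours" and "not found"
    return 200, doc


# PATCH /api/users/me
def patch_me_vulnerable(headers, body):
    """Mass assignment + exposure: merges any field, echoes the whole record."""
    caller = authenticate(headers)
    if caller is None:
        return 401, None
    return 200, {**USERS[caller], **body}   # would-be stored record, role included


def patch_me(headers, body):
    """Hardened: allowlist writable fields, return only public fields."""
    caller = authenticate(headers)
    if caller is None:
        return 401, None
    rejected = sorted(set(body) - SELF_WRITABLE_FIELDS)
    if rejected:
        return 400, {"error": "field not writable", "fields": rejected}
    return 200, public_view({**USERS[caller], **body})


def audit(get_doc, patch):
    """Run this section's probes against a handler pair; returns the failed checks."""
    as_101 = {"Authorization": "Bearer tok-101"}
    findings = []
    if get_doc({}, 102, 5002)[0] != 401:
        findings.append("auth bypass: request without token accepted")
    if get_doc(as_101, 102, 5002)[0] == 200:
        findings.append("BOLA: user 101 read user 102's document")
    status, resp = patch(as_101, {"role": "admin"})
    if status == 200 and resp.get("role") == "admin":
        findings.append("mass assignment: role escalated via PATCH /me")
    if status == 200 and "passwordHash" in resp:
        findings.append("excessive exposure: passwordHash in response")
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit(get_document_vulnerable, patch_me_vulnerable))
    print("hardened:  ", audit(get_document, patch_me))
```

The design point is that each fix is a narrow allowlist: the object lookup is scoped to the token's subject rather than to whatever id is in the URL, the PATCH body is filtered against the fields a user may write, and serialisation goes through one `public_view()` so a stored `passwordHash` can never leak by accident.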
GraphQL
Introspection: { __schema { types { name } } } - should be disabled in prod.
Depth attacks: deeply nested queries exhaust the server; a query depth limit should reject them.
Batch attacks: many mutations in one request (a JSON array, or aliased fields in one query) - does the rate limit count each operation, or only the HTTP request?
Resolver authz: reaching an object through a relationship may skip the authorization check the direct query enforces.
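The depth and batch checks above, as an added example that is not part of the original note: a simplified request gate that measures selection-set depth and counts top-level fields with a brace scanner (not a full GraphQL parser), rejects introspection and over-deep queries, and charges a per-client sliding-window budget per operation rather than per HTTP request, so JSON-array batches and aliased batches cannot slip under a per-request limit. `MAX_DEPTH`, the window size and the budget are assumed values; the sample queries are constructed.

```python
# Added example, not from the original note: a simplified GraphQL request
# gate implementing the depth limit and batch-aware rate limit this section
# calls for. query_shape() is a brace scanner, not a full GraphQL parser;
# MAX_DEPTH, the window and the budget are assumed values.
MAX_DEPTH = 10               # assumed: reject selection sets nested deeper than this
ALLOW_INTROSPECTION = False  # production setting


def query_shape(query):
    """Return (max_depth, top_level_fields) by scanning selection-set braces.

    Skips string literals, comments and argument lists. Counting top-level
    fields (aliases excluded) makes an aliased batch cost as many operations
    as it really contains. Simplified scanner: a real deployment should use
    the server's own validation rules for this.
    """
    depth = max_depth = paren = top_fields = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == '"':                                  # skip string literal
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif c == "#":                                # skip comment to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif c == "(":
            paren += 1
        elif c == ")":
            paren -= 1
        elif c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
        elif paren == 0 and depth == 1 and (c.isalpha() or c == "_"):
            j = i
            while j < n and (query[j].isalnum() or query[j] == "_"):
                j += 1
            if not query[j:].lstrip().startswith(":"):  # "alias:" is not a field
                top_fields += 1
            i = j
            continue
        i += 1
    return max_depth, top_fields


class SlidingWindowLimiter:
    """Per-client budget over a time window; each call is charged a cost."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = {}  # client -> [(timestamp, cost), ...]

    def allow(self, client, cost, now):
        hits = [(t, c) for t, c in self.hits.get(client, []) if t > now - self.window_s]
        allowed = sum(c for _, c in hits) + cost <= self.limit
        if allowed:
            hits.append((now, cost))      # rejected requests are not recorded
        self.hits[client] = hits
        return allowed


def handle_graphql(body, client, limiter, now):
    """Gate a request body (one operation dict or a batch list); returns an HTTP status."""
    ops = body if isinstance(body, list) else [body]
    shapes = [query_shape(op.get("query", "")) for op in ops]
    # Charge every operation and every top-level field, so a batch of 100
    # mutations or 100 aliased fields costs 100 units, not 1.
    cost = sum(max(1, fields) for _, fields in shapes)
    if not limiter.allow(client, cost, now):
        return 429
    for op, (depth, _) in zip(ops, shapes):
        text = op.get("query", "")
        if not ALLOW_INTROSPECTION and ("__schema" in text or "__type" in text):
            return 400
        if depth > MAX_DEPTH:
            return 400
    return 200
```

The budget is charged before validation so that a client cannot burn server time on queries that will be rejected anyway, and a rejected request is not recorded against the window, which keeps a legitimately retried request from being double-charged.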
gRPC
Server reflection lists services and methods; it should be off in prod:
grpcurl -plaintext localhost:50051 list
BOLA over gRPC (user A's token, user 102's id):
grpcurl -d '{"user_id": 102}' -H "auth: $USER_A_TOKEN" localhost:50051 myapp.UserService/GetUser
The takeaway
Map every endpoint, including undocumented ones. Then test each for auth bypass, BOLA on every object ID, function-level access, mass assignment, rate limits and data exposure. Work systematically through the OWASP API Security Top 10.
