APIs expose application functionality directly to clients, making them a primary target for attackers. REST and GraphQL APIs both rely on predictable endpoints and structured data formats, which makes them easy to enumerate. When authentication, authorization, or input validation is missing or inconsistent, attackers exploit these weaknesses to extract sensitive data, manipulate backend logic, or compromise accounts.
API security failures are especially dangerous because APIs often expose raw data models, internal logic, and administrative capabilities that the UI normally hides.
How APIs Work
APIs transfer structured data between client and server. The client makes requests, and the server responds with:
- JSON
- XML
- GraphQL result objects (themselves JSON, with data and errors keys)
- binary data
REST usually exposes endpoint-based logic:
GET /users/1
POST /orders
PATCH /payments/20
GraphQL exposes a single endpoint:
POST /graphql
Clients choose exactly which fields they receive, so what a client can fetch is bounded by the schema and the resolvers' authorization checks, not by what any particular UI screen requests; this is what makes field selection part of the attack surface.
REST API Attack Surface
REST APIs expose individual endpoints and operations. Attackers examine:
- HTTP methods
- predictable IDs
- unprotected routes
- hidden admin endpoints
- missing authentication
- parameter tampering
- weak authorization checks
Common REST API Vulnerabilities
1. Broken Authentication
Weak or missing authentication enables direct API access.
Examples:
GET /admin/users
GET /transactions
If accessible without a token → critical vulnerability.
2. Broken Object-Level Authorization (BOLA)
This is the most common REST API vulnerability; OWASP ranks it first in the API Security Top 10 (API1:2023).
Occurs when an attacker manipulates object identifiers:
GET /users/1001/invoices
→ change to:
GET /users/1002/invoices
If data is exposed → IDOR at API level.
3. Broken Function-Level Authorization (BFLA)
Attacker performs admin-only actions:
POST /admin/deleteUser
If allowed for a normal user, privilege escalation occurs.
4. Excessive Data Exposure
APIs often return full database records:
{
"id":1,
"email":"user@example.com",
"passwordHash":"...",
"token":"..."
}
Even if UI doesn’t use these fields, attackers can extract them directly.
5. Mass Assignment
Many frameworks bind the request JSON straight onto a model object, so every attribute of the model becomes writable.
Example request:
{"role":"admin"}
If the backend does not restrict the body to an allow-list of writable fields, attackers escalate privileges.
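The following is an added example, not code from the original page: one user-update handler written twice, first with the three flaws from sections 2, 4 and 5 above (no ownership check, body merged straight into the record, whole record echoed back) and then hardened with an object-level check, an allow-list of writable fields and an explicit response serializer. The in-memory database, the user records and the caller identities are constructed for the example.

```python
import copy

# Constructed in-memory "database" for this example. Real records would
# hold bcrypt hashes and opaque tokens; these are placeholders.
DB = {
    1001: {"id": 1001, "email": "alice@example.com", "display_name": "Alice",
           "role": "user", "password_hash": "<hash>", "api_token": "tok-alice"},
    1002: {"id": 1002, "email": "bob@example.com", "display_name": "Bob",
           "role": "user", "password_hash": "<hash>", "api_token": "tok-bob"},
}
WRITABLE = {"display_name", "email"}              # fields a user may set on itself
PUBLIC = {"id", "email", "display_name", "role"}  # fields a response may carry


def fresh_db():
    return copy.deepcopy(DB)


def update_user_vulnerable(db, caller_id, target_id, body):
    """PATCH /users/{target_id} with the three flaws the page describes:
    no ownership check (BOLA), the JSON body merged straight into the
    record (mass assignment), and the whole record echoed back
    (excessive data exposure)."""
    user = db[target_id]
    user.update(body)
    return user


def update_user_hardened(db, caller_id, target_id, body):
    """Same operation with object-level authorization, an allow-list of
    writable fields and an explicit response serializer."""
    if target_id not in db:
        raise LookupError("not found")
    # Object-level authorization: compare the authenticated caller to the
    # object being touched. A role check for admins would go here too.
    if caller_id != target_id:
        raise PermissionError("forbidden")
    # Mass-assignment defence: reject unknown fields instead of silently
    # dropping them, so tampering attempts are visible in logs.
    unexpected = set(body) - WRITABLE
    if unexpected:
        raise ValueError("unexpected fields: " + ", ".join(sorted(unexpected)))
    user = db[target_id]
    user.update(body)
    # Excessive-data-exposure defence: serialize a named field set, never
    # the raw record.
    return {k: user[k] for k in PUBLIC}


def demo():
    """Bob (1002) sends {"display_name": ..., "role": "admin"} to Alice's
    record (1001) and then to his own; returns what each handler did."""
    vuln_db, hard_db = fresh_db(), fresh_db()
    body = {"display_name": "Bob", "role": "admin"}
    out = {}
    leaked = update_user_vulnerable(vuln_db, caller_id=1002, target_id=1001, body=body)
    out["vulnerable_target_role"] = leaked["role"]
    out["vulnerable_leaks_hash"] = "password_hash" in leaked
    try:
        update_user_hardened(hard_db, 1002, 1001, body)
        out["hardened_cross_user"] = "allowed"
    except PermissionError:
        out["hardened_cross_user"] = "forbidden"
    try:
        update_user_hardened(hard_db, 1002, 1002, body)
        out["hardened_role_field"] = "allowed"
    except ValueError:
        out["hardened_role_field"] = "rejected"
    resp = update_user_hardened(hard_db, 1002, 1002, {"display_name": "Robert"})
    out["hardened_response_keys"] = sorted(resp)
    out["hardened_caller_role"] = hard_db[1002]["role"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Rejecting unknown fields rather than dropping them is a deliberate choice: a silent drop hides the tampering attempt from logs, while a 400 with the offending field name gives detection a signal.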
6. Parameter Tampering
Changing values in:
- query params
- JSON bodies
- URL paths
Example:
PATCH /orders/10
{"status":"delivered"}
If the server applies the change without checking that this caller may set that field on that order, it is a business-logic flaw.
7. Rate Limit Bypass
If APIs lack throttling, attackers brute-force:
- OTP
- tokens
- credentials
- session IDs
8. Improper Input Validation
APIs accept data that bypasses UI filters.
Example:
POST /comments
{"text":"<script>alert(1)</script>"}
If a web client later renders the stored text without escaping, this is stored XSS; the API call simply bypassed the client-side filter.
9. Weak CORS
If the API reflects any Origin and allows credentials:
Access-Control-Allow-Origin: <reflected attacker origin>
Access-Control-Allow-Credentials: true
a malicious site can make authenticated requests from the victim's browser and read the responses. A bare wildcard:
Access-Control-Allow-Origin: *
is less severe on its own, because browsers refuse to send cookies with it, but it still lets any site read whatever the API serves without credentials.
10. Overly Permissive API Keys
API keys hardcoded in JavaScript bundles or mobile apps are recoverable by anyone with the client, and they frequently carry more scope than the client needs, so extracting one gives the attacker that full scope against internal APIs.
GraphQL Attack Surface
GraphQL provides a single endpoint:
POST /graphql
Clients specify exactly which fields they want via queries.
This flexibility introduces major security risks.
Common GraphQL Vulnerabilities
1. Introspection Enabled
If introspection is allowed in production, attackers discover:
- types
- fields
- queries
- mutations
- hidden admin operations
Attackers map the entire API in one request. Disabling introspection raises the bar but does not hide the schema: field-name suggestions in error messages ("Did you mean ...?") still let an attacker reconstruct it by guessing.
2. Missing Authorization
GraphQL resolves fields individually.
If resolvers do not validate authorization consistently:
query {
user(id:100) {
passwordHash
email
transactions
}
}
These may expose unauthorized data.
3. Mass Assignment via Mutations
Mutations like:
mutation {
updateUser(id:1, role:"admin")
}
If backend doesn’t validate fields, attackers escalate privileges directly.
4. Batching Attacks
GraphQL allows multiple queries in a single request.
Attackers use batching to pack many login attempts into one HTTP request, so a per-request rate limit counts them once:
[
{"query": "{login(user:\"a\",pass:\"1\")}" },
{"query": "{login(user:\"a\",pass:\"2\")}" },
...
]
5. Field Exploitation (Excessive Data Exposure)
Developers forget to filter deep nested fields:
user {
accounts {
creditCard {
number
cvv
}
}
}
Any field reachable in the schema is retrievable by any client unless its resolver enforces authorization; the schema, not the UI, is the boundary.
6. Recursive Queries → DoS
Schemas with circular relationships (a user has friends, who are users) allow recursive queries:
{
user {
friends {
friends {
friends {
...
}
}
}
}
}
Unbounded recursion exhausts server resources.
7. Alias Attacks
Aliases let one operation repeat the same field with different arguments, so a single request carries many attempts:
{
a1: login(user:"a",pass:"1")
a2: login(user:"a",pass:"2")
a3: login(user:"a",pass:"3")
}
Single request performing multiple brute-force attempts.
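The following is an added example, not code from the original page, covering the batching (4), recursion (6) and alias (7) attacks above from the defender's side: a pre-execution check a GraphQL gateway can run on the raw request body to cap operations per request, selection depth and alias count. The limits and the sample request bodies are constructed for the example, and the depth and alias counting is a lightweight scan of the query text, not a full GraphQL parser.

```python
import json
import re

# Limits are constructed for this example; tune them to the real schema.
MAX_BATCH = 2        # operations per HTTP request
MAX_DEPTH = 4        # nested selection sets per operation
MAX_ALIASES = 3      # aliased fields per operation


def _normalize(query: str) -> str:
    """Blank out string literals and argument lists so that braces and
    colons inside them are not mistaken for selections or aliases."""
    q = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)   # "..." -> ""
    q = re.sub(r"\([^()]*\)", "()", q)              # (args...) -> ()
    return q


def selection_depth(query: str) -> int:
    """Deepest nesting of { } selection sets (recursion / DoS check)."""
    depth = best = 0
    for ch in _normalize(query):
        if ch == "{":
            depth += 1
            best = max(best, depth)
        elif ch == "}":
            depth -= 1
    return best


def alias_count(query: str) -> int:
    """Number of `alias: field` pairs (alias brute-force check)."""
    return len(re.findall(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*", _normalize(query)))


def check_request(raw_body: str):
    """Gate one HTTP request body before it reaches the executor.
    Accepts a single {"query": ...} object or a JSON array of them
    (batching). Returns (ok, reason)."""
    try:
        parsed = json.loads(raw_body)
    except ValueError:
        return False, "body is not JSON"
    ops = parsed if isinstance(parsed, list) else [parsed]
    if len(ops) > MAX_BATCH:
        return False, f"batch of {len(ops)} operations exceeds {MAX_BATCH}"
    for i, op in enumerate(ops):
        query = op.get("query") if isinstance(op, dict) else None
        if not isinstance(query, str) or not query.strip():
            return False, f"operation {i}: missing query"
        depth = selection_depth(query)
        if depth > MAX_DEPTH:
            return False, f"operation {i}: depth {depth} exceeds {MAX_DEPTH}"
        aliases = alias_count(query)
        if aliases > MAX_ALIASES:
            return False, f"operation {i}: {aliases} aliases exceed {MAX_ALIASES}"
    return True, "ok"


# Constructed request bodies mirroring the attacks above.
NORMAL = json.dumps({"query": "{ user(id:1) { name email } }"})
BATCH_BRUTE = json.dumps([{"query": '{ login(user:"a", pass:"%d") }' % n} for n in range(1, 6)])
ALIAS_BRUTE = json.dumps({"query": "{ " + " ".join(
    'a%d: login(user:"a", pass:"%d")' % (n, n) for n in range(1, 5)) + " }"})
DEEP = json.dumps({"query": "{ user(id:1) { friends { friends { friends { friends { name } } } } } }"})

if __name__ == "__main__":
    for name, body in [("normal", NORMAL), ("batch", BATCH_BRUTE),
                       ("aliases", ALIAS_BRUTE), ("deep", DEEP)]:
        print(name, check_request(body))
```

This gate is a cheap first line; it does not replace per-account login throttling, which must count attempts regardless of how they were packed into requests, nor a proper cost analysis on the parsed document in the GraphQL server itself.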
API Authentication Weaknesses
Missing Authentication
Some endpoints are publicly accessible:
/api/v1/profile
/api/v1/orders
Weak Token Validation
Token issues include:
- expired tokens accepted
- JWT signature not validated
- "alg":"none" accepted
- predictable tokens
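The following is an added example, not code from the original page: a minimal HS256 JWT verifier written twice, first with the token-validation weaknesses listed above (honouring the token's own alg so "none" skips the signature, ignoring exp) and then in a strict form that pins the algorithm server-side, compares signatures in constant time and enforces exp. The signing key, the claims and the timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"   # placeholder for the server's signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a compact JWT. alg="none" yields the unsigned token an
    attacker submits; any other value is treated as HS256 here."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_weak(token: str, secret: bytes = SECRET, now: float = None) -> dict:
    """The flawed verifier: honours the token's own alg (so "none"
    skips the signature), compares with == and ignores exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "none":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if sig_b64 != _b64url(expected):
            raise ValueError("bad signature")
    return json.loads(_unb64url(payload_b64))


def verify_strict(token: str, secret: bytes = SECRET, now: float = None) -> dict:
    """Pins the algorithm server-side, always checks the signature in
    constant time, and requires an unexpired exp claim."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":            # the token never chooses the algorithm
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    return claims


def accepted(verifier, token: str, now: float) -> bool:
    """True if `verifier` returns claims for `token`, False if it rejects."""
    try:
        verifier(token, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = 1_700_000_000
    forged = sign({"sub": "1002", "role": "admin", "exp": now + 600}, alg="none")
    expired = sign({"sub": "1002", "role": "user", "exp": now - 1})
    print("alg none  weak:", accepted(verify_weak, forged, now), " strict:", accepted(verify_strict, forged, now))
    print("expired   weak:", accepted(verify_weak, expired, now), " strict:", accepted(verify_strict, expired, now))
```

The same test harness is how you probe a real API for these flaws: take a valid token, re-encode its header with "alg":"none" and an empty signature, bump the role claim, and watch whether the server still answers 200.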
API Key Leakage
API keys in:
- JavaScript files
- mobile app code
- config files
- GitHub commits
Attackers use leaked keys to access admin endpoints.
API Authorization Weaknesses
Object-Level Access (IDOR)
Changing:
id=1 → id=2
to access other users’ resources.
Missing Role Checks
Normal users can access admin mutations or endpoints.
Inconsistent Authorization
The UI hides or disables the action, but the backend never checks it.
URL Bypass
/admin/users
/api/admin/users
/v2/admin/users
/internal/users
Different endpoints serve same data but only some enforce authorization.
Parameter and Input Weaknesses
JSON Injection
Insert unexpected fields:
{"vip":true,"role":"admin"}
Array/Type Confusion
GraphQL or REST frameworks may parse types inconsistently:
id=["1","2"]
HTTP Syntax Manipulation
Rewriting the request so that parsers disagree: sending the same parameter twice (parameter pollution), switching Content-Type between JSON and form encoding, or wrapping a value in an array or object the handler does not expect.
Practical API Security Testing Workflow
Step 1: Enumerate Endpoints
For REST:
- use Burp
- guess common patterns
- inspect JavaScript files
For GraphQL:
- attempt introspection
- read schema
- brute-force queries
Step 2: Test Authentication
Modify or remove tokens:
- send requests without token
- send expired tokens
- replace JWT with manipulated one
Step 3: Test Authorization
Try:
- accessing other users' data
- performing admin actions
- modifying privileged fields
Step 4: Parameter Tampering
Change:
- IDs
- roles
- permissions
- prices
- email fields
- ownership fields
Step 5: Test Rate Limits
Use Burp Intruder or Turbo Intruder to check throttling.
Step 6: Check for Mass Assignment
Send unexpected fields:
{"admin":true}
{"role":"superuser"}
{"balance":999999}
Step 7: Test GraphQL Specific Attacks
- deep nested recursion
- alias brute-force
- batching
- schema discovery
- unauthorized field access
Step 8: Inspect Response Metadata
Error responses often reveal stack traces, version info, or debug data:
"error":"StackTrace..."
"framework":"Express"
"version":"1.2.4"
Attackers use this for targeted exploits.
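The following is an added example, not code from the original page: a small black-box runner for Steps 2, 3, 6 and 8 of the workflow above. It drives any send(method, path, headers, body) callable, so the same function can wrap a real HTTP client; here it runs against a constructed in-memory target that has the flaws the page describes, so the run is offline and repeatable. The paths, tokens, user ids and the debug keys in the fake error response are invented for the example. As with any BOLA test, the runner needs its own account (the attacker) plus an object id belonging to a second account it controls (the victim).

```python
import json

# --- Constructed target (not a real service): an in-memory API with the
# flaws the page describes, so the runner can be exercised offline. ------
USERS = {
    "1001": {"id": "1001", "email": "alice@example.com", "role": "user"},
    "1002": {"id": "1002", "email": "bob@example.com", "role": "user"},
}
TOKENS = {"tok-alice": "1001", "tok-bob": "1002"}   # bearer token -> user id


def fake_send(method, path, headers, body):
    """Stand-in for an HTTP client. Returns (status, parsed_json).
    Flaws: /api/v1/users/{id} needs no token, never compares the caller
    to {id}, merges the whole PATCH body, and 404s leak debug details."""
    if path.startswith("/api/v1/users/"):
        uid = path.rsplit("/", 1)[1]
        if uid not in USERS:
            return 404, {"error": "not found", "framework": "Express",
                         "version": "1.2.4", "stack": "Error: ..."}
        if method == "PATCH":
            USERS[uid].update(json.loads(body))
        return 200, dict(USERS[uid])
    if "Authorization" not in headers:
        return 401, {"error": "unauthenticated"}
    return 404, {"error": "not found"}


# --- Runner: works against any send(method, path, headers, body) ------
DEBUG_KEYS = {"stack", "stacktrace", "framework", "version", "trace"}


def run_checks(send, victim_path, attacker_token, attacker_id, probe_fields):
    """Return a list of findings for Steps 2, 3, 6 and 8."""
    findings = []
    auth = {"Authorization": "Bearer " + attacker_token}
    collection = victim_path.rsplit("/", 1)[0]
    own_path = collection + "/" + attacker_id

    # Step 2: the same request with the token removed.
    status, _ = send("GET", victim_path, {}, None)
    if status == 200:
        findings.append(f"missing-auth: GET {victim_path} succeeded without a token")

    # Step 3: another user's object with the attacker's own valid token.
    status, resp = send("GET", victim_path, auth, None)
    if status == 200 and str(resp.get("id")) != str(attacker_id):
        findings.append(f"bola: GET {victim_path} returned another user's record")

    # Step 6: unexpected fields on the attacker's own object.
    for field, value in probe_fields.items():
        status, resp = send("PATCH", own_path, auth, json.dumps({field: value}))
        if status == 200 and resp.get(field) == value:
            findings.append(f"mass-assignment: {field}={value!r} accepted on PATCH {own_path}")

    # Step 8: provoke an error and look for debug metadata in the body.
    _, resp = send("GET", collection + "/does-not-exist", auth, None)
    leaked = sorted(k for k in resp if k.lower() in DEBUG_KEYS)
    if leaked:
        findings.append("metadata: error response exposes " + ", ".join(leaked))
    return findings


if __name__ == "__main__":
    for line in run_checks(fake_send, "/api/v1/users/1001", "tok-bob", "1002", {"role": "admin"}):
        print(line)
```

To point this at a real target, replace fake_send with a function that issues the request with your HTTP client and returns the status code and decoded JSON; everything else stays the same.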
Why APIs Are Vulnerable
APIs fail because:
- clients interact directly with backend logic
- developers trust the client
- authorization is enforced inconsistently
- responses expose excessive data
- debugging features are left enabled
- GraphQL schemas are too open
- REST endpoints are duplicated across versions
APIs expose more internal structure than traditional web apps.
Impact of API Vulnerabilities
API security flaws lead to:
- account takeover
- data breaches
- admin privilege escalation
- full schema exposure
- business logic abuse
- financial fraud
- complete system compromise
APIs often store the most sensitive data, making them prime targets.
Intel Dump
- API security requires strict authentication, authorization, and validation.
- REST APIs commonly suffer from BOLA, BFLA, mass assignment, and parameter tampering.
- GraphQL APIs expose schema, deep fields, mutations, recursion, alias attacks, and excessive data exposure.
- Weak tokens, missing rate limits, and exposed API keys add critical risk.
- Practical testing includes endpoint discovery, token manipulation, role tampering, recursion, batching, and unexpected field injection.
- Impact includes full account compromise, admin access, data leakage, and complete system takeover.