Comprehensive API security review against OWASP API Security Top 10 (2023). Use when reviewing OpenAPI/Swagger specs, auditing REST/GraphQL/gRPC implementations, testing authentication mechanisms, or checking API gateway configurations. Covers BOLA/IDOR, broken auth, mass assignment, rate limiting, SSRF, and more with real-world attack scenarios.
Comprehensive API security review against OWASP API Security Top 10 (2023). Use when reviewing OpenAPI/Swagger specs, auditing REST/GraphQL/gRPC implementations, testing authentication mechanisms, or checking API gateway configurations. Covers BOLA/IDOR, broken auth, mass assignment, rate limiting, SSRF, and more with real-world attack scenarios.
license
CC-BY-4.0
API Security Review
Perform comprehensive API security assessment following plays/api-security-review.md.
Steps
Discovery & Reconnaissance
Parse OpenAPI/Swagger specs or scan code for endpoints
Identify authentication mechanisms (JWT, OAuth 2.0, API keys, mTLS)
Map API gateway and middleware configurations
Enumerate all API versions and deprecated endpoints