RUTHRAN-SEC/API-security-testing-framework

API Security Testing Framework

Overview

This project is a Red Team-focused API security testing framework designed to identify common vulnerabilities in REST APIs.

It simulates real-world attack scenarios such as:

  • Broken Object Level Authorization (BOLA)
  • Rate Limiting Bypass
  • API Key Exposure

The framework includes:

  • A deliberately vulnerable API (Flask-based)
  • Automated attack scripts, one per vulnerability class
  • Notes on testing the same API with industry tools (Postman, Burp Suite)

Objectives

  • Build a vulnerable API for testing
  • Automate API vulnerability scanning
  • Simulate real attacker behavior
  • Generate security findings

Project Structure

api-security-framework/
├── main_scanner.py         # Runs all three attack modules
│
├── app/                    # Vulnerable API
│   └── app.py
│
├── scanner/                # Attack modules
│   ├── bola_test.py
│   ├── rate_limit_test.py
│   └── api_key_test.py
│
├── Industrial Tools Used/  # Notes on manual testing with Postman and Burp Suite
│   ├── Postman.md
│   └── Burp Suite.md
│
├── Scanning Report For API testing Framework.pdf   # Scan results
│
└── requirements.txt

Installation

Clone the repo (replace your-username with the owner of the fork you are cloning; the upstream repository is RUTHRAN-SEC/API-security-testing-framework)

git clone https://github.com/your-username/api-security-testing-framework.git

Move into the repository directory

cd api-security-testing-framework

Create a virtual environment

python3 -m venv venv

Activate the environment

source venv/bin/activate

Install the dependencies (Flask for the vulnerable API, requests and PyJWT for the scanner)

pip install -r requirements.txt

Usage

Step 1: Run the vulnerable API

python app/app.py

The app is intentionally vulnerable. Keep it bound to a loopback address and never expose it on a network other people can reach.

Step 2: Run the scanner against it

python scripts/main_scanner.py

(The project tree above lists main_scanner.py at the repository root; use whichever path matches your checkout.)

Vulnerabilities Tested

  1. Broken Object Level Authorization (BOLA)
  • Authenticate as one user, then request other users' records by changing the user ID in the URL. A successful response for another user's object means the API checks that the caller is logged in but not that the caller owns the object.
  2. Rate Limiting Bypass
  • Send a burst of requests from a single client. If none are rejected (no 429 responses), brute-force and enumeration attacks run unthrottled.
  3. API Key Exposure
  • Inspect API responses for sensitive API keys or other secrets that should never leave the server.
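The three checks above, as an added example that is not the project's own scanner/ modules. Each check is written against a transport callable, `send(method, path, headers) -> (status, body)`, so the same code runs offline here against a constructed in-memory stand-in for the vulnerable API and, through `http_transport`, against a real server. Everything about the API shape is an assumption for illustration: a `GET /users/<id>` endpoint, Bearer-token authentication, and the sample users, tokens and keys in `USERS` and `TOKENS` (the AWS-style value is the documented `AKIAIOSFODNN7EXAMPLE` placeholder, not a live key). The `FakeApi` toggles reproduce each weakness or its fix, so the checks can be validated against both a vulnerable and a hardened build.

```python
import json
import re
import urllib.error
import urllib.request
from collections import defaultdict

# Constructed sample data for the stand-in API (not the project's app/app.py).
# The AWS-style value is the AKIAIOSFODNN7EXAMPLE placeholder from AWS docs, not a live key.
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.test", "api_key": "AKIAIOSFODNN7EXAMPLE"},
    2: {"id": 2, "name": "bob", "email": "bob@example.test", "api_key": "sk_test_bob_0123456789"},
    3: {"id": 3, "name": "carol", "email": "carol@example.test", "api_key": "sk_test_carol_9876543210"},
}
TOKENS = {"tok-alice": 1, "tok-bob": 2, "tok-carol": 3}


class FakeApi:
    """In-memory GET /users/<id>; call as send(method, path, headers) -> (status, body)."""

    def __init__(self, object_auth=False, rate_limit=None, leak_key=True):
        self.object_auth = object_auth  # True: a caller may only read their own record
        self.rate_limit = rate_limit    # max requests per token; None = unlimited
        self.leak_key = leak_key        # True: api_key is echoed back in the body
        self.hits = defaultdict(int)

    def __call__(self, method, path, headers):
        auth = headers.get("Authorization", "")
        caller = TOKENS.get(auth[7:] if auth.startswith("Bearer ") else "")
        if caller is None:
            return 401, {"error": "unauthorized"}
        self.hits[caller] += 1
        if self.rate_limit is not None and self.hits[caller] > self.rate_limit:
            return 429, {"error": "too many requests"}
        m = re.fullmatch(r"/users/(\d+)", path)
        if method != "GET" or m is None or int(m.group(1)) not in USERS:
            return 404, {"error": "not found"}
        uid = int(m.group(1))
        if self.object_auth and uid != caller:  # the BOLA fix: check ownership, not just login
            return 403, {"error": "forbidden"}
        body = dict(USERS[uid])
        if not self.leak_key:
            del body["api_key"]
        return 200, body


def http_transport(base_url):
    """Same send() shape over real HTTP, e.g. http_transport("http://127.0.0.1:5000")."""
    def send(method, path, headers):
        req = urllib.request.Request(base_url + path, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                status, raw = resp.status, resp.read()
        except urllib.error.HTTPError as err:  # 4xx/5xx bodies are still worth scanning
            status, raw = err.code, err.read()
        try:
            return status, json.loads(raw or b"null")
        except ValueError:  # non-JSON body: hand it back as text for pattern scanning
            return status, raw.decode(errors="replace")
    return send


def bearer(token):
    return {"Authorization": f"Bearer {token}"}


def check_bola(send, token, own_id, other_ids):
    """Read other users' objects with one user's token; every 200 is a finding. The baseline
    read of our own object must succeed first, or a 403/404 elsewhere proves nothing."""
    status, _ = send("GET", f"/users/{own_id}", bearer(token))
    if status != 200:
        raise RuntimeError(f"baseline request for own object returned {status}")
    return [uid for uid in other_ids if send("GET", f"/users/{uid}", bearer(token))[0] == 200]


def check_rate_limit(send, token, path, burst=50):
    """Burst from a single token; no 429 at all means there is no per-client limit."""
    statuses = [send("GET", path, bearer(token))[0] for _ in range(burst)]
    throttled = statuses.count(429)
    return {"sent": burst, "throttled": throttled, "vulnerable": throttled == 0}


KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret_field": re.compile(r'"(?:api_?key|secret|token|password)"\s*:\s*"[^"]{8,}"', re.I),
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"),
}


def check_key_exposure(send, token, path):
    """Scan one response body for secret-looking material; returns the pattern names that hit."""
    _, body = send("GET", path, bearer(token))
    text = body if isinstance(body, str) else json.dumps(body)
    return sorted(name for name, pattern in KEY_PATTERNS.items() if pattern.search(text))


def run_all(send, token, own_id, other_ids):
    """Full report; the burst goes last so the earlier checks are not polluted by 429s."""
    own_path = f"/users/{own_id}"
    return {
        "key_exposure": check_key_exposure(send, token, own_path),
        "bola": check_bola(send, token, own_id, other_ids),
        "rate_limit": check_rate_limit(send, token, own_path),
    }
```

Against the running Flask app you would call `run_all(http_transport("http://127.0.0.1:5000"), token, own_id, other_ids)`, after adapting the endpoint path and token scheme to whatever app/app.py actually exposes. Two points of design worth keeping in a real scanner: the BOLA check fails loudly when the baseline read of the caller's own object does not return 200, because otherwise an expired token would be reported as "no BOLA"; and the rate-limit burst runs last, because once the server starts returning 429 the other checks would be reading error bodies instead of data.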

Tools Used

  • Postman
  • OWASP ZAP
  • Burp Suite
  • Python Requests Library

Python dependencies (requirements.txt)

  • flask
  • requests
  • pyjwt

Disclaimer

This project is created for educational and ethical testing purposes only. Do not use this tool on systems without proper authorization.
