
API security testing methodology

This document provides comprehensive visibility into the access control and security test cases executed during API security scans. Invicti Platform performs automated security testing across multiple vulnerability categories to ensure robust API protection.

Note: Detailed implementation specifics of Invicti's testing algorithms are proprietary. This documentation provides comprehensive visibility into what is tested without exposing how our detection mechanisms work, ensuring both transparency for customers and protection of our intellectual property.

Test categories and coverage

1. JWT authentication security

Invicti Platform performs extensive testing of JSON Web Token (JWT) implementations to identify authentication bypass vulnerabilities:

Security validations:

  • Algorithm verification: ensures JWT algorithms are properly validated and secure
  • Signature integrity: validates that JWT signatures are correctly verified before granting access
  • Header parameter security: tests for proper validation of JWT header parameters
  • Key validation: verifies that JSON Web Keys and certificate chains are properly validated
  • URL parameter security: ensures external URLs in JWT headers are safely handled

Protection provided:

These validations help prevent token forgery, privilege escalation, user impersonation, and unauthorized application access.
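As an added illustration of the JWT validations listed above (example code written for this page, not Invicti's code and not how its scanner works), the following minimal HS256 verifier applies each check in the order a defender wants: algorithm allow-list, rejection of header-supplied key material and key URLs, key selection only from a pinned set, and signature verification before any claim is used. The key id, the secret and the claims are constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed demo keys, pinned server-side and selected by "kid" (never from the token).
TRUSTED_KEYS = {"key-2024": b"constructed-demo-secret-do-not-use"}
ALLOWED_ALGS = {"HS256"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_jwt(token: str) -> dict:
    """Return the claims of a valid token; raise ValueError for anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Algorithm verification: allow-list only, so "none" and alg-confusion tokens are rejected.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    # Header/URL parameter security: keys or key URLs carried in the token are never trusted.
    for param in ("jku", "x5u", "jwk", "x5c"):
        if param in header:
            raise ValueError(f"untrusted header parameter: {param}")
    # Key validation: "kid" may only select one of the pinned keys.
    key = TRUSTED_KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    # Signature integrity: checked in constant time before any claim is returned.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def is_valid_jwt(token: str) -> bool:
    try:
        verify_jwt(token)
        return True
    except ValueError:
        return False

def sign_jwt(claims: dict, kid: str) -> str:
    """Issue an HS256 token with a pinned key (only used here to build inputs)."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(TRUSTED_KEYS[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```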

2. Object-level authorization validation (BOLA/IDOR)

Validates that users can only access resources they're authorized to view or modify:

Security validations:

  • Horizontal BOLA: verifies that users cannot access resources belonging to other users at the same privilege level
  • Vertical BOLA: ensures users cannot access resources belonging to users with different privilege levels

Protection provided:

Prevents unauthorized data access, protects user privacy, and maintains proper data boundaries across user accounts.

3. Function-level authorization validation (BFLA)

Ensures that sensitive operations are properly restricted based on user privileges:

Security validations:

  • Horizontal BFLA: verifies that users can only perform functions appropriate to their privilege level
  • Vertical BFLA: ensures administrative operations are properly restricted
  • Authentication enforcement: validates that sensitive functions require proper authentication

Protection provided:

Prevents unauthorized execution of privileged operations and maintains proper separation of administrative and user functions.

4. Data protection validation

Ensures that sensitive data requires proper authentication:

Security validations:

  • Personal data protection: verifies that Personally Identifiable Information requires authentication
  • Resource access controls: validates that protected resources enforce proper authentication mechanisms

Protection provided:

Protects personal data privacy, ensures compliance with regulations (GDPR, CCPA, etc.), and maintains data access controls.

5. API version security validation

Verifies security controls across different API versions and environments:

Security validations:

  • Environment isolation: ensures proper separation between production, staging, and development environments

Protection provided:

Prevents access to unpatched API versions and maintains proper environment boundaries.

6. Architecture boundary validation

Validates security boundaries in microservice and distributed architectures:

Security validations:

  • File system protection: verifies that APIs cannot access unauthorized files or directories

Protection provided:

Protects sensitive system files and maintains proper application boundaries.

Scan execution process

During each security scan, Invicti Platform:

  1. Discovers API endpoints and analyzes their security requirements
  2. Validates security controls based on detected authentication and authorization mechanisms
  3. Performs safe security checks using non-destructive testing methods
  4. Verifies access controls across different user privilege levels
  5. Reports security gaps with severity ratings and remediation guidance

Continuous testing coverage

Invicti Platform automatically adapts test coverage based on:

  • Detected authentication mechanisms (JWT, OAuth, API keys, session tokens)
  • API architecture patterns (REST, GraphQL, microservices)
  • Authorization model complexity (role-based, attribute-based, resource-based)
  • Industry-specific security requirements
