The OWASP API Security Top 10 is a useful starting point. It is not a comprehensive testing methodology. In practice, we consistently find critical vulnerabilities in APIs that pass automated scanning and don't map neatly to any OWASP category.
JWT Algorithm Confusion
When a server accepts both RS256 (asymmetric) and HS256 (symmetric) JWT algorithms, an attacker can forge tokens by treating the public key as the HMAC secret — signing with the known public key using HS256 and submitting it to an endpoint that accepts either algorithm.
GraphQL Introspection Abuse
Introspection enabled in production exposes the complete schema of your API — every type, field, query, and mutation. This is the API equivalent of having your application source code readable by unauthenticated users. We routinely use introspection data to identify undocumented admin mutations and internal-only endpoints.
Mass Assignment in Nested Objects
Standard mass assignment checks test top-level fields. Nested object assignment — user.subscription.tier, user.permissions.admin — is frequently missed by both developers and security scanners. Always test assignment at every level of object nesting.
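A defender-side illustration of the nested case, added here as an example that is not part of the original article: the unchecked recursive merge beside an allowlist that is enforced per leaf path (subscription.autorenew) rather than per top-level key. The user record, the hostile payload and the allowed paths are constructed sample data.

```python
import copy

def stored_user():
    """Fresh copy of a constructed sample record (not from the article)."""
    return {"name": "Ada", "subscription": {"tier": "free", "autorenew": False},
            "permissions": {"admin": False}}

# Constructed client payload: a legitimate edit with two nested extras smuggled in.
HOSTILE_UPDATE = {"name": "Ada L.",
                  "subscription": {"tier": "enterprise", "autorenew": True},
                  "permissions": {"admin": True}}
# Leaf paths a user may change about themselves, written as dotted paths.
ALLOWED_PATHS = {"name", "subscription.autorenew"}

def merge_unchecked(target, payload):
    """Vulnerable pattern: recursive merge of client JSON straight into the record."""
    for key, value in payload.items():
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            merge_unchecked(target[key], value)
        else:
            target[key] = value
    return target

def leaf_paths(payload, prefix=""):
    """Yield (dotted_path, value) for every leaf of the client payload."""
    for key, value in payload.items():
        path = prefix + key
        if isinstance(value, dict) and value:
            yield from leaf_paths(value, path + ".")
        else:
            yield path, value

def is_update_allowed(payload, allowed=ALLOWED_PATHS):
    """True only if every leaf path, at any depth, is on the allowlist."""
    return all(path in allowed for path, _ in leaf_paths(payload))

def merge_allowlisted(target, payload, allowed=ALLOWED_PATHS):
    """Hardened: refuse the whole update unless every leaf is allowlisted,
    then write the leaves into a copy of the record."""
    if not is_update_allowed(payload, allowed):
        raise ValueError("update touches a field outside the allowlist")
    result = copy.deepcopy(target)
    for path, value in leaf_paths(payload):
        *parents, last = path.split(".")
        node = result
        for part in parents:
            node = node.setdefault(part, {})
        node[last] = value
    return result
```

Rejecting the whole request, rather than silently stripping the extra fields, is the safer default: a stripped write leaves no trace of the probe in your logs.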
Race Conditions in Business Logic
Concurrent request attacks against non-atomic operations — balance checks, inventory reservations, coupon redemptions — can allow a value to be used multiple times before the server reconciles state. These vulnerabilities are invisible to automated scanners and require manual timing attacks with tools like Burp's Turbo Intruder.
OAuth Scope Escalation
OAuth implementations that don't strictly validate requested scopes against granted scopes can allow a token issued for read access to perform write operations, or a token issued for one resource to access another.