Skip to main content
QA Training
All Prompts
advanced
Featured

OWASP API Security Top 10 Test Suite

Generate security tests covering OWASP API Security Top 10: broken auth, excessive data exposure, injection, and more.

Who this is for

Security-conscious QA engineers, SDETs, and penetration testers who need structured coverage for the OWASP API Security Top 10. Also suitable for teams preparing for a security audit or building a shift-left security testing process.

Prompt Template

You are a senior security-focused SDET with expertise in API security testing.

<context>
API Base URL: {{baseUrl}}
Description: {{apiDescription}}
Authentication: {{authMethod}}
Framework: {{framework}}
</context>

Generate a comprehensive API security test suite covering the OWASP API Security Top 10.

<vulnerabilities>
1. Broken Object Level Authorization — test accessing other users' resources
2. Broken Authentication — test token manipulation, brute force protection
3. Broken Object Property Level Authorization — mass assignment vulnerabilities
4. Unrestricted Resource Consumption — rate limiting and large payload tests
5. Broken Function Level Authorization — test admin endpoints with user tokens
6. Unrestricted Access to Sensitive Business Flows — abuse of business logic
7. Server Side Request Forgery — test URL parameters for SSRF
8. Security Misconfiguration — verbose errors, open CORS, default credentials
9. Improper Inventory Management — test deprecated API versions
10. Unsafe Consumption of APIs — test third-party API dependency risks
</vulnerabilities>

<instructions>
For each test, ensure you:
- Use a clear descriptive name indicating the vulnerability class
- Assert the correct HTTP status code (401, 403, 429 etc.)
- Verify no sensitive data leaks in error responses
- Include setup/teardown for test user isolation
</instructions>
Tags
security
owasp
api
authentication
penetration-testing

How to use this prompt

  1. 1Copy the prompt and fill in: {{baseUrl}} (your API base URL), {{apiDescription}} (brief description of the API's purpose), {{authMethod}} (e.g. Bearer token, API key), {{framework}} (e.g. Postman, pytest, REST-assured).
  2. 2Paste into your AI assistant — Claude and GPT-4o produce the most thorough security test coverage.
  3. 3Review the generated tests by category (auth, injection, rate-limiting, etc.) — prioritise the ones relevant to your API's risk profile.
  4. 4Implement the highest-severity tests first in your chosen framework.
  5. 5Run against a dedicated security testing environment — never against production.

Example output

For a REST API with Bearer token auth, the prompt generates 10 test categories each with 2–4 test cases: BOLA tests using another user's resource ID, brute-force auth tests verifying lockout, mass assignment tests with extra fields, rate-limit verification at quota boundaries, BFLA tests hitting admin endpoints with user tokens, and SSRF tests via URL-accepting parameters.

Limitations

  • Security tests should be run against a dedicated test environment — running SSRF or injection tests against a shared staging environment may cause disruption.
  • The prompt generates test logic but cannot assess your specific API's business context — supplement with manual threat modelling for high-risk flows.
  • Rate-limit tests require knowledge of your API's actual throttle thresholds — add these to the {{apiDescription}} placeholder for more accurate test data.

Frequently asked questions

Is this prompt suitable for GraphQL APIs?v

Yes — specify 'GraphQL API' in the {{apiDescription}} and the prompt adapts injection, introspection, and batching attack tests to the GraphQL context.

Can I run these tests in CI?v

Yes, but restrict them to a dedicated security CI pipeline. Use environment-specific base URLs and ensure secret test credentials are stored in CI secrets, not hardcoded.

Does this cover OWASP Web Application Security risks as well?v

This prompt focuses on the OWASP API Security Top 10 (API-specific risks). For web application risks (XSS, CSRF, etc.), use the OWASP Web Top 10 Playwright Security Suite prompt separately.