
Update: REST Assessment Cheat Sheet – Modern OpenAPI & JWT Coverage #2023

@ShreyasPatil3105

Description


What is missing or needs to be updated?

The current REST Assessment Cheat Sheet provides strong foundational guidance for assessing RESTful services. However, modern REST APIs have evolved significantly and are now commonly:

  • OpenAPI / Swagger-driven
  • JWT/OAuth2 secured
  • Cloud-native and async
  • Built using frameworks such as FastAPI, Express, Django REST Framework, etc.

The cheat sheet references WSDL/WADL for service description but does not address modern OpenAPI-based attack surface discovery or schema-driven testing approaches.

In addition, several API-specific vulnerabilities that are highly relevant today are not explicitly covered, including:

  • Broken Object Level Authorization (BOLA / IDOR in APIs)
  • Mass Assignment vulnerabilities in JSON APIs
  • JWT signature validation issues
  • OAuth2 scope and role misconfigurations
  • Rate limiting and throttling assessment
  • Schema-based fuzzing using OpenAPI definitions

Since the OWASP API Security Top 10 is now widely adopted, aligning this cheat sheet more closely with modern API assessment practices would make it more relevant for current testing scenarios.


How should this be resolved?

The cheat sheet could be enhanced by adding dedicated sections covering the following areas:

1. Assessing OpenAPI/Swagger-based REST APIs

  • Enumerating endpoints via /openapi.json, /swagger.json, or /docs
  • Leveraging schema definitions for structured fuzzing
  • Testing undocumented or hidden fields

2. JWT and OAuth2 Assessment

  • Verifying proper signature validation
  • Testing expired, malformed, or tampered tokens
  • Validating scope and role enforcement

3. Broken Object Level Authorization (BOLA)

  • IDOR testing patterns in REST endpoints
  • Horizontal and vertical privilege escalation scenarios

4. Mass Assignment in JSON APIs

  • Detecting unintended field binding
  • Testing for privilege escalation via request body manipulation

5. Rate Limiting & Throttling Assessment

  • Identifying missing or weak rate limiting
  • Evaluating burst and abuse handling mechanisms

I would be happy to draft and contribute these sections if this direction aligns with the maintainers’ vision for the cheat sheet.
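The JWT checks proposed in section 2 (signature validation, expired/malformed/tampered tokens, scope enforcement) can be demonstrated with a small, stdlib-only reference verifier plus the token variants a tester would send against it. This is an added example written for this page; it is not code from the issue author, the OWASP cheat sheet, or any real API. It assumes an HS256-signed bearer token with a space-separated `scope` claim, a constructed signing key, and a constructed fixed clock so results are reproducible.

```python
"""Reference JWT verifier and the negative test tokens a REST assessment should send.

Added example for this page; the key, claims and clock value are all constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"server-side-hs256-secret"      # constructed: the API's HS256 key
NOW = 1_700_000_000                        # constructed fixed clock for repeatable results
ALLOWED_ALG = "HS256"                      # pin the algorithm server-side, never trust header.alg


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    """Re-add padding before decoding; raises ValueError (binascii.Error) on garbage."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact JWS; used here only to build test tokens."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token: str, key: bytes, required_scope: str, now=None):
    """Strict verifier. Returns (ok, reason) so each rejection path is observable."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected three segments"
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "malformed: bad base64 or JSON"
    # 1. Algorithm pinning defeats alg=none and RS256->HS256 confusion attempts.
    if header.get("alg") != ALLOWED_ALG:
        return False, f"algorithm not allowed: {header.get('alg')!r}"
    # 2. Signature check over the exact bytes received, constant-time compare.
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature mismatch"
    # 3. Expiry must be present and in the future.
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired or missing exp"
    # 4. Scope enforcement: the endpoint's required scope must be granted.
    if required_scope not in str(payload.get("scope", "")).split():
        return False, f"missing scope {required_scope!r}"
    return True, "ok"


def build_cases(now=NOW) -> dict:
    """Construct one valid token and the tampered variants a tester would replay."""
    hdr = {"alg": ALLOWED_ALG, "typ": "JWT"}
    claims = {"sub": "user-42", "scope": "orders:read", "exp": now + 600}
    good = sign_hs256(hdr, claims, SECRET)
    h, p, s = good.split(".")
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return {
        "valid": good,
        # payload edited (horizontal escalation attempt) but original signature kept
        "tampered_payload": h + "." + enc({**claims, "sub": "user-1"}) + "." + s,
        # signature stripped and header switched to alg=none
        "alg_none": enc({"alg": "none", "typ": "JWT"}) + "." + p + ".",
        "expired": sign_hs256(hdr, {**claims, "exp": now - 1}, SECRET),
        "wrong_scope": sign_hs256(hdr, {**claims, "scope": "profile:read"}, SECRET),
        "wrong_key": sign_hs256(hdr, claims, b"guessed-secret"),
        "malformed": "garbage.token",
    }


def run_cases(now=NOW) -> dict:
    """Run every constructed token through the verifier for the orders:read endpoint."""
    return {name: verify(tok, SECRET, "orders:read", now=now)
            for name, tok in build_cases(now).items()}


if __name__ == "__main__":
    for name, (ok, why) in run_cases().items():
        print(f"{name:17s} accepted={ok!s:5s} {why}")
```

Only the `valid` case should be accepted; a target that accepts any of the other six has a finding in the corresponding category (signature validation, algorithm pinning, expiry, or scope enforcement). The `verify` function is the behaviour a tester compares the target against, not the target's code.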

Labels

ACK_OBTAINED (issue acknowledged by the core team so work can be done to fix it), HELP_WANTED (issue for which help is wanted to do the job), UPDATE_CS (issue about the update/refactoring of an existing cheat sheet)
