API Security Risk Analysis (Modern SaaS Skill)

About the Task
Modern applications don't just use websites; they rely heavily on APIs.
APIs power:
- mobile apps
- SaaS platforms
- dashboards
- integrations between services
If APIs are insecure, attackers can:
- access sensitive data
- bypass authentication
- abuse endpoints
- overload systems
That's why API security audits are a paid, real-world service offered by:
- cyber security agencies
- SaaS security teams
- AppSec consultants
In this task, you will perform a read-only API Security Risk Analysis and create a professional security report, just like agencies do for SaaS clients.
Objective
Your goal is to:
- Analyze public or test APIs
- Identify common API security risks
- Assess authentication and access control
- Explain risks in simple business language
- Suggest clear remediation steps
This task focuses on thinking like a security consultant, not breaking systems.
Scope & Ethics
Allowed
- Testing public or demo APIs
- Read-only requests (GET, safe POST where allowed)
- Documentation-based analysis
- Header, token, and response inspection
Not Allowed
- Exploitation or bypass attempts
- Flooding / DoS testing
- Attacking private or production APIs
Always stay ethical and legal.
Tools You'll Use
API Testing & Inspection
- Postman: https://www.postman.com
- Insomnia: https://insomnia.rest
- Browser DevTools (inspect requests, headers, responses)
Documentation & Reporting
- Google Docs / MS Word / PDF
Sample APIs You Can Safely Use
Use demo or public APIs only:
- JSONPlaceholder (Test API): https://jsonplaceholder.typicode.com
- ReqRes (API Testing Platform): https://reqres.in
- Public APIs Collection: https://github.com/public-apis/public-apis
These APIs are specifically meant for testing and learning.
What You'll Do (Step-by-Step)
1. Select a demo or public API
2. Review API documentation
3. Test endpoints using Postman / Insomnia
4. Inspect:
   - authentication requirements
   - headers
   - response data
5. Identify security risks
6. Classify risk severity
7. Suggest remediation steps
8. Document everything clearly
Key Risks You Should Look For
Your analysis should cover:
- Open or unauthenticated endpoints
- Excessive data exposure in API responses
- Weak or missing authentication tokens
- Authorization issues (accessing other users' data)
- Missing rate limiting
- Input validation issues
You are identifying risk, not exploiting it.
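As an added example (not part of the original task), the checker below turns a single request/response you captured in Postman or DevTools into the kind of findings listed above: open endpoint, sensitive fields in the body, absent rate-limit headers and technology disclosure. It works purely on the captured data (no requests are sent), and the `SAMPLE` record, the field and header name lists and the severity labels are assumptions you should adjust to the API and its documentation.

```python
from typing import Any

# Keys whose presence in a response body usually signals excessive data exposure (assumed list).
SENSITIVE_FIELDS = {"password", "ssn", "token", "secret", "api_key", "email", "phone"}
# Header names that show some rate limiting is in place (names vary by provider; assumed list).
RATE_LIMIT_HEADERS = {"x-ratelimit-limit", "ratelimit-limit", "retry-after"}


def walk_keys(obj: Any):
    """Yield every key in a nested JSON structure, lowercased."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key.lower()
            yield from walk_keys(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from walk_keys(item)


def analyze_response(method, path, status, sent_auth, headers, body):
    """Return (severity, finding) pairs for one captured request/response.
    sent_auth: whether the request carried credentials (token, cookie, key).
    Severity labels are a starting point; weigh them against business impact."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200 and not sent_auth:
        findings.append(("Medium", f"{method} {path} returned data with no authentication"))
    exposed = sorted(set(walk_keys(body)) & SENSITIVE_FIELDS)
    if exposed:
        findings.append(("High", "response exposes sensitive fields: " + ", ".join(exposed)))
    if not any(h in hdrs for h in RATE_LIMIT_HEADERS):
        findings.append(("Low", "no rate-limit headers observed; confirm limits in the docs"))
    if "x-powered-by" in hdrs:
        findings.append(("Low", f"technology disclosed via X-Powered-By: {hdrs['x-powered-by']}"))
    return findings


# Constructed sample, shaped like a /users/{id} response captured from a demo API.
SAMPLE = {
    "method": "GET", "path": "/users/1", "status": 200, "sent_auth": False,
    "headers": {"Content-Type": "application/json", "X-Powered-By": "Express"},
    "body": {"id": 1, "name": "Example User", "email": "user@example.com",
             "profile": {"phone": "555-0100", "city": "Springfield"}},
}


def demo():
    """Run the checker on the constructed sample; each tuple becomes one report row."""
    return analyze_response(**SAMPLE)
```

Each returned pair maps directly onto the "Identified risks" and "Risk severity" columns of the report; add the business impact and remediation text yourself.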
GitHub References (Study Only, Verified)
Use these working GitHub resources to understand API security concepts and structure.
Do NOT copy content.
- OWASP API Security Top 10 (Official Project): https://github.com/OWASP/API-Security
- API Security Checklist (Practical Reference): https://github.com/shieldfy/API-Security-Checklist
- Public APIs for Testing & Learning: https://github.com/public-apis/public-apis
Final Deliverable
You must submit:
- An API Security Risk Analysis Report including:
  - API tested
  - Identified risks
  - Risk severity (Low / Medium / High)
  - Business impact
  - Remediation suggestions
- A public GitHub repository containing:
  - report document (PDF / Doc)
  - screenshots (Postman requests)
  - README explaining:
    - tools used
    - scope
    - methodology
Why This Task Is High-Value
- APIs are everywhere in SaaS
- API security skills are in high demand
- This is billable agency work
- Strong fit for:
  - AppSec Engineer
  - Security Analyst
  - SaaS Security Consultant
This task proves you understand modern security, not outdated tools.
Showcase Your Work
After completion:
- Share your dashboard design on LinkedIn
- Explain:
  - which agency you designed it for
  - how the workflow improves efficiency
- Tag Future Interns