This repository contains an API Security Risk Analysis Report conducted on the DummyJSON public API. The purpose of this assessment is to identify common API security risks, evaluate authentication and authorization controls, and explain potential business impacts in clear, non-technical language. All testing was performed in a controlled and ethical manner using publicly available test data.
The following tools were used during the security analysis:
- Postman: used to test API endpoints, inspect request/response headers, analyze authentication behavior, and identify security issues such as excessive data exposure, missing rate limiting, and weak token handling.
- Insomnia: used as a secondary API testing tool to validate findings, confirm authorization behavior, and identify additional issues such as CORS misconfigurations and unauthenticated access.
- Browser Developer Tools: used to review network requests, response headers, and security-related headers for misconfigurations.
Using multiple tools helped ensure findings were accurate, consistent, and comprehensive.
The scope of this security analysis was limited to publicly accessible endpoints of the DummyJSON API. No denial-of-service attacks, destructive testing, or unauthorized data modification was performed.
The following endpoints were included in the assessment:
- /users
- /user/{id}
- /products
- /auth/login
- /carts
The assessment focused on identifying:
- Unauthenticated or weakly protected endpoints
- Excessive data exposure
- Authorization weaknesses (IDOR/BOLA)
- Token and session handling issues
- Rate limiting and abuse prevention gaps
- Input validation weaknesses
The assessment followed a structured, professional testing approach:
- API Documentation Review: the DummyJSON documentation was reviewed to understand expected behavior, authentication requirements, and response structures.
- Endpoint Testing: each scoped endpoint was tested using Postman and Insomnia to observe authentication requirements, response data, headers, and error handling.
- Security Risk Identification: findings were mapped to common API security risks such as IDOR, excessive data exposure, weak authentication design, and missing rate limiting.
- Risk Classification: each identified issue was classified as Low, Medium, or High severity based on potential business impact.
- Business Impact Analysis: technical findings were translated into business risks, focusing on data privacy, user trust, and potential compliance concerns.
- Remediation Recommendations: clear, practical remediation steps were provided for each identified risk.
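The endpoint-testing, risk-identification and risk-classification steps above can be made repeatable by running the same checks over recorded responses instead of reading each one by hand in Postman. The script below is an added example written for this README, not tooling from the report or from DummyJSON. It works entirely offline: the `Response` objects at the bottom are constructed sample data shaped like typical JSON API replies (not captured DummyJSON output), and the sensitive-field list, the user-scoped path prefixes and the severity assigned to each risk are assumptions chosen for the example.

```python
"""Offline checks mirroring the report's endpoint-testing and risk-identification steps.

Added example for this README; not the report's tooling. Sample responses are
constructed, not real DummyJSON output.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Optional

# Assumption: field names treated as sensitive when returned in a user record.
SENSITIVE_FIELDS = {"password", "ssn", "ein", "ip", "macAddress", "bank"}
# Assumption: endpoints under these prefixes return per-user data.
USER_SCOPED_PREFIXES = ("/user", "/carts")
SECURITY_HEADERS = ("strict-transport-security", "x-content-type-options",
                    "content-security-policy")


@dataclass
class Response:
    endpoint: str
    status: int
    headers: dict
    body: Any
    token_user: Optional[int] = None  # id the bearer token belongs to; None = no token sent


@dataclass(frozen=True)
class Finding:
    endpoint: str
    risk: str
    severity: str  # Low / Medium / High, as in the report's classification


def _user_records(body):
    """Return user-like dicts from a collection ({"users": [...]}) or a single object."""
    if isinstance(body, dict) and isinstance(body.get("users"), list):
        return [u for u in body["users"] if isinstance(u, dict)]
    return [body] if isinstance(body, dict) else []


def check_unauthenticated_access(r):
    """A 200 with no token on an endpoint that should be user-scoped."""
    if r.token_user is None and r.status == 200 and r.endpoint.startswith(USER_SCOPED_PREFIXES):
        return [Finding(r.endpoint, "user-scoped data returned without authentication", "Medium")]
    return []


def check_bola(r):
    """Token for user A successfully reads an object owned by user B (IDOR/BOLA)."""
    if r.token_user is None or r.status != 200 or not r.endpoint.startswith(USER_SCOPED_PREFIXES):
        return []
    # Carts carry the owner in "userId"; a user record's own "id" is its owner.
    owner = r.body.get("userId", r.body.get("id")) if isinstance(r.body, dict) else None
    if owner is not None and owner != r.token_user:
        return [Finding(r.endpoint, f"BOLA/IDOR: token for user {r.token_user} "
                                    f"read object owned by user {owner}", "High")]
    return []


def check_excessive_data_exposure(r):
    exposed = sorted({k for rec in _user_records(r.body) for k in rec if k in SENSITIVE_FIELDS})
    if exposed and r.status == 200:
        return [Finding(r.endpoint, "excessive data exposure: " + ", ".join(exposed), "High")]
    return []


def check_headers(r):
    h = {k.lower(): v for k, v in r.headers.items()}
    out = []
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        out.append(Finding(r.endpoint, "CORS: wildcard origin combined with credentials", "Medium"))
    if not any(k.startswith(("x-ratelimit", "ratelimit", "retry-after")) for k in h):
        out.append(Finding(r.endpoint, "no rate-limit headers observed", "Low"))
    out += [Finding(r.endpoint, f"missing security header: {n}", "Low")
            for n in SECURITY_HEADERS if n not in h]
    return out


CHECKS = (check_unauthenticated_access, check_bola, check_excessive_data_exposure, check_headers)


def assess(responses):
    """Run every check over every recorded response and collect the findings."""
    return [f for r in responses for check in CHECKS for f in check(r)]


def severity_summary(findings):
    return dict(Counter(f.severity for f in findings))


# Constructed sample responses (shapes only; not real DummyJSON data).
SAMPLE_RESPONSES = [
    Response("/users", 200, {"Content-Type": "application/json", "Access-Control-Allow-Origin": "*"},
             {"users": [{"id": 1, "username": "alice", "password": "alicepass", "ssn": "000-00-0000"}]}),
    Response("/users/2", 200, {"Content-Type": "application/json", "Access-Control-Allow-Origin": "*",
                               "Access-Control-Allow-Credentials": "true", "X-RateLimit-Limit": "100"},
             {"id": 2, "username": "bob", "email": "bob@example.com"}, token_user=1),
    Response("/products", 200, {"Content-Type": "application/json",
                                "Strict-Transport-Security": "max-age=31536000",
                                "X-Content-Type-Options": "nosniff",
                                "Content-Security-Policy": "default-src 'self'",
                                "X-RateLimit-Remaining": "99"},
             {"products": [{"id": 1, "title": "Sample Product"}]}),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_RESPONSES):
        print(f"[{f.severity}] {f.endpoint}: {f.risk}")
    print(severity_summary(assess(SAMPLE_RESPONSES)))
```

Each `Response` records what the manual test actually varied (which token was sent, which object was requested) so that the BOLA check compares the token's subject against the object's owner rather than relying on the status code alone; a hardened API would return 403/404 for the second sample rather than 200.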
This assessment was conducted for educational and security awareness purposes only using a public test API. No real user data was targeted, and no exploitation beyond basic validation testing was performed.