No multiple tools. No confusion. Just one tool and a clear process.
Why Only Burp Suite?
Because you can do everything in one place:
- Capture requests (Proxy)
- Modify requests (Repeater)
- Test abuse (Intruder)
This makes it perfect for beginners and real-world testing.
API Key Testing Workflow
Start → Capture Request (Proxy) → Send to Repeater → Test API Key Validity → Test Restrictions → Test Permissions → Abuse Testing (Intruder) → Report Findings
Step 1: Capture the API Request
- Open Burp Suite → turn Intercept ON
- Browse the target website
- Look for API calls carrying a credential header, such as:
  Authorization: Bearer <token>
  x-api-key: <key>
Once found → Right-click → Send to Repeater
Step 2: Validate the API Key
Go to Repeater:
Send the request as-is
Check:
- Do you get a valid response?
- Is data returned?
If YES → API key is active
Step 3: Test Restrictions
Now modify the request:
Try:
- Change headers (for example, Origin: evil.com)
- Remove headers
- Use VPN (different IP)
If the API still returns data after these changes, the key is not bound to an origin or a source IP:
No restriction = Vulnerability
Step 4: Test Permissions
Still in Repeater, modify endpoints:
/api/user → /api/admin
Change methods:
- GET → POST → DELETE
Look for:
- Access to sensitive data
- Admin functionality
Success here usually means a Broken Access Control finding.
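Steps 3 and 4 above probe the server from the client side; the following is the server-side counterpart, added here as an example and not taken from the original post or from Burp Suite. It assumes a hypothetical key store (KEYS, with placeholder key strings), an Origin allowlist, a source-network allowlist and per-route scopes; weak_authorize shows the check that produces the "no restriction" result, and authorize shows the deny-by-default version that rejects a changed Origin, a different source IP, a swapped endpoint or a swapped method.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ApiKeyRecord:
    owner: str
    allowed_origins: frozenset   # exact Origin header values permitted
    allowed_networks: tuple      # ip_network objects the key may be used from
    scopes: frozenset            # permissions granted, e.g. {"user:read"}
    active: bool = True


# Constructed sample key store for this example; the key strings are
# placeholders, not real credentials.
KEYS = {
    "sk_user_example": ApiKeyRecord(
        owner="mobile-app",
        allowed_origins=frozenset({"https://app.example.com"}),
        allowed_networks=(ip_network("203.0.113.0/24"),),
        scopes=frozenset({"user:read"}),
    ),
    "sk_revoked_example": ApiKeyRecord(
        owner="old-integration",
        allowed_origins=frozenset({"https://app.example.com"}),
        allowed_networks=(ip_network("203.0.113.0/24"),),
        scopes=frozenset({"user:read"}),
        active=False,
    ),
}

# Scope required for each (method, path). Routes not listed are denied
# outright, so switching method or path never reaches a handler by accident.
ROUTE_SCOPES = {
    ("GET", "/api/user"): "user:read",
    ("POST", "/api/user"): "user:write",
    ("DELETE", "/api/user"): "user:write",
    ("GET", "/api/admin"): "admin",
}


def _lower(headers):
    """HTTP header names are case-insensitive; normalise once."""
    return {k.lower(): v for k, v in headers.items()}


def weak_authorize(headers, method, path, client_ip):
    """The check that yields 'no restriction': key exists -> allowed."""
    return _lower(headers).get("x-api-key") in KEYS


def authorize(headers, method, path, client_ip):
    """Deny-by-default check. Returns (allowed, reason)."""
    h = _lower(headers)
    rec = KEYS.get(h.get("x-api-key"))
    if rec is None or not rec.active:
        return False, "unknown or revoked key"
    if h.get("origin") not in rec.allowed_origins:   # missing Origin also fails
        return False, "origin not allowed"
    try:
        ip = ip_address(client_ip)
    except ValueError:
        return False, "bad client address"
    if not any(ip in net for net in rec.allowed_networks):
        return False, "client network not allowed"
    required = ROUTE_SCOPES.get((method.upper(), path))
    if required is None:
        return False, "no such route"
    if required not in rec.scopes:
        return False, "missing scope"
    return True, "ok"


if __name__ == "__main__":
    good = {"x-api-key": "sk_user_example", "Origin": "https://app.example.com"}
    print(authorize(good, "GET", "/api/user", "203.0.113.7"))
    print(authorize({**good, "Origin": "https://evil.com"}, "GET", "/api/user", "203.0.113.7"))
    print(authorize(good, "GET", "/api/admin", "203.0.113.7"))
```

Two design points worth keeping in mind: the Origin header is only set reliably by browsers, so an Origin allowlist protects browser-originated traffic and the network allowlist is the control that holds for any client; and the route table is deny-by-default, which is what stops the /api/user → /api/admin and GET → DELETE changes from Step 4.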
Step 5: Abuse Testing (Intruder)
Send request to Intruder:
- Add API key as payload (or repeat requests)
- Start attack
Check:
- Rate limiting
- Response changes
- Server behavior
If no limits: Abuse possible (DoS / cost impact)
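The "no limits" outcome of Step 5 is fixed by per-key rate limiting; the block below is an added example of that control, written for this page and not code from the original post or from Burp Suite. It assumes a sliding-window limiter keyed by the API key, an injectable clock (so the burst can be replayed deterministically) and a Retry-After value for the 429 response; the limit and window sizes are constructed for the example.

```python
from collections import defaultdict, deque


class PerKeyRateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window_seconds`
    for each API key. Timestamps are passed in so tests can replay a burst."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)   # api_key -> timestamps inside the window

    def allow(self, api_key, now):
        """Record the request and return True if it is within the limit."""
        q = self._hits[api_key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:       # drop timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                  # rejected requests are not counted
        q.append(now)
        return True

    def retry_after(self, api_key, now):
        """Seconds until the oldest in-window request expires (for Retry-After)."""
        q = self._hits[api_key]
        if len(q) < self.limit:
            return 0
        return max(0, q[0] + self.window - now)


def simulate_burst(limiter, api_key, count, start=0.0, spacing=0.1):
    """Replay `count` requests `spacing` seconds apart; return (allowed, rejected).
    This mirrors the repeated-request pattern a tester would watch for."""
    allowed = rejected = 0
    for i in range(count):
        if limiter.allow(api_key, start + i * spacing):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


def handle(limiter, api_key, now):
    """Status line the API would return: 200, or 429 with a Retry-After hint."""
    if limiter.allow(api_key, now):
        return 200, {}
    return 429, {"Retry-After": str(int(limiter.retry_after(api_key, now)) or 1)}


if __name__ == "__main__":
    lim = PerKeyRateLimiter(limit=5, window_seconds=60)
    print(simulate_burst(lim, "sk_user_example", 20))   # constructed key name
    print(handle(lim, "sk_user_example", 2.0))
```

The window is per key rather than per IP, so a leaked key used from many addresses is still throttled, and rejected requests do not extend the window, which keeps a persistent burst from locking the key out indefinitely.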
Final Thought
Don't just test if an API key works — test what it shouldn't be able to do.
Closing
If you're learning API security, start small, stay practical, and tools like Burp Suite are more than enough. Stay connected for more cyber security guides from me.