Apress  ·  © 2026  ·  OWASP API Top 10 (2023)

Pro API Security
Testing in ASP.NET Core

Detect and Prevent Vulnerabilities Using C# and WebApplicationFactory

Stop guessing whether your API is secure — prove it. This hands-on book teaches you to write automated tests in C# that catch real API vulnerabilities before they ship, using xUnit and WebApplicationFactory.

  • Test every one of the OWASP Top 10 API Security risks with WebApplicationFactory
  • Compare a vulnerable API against its secured fix, line by line
  • Run your security suite on every commit in CI/CD or in the terminal
Apress · 2026 · 345 pages
14 chapters · C# + Minimal APIs · xUnit + WebApplicationFactory · OWASP API Top 10 (2023) · Vulnerable Banking API · Free companion repo
What you'll be able to do

Security you can prove, not just hope for

Test like an attacker, in C#

Fire real HTTP requests through your full ASP.NET Core pipeline with WebApplicationFactory, and assert on exactly how your API responds when things go wrong.

Re-discover real breaches

Each risk opens with an incident that actually happened — Peloton, GitHub, New Relic, the PlayStation 5 bot rush — so you learn from how the real systems failed.

Before vs. After

Every chapter ships a vulnerable Banking API endpoint and its secured version, so you see precisely which lines turn a 200 OK leak into a 403 Forbidden.

Ship it in CI/CD

Wire your suite into GitHub Actions, Azure DevOps, and Jenkins so security validation runs automatically on every commit and pull request.

The spine of the book

The OWASP API Security Top 10 — tested

One chapter per risk. Each pairs a real-world breach with the exact tests that would have caught it in your own ASP.NET Core code.

API1:2023 · Chapter 3
Broken Object Level Authorization
Changing an ID in a URL exposed 3M+ Peloton profiles. Test that users can only ever reach their own resources.
Before → After: 200 OK → 403 Forbidden

API2:2023 · Chapter 4
Broken Authentication
Ivanti's CVE-2023-35078 let attackers skip auth entirely. Test JWT validation, expiry, claims, and the none algorithm.
Before → After: token forged → 401 rejected

API3:2023 · Chapter 5
Broken Object Property Level Authorization
One extra field gave an attacker write access to GitHub. Test against mass assignment and over-exposed properties.
Before → After: field injected → field ignored

API4:2023 · Chapter 6
Unrestricted Resource Consumption
Unbounded requests drive up cost and downtime. Add rate limiting and test that abusive traffic is throttled.
Before → After: unlimited → 429 limited

API5:2023 · Chapter 7
Broken Function-Level Authorization
A restricted New Relic user could change admin-only settings. Test that customers can't approve their own loans.
Before → After: self-approved → 403 Forbidden

API6:2023 · Chapter 8
Unrestricted Access to Sensitive Business Flow
Bots fired 27M requests/hour to clear PS5 stock. Test for automated abuse of legitimate business logic.
Before → After: bot at scale → throttled

API7:2023 · Chapter 9
Server-Side Request Forgery
An SSRF flaw exposed 100M+ Capital One records. Test that user-supplied URLs can't reach internal services.
Before → After: internal hit → URL blocked

API8:2023 · Chapter 10
Security Misconfiguration
Misconfigured endpoints leaked private Peloton data for months. Test security headers, CORS, and error handling.
Before → After: stack trace → generic error

API9:2023 · Chapter 11
Improper Inventory Management
A forgotten endpoint contributed to the Optus breach. Test versioning, deprecation, and retired routes.
Before → After: ghost route → 410 Gone

API10:2023 · Chapter 12
Unsafe Consumption of APIs
The Salesforce–Drift supply-chain attack abused trusted integrations. Test that third-party responses are never trusted blindly.
Before → After: trusted blind → validated
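A test of the kind the API1 row describes, written here as an added example (not code from the book or its companion repo): it drives the full ASP.NET Core pipeline through WebApplicationFactory and asserts that an account is readable by its owner only. It assumes .NET 8+, that the Banking API exposes `GET /accounts/{id}` behind `[Authorize]` on the default authentication scheme, and that its `Program` class is visible to the test project; the test-only `X-Test-User` header, the `TestAuthHandler` scheme, and seeded account 1001 are constructed for this example.

```csharp
using System.Net;
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Xunit;

// Test-only authentication scheme (hypothetical, not part of the book's Banking API):
// it trusts an "X-Test-User" header so each request can act as a chosen user.
public class TestAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public TestAuthHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
                           ILoggerFactory logger, UrlEncoder encoder) : base(options, logger, encoder) { }
    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.TryGetValue("X-Test-User", out var user))
            return Task.FromResult(AuthenticateResult.NoResult()); // anonymous: [Authorize] answers 401
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, user!) }, Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}

public class BolaTests : IClassFixture<WebApplicationFactory<Program>>
{
    private readonly HttpClient _client;
    // Swap the API's real authentication for the test scheme; everything else in the pipeline stays live.
    public BolaTests(WebApplicationFactory<Program> factory) =>
        _client = factory.WithWebHostBuilder(b => b.ConfigureTestServices(services =>
            services.AddAuthentication("Test")
                    .AddScheme<AuthenticationSchemeOptions, TestAuthHandler>("Test", _ => { })))
            .CreateClient();

    // Sends GET /accounts/{id} as the given user (or anonymously when user is null).
    private async Task<HttpStatusCode> GetAccountAs(string? user, string accountId)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, $"/accounts/{accountId}");
        if (user is not null) request.Headers.Add("X-Test-User", user);
        return (await _client.SendAsync(request)).StatusCode;
    }

    // Constructed fixture: account 1001 is owned by "alice" in the seeded test data.
    [Theory]
    [InlineData("alice", HttpStatusCode.OK)]           // owner reads her own account
    [InlineData("bob",   HttpStatusCode.Forbidden)]    // another authenticated user is refused
    [InlineData(null,    HttpStatusCode.Unauthorized)] // anonymous caller is challenged
    public async Task Account_is_only_readable_by_its_owner(string? user, HttpStatusCode expected)
        => Assert.Equal(expected, await GetAccountAs(user, "1001"));
}
```

The three rows form a small authorization matrix: a vulnerable endpoint that looks up the account by ID alone fails the "bob" row with 200 OK, which is exactly the leak the 403 Forbidden fix closes.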
Inside the book

Table of contents

Fourteen chapters that take you from a security mindset to a fully automated, CI-integrated test suite — 345 pages.

Chapter 1. Why API security is a quality attribute, how to build a security mindset, and the .NET testing tools you'll use — from xUnit as your test runner to WebApplicationFactory as your security testing foundation.

Chapter 2. Install the .NET SDK and VS Code, add the right extensions, and clone the vulnerable Banking API with its Before/After layout mirroring the OWASP API Security Top 10.

Chapter 3. Catch the Peloton-style flaw where changing an ID exposes another user's data, and write tests that prove every resource is owner-checked.

Chapter 4. Test JWT validation, expiration, claim checks, and algorithm confusion — the class of failure behind Ivanti's CVE-2023-35078.

Chapter 5. Block mass assignment and over-exposed fields — the GitHub public_key incident — with property-level authorization tests.

Chapter 6. Add ASP.NET Core rate limiting and test that requests can't run up cost or take your API offline.

Chapter 7. Prove customers can't reach admin-only functions like approving their own loans, using role- and claims-based access control plus an authorization matrix test.

Chapter 8. Detect automated abuse of business logic — like the PlayStation 5 bot rush — with velocity, behavioral, and progressive-friction tests.

Chapter 9. Stop user-supplied URLs from reaching internal services — the Capital One breach class — by validating and testing every outbound request.

Chapter 10. Test security headers, CORS policies, and error handling so your API never leaks stack traces or implementation details.

Chapter 11. Find and retire forgotten or undocumented endpoints before they become backdoors, with testable deprecation policies.

Chapter 12. Treat third-party responses as hostile and test your defenses against supply-chain attacks like the Salesforce–Drift breach.

Chapter 13. Run your whole suite in CI/CD with GitHub Actions, Azure DevOps, and Jenkins, and adopt a DevSecOps workflow where security is checked on every push.

Chapter 14. Pull the threads together: a recap of the testing patterns you've built and where to take your API security practice next.

Roman Canlas

Application Security Engineer · Seattle, USA

Roman Canlas is an application security engineer who built and runs the global application security program for a Fortune 500 company. His background in C# and ASP.NET development gives him a developer's eye for code-level vulnerabilities and web security testing. He wrote this book to share practical approaches developers and security teams can actually implement — security tests you can write and run today.

GIAC Web Application Penetration Tester (GWAPT) · Certified Secure Software Lifecycle Professional (CSSLP) · EC-Council Certified Application Security Engineer (CASE.NET) · MS, Information Systems · BS, Computer Science
Questions

Frequently asked

Yes — it's built around them. Every chapter walks through real, runnable code: a vulnerable Banking API and its secured version, with C# tests you execute yourself to see each fix prove out.

Yes. A free companion repository contains the vulnerable and secured implementations for every chapter. Browse it on GitHub.

Working C# and basic ASP.NET Core development. You don't need prior security expertise — the book builds the security mindset as it goes, starting from first principles.

It's an evergreen book — the techniques aren't tied to any particular ASP.NET Core version. Examples are written in C# using xUnit and WebApplicationFactory, the same integration-testing tools you already use.

ASP.NET Core developers, QA engineers, and DevOps professionals who want to take ownership of API security testing — whether you're building new APIs or hardening existing ones.

Yes — the 2023 edition, with a dedicated chapter and tests for each of the ten risks, then a chapter on running it all in CI/CD.

Buy the book

Ship APIs you can prove are secure

Available in softcover and eBook. Start writing security tests this weekend.