
February 24, 2025
October 9, 2025

You Keep Using That OOP in Your API… I Do Not Think It Means What You Think It Means

Think you understand OOP? Your API might disagree. APIs modeled on object-oriented principles can unintentionally expose sensitive methods and attributes—if you know where to look. In this session from APISEC|CON, offensive security expert Thomas Freeman reveals how thinking like a developer gives pen testers a powerful edge. Discover how OOP shapes API architecture—and how misapplied patterns can lead to BOPLA, SSRF, and method-level exploits.


Join Thomas Freeman, Director of Offensive Services at Sikich, on a deep dive into how object‑oriented programming (OOP) maps directly onto API security—and why many teams misunderstand it. Drawing on over twenty years of cybersecurity experience, this talk cuts through theory to deliver real-world value for AppSec and DevSecOps practitioners.

Why OOP Matters for API Security Testing

  • Model like a developer, test like an attacker: APIs often reflect real‑world objects (e.g. user, order, vehicle) with attributes and methods—understanding this modeling helps you anticipate hidden endpoints and unauthorized functionality.
    Thomas illustrates that knowing the object model means spotting attack vectors others miss, such as Broken Function Level Authorization and SSRF.
  • Encapsulation isn’t security by itself: Even well-structured code can leak or allow escalation if authorization logic is missing within object methods or classes.

Exploring Key Vulnerabilities Through an OOP Lens

Thomas connects OOP principles to the latest OWASP API Security Top 10:

OWASP API Top 10 Risk / OOP Equivalent / Example Scenario

  • API3: Broken Object Property Level Authorization (BOPLA). OOP equivalent: property-level abuse / mass assignment. Example scenario: an ORM like Sequelize returns extra fields; the attacker crafts a request body to flip roles or IDs.
  • API5: Broken Function Level Authorization (BOLA). OOP equivalent: unauthorized method calls. Example scenario: a PUT request to mark a product as “returned” triggers a refund, even though the user doesn’t own the item.
  • API6/7: SSRF or logical flaws. OOP equivalent: method invocation on malicious input. Example scenario: an endpoint accepts vehicleDataUrl, the backend fetches an external IP, leaking internal network info.

Thomas shows that as APIs translate JSON into object instances (think car.color, user.role), you need to test not only data attributes but also object methods and ownership logic.

Testing Smarter: Attack the Model

  • Inspect JSON, not just UI representations: GET responses often carry internal fields the UI never shows—check for fields like admin, vehicleId, or role.
  • Trigger object methods with unauthorized inputs: Try APIs like /orders/:id/return via PUT—even if the UI doesn’t expose that capability.
  • Follow object relationships across endpoints: User and order objects might be tightly coupled; requests affecting one object may expose others.

Thomas demonstrates these tactics using vulnerable app environments like Sage‑Labs’ cAPI training in Docker, where routine operations expose BOPLA and SSRF vulnerabilities in minutes.

Risk‑Aware Pen Testing = Business Value

Beyond breaking systems, the goal is to reduce risk. Thomas reminds us that organizations care about value protection—money, mission, and reputation. As testers, providing confidence that access controls work as intended is our real deliverable.

Testing is more than capturing flags—it’s about showing assurance. Thomas explicitly frames pentesting around systems’ object models, authorization logic, and potential real‑world abuse patterns.

Resources & Further Reading

Want to go deeper? Explore these APIsec University articles for more on OOP and API security:

Also consider APIsec University’s API Penetration Testing and OWASP API Security Top 10 & Beyond courses to gain hands-on skills in testing for precisely these risks.

Takeaway Actions for AppSec & DevSecOps Teams

  1. Enumerate object models from endpoints: Use GET requests and reverse-engineered OpenAPI specs to understand what the system exposes.
  2. Test all methods, especially ones like PUT /:id/return, PATCH /:id/role, or other functional actions tied to objects.
  3. Evaluate ORMs carefully: Are they exposing or accepting internal admin or role attributes? Watch for mass assignment issues.
  4. Automate ownership checks in pipeline tools: run multi-role tests, swap user IDs, and break builds on unauthorized access.
  5. Apply test-driven API security—write security tests upfront to prevent vulnerabilities from ever entering production.

Final Thoughts

Thomas Freeman’s session skillfully bridges object‑oriented programming theory and real‑world API security practice. By modeling APIs the way developers do and testing them the way attackers will, you elevate your pen tests from basic endpoint scans to business-critical risk assessments.

In OOP‑driven APIs, defenses fail not because of technical misconfiguration, but gaps in how objects, properties, and methods are allowed to behave. As AppSec and DevSecOps professionals, your mission is to lock those gaps down—and testing with an OOP mindset gives you the advantage.

Preparing your team or personal skillset for modern API threats? Check out the APIsec University platform to dive into hands‑on labs, certifications, and expert‑led content.

Happy testing—and keep thinking like both dev and attacker.
