FastAPI Penetration Testing: DoS, SSRF & Modern Python API Security
FastAPI is the most popular Python framework for modern APIs, adopted by fintechs, AI/ML startups, and microservices backends. Recent vulnerabilities include CVE-2024-24762 (python-multipart DoS), CVE-2024-3651 (idna), CVE-2023-30798 (Starlette). Matproof Sentinel runs targeted FastAPI pentests with proof-of-exploit and audit-ready DORA / NIS2 / ISO 27001 reports from €149.
Why FastAPI requires specific pentest expertise
FastAPI has grown rapidly for microservices backends, fintech APIs (open banking PSD2), and ML serving (AI models exposed as APIs). Its async + Pydantic nature introduces unique security patterns: automatic type validation is powerful but incomplete, FastAPI dependency injection allows abuse of Depends() for data exfiltration, JWT in path parameters is a common anti-pattern that leaks tokens in logs. Recent CVEs illustrate the risks: CVE-2024-24762 (python-multipart) enables DoS via infinite multipart parsing. CVE-2024-3651 (idna) enables DoS via malformed Unicode parsing. CVE-2023-30798 (Starlette, FastAPI's base) enables path traversal in certain middleware patterns.
- CVE-2024-24762 (python-multipart): DoS via infinite multipart parsing — affects virtually all FastAPI applications accepting file uploads.
- CVE-2024-3651 (idna < 3.7): DoS via malformed Unicode parsing in domain names — affects FastAPI APIs using httpx/requests internally for user URL fetching.
- CVE-2023-30798 (Starlette < 0.37.2): path traversal in certain static files middleware patterns — exploit lateral movement in filesystem.
- Pydantic validation gaps: TypeScript-style strong type but incomplete — doesn't validate nested payload size, allow_extra_fields can create prototype pollution analog.
- JWT in path parameters: common anti-pattern (e.g., /api/users/{user_id}/orders/{jwt_token}) — leaks token in nginx/Cloudflare access logs, browser history, referrer headers.
- Async + race conditions: FastAPI is async-first; race conditions in business logic (payment processing, balance checks) are common if not managed with database transactions.
- For fintechs under DORA Art. 24 with payment APIs, a documented FastAPI pentest is required for compliance.
What we specifically test in a FastAPI
- CVE detection: python-multipart (CVE-2024-24762), idna (CVE-2024-3651), Starlette (CVE-2023-30798) — verify patched versions.
- Pydantic validation: test boundary cases (numeric overflow, string length, nested depth), allow_extra_fields configuration, custom validators.
- FastAPI dependency injection: Depends() chain audit for privilege escalation, security dependencies (auth, rate limit) active on all sensitive endpoints.
- OAuth2 / JWT: PyJWT signature validation, algorithm whitelisting (no « none »), expiration check, refresh token rotation, JWT in path parameters (anti-pattern).
- OWASP API Top 10 (2023): API1 BOLA, API2 Broken Auth, API3 Property Level Auth, API4 Resource Consumption, API5 BFLA, API6 Server Side Request Forgery.
- Async race conditions: business logic critical sections (payment, balance update) — test with concurrent requests to identify TOCTOU.
- File upload security: server-side MIME type validation, path traversal in filename, virus scan, upload size limits.
- GraphQL (if Strawberry/Ariadne): query depth limiting, introspection disabled in production, batch query attacks, alias-based DoS.
- Background tasks (FastAPI BackgroundTasks, Celery): code injection if task accepts user input, race condition between task and response.
- Documentation endpoints: /docs and /redoc exposed in production (anti-pattern, leaks complete schema), /openapi.json exposed.
Sample finding
JWT transmitted in path parameter — leak in access logs and referrer headers
The FastAPI exposes endpoints like GET /api/auth/refresh/{refresh_token} where refresh_token is passed as a path parameter. This anti-pattern causes refresh token leak in: (1) nginx access logs (default format includes full path); (2) Cloudflare/AWS WAF logs; (3) browser history (if called from SPA); (4) Referrer headers if API is called from external links. The test retrieved 1,247 valid refresh tokens from Cloudflare nginx logs of the last 30 days.
Fix: Immediate action (priority 1): refactor endpoint to accept refresh_token in POST body instead of path parameter. Example correct:\n\n@app.post('/api/auth/refresh')\nasync def refresh_token(payload: RefreshTokenRequest):\n return await refresh_logic(payload.refresh_token)\n\nComplementary actions: rotate all currently active refresh tokens (force re-authentication); audit nginx/Cloudflare access logs of last 90 days to identify already leaked tokens; configure log scrubbing on Cloudflare to redact path parameters; implement token binding (associate refresh token to device fingerprint or IP); lower refresh token TTL from 30 days to 7 days.
Reference: OWASP API4:2023 Unrestricted Resource Consumption · CWE-598 Use of GET Request Method With Sensitive Query Strings · GDPR Art. 32(1)(b) · RFC 6749 (OAuth 2.0) Section 10.3
FastAPI pentest options compared
| — | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | ✗ | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | ✗ | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | ✗ | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | ✗ | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | ✗ | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | ✗ | ✓ Automated | ✓ Manual |
FastAPI pentest packages
- 1 full pentest scan
- AI-prioritized findings with CVSS 3.1
- Proof-of-exploit per finding
- Audit-ready PDF report
- Regulatory mapping (DORA, NIS2, ISO 27001)
- Unlimited scans (up to 3 domains)
- Continuous monitoring
- CI/CD integration (GitHub, GitLab)
- All regulatory mappings
- Priority support
- Unlimited scans + domains
- Authenticated / White-Box testing
- API & cloud infrastructure tests
- Dedicated security account manager
- 24h SLA response time
Frequently asked questions about FastAPI pentest
What specific risks for fintechs adopting FastAPI?
Fintech FastAPI typical risks: (1) Open Banking PSD2 APIs with OAuth2 misconfiguration (state parameter not validated, permissive redirect_uri whitelist); (2) SCT Inst payments with race condition between balance check and debit (async race); (3) Insufficient JWT scope — token with read_all_transactions used for single transaction query. We test all these patterns.
Do you also test similar frameworks like Quart, Litestar, Sanic?
Yes. Quart (async Flask) and Litestar (FastAPI fork) have similar attack surfaces. Sanic has differences (no Pydantic by default).
How do you handle testing of OAuth2 / JWT protected endpoints?
We provide test tokens (development account with various scopes). We test: token swap between different users (BOLA), scope escalation, token replay, signature manipulation, algorithm confusion.
How long does a complete FastAPI pentest take?
60-90 minutes for typical API (20-100 endpoints). For GraphQL APIs adds 30-60 min. Audit-ready report within 24 hours.
Is the report accepted for DORA Art. 24 audits for fintechs?
Yes. Technical report with explicit mapping to DORA Art. 24 (intrusion test), Art. 25 (vulnerability management).
Can we integrate with our CI/CD (Poetry, pip-tools, Docker)?
Yes. GitHub Actions / GitLab CI integration on PR. For Poetry-managed projects: automatic scan on poetry.lock changes. For Docker: integration with docker scout for vulnerability scan + Matproof Sentinel for runtime testing.
Go deeper — related blog articles
Protect your FastAPI now
First scan in 3 minutes, complete FastAPI pentest in 60-90 minutes. Audit-ready DORA / NIS2 / ISO 27001 report from €149.
Start free scan