Performance Analysis of the Fuzzing Method in Detecting API Vulnerabilities in Mobile Healthcare Application X Based on OWASP API Security Top 10

Muhammad Ikhwanul Hakim, Radityo Adi Nugroho, Dodon Turianto Nugrahadi, Rudy Herteno, Setyo Wahyu Saputro

Abstract


Traditional perimeter security measures, such as Web Application Firewalls (WAFs) and static analysis, often fail to detect logic-based vulnerabilities in healthcare Application Programming Interfaces (APIs), creating significant risks for patient data confidentiality. Addressing the scarcity of empirical performance evaluations in this domain, this study employs a grey-box controlled experimental design to assess the effectiveness of automated HTTP fuzzing against a production-grade mobile health application ("Application X"). Using the FFUF tool configured with sequential identifier injection, status-code filtering, and hidden-field probing, the experiment tested 33 endpoints against the OWASP API Security Top 10 2023 benchmarks. To ensure data reliability, a rigorous multi-step validation protocol including replay testing and environmental noise elimination was applied to filter false positives. The results identified 88 distinct vulnerabilities distributed across six categories, with a critical dominance of Security Misconfiguration (API8) and Broken Object Property Level Authorization (API3). Analytically, the high prevalence of API3 reveals a systemic failure in backend serialization, where sensitive fields, including password hashes and internal administrative flags, were exposed due to the absence of Data Transfer Objects (DTOs), contradicting the assumption of secure client-side filtering. Limitations of this study include the restriction to a single patient-role perspective and the exclusion of third-party integrations. The study concludes that automated fuzzing is superior to static analysis in detecting runtime data leakage and recommends mandatory Server-Side Output Filtering through explicit DTOs as a critical standard for secure health API development and data privacy compliance.
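The Server-Side Output Filtering the abstract recommends, as an added illustration that is not code from the paper or from Application X: a raw backend record serialized as-is (the API3 failure mode) beside an explicit DTO that allow-lists fields, plus a response audit of the kind used to confirm a leak. The record, the field names such as password_hash and is_admin, and the set of sensitive keys are constructed assumptions.

```python
import json
from dataclasses import dataclass, asdict

# Constructed sample of a raw backend record for one patient; the field names
# (password_hash, is_admin, ...) are assumptions standing in for the leaked ones.
RAW_PATIENT_RECORD = {
    "id": 1042, "name": "Constructed Patient", "email": "patient@example.invalid",
    "password_hash": "$2b$12$constructed.hash.value", "is_admin": False,
    "internal_notes": "constructed note",
    "appointments": [{"id": 7, "date": "2024-01-01", "doctor_id": 3, "billing_token": "constructed"}],
}
SENSITIVE_KEYS = {"password_hash", "is_admin", "internal_notes", "billing_token"}
@dataclass(frozen=True)
class AppointmentDTO:
    id: int
    date: str

@dataclass(frozen=True)
class PatientDTO:
    id: int
    name: str
    email: str
    appointments: list

def serialize_unfiltered(record: dict) -> str:
    # The failure mode the abstract describes: the backend object goes out as-is.
    return json.dumps(record)

def to_dto_dict(record: dict) -> dict:
    # Explicit DTO: only named fields are copied, so internal or newly added
    # backend columns never reach the wire unless someone adds them here.
    dto = PatientDTO(
        id=record["id"], name=record["name"], email=record["email"],
        appointments=[AppointmentDTO(id=a["id"], date=a["date"]) for a in record["appointments"]],
    )
    return asdict(dto)

def leaked_fields(body) -> set:
    # Response audit: walk a JSON string or parsed object and report sensitive keys at any depth.
    found = set()
    def walk(node):
        if isinstance(node, dict):
            found.update(k for k in node if k in SENSITIVE_KEYS)
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    walk(json.loads(body) if isinstance(body, str) else body)
    return found
```

Running leaked_fields over both serializations shows the unfiltered body exposing every sensitive key, including one nested inside the appointments list, while the DTO output exposes none.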

Keywords


API Security; Excessive Data Exposure; Fuzzing; Healthcare Application; OWASP Top 10


DOI: http://dx.doi.org/10.35671/telematika.v19i1.3149

Telematika
ISSN: 2442-4528 (online) | ISSN: 1979-925X (print)
Published by: Universitas Amikom Purwokerto
Jl. Let. Jend. POL SUMARTO Watumas, Purwonegoro - Purwokerto, Indonesia


This work is licensed under a Creative Commons Attribution 4.0 International License.