What is API Testing?
API penetration testing is the process of identifying security weaknesses in an API by simulating the attacks a real adversary would attempt against it. The goal is to find the common vulnerability classes, such as broken authentication, authorization flaws (IDOR/BOLA), excessive data exposure, business-logic and payment bypasses, and misconfigurations, and report them with reproducible evidence so developers can fix them before they are exploited. The OWASP API Security Top 10 is the reference taxonomy most testers use to structure this work.
Stay updated with the latest official OWASP API Security guidance here: https://owasp.org/www-project-api-security/
REST API vs SOAP API
| Aspect | REST API | SOAP |
|---|---|---|
| Protocol | REST uses HTTP/HTTPS, focusing on simple, stateless communication. | SOAP works over multiple protocols like HTTP, SMTP, and TCP, offering more versatility. |
| Data Format | Supports JSON, XML, and other formats, making it lightweight and flexible. | Uses XML exclusively, resulting in larger and more verbose messages. |
| Performance | Faster due to its simplicity and minimal overhead. | Slower because of XML parsing and strict standards. |
| Security | Relies on HTTPS, OAuth, and other external mechanisms for security. | Has built-in WS-Security for encryption and authentication. |
| Use Case | Best for lightweight apps, mobile, and web services. | Preferred for enterprise apps requiring strict security and complex transactions. |
Synchronous and Asynchronous APIs
| Aspect | Synchronous API | Asynchronous API |
|---|---|---|
| Execution | Tasks are executed sequentially; the client waits for a response before proceeding. | Tasks are executed independently; the client doesn't wait and can continue other operations. |
| Communication | Blocking – the client is blocked until the server responds. | Non-blocking – the client continues without waiting for the server's response. |
| Performance | Slower for long-running tasks as it waits for responses. | Faster and more efficient for handling concurrent tasks. |
| Use Case | Suitable for immediate-response tasks (e.g., login authentication). | Ideal for background or long-running tasks (e.g., sending emails, data processing). |
OAuth 2.0
| Authentication Method | Why it's Secure | Use Case |
|---|---|---|
| OAuth 2.0 with Bearer Tokens | OAuth 2.0 is an authorization framework: the user delegates scoped access to a client application without handing it their credentials (end-user authentication is layered on top by OpenID Connect). The client presents a bearer access token to the API; anyone who holds a bearer token can use it, so tokens must only travel over TLS, should be short-lived, and should carry minimal scopes. The authorization code flow with PKCE (Proof Key for Code Exchange, RFC 7636) protects the code exchange for public clients such as mobile and single-page apps, and is now recommended for all clients. | Typically used in modern web applications, APIs, and services where access delegation and fine-grained permissions are needed (e.g., social media login, third-party service access). |
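The PKCE step mentioned above, as an added example that is not part of the original page or of any OAuth library: the client derives an S256 code_challenge from a random code_verifier, and the authorization server's token endpoint checks the verifier it later receives against the challenge it bound to the code. The function names are this example's own; the one test vector below is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """Client side: a fresh high-entropy verifier for every authorization request.

    32 random bytes encode to 43 characters, the RFC minimum length.
    """
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str,
                presented_verifier: Optional[str]) -> bool:
    """Authorization server side, at the token endpoint.

    stored_challenge and stored_method were bound to the authorization code
    when it was issued. Things a tester should try to defeat here:
      - a code issued with a challenge must not be redeemable without a verifier
      - the method is the one bound to the code: sending the challenge itself
        as the verifier (a 'plain' downgrade) must fail when S256 was bound
      - the comparison is constant-time
    """
    if presented_verifier is None:
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected.encode("ascii"),
                               stored_challenge.encode("ascii"))


def demo() -> bool:
    """Full round trip with a fresh verifier; True when the exchange succeeds."""
    verifier = new_code_verifier()
    challenge = code_challenge_s256(verifier)        # sent with the /authorize request
    return verify_pkce(challenge, "S256", verifier)  # sent with the /token request
```

When testing a real authorization server, redeem a code with no code_verifier, with the challenge string itself as the verifier, and with a verifier for a different code; all three must be refused.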
Common Types of API
| Aspect | RESTful API | SOAP API | GraphQL API | Websocket API |
|---|---|---|---|---|
| Protocol | HTTP/HTTPS | HTTP/HTTPS | HTTP/HTTPS | WebSocket |
| Message Format | JSON, XML | XML | JSON | Custom binary or text-based |
| Request Methods | GET, POST, PUT, PATCH, DELETE, etc. | POST | POST (GET is also common for read-only queries) | Custom, after the HTTP Upgrade handshake |
| Endpoint Structure | Multiple endpoints for different resources | Single endpoint | Single endpoint | Single endpoint |
| Query Flexibility | Fixed structure for endpoints and data retrieval | Fixed structure defined by WSDL | Flexible query structure for data retrieval | Real-time bidirectional communication |
| Data Fetching | Partial data fetching via endpoints | Predefined request/response structure | Flexible data fetching with custom queries | Real-time data updates |
| Authentication | Various methods (API keys, OAuth, JWT, etc.) | Various methods (WS-Security, Basic Auth, etc.) | Various methods (API keys, OAuth, JWT, etc.) | Custom authentication schemes |
| Security Protocols | HTTPS, TLS | HTTPS, TLS (plus WS-Security at the message level) | HTTPS, TLS | TLS (wss://) |
| Common Vulnerabilities | Injection attacks (SQLi, XSS, etc.), Broken Authentication, Insecure Direct Object References, etc. | XML External Entity (XXE) injection, SOAPAction header injection, etc. | Injection attacks, Introspection leaks, Query depth attacks, etc. | Message tampering, DoS attacks, Authorization bypass, etc. |
| Testing Considerations | Input validation, Authentication, Authorization, Error handling, Rate limiting, etc. | WSDL file disclosures, Message validation, Encryption, etc. | Query depth, Introspection, Authorization controls, etc. | Message flooding, Message validation, Encryption, etc. |
REST API Pentesting Resources
An application programming interface (API) is a way for two or more computer programs or components to communicate with each other.
Tools and Wordlist
| Tool | URL |
|---|---|
| Burp Suite Pro | https://portswigger.net/burp/pro |
| Postman | https://www.postman.com/downloads/ |
| Kiterunner | https://github.com/assetnote/kiterunner |
| Dirb | https://www.kali.org/tools/dirb/ |
| Gobuster | https://www.kali.org/tools/gobuster/ |

| Wordlist | URL |
|---|---|
| Assetnote | https://wordlists.assetnote.io/ |
| SecLists | https://github.com/danielmiessler/SecLists |
API Pentesting Resources
GitHub Repositories for API Pentesting
| Credit | URL |
|---|---|
| arainho | https://github.com/arainho/awesome-api-security |
| m14r41 | https://github.com/m14r41/PentestingEverything/tree/main/API%20Pentesting |
API Security Checklists
| Credit | URL |
|---|---|
| Shieldfy | https://github.com/shieldfy/API-Security-Checklist |
| APISec.ai Blog | https://www.apisec.ai/blog/api-security-checklist |
| Astra Blog | https://www.getastra.com/blog/api-security/api-security-checklist/ |
| Salt Security Blog | https://salt.security/blog/api-security-checklist |
| Indusface Blog | https://www.indusface.com/blog/api-penetration-testing-checklist/ |
Free API Security Courses
| Credit | URL |
|---|---|
| APISec University | https://www.apisecuniversity.com/courses/api-penetration-testing |
Vulnerable APIs
| Credit | URL |
|---|---|
| OWASP | https://github.com/OWASP/crAPI |
| erev0s | https://github.com/erev0s/VAmPI |
| roottusk | https://github.com/roottusk/vapi |
Common API Vulnerability and Payment-Related Test Cases
| # | Test Case | Purpose | Example |
|---|---|---|---|
| 1 | Authentication Testing | Check whether login and token mechanisms are secure | Weak or default credentials (admin:admin); predictable or unsigned tokens (e.g. a JWT whose payload can be edited to userId=1); access granted with a missing, expired or malformed token |
| 2 | Authorization Testing / IDOR | Ensure users cannot access other users' resources | /user/1/profile → /user/2/profile returns another user's data; /order/100 → /order/101 shows someone else's order |
| 3 | Broken Object Level Authorization (BOLA) | Prevent access to objects without an ownership check (the OWASP API Top 10 name for IDOR at the object level) | Modifying orderId or invoiceId in API requests; reaching /files/secret.docx by changing the file ID |
| 4 | Excessive Data Exposure | Verify the API returns only the fields the client needs | /profile returns a password hash, SSN, date of birth or full address; /orders returns other customers' email addresses |
| 5 | Rate Limiting / Throttling | Check whether the API prevents brute force and resource exhaustion | Send 1000 login requests in one minute; flood /reset-password and check for throttling or lockout |
| 6 | Injection Testing | Identify SQL, NoSQL and OS command injection | SQL: username=admin' OR 1=1 -- ; NoSQL (MongoDB): {"username": {"$gt": ""}}; OS command: append ; id or ; sleep 5 to a parameter and look for command output or a delay (never use destructive commands against a target) |
| 7 | Business Logic Testing | Ensure the application workflow cannot be bypassed or abused | Modify the amount in an order request; skip verification or approval steps; redeem the same coupon multiple times |
| 8 | Payment & Checkout Testing | Ensure payments and transactions are secure | Change amount or currency in the request; modify the discount or apply it repeatedly; check out as another user (userId tampering); replay a payment request to test for double charging |
| 9 | Sensitive Data Exposure | Check whether PII, secrets or keys are leaked | API returns API keys, JWT signing secrets, email addresses or phone numbers; passwords or tokens stored in plaintext |
| 10 | Security Misconfigurations | Detect weak API settings and headers | HTTP instead of HTTPS; overly permissive CORS (Access-Control-Allow-Origin: * or a reflected Origin together with credentials); debug output and server version leaks |
| 11 | Logging & Error Handling | Verify that no sensitive information is exposed in errors | Stack traces returned in JSON; database errors revealing table or column names |
| 12 | Session Management Testing | Validate token and session security | Session tokens that never expire; tokens still valid after logout; JWT accepted with alg: none |
| 13 | Parameter Tampering | Test the impact of modified input | Change userId in the request; alter discount or price values; add or modify role=admin in the JSON payload |
| 14 | Third-party Integration Testing | Ensure external integrations cannot be abused | Forge callbacks from payment gateways; intercept and modify webhook data from a third party; confirm the webhook signature is actually verified |
| 15 | Cryptography / Data Protection Testing | Check proper encryption and token handling | Weak or missing TLS (HTTP instead of HTTPS); predictable or unsigned tokens; reversible or home-grown encryption of sensitive fields |
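Rows 7, 8 and 13 above (business logic, payment and parameter tampering) come down to one question: which fields of the request does the server trust? The following is an added example, not code from the original page or from any real payment system. It puts a checkout handler that trusts the client's user_id, unit_price and discount_pct next to one that takes identity from the session, prices from a catalogue, enforces single-use coupons and uses an idempotency key so a replayed request cannot charge twice. The catalogue, coupons and session tokens are constructed sample data; prices are integers in cents.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data for the example.
CATALOGUE: Dict[str, int] = {"sku-headset": 4999, "sku-cable": 1250}   # cents
COUPONS: Dict[str, int] = {"WELCOME10": 10}                            # percent off, single use per user
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}

Response = Tuple[int, Optional[dict]]


def vulnerable_checkout(token: str, body: dict, ledger: List[dict]) -> Response:
    """Trusts the client for identity, price and discount; no replay protection.

    Every field a tester can edit in the JSON body changes what is charged and to whom.
    """
    if token not in SESSIONS:
        return 401, None
    total = sum(item["qty"] * item["unit_price"] for item in body["items"])
    total -= total * body.get("discount_pct", 0) // 100
    record = {"user": body["user_id"], "charged": total}
    ledger.append(record)
    return 200, record


class HardenedCheckout:
    """Identity from the session, prices from the catalogue, coupons single-use,
    and an idempotency key so a replayed request returns the original result."""

    def __init__(self) -> None:
        self.ledger: List[dict] = []
        self.redeemed: set = set()                           # (user, coupon) already used
        self.completed: Dict[Tuple[str, str], dict] = {}     # (user, idempotency key) -> result

    def charge(self, token: str, idempotency_key: str, body: dict) -> Response:
        user = SESSIONS.get(token)
        if user is None:
            return 401, None
        key = (user, idempotency_key)
        if key in self.completed:            # replay: same answer, no second charge
            return 200, self.completed[key]
        total = 0
        for item in body.get("items", []):
            price = CATALOGUE.get(item.get("sku"))   # client-supplied unit_price is ignored
            qty = item.get("qty")
            if price is None or type(qty) is not int or qty < 1:
                return 400, None                     # unknown SKU, negative or non-integer qty
            total += qty * price
        coupon = body.get("coupon")
        if coupon is not None:
            if coupon not in COUPONS or (user, coupon) in self.redeemed:
                return 400, None
            total -= total * COUPONS[coupon] // 100
        if total <= 0:
            return 400, None
        if coupon is not None:
            self.redeemed.add((user, coupon))        # only after the order is valid
        record = {"user": user, "charged": total}
        self.ledger.append(record)
        self.completed[key] = record
        return 200, record
```

Against a real target, the same probes apply: send unit_price=1, qty=-1, a second request with the same coupon, and the identical request twice, then check the ledger (or the order history) rather than just the HTTP status.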
Information Gathering
- Identify the API's purpose, business logic, and functionality.
- Enumerate API endpoints and methods (GET, POST, PUT, DELETE, etc.).
- Gather information about API versioning and changes.
- Discover hidden or undocumented endpoints using fuzzing and brute force.
- Obtain API documentation, if available, and review it for insights.
Authentication Testing
- Test API authentication mechanisms, such as API keys, OAuth, JWT, or basic authentication.
- Verify if authentication tokens or credentials are securely stored on the client side.
- Test for missing or weak authentication, including default credentials.
- Assess multi-factor authentication (MFA) if used.
Authorization Testing
- Test role-based access control (RBAC) and authorization mechanisms.
- Check if users can access resources they shouldn't have permissions for.
- Test for horizontal privilege escalation (reaching another user's resources by changing object identifiers) and vertical privilege escalation (manipulating role or group claims, or calling admin-only endpoints as a regular user).
- Verify proper enforcement of access controls, such as admin vs. regular user.
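The object-level check in the list above, as an added example that is not code from the original page or from any real API: a toy GET /order/{id} handler that authenticates but never checks ownership, the same handler with an ownership check, and the comparison a tester runs with two accounts to spot objects both can read. Users, tokens and orders are constructed sample data.

```python
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample data: two authenticated users and three orders.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS: Dict[int, dict] = {
    100: {"owner": "alice", "total": 4999},
    101: {"owner": "bob", "total": 1250},
    102: {"owner": "alice", "total": 700},
}

Response = Tuple[int, Optional[dict]]
Api = Callable[[Optional[str], int], Response]


def vulnerable_get_order(token: Optional[str], order_id: int) -> Response:
    """GET /order/{id}: authenticates the caller but never checks who owns the object."""
    if token not in SESSIONS:
        return 401, None
    order = ORDERS.get(order_id)
    return (200, order) if order is not None else (404, None)


def hardened_get_order(token: Optional[str], order_id: int) -> Response:
    """Same endpoint with an object-level ownership check.

    Missing and foreign objects get the same 404, so the endpoint is not an
    oracle for enumerating which IDs exist.
    """
    if token not in SESSIONS:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != SESSIONS[token]:
        return 404, None
    return 200, order


def find_cross_user_reads(api: Api, user_a: str, user_b: str, ids: Iterable[int]) -> List[int]:
    """Tester's check: IDs that two different users can both read with identical bodies.

    Unless an object is meant to be shared, every hit is a BOLA/IDOR finding.
    """
    hits = []
    for oid in ids:
        status_a, body_a = api(user_a, oid)
        status_b, body_b = api(user_b, oid)
        if status_a == 200 and status_b == 200 and body_a == body_b:
            hits.append(oid)
    return hits


def unauthenticated_reads(api: Api, ids: Iterable[int]) -> List[int]:
    """IDs readable with no token at all (missing authentication, not just authorization)."""
    return [oid for oid in ids if api(None, oid)[0] == 200]
```

In practice the same loop is run with two real accounts against a captured request, swapping the session token while keeping the object ID; sequential integer IDs make the range easy to sweep, but the check works just as well on a list of IDs harvested from the first account's own responses.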
Input Validation
- Test for input validation and output encoding to prevent injection attacks.
- Check for SQL injection, Cross-Site Scripting (XSS), and other injection vulnerabilities.
- Verify if API endpoints properly validate and sanitize user inputs.
- Assess file upload endpoints for malicious file uploads.
Data Exposure
- Test for sensitive data exposure through API responses.
- Verify if the API enforces proper data encryption in transit (HTTPS).
- Check for information disclosure in error messages.
- Ensure that data, especially personally identifiable information (PII), is redacted.
Rate Limiting and Resource Exhaustion
- Test rate limiting and resource exhaustion controls.
- Check if the API is vulnerable to brute force attacks or denial-of-service (DoS) attacks.
- Test for API rate limiting bypass techniques.
- Verify if anti-automation mechanisms are in place.
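The bypass check in this list, as an added example that is not code from the original page or from any real rate-limiting product: a sliding-window limiter that can be keyed in two ways, and a simulated login brute force against one account. Keying on X-Forwarded-For, a header the client sets unless a trusted proxy overwrites it, lets every guess land in a fresh bucket; keying on the TCP peer address and, separately, on the targeted account holds the limit. The limiter, key functions and constructed requests are this example's own; the clock is simulated so it runs offline.

```python
import collections
from typing import Callable, Deque, Dict, List

Request = dict
KeyFn = Callable[[Request], List[str]]


class SlidingWindowLimiter:
    """Allows at most `limit` requests per `window_s` seconds for every key a request maps to."""

    def __init__(self, limit: int, window_s: float, key_fn: KeyFn) -> None:
        self.limit = limit
        self.window = window_s
        self.key_fn = key_fn
        self.hits: Dict[str, Deque[float]] = collections.defaultdict(collections.deque)

    def allow(self, request: Request, now: float) -> bool:
        queues = [self.hits[k] for k in self.key_fn(request)]
        for q in queues:
            while q and now - q[0] >= self.window:   # drop hits outside the window
                q.popleft()
        if any(len(q) >= self.limit for q in queues):
            return False
        for q in queues:
            q.append(now)
        return True


def key_by_forwarded_header(req: Request) -> List[str]:
    """Weak: keys on X-Forwarded-For. A new fake address per request means a new bucket."""
    return [req["headers"].get("X-Forwarded-For", req["remote_addr"])]


def key_by_peer_and_account(req: Request) -> List[str]:
    """Stronger: the socket peer address (not spoofable without a proxy) and,
    separately, the account under attack, so rotating source addresses still
    hits the per-account ceiling."""
    return [f"ip:{req['remote_addr']}", f"acct:{req['body']['username']}"]


def simulate_login_bruteforce(limiter: SlidingWindowLimiter, attempts: int, spoof: bool) -> int:
    """Sends `attempts` password guesses at one account within one second from a
    single host; returns how many the limiter let through."""
    allowed = 0
    for i in range(attempts):
        req = {
            "remote_addr": "203.0.113.7",          # attacker's real address (TEST-NET-3)
            "headers": {"X-Forwarded-For": f"198.51.100.{i}"} if spoof else {},
            "body": {"username": "victim", "password": f"guess{i}"},
        }
        if limiter.allow(req, now=i / attempts):
            allowed += 1
    return allowed
```

When the API does sit behind a proxy, only the address the trusted proxy appends should be used, never the first value in the header. Other bypass probes worth running against a real target: case and trailing-slash variants of the path (/login, /Login, /login/), switching the HTTP method, calling an older API version, and rotating the account rather than the address.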
JWT and OAuth Testing
- Test JSON Web Tokens (JWT) security, including signature validation.
- Check for OAuth vulnerabilities in each grant type: authorization code (weak redirect_uri validation, missing state parameter, missing or optional PKCE), implicit grant (access tokens exposed in the URL fragment, browser history and referrers), and client credentials (leaked or over-scoped client secrets).
- Verify if OAuth tokens are securely managed, rotated, and revoked.
- Assess OAuth token scope and permissions.
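The signature-validation checks above, and the alg: none case from the test-case table, as an added example that is not code from the original page or from any JWT library: stdlib HS256 signing, two tester payloads (an unsigned alg: none token and a claims swap that keeps the original signature), a verifier that honours the algorithm named in the untrusted header, and one that pins the algorithm, compares in constant time and enforces exp. The secret and claims are constructed sample data.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a properly signed HS256 token."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def forge_alg_none(payload: dict) -> str:
    """Tester's payload: header alg=none and an empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def tamper_payload(token: str, new_payload: dict) -> str:
    """Tester's payload: swap the claims but keep the original signature."""
    header, _, sig = token.split(".")
    return f"{header}.{_segment(new_payload)}.{sig}"


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Honours the algorithm named in the untrusted header: alg=none skips the check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if _b64url_decode(sig_b64) != expected:      # also not a constant-time comparison
        return None
    return json.loads(_b64url_decode(payload_b64))


def verify_hardened(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Pins HS256, ignores the header's alg, compares in constant time, enforces exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload
```

The same two payloads are the first things to send to a real token endpoint: an alg: none token with role or userId edited, and the captured token with its claims replaced and the signature left untouched; either being accepted is a critical finding. Tokens signed with RS256 should additionally be re-sent as HS256 signed with the public key, the classic algorithm-confusion check.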
API Rate Limiting
- Test API rate limiting policies for different user roles.
- Verify if rate limiting is consistently applied across API endpoints.
- Check for bypasses or weaknesses in rate limiting controls.
- Test abuse scenarios such as OTP and password brute force, username or account enumeration, and repeated calls to expensive endpoints (search, export, email or SMS sending).
Error Handling
- Test how the API handles errors and exceptions.
- Check if error messages reveal sensitive information or internal details.
- Verify that proper HTTP status codes are returned for different error scenarios.
- Assess if error messages are consistent and not overly verbose.
Webhooks and Callbacks
- Test webhooks and callback mechanisms.
- Check for security vulnerabilities in callback URLs, such as SSRF or unauthorized callbacks.
- Verify if callbacks are properly authenticated and validated.
- Test for replay attacks or callback abuse.
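The callback authentication and replay checks in this list, as an added example that is not code from the original page or from any real payment gateway: the sender signs the timestamp and the raw body with an HMAC, and the receiver rejects missing or bad signatures, stale timestamps and already-seen event IDs before it parses the body. The header names, secret and the payment event are this example's own constructed assumptions; real gateways each use their own header names and formats.

```python
import hashlib
import hmac
import json
from typing import Dict, Set, Tuple

# Header names are assumptions made for this example.
TS_HEADER = "X-Webhook-Timestamp"
SIG_HEADER = "X-Webhook-Signature"

# Constructed sample event, kept as raw bytes because that is what gets signed.
SAMPLE_BODY = b'{"id":"evt_001","type":"payment.succeeded","order":100,"amount":4999}'


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body>' so neither can be altered."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def make_headers(secret: bytes, timestamp: int, body: bytes) -> Dict[str, str]:
    """Headers a legitimate sender would attach."""
    return {TS_HEADER: str(timestamp), SIG_HEADER: sign_webhook(secret, timestamp, body)}


class WebhookReceiver:
    """Receiver side: signature, freshness and uniqueness before the event is trusted."""

    def __init__(self, secret: bytes, tolerance_s: int = 300) -> None:
        self.secret = secret
        self.tolerance = tolerance_s
        self.seen_ids: Set[str] = set()   # production: a shared store with TTL >= tolerance

    def accept(self, headers: Dict[str, str], raw_body: bytes, now: int) -> Tuple[bool, str]:
        ts_text = headers.get(TS_HEADER)
        sig = headers.get(SIG_HEADER)
        if ts_text is None or sig is None:
            return False, "missing signature headers"
        try:
            ts = int(ts_text)
        except ValueError:
            return False, "malformed timestamp"
        if abs(now - ts) > self.tolerance:          # too old, or too far in the future
            return False, "timestamp outside tolerance"
        expected = sign_webhook(self.secret, ts, raw_body)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False, "bad signature"
        # Parse only after the signature is good, and always verify over the raw
        # bytes received, never over a re-serialised copy of the parsed JSON.
        event = json.loads(raw_body)
        event_id = event.get("id") if isinstance(event, dict) else None
        if not isinstance(event_id, str):
            return False, "event has no id"
        if event_id in self.seen_ids:
            return False, "replayed event"
        self.seen_ids.add(event_id)
        return True, "accepted"
```

Against a real receiver the tester replays a captured webhook unchanged, re-sends it with the amount or order ID edited, strips the signature header entirely, and re-sends a day-old event; the receiver should refuse all four. If the callback URL is configurable by the merchant, also check it for SSRF by pointing it at internal addresses.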