Home
/Checklists
/API Security Testing Checklist

API27 items

API Security Testing Checklist

A detailed checklist for testing the security of REST and GraphQL APIs. Covers authentication, authorization, input validation, rate limiting, and data exposure risks aligned with the OWASP API Security Top 10.

OWASP API Security Top 10NIST SP 800-115PTES

Progress: 0 of 27 items

Obtain API documentation (OpenAPI/Swagger specs, Postman collections)info

Gather all available API documentation including versioning information.

Identify API authentication mechanisms (OAuth2, API keys, JWT)

Document all authentication methods and obtain valid test credentials.

Confirm scope includes all API versions and environments

Clarify whether deprecated API versions and internal APIs are in scope.

Set up proxy tooling for API traffic interception

Configure Burp Suite or mitmproxy with appropriate certificate pinning bypasses.

Document rate limits and acceptable testing thresholds

Agree on maximum request rates to avoid triggering denial-of-service conditions.

Discover undocumented endpoints through fuzzing and wordlistsmedium

Use tools like Kiterunner or ffuf with API-specific wordlists to find hidden endpoints.

Enumerate API versions and deprecated endpointsmedium

Test /v1/, /v2/, /api/beta/ and similar patterns for accessible legacy versions.

Analyze response headers and error messages for information leakagelow

Check for verbose stack traces, internal IP addresses, and technology disclosure.

Map all HTTP methods accepted by each endpoint

Send OPTIONS requests and test PUT, DELETE, PATCH methods on read-only endpoints.

Identify GraphQL introspection and schema exposuremedium

Query __schema and __type to enumerate all available queries, mutations, and types.

Test for Broken Object Level Authorization (BOLA)critical

Manipulate resource IDs in API calls to access objects belonging to other users.

Test for Broken Function Level Authorizationcritical

Attempt to call admin-only API functions using regular user tokens.

Check for excessive data exposure in API responseshigh

Verify that responses only contain fields necessary for the client and no sensitive internal data.

Test JWT token validation and algorithm confusion attackscritical

Try none algorithm, RS256/HS256 confusion, expired tokens, and signature stripping.

Verify rate limiting on authentication and sensitive endpointshigh

Attempt brute-force attacks on login, password reset, and OTP endpoints.

Test for mass assignment and parameter pollutionhigh

Send additional fields in request bodies to modify unintended properties like role or isAdmin.

Assess input validation on all API parametershigh

Test for injection attacks, type confusion, and boundary value issues in request parameters.

Chain BOLA with data exposure to exfiltrate sensitive recordscritical

Demonstrate full impact by combining authorization flaws with excessive data exposure.

Test for SSRF through API parameters accepting URLscritical

Inject internal URLs into webhook, callback, and image URL parameters.

Exploit GraphQL batching and nested query attackshigh

Test for denial-of-service through deeply nested queries and batch brute-force attacks.

Test for NoSQL injection in API query parametershigh

Inject MongoDB operators ($gt, $ne, $regex) into JSON request bodies.

Verify CORS policy and test for credential leakage cross-originmedium

Confirm that Access-Control-Allow-Origin is not overly permissive with credentials.

Document all API endpoints tested with request/response examples

Include cURL commands or Postman collections for reproducibility.

Map findings to OWASP API Security Top 10 categories

Classify each vulnerability against the relevant API Security Top 10 category.

Provide API-specific remediation guidance

Recommend middleware-level fixes, input validation schemas, and authorization patterns.

Include automated scan results as appendices

Attach raw output from API scanning tools with false positives clearly marked.

Revoke and rotate all test credentials used during assessment

Ensure all API keys, tokens, and test accounts are invalidated post-engagement.

Related Vulnerabilities

Broken Access Control

critical

Injection

critical

Security Misconfiguration

medium

Identification and Authentication Failures

high

Server-Side Request Forgery

high

Industries Using This Checklist

Financial Services & Banking

Report Vulnerabilities Faster with Vulnsy

Stop rewriting the same findings. Use Vulnsy's reusable templates, collaborative workflows, and professional report generation to deliver pentest reports 10x faster.

Start Free Trial

Vulnsy

Modern penetration testing reporting platform. Built by pentesters, for pentesters.

Platform

Features
Pricing
FAQ

Resources

Vulnerability Knowledge Base
Pentest Checklists
Cybersecurity Glossary
Industries
Blog
Free Tools

Contact

luke@vulnsy.com

API Security Testing Checklist

Pre-Engagement

Reconnaissance

Vulnerability Assessment

Exploitation & Testing

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy