Home
/Checklists
/API Security Testing Checklist

API27 items

API Security Testing Checklist

A detailed checklist for testing the security of REST and GraphQL APIs. Covers authentication, authorization, input validation, rate limiting, and data exposure risks aligned with the OWASP API Security Top 10.

OWASP API Security Top 10NIST SP 800-115PTES

Progress: 0 of 27 items

Obtain API documentation (OpenAPI/Swagger specs, Postman collections)info

Gather all available API documentation including versioning information.

References

OWASP API Security Top 10

Identify API authentication mechanisms (OAuth2, API keys, JWT)

Document all authentication methods and obtain valid test credentials.

Confirm scope includes all API versions and environments

Clarify whether deprecated API versions and internal APIs are in scope.

Set up proxy tooling for API traffic interception

Configure Burp Suite or mitmproxy with appropriate certificate pinning bypasses.

Document rate limits and acceptable testing thresholds

Agree on maximum request rates to avoid triggering denial-of-service conditions.

Discover undocumented endpoints through fuzzing and wordlistsmedium

Use tools like Kiterunner or ffuf with API-specific wordlists to find hidden endpoints.

Commands

kr scan https://api.target.com -w routes-large.kite -A=apiroutes-220828

ffuf -u https://api.target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,201,401,403

References

Kiterunner - API content discovery tool

Enumerate API versions and deprecated endpointsmedium

Test /v1/, /v2/, /api/beta/ and similar patterns for accessible legacy versions.

References

OWASP API9:2023 - Improper Inventory Management

Analyze response headers and error messages for information leakagelow

Check for verbose stack traces, internal IP addresses, and technology disclosure.

References

OWASP WSTG - Test for Error Handling

Map all HTTP methods accepted by each endpoint

Send OPTIONS requests and test PUT, DELETE, PATCH methods on read-only endpoints.

Commands

curl -X OPTIONS -i https://api.target.com/v1/users

References

OWASP WSTG - Test HTTP Methods

Identify GraphQL introspection and schema exposuremedium

Query __schema and __type to enumerate all available queries, mutations, and types.

Commands

curl -X POST https://api.target.com/graphql -H "Content-Type: application/json" -d '{"query":"{__schema{types{name}}}"}'

References

OWASP WSTG - Testing GraphQL
PortSwigger - GraphQL API vulnerabilities

Test for Broken Object Level Authorization (BOLA)critical

Manipulate resource IDs in API calls to access objects belonging to other users.

Evidence to capture

two paired API requests showing User A's token returning User B's record (with redacted PII), including the raw HTTP requests and responses.

References

OWASP API1:2023 - Broken Object Level Authorization
CWE-639: Authorization Bypass Through User-Controlled Key

Test for Broken Function Level Authorizationcritical

Attempt to call admin-only API functions using regular user tokens.

Evidence to capture

request with a low-privilege token successfully invoking an administrative endpoint, showing both the raw request and the privileged response payload.

References

OWASP API5:2023 - Broken Function Level Authorization

Check for excessive data exposure in API responseshigh

Verify that responses only contain fields necessary for the client and no sensitive internal data.

References

OWASP API3:2023 - Broken Object Property Level Authorization

Test JWT token validation and algorithm confusion attackscritical

Try none algorithm, RS256/HS256 confusion, expired tokens, and signature stripping.

Commands

jwt_tool eyJhbGciOi... -T

jwt_tool eyJhbGciOi... -X a -pc role -pv admin

References

OWASP JWT for Java Cheat Sheet
PortSwigger - JWT attacks
CWE-347: Improper Verification of Cryptographic Signature

Verify rate limiting on authentication and sensitive endpointshigh

Attempt brute-force attacks on login, password reset, and OTP endpoints.

References

OWASP API4:2023 - Unrestricted Resource Consumption

Test for mass assignment and parameter pollutionhigh

Send additional fields in request bodies to modify unintended properties like role or isAdmin.

Evidence to capture

request body containing an unexpected field (e.g. `"role":"admin"`) plus the response demonstrating that the field was accepted and persisted.

References

OWASP API6:2023 - Unrestricted Access to Sensitive Business Flows
OWASP Mass Assignment Cheat Sheet

Assess input validation on all API parametershigh

Test for injection attacks, type confusion, and boundary value issues in request parameters.

References

OWASP API8:2023 - Security Misconfiguration

Chain BOLA with data exposure to exfiltrate sensitive recordscritical

Demonstrate full impact by combining authorization flaws with excessive data exposure.

Evidence to capture

scripted iteration enumerating other users' records via the BOLA flaw, with a sample of the extracted payloads (PII redacted).

Test for SSRF through API parameters accepting URLscritical

Inject internal URLs into webhook, callback, and image URL parameters.

References

PortSwigger - SSRF
OWASP SSRF Prevention Cheat Sheet

Cheat sheet · /cheat-sheets/ssrf

Exploit GraphQL batching and nested query attackshigh

Test for denial-of-service through deeply nested queries and batch brute-force attacks.

References

PortSwigger - GraphQL API vulnerabilities

Test for NoSQL injection in API query parametershigh

Inject MongoDB operators ($gt, $ne, $regex) into JSON request bodies.

Commands

nosqlmap

References

OWASP WSTG - Testing for NoSQL Injection

Cheat sheet · /cheat-sheets/sql-injection

Verify CORS policy and test for credential leakage cross-originmedium

Confirm that Access-Control-Allow-Origin is not overly permissive with credentials.

Commands

curl -I -H "Origin: https://evil.com" https://api.target.com/v1/users

References

OWASP WSTG - Test Cross-Origin Resource Sharing
PortSwigger - CORS

Document all API endpoints tested with request/response examples

Include cURL commands or Postman collections for reproducibility.

Map findings to OWASP API Security Top 10 categories

Classify each vulnerability against the relevant API Security Top 10 category.

Provide API-specific remediation guidance

Recommend middleware-level fixes, input validation schemas, and authorization patterns.

Include automated scan results as appendices

Attach raw output from API scanning tools with false positives clearly marked.

Revoke and rotate all test credentials used during assessment

Ensure all API keys, tokens, and test accounts are invalidated post-engagement.

Related Vulnerabilities

Broken Access Control

critical

Injection

critical

Security Misconfiguration

medium

Identification and Authentication Failures

high

Server-Side Request Forgery

high

Industries Using This Checklist

Financial Services & Banking

Report Vulnerabilities Faster with Vulnsy

Stop rewriting the same findings. Use Vulnsy's reusable templates, collaborative workflows, and professional report generation to deliver pentest reports 10x faster.

Start Free Trial

Modern penetration testing reporting platform. Built by pentesters, for pentesters.

Platform

Features
Pricing
FAQ

Resources

Vulnerability Knowledge Base
Pentest Checklists
Cybersecurity Glossary
Industries
Blog
Free Tools

Company

About
Contact
luke@vulnsy.com

API Security Testing Checklist

Pre-Engagement

Reconnaissance

Vulnerability Assessment

Exploitation & Testing

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy