IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Guides
  3. API Penetration Testing Checklist

Checklists

API Penetration Testing Checklist

APIs fail differently from traditional web apps - the highest-impact issues are usually authorization and business-logic flaws, not classic injection. This checklist covers the areas that matter most, aligned to the OWASP API Security Top 10.

The checklist

  1. Object-level authorization (BOLA)

    Test every object reference across accounts and tenants to confirm the server enforces ownership, not just authentication.

  2. Authentication

    Probe token issuance and validation - JWT handling, expiry, revocation, and credential-stuffing resistance.

  3. Property-level authorization

    Check for mass assignment and excessive data exposure: can a client set or read fields it shouldn't?

  4. Resource consumption

    Test rate limiting, pagination limits, and payload-size limits for denial-of-service and cost-abuse risks.

  5. Function-level authorization

    Attempt privileged and admin functions with low-privileged tokens (forced browsing).

  6. Business flow abuse

    Look for sensitive flows (checkout, transfer, invites) that can be automated or abused at scale.

  7. SSRF

    Test any endpoint that fetches URLs for server-side request forgery, including rebinding bypasses.

  8. Misconfiguration & inventory

    Check for verbose errors, missing security headers, and undocumented or deprecated endpoints (shadow APIs).

Key takeaways

  • Authorization, not injection, is where most API breaches originate.
  • Test across accounts and tenants, and across every HTTP method.
  • Shadow and deprecated endpoints are a leading source of exposure.

FAQ

How is API pentesting different from web app pentesting?

APIs have no UI to constrain behavior, expose object references directly, and are dominated by authorization and business-logic risk. Testing focuses on per-object and per-function authorization across roles and tenants rather than page-level flaws.

Related

IDOR / BOLAOWASP API Security Top 10API security testing

Impactr puts this into practice - autonomously testing your web apps and APIs the way an attacker would, and proving every finding with a reproducible exploit.

Join the waitlist
← All guides
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub