Checklists
API Penetration Testing Checklist
APIs fail differently from traditional web apps - the highest-impact issues are usually authorization and business-logic flaws, not classic injection. This checklist covers the areas that matter most, aligned to the OWASP API Security Top 10.
The checklist
Object-level authorization (BOLA)
Test every object reference across accounts and tenants to confirm the server enforces ownership, not just authentication.
Authentication
Probe token issuance and validation - JWT handling, expiry, revocation, and credential-stuffing resistance.
Property-level authorization
Check for mass assignment and excessive data exposure: can a client set or read fields it shouldn't?
Resource consumption
Test rate limiting, pagination limits, and payload-size limits for denial-of-service and cost-abuse risks.
Function-level authorization
Attempt privileged and admin functions with low-privileged tokens (forced browsing).
Business flow abuse
Look for sensitive flows (checkout, transfer, invites) that can be automated or abused at scale.
SSRF
Test any endpoint that fetches URLs for server-side request forgery, including rebinding bypasses.
Misconfiguration & inventory
Check for verbose errors, missing security headers, and undocumented or deprecated endpoints (shadow APIs).
Key takeaways
- Authorization, not injection, is where most API breaches originate.
- Test across accounts and tenants, and across every HTTP method.
- Shadow and deprecated endpoints are a leading source of exposure.
FAQ
How is API pentesting different from web app pentesting?
APIs have no UI to constrain behavior, expose object references directly, and are dominated by authorization and business-logic risk. Testing focuses on per-object and per-function authorization across roles and tenants rather than page-level flaws.
Related
Impactr puts this into practice - autonomously testing your web apps and APIs the way an attacker would, and proving every finding with a reproducible exploit.
Join the waitlist