API Security Testing Checklist

1. Reconnaissance

• Identify and catalogue all API endpoints

• Review API documentation (Swagger/OpenAPI)

• Capture requests & responses (Postman, Burp, ZAP)

• Map authenticated vs unauthenticated endpoints

• Identify shadow or undocumented APIs

---

🔐 2. Authentication & Authorization

• Test authentication mechanisms (API-Key, OAuth2, JWT, Basic Auth)

• Verify token/session management (expiry, revocation, reuse)

• Test authorization: RBAC, scope-based, BOLA/IDOR

• Test privilege escalation

• Check credentials/API keys exposed in logs or URLs

---

🔑 3. API Key / Token Handling

• Check API key/token exposure (URLs, logs, GET parameters)

• Verify secure transmission (HTTPS only)

• Test key rotation, scope restriction, least privilege

• Check JWT algorithm confusion (alg: "none")

• Verify signature enforcement for JWT

• Test JWT claim manipulation (iss, sub, roles, exp)

---

🔄 4. HTTP Method Manipulation

• Identify allowed HTTP methods (GET, POST, PUT, DELETE, PATCH)

• Test unexpected methods on sensitive endpoints

• Test OPTIONS/HEAD for info leakage

• Check responses for improper 405 Method Not Allowed handling

---

💉 5. Parameter Handling & Injection

• Test HTTP Parameter Pollution (HPP)

• Test array parameters, nested JSON, XML injection

• Check JSON/XML malformed payload impact (XXE)

• Validate input (range, type, length, format)

• Test content-type bypass techniques

---

📦 6. Data Handling & Security

• Accept only valid content types (respond with 415/406 when invalid)

• Check sensitive data exposure in API responses

• Check error messages for internal information leakage

• Verify data encryption in transit (TLS) & encryption at rest

---

⚡ 7. Rate Limiting & DoS

• Check if APIs enforce rate limiting

• Test DoS with large JSON/XML (resource exhaustion)

• Check file upload size limitations

• Verify brute-force protection

---

🎯 8. Business Logic Flaws

• Test logic bypass (skip payment, skip steps, bypass workflow)

• Check predictable identifiers (order IDs, tokens, user IDs)

• Test cross-user access manipulation

• Ensure business rules/validations are strictly enforced

---

📊 9. Logging & Monitoring

• Check logging of key security events (401/403 spikes, errors)

• Verify presence of correlation IDs for request tracing

• Confirm alerts trigger for abnormal activity

• Test runtime API protection/WAF behavior

---

📝 10. Reporting & Automation

• Document API endpoints, findings, and fixes

• Automate repeated tests (CI/CD integration for DAST/SAST)

• Execute tests after every major deployment

• Build endpoint/parameter risk classification

---

🎨 11. GraphQL API Testing

• Discover GraphQL endpoints, analyze queries/mutations/subscriptions

• Run introspection queries, enumerate schema, types, fields

• Test nested queries, circular references, batch overload, alias abuse

• Test injection attacks (query/mutation/subscription/variable/fragment)

• Document findings and automate GraphQL testing

---

🚫 12. API Rate-Limiting & DDoS Testing

• Identify endpoints, versions, documentation, request flow patterns

• Flood API with high-volume requests, test UA/IP rotation

• Test throttling, burst limits, gateway-level protections

• Discover & test hidden/undocumented endpoints without limits

• Identify deprecated/old API versions and test them

• Check if docs expose sensitive or unintended information

• Document DoS weaknesses, bypasses, and automated test cases

---

🔌 13. WebSocket Security Testing

• Identify WebSocket endpoints, protocols, headers, authentication

• Test hijacking, CSWSH, Origin bypass, downgrade, state manipulation

• Test message tampering, binary injection, frame manipulation, compression bombs

• Document WebSocket vulnerabilities, automate WS test scenarios