Checklist

API penetration testing checklist

APIs carry the workflows attackers care about: identity, money movement, customer records, admin functions and integrations. This checklist helps teams prepare for API testing and understand what a manual engagement should cover.

Before testing starts

Gather API documentation, test accounts for each role, authentication details, rate limit expectations and examples of sensitive workflows. Good preparation lets testers spend more time on logic and impact.

  • OpenAPI, Postman, GraphQL schema or representative captured traffic
  • User roles, tenant examples and ownership rules
  • Authentication flows, refresh tokens and session expiry expectations
  • Known high-risk endpoints such as exports, billing, admin and identity

Core API test areas

Manual API testing should go beyond endpoint discovery. The highest-impact issues are usually broken object authorisation, excessive data exposure, weak token validation, mass assignment and missing rate limits.

What the report should prove

The report should include exact requests, responses, affected roles, affected objects, impact and fix guidance. Screenshots alone are not enough for engineering teams to reproduce API vulnerabilities.

FAQ

Common questions

Is an API scan enough?

No. Scanners help with coverage, but API risk usually depends on business logic, object ownership and role boundaries that require manual testing.

Can GraphQL be tested with the same approach?

GraphQL needs additional checks for schema exposure, batching, query depth, resolver behaviour and object authorisation.

Do testers need production access?

Usually no. A staging environment with production-like data flows and representative roles is often safer and more practical.

Your next test could start in ten days.

A 30-minute call. We’ll scope your first test on it.

Book a call