Checklist
API penetration testing checklist
APIs carry the workflows attackers care about: identity, money movement, customer records, admin functions and integrations. This checklist helps teams prepare for API testing and understand what a manual engagement should cover.
Before testing starts
Gather API documentation, test accounts for each role, authentication details, rate limit expectations and examples of sensitive workflows. Good preparation lets testers spend more time on logic and impact.
- OpenAPI, Postman, GraphQL schema or representative captured traffic
- User roles, tenant examples and ownership rules
- Authentication flows, refresh tokens and session expiry expectations
- Known high-risk endpoints such as exports, billing, admin and identity
Core API test areas
Manual API testing should go beyond endpoint discovery. The highest-impact issues are usually broken object authorisation, excessive data exposure, weak token validation, mass assignment and missing rate limits.
What the report should prove
The report should include exact requests, responses, affected roles, affected objects, impact and fix guidance. Screenshots alone are not enough for engineering teams to reproduce API vulnerabilities.
FAQ
Common questions
Is an API scan enough?
No. Scanners help with coverage, but API risk usually depends on business logic, object ownership and role boundaries that require manual testing.
Can GraphQL be tested with the same approach?
GraphQL needs additional checks for schema exposure, batching, query depth, resolver behaviour and object authorisation.
Do testers need production access?
Usually no. A staging environment with production-like data flows and representative roles is often safer and more practical.