API Penetration Testing Checklists
Verify the strength of the authentication mechanisms used by the API, such as passwords, tokens, or API keys.
Check if the API uses secure transport protocols such as HTTPS.
Verify if the access controls are implemented correctly and if unauthorized access is restricted.
Ensure the API implements a proper password policy (i.e., password complexity, reset mechanism, etc.).
Verify if the API uses rate-limiting to prevent brute-force attacks.
Check if all input parameters are validated on the server and client sides.
Ensure the API is not vulnerable to common Injection attacks like SQL injection, NoSQL injection, or LDAP injection.
Verify if the API accepts only the expected data formats (i.e., JSON, XML) and rejects unexpected formats.
Verify that the API provides meaningful error messages to the client.
Ensure the API does not leak sensitive information such as system details, stack traces, or error codes.
Verify if the API logs all the incoming requests, errors, and responses.
Check if sensitive data is encrypted both in transit and at rest.
Verify if the API follows the principle of least privilege and ensures that users can access only the necessary data.
Verify if the API implements proper data validation and sanitization to prevent data tampering or exposure.
Verify if the API uses secure session management mechanisms such as tokenization or session IDs.
Check if the session tokens are invalidated after a certain period of inactivity or logout.
Verify if the API is vulnerable to common business logic flaws such as unauthorized access, privilege escalation, or transaction manipulation.
Check if the API performs proper access controls and validations for all user actions.
This involves a thorough examination of the configurations and communication mechanisms of the application to detect any sensitive data that may be disclosed and pose a security threat. They will check the following aspects of the API as these are the common areas where excessive data exposure vulnerabilities arise:
Error pages – investigate if any sensitive data is revealed in error messages.
URL strings – check if any confidential information is exposed in the URL.
API responses – examine the response payload for any sensitive information.
Data in transit – ensure that data transmitted between the client and server is encrypted.
Data at rest – verify that any data stored in the database is properly encrypted and secured.
The client – pay special attention to how the client filters data to avoid exposing confidential information.
Check if the API is integrated with any third-party services or libraries and if they are up-to-date and secure.
Verify if the API performs proper input validation and sanitization for third-party data.