AI Checklist Generator (from the makers of Manifestly Checklists)
API pen test
Pre-Engagement Activities
- Define the scope of the test (include endpoints, data types, etc.)
  - Identify all API endpoints to be tested.
  - Catalog the types of data handled by each endpoint.
  - Determine testing methods (manual, automated).
  - Set boundaries for what will and won't be tested.
  - Document the scope clearly for all stakeholders.
- Obtain necessary permissions and legal agreements
  - Draft a legal agreement outlining the testing scope.
  - Include liability clauses and confidentiality terms.
  - Obtain written consent from the API owner.
  - Ensure compliance with relevant regulations.
  - Keep all documentation accessible for reference.
- Set up communication channels and reporting formats
  - Choose secure communication tools (e.g., Slack, email).
  - Establish frequency and format for status updates.
  - Define escalation protocols for critical findings.
  - Create a reporting template for final results.
  - Ensure all stakeholders understand the communication plan.
Information Gathering
- Identify API endpoints and their documentation
- Gather information on authentication mechanisms (OAuth, API keys, etc.)
- Discover versioning and dependencies of the API
Authentication and Authorization Testing
- Test for weaknesses in authentication mechanisms (e.g., brute force, credential stuffing)
- Check for improper authorization issues (e.g., horizontal/vertical privilege escalation)
- Validate token usage and expiration policies
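The token-expiration item above is easiest to verify against a concrete check. The following is an added example (not part of the generated checklist): a minimal HMAC-signed token with `exp`/`nbf` claims and a validator that rejects tampered, expired, not-yet-valid and never-expiring tokens. The token format, the `DEMO_KEY` and the claim names are constructed for the demo; a real API would use a standard format such as JWT and load the key from a secret store, but the validation rules a tester looks for are the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Never hard-code a real signing key like this.
DEMO_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Sign a claims dict as <base64url(json)>.<base64url(hmac-sha256)>."""
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(token: str, now: float, key: bytes = DEMO_KEY, leeway: int = 0):
    """Return (accepted, reason). `now` is injected so expiry is testable."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    # Verify the signature before trusting anything in the body.
    expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    try:
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    # Policy: every token must carry a numeric exp; tokens without one never expire.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp"
    if now > exp + leeway:
        return False, "expired"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf - leeway:
        return False, "not yet valid"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token({"sub": "user1", "exp": 1000})
    print(validate_token(tok, now=500))   # accepted
    print(validate_token(tok, now=1001))  # expired
```

Findings a tester records from a check like this: tokens that validate with no `exp` claim at all, tokens that are still accepted long after `exp`, and signature checks that are skipped or done with a non-constant-time comparison.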
Input Validation and Injection Testing
- Test for SQL injection vulnerabilities
- Check for XML/JSON injection flaws
- Validate input types and boundaries to prevent buffer overflows
Rate Limiting and Throttling
- Assess API rate limiting to detect denial of service vulnerabilities
- Check for IP whitelisting/blacklisting effectiveness
- Test for abuse of resources through automated requests
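To make the rate-limiting items concrete, here is an added example (not part of the generated checklist) of a per-client token-bucket limiter replayed over a constructed request log. The client addresses, timestamps, bucket size and refill rate are all assumptions for the demo. It shows the behaviour a tester expects to observe: a burst is capped at the bucket capacity, a well-behaved client is never throttled, and capacity is restored over time rather than blocking the client for good.

```python
class TokenBucketLimiter:
    """Per-key token bucket: `capacity` tokens, refilled at `refill_per_sec`."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill = refill_per_sec
        self._state = {}  # key -> (tokens, last_seen_timestamp)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (self.capacity, now))
        # Credit tokens for the time elapsed since this key was last seen.
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= 1:
            self._state[key] = (tokens - 1, now)
            return True
        self._state[key] = (tokens, now)
        return False


# Constructed request log: (client, timestamp in seconds).
REQUEST_LOG = (
    [("10.0.0.5", 0.0)] * 20                        # burst of 20 calls in one second
    + [("10.0.0.9", float(t)) for t in range(5)]    # one call per second
    + [("10.0.0.5", 5.0)] * 3                       # bursty client returns after 5 s
)


def replay(log, capacity: int = 10, refill_per_sec: float = 1.0) -> dict:
    """Replay a log through the limiter; return allowed/rejected counts per client."""
    limiter = TokenBucketLimiter(capacity, refill_per_sec)
    stats = {}
    for client, ts in sorted(log, key=lambda entry: entry[1]):
        bucket = stats.setdefault(client, {"allowed": 0, "rejected": 0})
        bucket["allowed" if limiter.allow(client, ts) else "rejected"] += 1
    return stats


if __name__ == "__main__":
    for client, counts in replay(REQUEST_LOG).items():
        print(client, counts)
```

With a capacity of 10 and a refill of one token per second, the bursting client gets 10 of its first 20 calls through and all 3 of its later calls (5 tokens had refilled), while the steady client is never rejected. An API whose replay shows no rejections at all for the burst, or which keys the bucket on a client-controlled header rather than the authenticated identity, is what the checklist items above are looking for.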
Data Exposure and Security Misconfigurations
- Verify if sensitive data is exposed in responses (e.g., unnecessary fields)
- Check for misconfigured security headers (CORS, Content Security Policy)
- Assess the use of HTTPS and check for SSL/TLS vulnerabilities
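The header checks above can be scripted. This is an added example (not part of the generated checklist) that audits a captured set of API response headers for the misconfigurations the section names: missing or short HSTS, a wildcard CORS origin combined with credentials, a missing or weakened Content-Security-Policy, missing `nosniff`, server version disclosure and cacheable sensitive responses. The two header sets (`WEAK_HEADERS`, `HARDENED_HEADERS`) are constructed for the demo; the thresholds (180-day HSTS minimum) are the author's assumptions, not a standard the page cites.

```python
import re

# Constructed sample responses, not captured from any real service.
WEAK_HEADERS = {
    "Content-Type": "application/json",
    "Server": "nginx/1.18.0",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Strict-Transport-Security": "max-age=300",
}

HARDENED_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}

HSTS_MIN_MAX_AGE = 180 * 24 * 3600  # assumed minimum; adjust to your policy


def audit_headers(headers: dict) -> list:
    """Return a list of finding codes for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append("hsts-short-max-age")

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("cors-wildcard-with-credentials")
    if acao == "null":
        findings.append("cors-null-origin")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("csp-missing")
    elif "unsafe-inline" in csp or "unsafe-eval" in csp:
        findings.append("csp-unsafe-directive")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")

    # A version number in Server / X-Powered-By is information disclosure.
    if any(re.search(r"\d", h.get(n, "")) for n in ("server", "x-powered-by")):
        findings.append("server-version-disclosed")

    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("cache-no-store-missing")

    return findings


if __name__ == "__main__":
    print("weak:", audit_headers(WEAK_HEADERS))
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

A static check like this cannot see origin reflection (an API that echoes whatever `Origin` it receives into `Access-Control-Allow-Origin`); that needs a second request with a different `Origin` and a comparison of the two responses, which is the manual follow-up to the CORS item.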
Business Logic Testing
- Validate workflows to identify logic flaws (e.g., bypassing purchase flows)
- Test for race conditions and improper state management
- Assess error handling to ensure sensitive information is not leaked
Conclusion and Reporting
- Document all findings with details on vulnerabilities and impact
- Provide remediation recommendations for each identified issue
- Schedule a debriefing session with stakeholders to discuss results
This checklist can help guide the penetration testing process for APIs and ensure thorough coverage of potential vulnerabilities.