DEV Community

Sospeter Mong'are
Sospeter Mong'are

Posted on

1

Basic API Security Testing Checklist for Developers and Pentesters

#api #security #backenddevelopment #programming

APIs are the backbone of modern applications, but they are also frequent targets for attackers. Whether you're a developer securing your own API or a red teamer probing for weaknesses, it's important to understand the core areas where APIs can be vulnerable.

Below is a basic but powerful checklist covering essential security testing practices — from authentication issues to privilege escalation, credential leaks, and pivoting.

1. Authentication & Authorization

Hardcoded Credentials

  • Check for credentials hardcoded in client-side code, headers, request bodies, or exposed through misconfigured API documentation.

Weak or Default Logins

  • Try common combinations like admin:admin or test:test. Many APIs still ship with default credentials that are never changed.

Missing or Weak Authentication

  • Some endpoints might not require authentication, or may use predictable tokens (e.g., static API keys or JWTs with no signature validation).

Privilege Escalation (PrivEsc)

  • Test whether users can access or modify resources beyond their privilege level. For example, can a regular user access admin-only routes just by tweaking a role ID or URL?

2. Input Validation & Injection

SQL/NoSQL Injection

  • Attempt injection payloads in various input fields, JSON bodies, or URL parameters.

Command Injection

  • Look for unsafe handling of input in server-side commands (;, &&, backticks, etc.).

Cross-Site Scripting (XSS)

  • Check for reflected or stored payloads, especially in APIs that render data to the frontend.

Path Traversal

  • Try inputs like ../../../../etc/passwd to access unauthorized files or directories.

3. Information Disclosure

Verbose Error Messages

  • Inspect error responses for stack traces, database errors, or internal IPs.

Open or Misconfigured API Documentation

  • Swagger UI or Postman collections might reveal internal routes or sensitive parameters.

Environment & Config Leaks

  • Check for accessible .env, debug logs, version files, and .git directories.

4. Rate Limiting & Brute Force

Brute Force Attacks

  • Attempt multiple failed logins to check if the API enforces account lockout or rate limiting.

OTP/Token Guessing

  • APIs that send or verify codes (like OTPs or reset tokens) should enforce limits to prevent enumeration.

5. Transport Security

HTTPS Enforcement

  • Ensure all endpoints reject plain HTTP and redirect to HTTPS.

CORS Misconfigurations

  • Wildcard values in Access-Control-Allow-Origin can allow malicious websites to abuse your API.

6. Sensitive Data in Transit

Credentials in URLs

  • Tokens, passwords, or other secrets should never be passed via GET parameters.

Unencrypted Payloads

  • Sensitive data should always be encrypted in transit — check for TLS and proper encryption of token contents.

7. File Upload and Malware Delivery

File Type Validation

  • Try uploading files with unexpected or double extensions (shell.php.jpg).

Keylogger or Reverse Shell Drop

  • Upload a test script to determine whether malicious code can be executed after upload.

Directory Traversal in Upload Paths

  • Attempt to write files outside the intended directory (e.g., via ../ manipulation).

8. Lateral Movement & Pivoting

Internal Endpoints

  • Some APIs expose staging or admin interfaces publicly — try scanning for unusual routes.

SSRF & Open Redirects

  • Attempt to force the server to make a request to an internal service (like http://localhost:8000 or cloud metadata services).

Token Misuse Across Services

  • Test if tokens from one service can be used to access another microservice.

9. Logging & Monitoring Gaps

Lack of Audit Trails

  • Actions like failed logins, large file uploads, or malicious inputs should be logged.

Log Evasion

  • Use payload obfuscation (e.g., Unicode tricks) to test if your input bypasses logging systems or WAFs.

10. Session Management

Session Fixation

  • Check if the same session ID can be reused across different accounts.

Expired Tokens Still Working

  • Expired tokens should be rejected immediately — test this explicitly.

Conclusion

Securing your API isn’t just about using HTTPS and validating input. A truly secure API must be resistant to privilege escalation, resilient against brute force and pivoting attempts, and vigilant against information leaks. This checklist provides a solid foundation to assess your API's security posture — whether you're in development or on a red team operation.

For more details, you can check OWASP API Security Top 10

profile
Heroku
 Promoted

Heroku

Deploy with ease. Manage efficiently. Scale faster.

Leave the infrastructure headaches to us, while you focus on pushing boundaries, realizing your vision, and making a lasting impression on your users.

Get Started

Top comments (0)

profile
DevCycleHQ
 Promoted

DevCycle image

Ship Faster, Stay Flexible.

DevCycle is the first feature flag platform with OpenFeature built-in to every open source SDK, designed to help developers ship faster while avoiding vendor-lock in.

Start shipping