APIs have become the backbone of modern applications. Mobile apps, web platforms, cloud applications, fintech services, healthcare portals, and enterprise systems all rely heavily on APIs for communication and data exchange. Because APIs directly handle authentication, sensitive data, transactions, and backend operations, they are one of the most targeted attack surfaces in modern cyber attacks.
An API VAPT (Vulnerability Assessment and Penetration Testing) helps organizations identify security weaknesses, authentication flaws, authorization bypasses, insecure configurations, and business logic vulnerabilities before attackers exploit them.
This guide covers a practical API Security VAPT checklist including REST APIs, GraphQL APIs, authentication mechanisms, authorization testing, input validation, rate limiting, business logic testing, and API hardening practices.
What is API Security VAPT?
API Security VAPT is the process of identifying vulnerabilities and security weaknesses in Application Programming Interfaces (APIs).
The primary objective is to validate:
- Authentication security
- Authorization controls
- Data validation
- Sensitive data exposure
- Business logic security
- API rate limiting
- Token handling
- Backend trust assumptions
API penetration testing is critical because insecure APIs can lead to:
- Account takeover
- Unauthorized data access
- Payment manipulation
- Sensitive information leakage
- Privilege escalation
- Remote system compromise
Why API Security is Important
Modern applications rely heavily on APIs because:
- Mobile apps communicate using APIs
- Single-page applications use APIs
- Cloud platforms expose APIs
- Third-party integrations depend on APIs
- IoT devices use APIs
- Microservices communicate via APIs
A single insecure API endpoint may expose millions of user records.
Some major real-world breaches occurred because of:
- Broken Access Control
- Insecure Direct Object References (IDOR)
- Weak JWT validation
- Missing rate limiting
- Excessive data exposure
API Security Testing Methodology
A structured API VAPT generally includes:
- API Information Gathering
- Authentication Testing
- Authorization Testing
- Input Validation Testing
- Business Logic Validation
- Rate Limiting Testing
- Sensitive Data Exposure Checks
- Session Management Testing
- GraphQL Security Testing
- Reporting and Remediation
1. API Information Gathering
The first phase focuses on understanding:
- API endpoints
- Request methods
- Authentication mechanisms
- Parameters
- Tokens
- Response structures
- API versions
Common sources:
- Mobile applications
- Swagger/OpenAPI documentation
- JavaScript files
- Burp Suite history
- Traffic captures
Useful files:
/swagger.json/openapi.json/docs/graphql
Common Tools:
- Burp Suite
- Postman
- Insomnia
- OWASP ZAP
Example:
curl https://api.example.com/openapi.json2. Authentication Testing
Authentication testing validates how securely users authenticate with the API.
Common authentication mechanisms:
- JWT Tokens
- OAuth
- API Keys
- Session Cookies
- Bearer Tokens
Check for:
- Weak login logic
- Credential stuffing protection
- MFA bypass
- JWT manipulation
- Token expiration
- Refresh token handling
- Logout invalidation
JWT Security Testing Checklist
JWT misconfigurations are extremely common.
Validate:
- Weak signing algorithms
- Missing signature validation
- Token tampering
- Expired token acceptance
alg:noneacceptance- Hardcoded secrets
Example JWT Header:
{
"alg": "HS256",
"typ": "JWT"
}Check whether tokens can be modified without validation.
3. Authorization Testing
Authorization testing is one of the most important parts of API VAPT.
Many APIs validate authentication but fail to validate authorization properly.
Test for:
- Horizontal privilege escalation
- Vertical privilege escalation
- Role manipulation
- Unauthorized object access
Example Vulnerable Request:
GET /api/user/1001/profile
Authorization: Bearer tokenTry changing:
/api/user/1002/profileIf another user’s data is accessible, this may indicate an IDOR vulnerability.
4. Input Validation Testing
Input validation testing identifies injection vulnerabilities and improper sanitization.
Test all parameters for:
- SQL Injection
- NoSQL Injection
- Command Injection
- XML Injection
- JSON Injection
- Path Traversal
Example SQL Injection Test:
{
"username": "' OR '1'='1",
"password": "test"
}APIs should properly validate and sanitize all user-supplied input.
5. Rate Limiting and Brute Force Protection
APIs handling authentication or OTP validation should implement rate limiting.
Test for:
- Unlimited login attempts
- OTP brute forcing
- Password spraying
- API abuse
- Enumeration attacks
Example:
- Send multiple login requests rapidly
- Observe response behavior
- Validate blocking mechanisms
Missing rate limiting can lead to:
- Account compromise
- Credential stuffing
- Resource exhaustion
6. Sensitive Data Exposure Testing
Review API responses carefully.
Check whether APIs expose:
- Internal IDs
- PII data
- Tokens
- Password hashes
- Debug information
- Backend versions
- Internal server paths
Common issue:
APIs returning excessive data beyond business requirements.
Example:
{
"username": "admin",
"email": "admin@example.com",
"password_hash": "$2y$10$..."
}Sensitive information should never be exposed unnecessarily.
7. HTTP Method Validation
Check whether APIs properly restrict HTTP methods.
Test:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
Example:
OPTIONS /api/users HTTP/1.1Improper method restrictions may expose hidden functionality.
8. Business Logic Testing
Business logic vulnerabilities are difficult to detect automatically.
Examples include:
- Payment manipulation
- Coupon abuse
- Negative pricing
- OTP reuse
- Workflow bypass
- Multi-step validation bypass
These vulnerabilities often require manual testing and understanding of application workflows.
9. API Versioning Security
Older API versions may still remain accessible.
Check:
/v1//v2//beta//old/
Older APIs may:
- Lack authentication
- Expose debug data
- Miss security patches
10. CORS Misconfiguration Testing
Cross-Origin Resource Sharing (CORS) misconfigurations can expose APIs to unauthorized origins.
Check for:
- Wildcard origins
- Credential support with wildcard
- Reflection-based origins
Risky Header Example:
Access-Control-Allow-Origin: *Improper CORS policies can lead to sensitive data exposure.
11. GraphQL Security Testing
GraphQL APIs require specialized testing.
Check for:
- Introspection enabled
- Query depth abuse
- Excessive data exposure
- Authorization flaws
- Batch query abuse
Example Introspection Query:
{
__schema {
types {
name
}
}
}If introspection is enabled in production, attackers may enumerate backend structures.
12. File Upload Validation
If APIs support uploads, test:
- File extension bypass
- MIME type bypass
- Malicious file uploads
- Path traversal
- Stored XSS
Check whether:
- Server-side validation exists
- Dangerous file types are blocked
13. API Error Handling Testing
Review API error messages carefully.
Check for:
- Stack traces
- SQL errors
- Internal paths
- Framework disclosure
- Debug information
Verbose error messages help attackers understand backend systems.
14. Session Management Testing
Validate:
- Session expiration
- Concurrent session handling
- Token revocation
- Device logout
- Session fixation
Check whether:
- Old tokens remain valid
- Tokens rotate properly
- Sessions invalidate after password change
15. API Security Headers Review
Review security headers:
- Content-Security-Policy
- Strict-Transport-Security
- X-Frame-Options
- X-Content-Type-Options
Weak or missing headers may increase attack surface.
Common API Security Vulnerabilities
| Vulnerability | Risk |
|---|---|
| Broken Access Control | Unauthorized data access |
| IDOR | Horizontal privilege escalation |
| Weak JWT Validation | Authentication bypass |
| Missing Rate Limiting | Brute force attacks |
| Excessive Data Exposure | Sensitive information leakage |
| Injection Vulnerabilities | Backend compromise |
| Weak CORS Policy | Cross-origin attacks |
| Business Logic Flaws | Financial abuse |
API VAPT Tools Checklist
| Tool | Purpose |
|---|---|
| Burp Suite | API interception |
| Postman | Request testing |
| OWASP ZAP | Automated scanning |
| Insomnia | API validation |
| ffuf | Endpoint discovery |
| JWT Tool | JWT manipulation |
| GraphQL Voyager | GraphQL mapping |
| Nuclei | Automated template scanning |
Official Resources:
API VAPT Reporting Best Practices
A professional API security report should include:
- API overview
- Authentication methods
- Endpoint inventory
- Vulnerability findings
- Request and response evidence
- Severity ratings
- Business impact
- Technical impact
- Remediation recommendations
Each finding should contain:
- Vulnerable endpoint
- HTTP request
- HTTP response
- Root cause
- Exploitation scenario
- Mitigation guidance
API Security Hardening Recommendations
Organizations should:
- Implement strong authentication
- Use proper authorization validation
- Enforce least privilege
- Implement rate limiting
- Use secure token management
- Disable debug endpoints
- Validate all inputs
- Implement API logging and monitoring
- Secure GraphQL introspection
- Regularly rotate secrets
Internal PentestHint Resources
Explore more cybersecurity and VAPT content:
Conclusion
API security testing is one of the most critical parts of modern application security assessments. APIs directly expose backend functionality, sensitive business logic, and user data, making them attractive targets for attackers.
A proper API VAPT should include authentication testing, authorization validation, business logic analysis, GraphQL security checks, rate limiting verification, and sensitive data exposure testing.
Whether you are a penetration tester, bug bounty hunter, SOC analyst, or cybersecurity student, understanding API penetration testing methodology is essential for securing modern applications against real-world attacks.
