Here’s a categorized list of API penetration testing test cases with their names, commonly used during an API security assessment:

1. Authentication and Authorization
- Weak Password Policy
- Brute Force Attack on Login
- Token Expiry Validation
- Replay Attack using Access Tokens
- Lack of Two-Factor Authentication (2FA)
- Hardcoded API Keys or Tokens
- Privilege Escalation through IDOR
- Authentication Bypass (401/403)
- Broken OAuth Implementation

2. Input Validation
- SQL Injection in Query/Body Parameters
- No Input Validation on Special Characters
- Cross-Site Scripting (XSS) in API Responses
- XML External Entity (XXE) Injection
- JSON Injection Vulnerabilities
- Command Injection via API Inputs
- Buffer Overflow in Payloads
- Improper File Upload Validation

3. Session Management
- Session Fixation Attack
- Insecure Session Cookies
- Token Hijacking via MITM
- Improper Session Timeout Handling

4. Business Logic
- IDOR (Insecure Direct Object References)
- Improper Rate Limiting
- Order Manipulation Vulnerabilities
- Improper Implementation of Business Rules
- Duplicate Transaction Exploits

5. Access Control
- Horizontal Privilege Escalation (Same Level)
- Vertical Privilege Escalation (Admin/User)
- Accessing Unauthorized Endpoints
- Improper Access to Admin Functions

6. API Endpoint Security
- Testing Unused or Deprecated Endpoints
- Missing or Weak CORS Policy
- Information Disclosure in Error Messages
- Unencrypted API Responses (No HTTPS)
- Improper HTTP Methods Allowed (GET, POST, PUT, DELETE)

7. Data Exposure
- Sensitive Data in API Responses (PII/PCI)
- Exposed User Credentials
- Improper Masking of Sensitive Data
- Misconfigured Caching of API Responses
- API Debug Logs in Production

8. Rate Limiting and Denial of Service (DoS)
- Lack of Request Throttling
- Abuse of Bulk Data APIs
- Improper Rate Limit on Expensive Operations
- Massive Data Upload or Download
- Resource Exhaustion via Repeated Calls

9. Security Misconfigurations
- Improper Handling of HTTP Headers (e.g., X-Content-Type-Options, X-Frame-Options)
- Default API Endpoints Accessible
- API Versioning Exposed (e.g., /v1/, /v2/)
- Improper Error Handling in APIs
- Exposed Configuration Files (e.g., .env, .json)

10. Server-Side Vulnerabilities
- Server-Side Request Forgery (SSRF)
- Broken JSON Web Token (JWT) Implementation
- Server-Side Template Injection (SSTI)
- Path Traversal on API Endpoints
- Improper Parsing of Multipart Requests

11. API-Specific Test Cases
- GraphQL Misconfiguration Testing
- Over-fetching/Under-fetching Data in GraphQL Queries
- gRPC API Testing
- SOAP Injection Testing
- Rate Limit Testing on Paginated APIs

12. Third-Party Integrations
- Vulnerable Third-Party API Integrations
- Improper Handling of Webhooks
- Missing API Rate Limiting on External APIs
- Open Redirect in API Responses