← all writeups
API

The API Security Checklist I Run on Every Engagement

Jan 28, 2026 · 8 min · by Abhishek Bhaskar (Abhi HackZ)

Most modern applications are a thin UI wrapped around an API, which means the API is the attack surface — and it's the part users never see, so it's the part that gets tested least. Below is the working checklist I run against REST and GraphQL APIs on every engagement. It maps closely to the OWASP API Security Top 10, but it's organised the way I actually test rather than as a spec to recite.

1. Broken object-level authorization (the number-one API bug)

This is the most common and most damaging API flaw, full stop. The server checks that you're logged in but not that this object is yours. Any endpoint shaped like /api/users/{id} or /api/orders/{id} is a candidate.

How I test it: authenticate as two separate low-privilege users, capture object references belonging to user A, and replay them as user B. If B can read or modify A's objects, that's a broken-object-level-authorization finding — and it scales to a mass data breach the moment the IDs are enumerable. I check reads and writes, and I check nested references (an object ID buried three levels deep in a JSON body is still an access-control decision).

2. Broken function-level authorization

Same idea, one level up: can a normal user reach admin functionality? I look for admin or privileged routes (often just guessable paths like /api/admin/...), and I try to hit them with a non-admin token. I also swap HTTP methods — an endpoint that correctly blocks GET for non-admins sometimes forgets to block DELETE or PUT. Authorization has to be enforced per-method, not per-path.

3. Excessive data exposure / mass assignment

Two sides of the same "the API trusts the shape of data" coin.

4. Authentication and token handling

5. Rate limiting and resource consumption

APIs that don't limit request volume enable credential stuffing, enumeration, and denial of wallet (in pay-per-use backends). I check whether limits exist, whether they're per-user or per-IP (per-IP alone is trivially bypassed), and whether expensive operations — search, export, report generation — have their own tighter limits.

6. GraphQL-specific surface

GraphQL concentrates a lot of power behind one endpoint, so it gets its own pass:

7. Documentation and definition leaks

Swagger/OpenAPI definitions, GraphQL SDL, and Postman collections left exposed give an attacker a complete map of the API — including endpoints the UI never calls. I always look for /swagger, /openapi.json, /api-docs and friends. A leaked spec turns black-box testing into white-box for free. (This is a routine finding, which is why API definition discovery is one of the things I automated into my recon tooling.)

8. Input validation and injection at the API layer

The API is where injection actually lands, since the UI's client-side validation means nothing to a proxy. I test the usual classes — SQL/NoSQL injection, SSRF via any parameter that takes a URL or fetches a resource, and command injection in anything that shells out — directly against the endpoints, not through the front-end that "helpfully" sanitises before sending.

9. Business logic (the part no checklist fully captures)

Beyond the taxonomy above, every API has rules specific to its business — sequences that must happen in order, values that must be re-derived server-side, actions that must happen once. I covered this in depth in Finding Business Logic Flaws Scanners Always Miss; on an API engagement it's where the highest-impact, lowest-noise findings tend to come from.

How the checklist gets used

I run the mechanical parts — object-level auth swaps, definition discovery, header and token checks, injection probes — with tooling so nothing gets skipped, then spend my human time on authorization logic and business rules where reasoning beats automation. That split, "automate the coverage, humanise the judgement," is the whole philosophy behind SentryScan: let the scanner prove the mechanical findings so the tester's attention goes to the ones only a person can see.

If your product is API-first, this is the surface most worth a dedicated look — and the one most likely to be carrying a broken-object-level-authorization bug right now. That's a core service I offer; book a scoping call and we'll map it.

Abhishek Bhaskar (Abhi HackZ)
Security Analyst & VAPT Engineer
Book a free 30-min security scoping call →