Api Security Testing

1. Test API key validation
2. Test JWT tokens
3. Test OAuth2 flows
4. Test token expiration
5. Test refresh tokens

Phase 3: Authorization Testing

1. Test object-level authorization
2. Test function-level authorization
3. Test role-based access
4. Test privilege escalation
5. Test multi-tenant isolation

Phase 4: Input Validation

1. Test parameter validation
2. Test SQL injection
3. Test NoSQL injection
4. Test command injection
5. Test XXE injection

Phase 5: Rate Limiting

1. Test rate limit headers
2. Test brute force protection
3. Test resource exhaustion
4. Test bypass techniques
5. Document limitations

Phase 6: GraphQL Testing

1. Test introspection
2. Test query depth
3. Test query complexity
4. Test batch queries
5. Test field suggestions

Phase 7: Error Handling

1. Test error messages
2. Check information disclosure
3. Test stack traces
4. Verify logging
5. Document findings

API Security Checklist

• Authentication working
• Authorization enforced
• Input validated
• Rate limiting active
• Errors sanitized
• Logging enabled
• CORS configured
• HTTPS enforced

Related Workflow Bundles

• security-audit - Security auditing
• web-security-testing - Web security