API Testing

Overview

API testing targets the programmatic interfaces that applications expose — REST endpoints, GraphQL schemas, and WebSocket connections. APIs often have weaker security controls than browser-facing pages because developers assume only their front-end will interact with them. This makes APIs a high-value attack surface for authentication bypass, data exposure, and privilege escalation.

Topics in This Section

• REST API Testing — endpoint discovery, authentication testing, BOLA/IDOR, mass assignment, rate limiting bypass, verbose error exploitation
• GraphQL Testing — introspection queries, authorization bypass, batching attacks, injection, denial of service via nested queries
• WebSocket Testing — connection hijacking, cross-site WebSocket hijacking (CSWSH), message injection, origin validation bypass