Skip to main content
All CollectionsPenetration Tests
What information we need for an API Assessment
What information we need for an API Assessment
Matthew Elliott avatar
Written by Matthew Elliott
Updated over 2 years ago

API Assessment Pre-requisites

To conduct an efficient and in-depth API assessment, the tester will need the following before the start of the assessment:

  • A list of all methods/endpoints in scope for the assessment

  • Ideally, an API collection (such as Postman or SoapUI) will be provided which possesses a valid template for each request and all parameters

  • Documentation detailing the overall API functionality and showing all parameters for each of the methods/endpoints in scope

  • If an API collection cannot be provided, example valid requests for each method/endpoint using all available parameters will be required

  • Instructions on how to authenticate to the service. An example pre-made working request is also recommended (e.g a CURL command) so the penetration tester can quickly identify access issues prior to the beginning of the assessment.

  • In the event the API method/endpoints require valid data such as IDs or banking information to operate successfully, test data will need to be provided


    Please Note

If an API collection and valid example requests cannot be provided, requests will be manually built during testing using the API documentation. This may significantly increase the time taken to carry out the assessment and reduce the number of tests that can be performed during the time frame of the test.

If API documentation is also not available, it is unlikely the tester will be able to create successful requests. In this scenario, the assessment would not provide suitable coverage of the API service(s) in scope. Further to this, all parameters or functionality not detailed in API collections, documentation, or supplied requests will not be included in the test as the tester will likely be unaware of their existence.

Did this answer your question?