I haven’t done any security testing of APIs, so I searched for it and found a post about it. It has some Methods Of API Security Testing and Rules For API Security Testing; I will refer to them if I test an API:
Fuzz Testing: A black-box software testing technique that finds bugs by injecting malformed data.
Command Injection: An injection flaw occurs in web services and APIs when the web application passes information from the HTTP request on to other commands, such as database commands, system calls, or requests to an external service.
(Un) Authorized Endpoints And Methods: It is very important that an API authorizes every single request before processing it, because an API that does not may reveal sensitive data or allow users to perform damaging actions.
Test For Authentication On All EndPoints: One way to test your API's security is to set up automated tests for scenarios such as calling authorized endpoints without authorization and testing user privileges.
Test Unhandled HTTP Methods: APIs that use HTTP have various methods that are used to retrieve, save and delete data. Security tests for these cases include checking whether HEAD bypasses authentication and testing arbitrary HTTP methods.
Parameter Tampering: It takes advantage of back-end sanitization errors by manipulating parameters sent in API requests. Accordingly, forms that use type="hidden" inputs should always be tested to make sure the back-end server correctly validates them.
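As an added illustration of the two rules above (authentication on all endpoints, and unhandled HTTP methods such as HEAD), here is a small self-contained check that is not from the original post: it sends every HTTP method to every protected path without credentials and reports any that is not refused. The mini API handlers, paths and token are constructed for this example only.

```python
# Added example: automated "auth on every endpoint and method" check.
# The two handlers below stand in for an API under test; they are constructed
# here for illustration and are not code from any real project.
from dataclasses import dataclass, field

METHODS = ("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE")
VALID_TOKEN = "constructed-test-token"   # constructed sample credential
PROTECTED_PATHS = ("/users", "/admin")   # constructed sample routes


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def naive_app(req):
    """Constructed weak handler: the auth check is tied to GET/POST only, so
    HEAD (and any other method) reaches the protected handler unauthenticated."""
    if req.path not in PROTECTED_PATHS:
        return 404
    if req.method in ("GET", "POST") and req.headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
        return 401
    return 200


def hardened_app(req):
    """Constructed hardened handler: credentials are checked before any method
    dispatch, and methods a route does not support are rejected with 405."""
    allowed = {"/users": {"GET", "HEAD", "POST"}, "/admin": {"GET"}}
    if req.path not in allowed:
        return 404
    if req.headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
        return 401
    if req.method not in allowed[req.path]:
        return 405
    return 200


def find_auth_gaps(app, paths=PROTECTED_PATHS):
    """Call every method on every protected path with no Authorization header.
    Returns (method, path, status) for each request that was not refused."""
    gaps = []
    for path in paths:
        for method in METHODS:
            status = app(Request(method, path))
            if status not in (401, 405):
                gaps.append((method, path, status))
    return gaps


if __name__ == "__main__":
    print("naive gaps:", find_auth_gaps(naive_app))      # HEAD, PUT, ... slip through
    print("hardened gaps:", find_auth_gaps(hardened_app))  # []
```

The same loop can be pointed at a real test client instead of the in-memory handlers; the point is that the method list is enumerated exhaustively rather than only the methods the API documents.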