API Security Testing: A Practical Checklist for 2025
Introduction
APIs are the backbone of modern applications — and the primary target for attackers. With microservices, mobile apps, and third-party integrations all relying on APIs, a single vulnerability can expose entire systems. This practical checklist covers what every security team should test when assessing API security in 2025.
OWASP API Security Top 10
The OWASP API Security Top 10 provides the foundation for API testing. The key risks include:
- API1: Broken Object Level Authorization (BOLA) — Accessing objects belonging to other users
- API2: Broken Authentication — Weak auth mechanisms allowing impersonation
- API3: Broken Object Property Level Authorization — Mass assignment and excessive data exposure
- API4: Unrestricted Resource Consumption — Missing rate limits enabling DoS
- API5: Broken Function Level Authorization (BFLA) — Accessing admin functions as a regular user
- API6: Unrestricted Access to Sensitive Business Flows — Automating flows meant for humans
- API7: Server-Side Request Forgery — Making the server request unintended resources
- API8: Security Misconfiguration — Default configs, verbose errors, CORS misconfigurations
- API9: Improper Inventory Management — Shadow APIs and undocumented endpoints
- API10: Unsafe Consumption of Third-Party APIs — Trusting external API responses without validation
Authentication Testing Checklist
OAuth 2.0 / OIDC
- [ ] Verify the authorization code flow cannot be hijacked by an interceptor (PKCE is enforced, and the "plain" method is rejected)
- [ ] Test for token leakage in URL fragments and Referer headers
- [ ] Confirm state parameter prevents CSRF attacks
- [ ] Check that redirect URIs are strictly validated (no open redirects)
- [ ] Verify scope enforcement — request elevated scopes and confirm denial
- [ ] Test that token revocation actually invalidates access (a revoked token must be rejected, not just logged)
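The OAuth 2.0 items above, seen from the server side: an added example (not code from the original article) of the validation an authorization server should apply so that each check passes, with a constructed client registration (REGISTERED_REDIRECTS and ALLOWED_SCOPES are hypothetical values).

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical client registration (constructed values, not from the article).
REGISTERED_REDIRECTS = {"https://app.example.com/callback"}
ALLOWED_SCOPES = {"openid", "profile", "email"}


def pkce_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_ok(stored_challenge: str, method: str, verifier: Optional[str]) -> bool:
    """Token endpoint check: require S256 (reject 'plain' and a missing verifier),
    enforce the RFC 7636 verifier length, and compare in constant time."""
    if verifier is None or method != "S256" or not 43 <= len(verifier) <= 128:
        return False
    return hmac.compare_digest(pkce_challenge(verifier), stored_challenge)


def redirect_ok(uri: str) -> bool:
    """Exact match against the registered set: no prefix or wildcard matching,
    https only, and no fragment (fragments are where tokens leak to the browser)."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return uri in REGISTERED_REDIRECTS


def scope_ok(requested: str) -> bool:
    """Every requested scope must be one the client was registered for."""
    scopes = set(requested.split())
    return bool(scopes) and scopes <= ALLOWED_SCOPES


def state_ok(session_state: str, returned: Optional[str]) -> bool:
    """The state echoed on the callback must equal the value bound to the session."""
    return returned is not None and hmac.compare_digest(session_state, returned)
```

A tester running the checklist should see the token endpoint refuse a code exchange whenever pkce_ok returns False, and the authorization endpoint refuse any redirect_uri or scope that these functions reject.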
ZeroSight360
Security Researcher at ZeroSight360