API Testing

Change the version in endpoints: /api/v3/login -> /api/v1/login
Try other HTTP verbs
Try moving parameters between headers and bodies
Replace UUIDs with integers
Try multiple parameters of the same name: /api/profile?user_id=guest&user_id=admin
Try wildcards:

  • /api/users/*
  • /api/users/%
  • /api/users/_
  • /api/users/.
  • /api/users/.*

Test URLs for command injection: | nslookup burp.test

Test staging and QA environments for differences from production

Check Content Types

Switch between content types and see whether the API still accepts the parameter:

  • x-www-form-urlencoded: user=test
  • application/json: {"user": "test"}
  • application/xml: <user>test</user>

Add arrays to POST data:

  • username[]=John
  • username[$neq]=test

JSON Testing

Test JSON datatypes:

  • {"username": "John"}
  • {"username": true}
  • {"username": null}
  • {"username": 1}
  • {"username": [true]}
  • {"username": ["John", true]}
  • {"username": ["$neq", "test"]}

Test parameter pollution:

  • {"user_id": "guest", "user_id": "admin"}
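Added example (not from the original page) showing, from the server side, why the duplicate-parameter and JSON datatype tests above matter: Python's json.loads silently keeps the last duplicate key, and urllib's parse_qs keeps every copy of a query parameter, so a strict parser can reject both. Function names and the username rule are assumptions.

```python
import json
from urllib.parse import parse_qs

class PollutedRequest(ValueError):
    """Raised when the same parameter or key is supplied more than once."""

def parse_query_strict(query):
    """Parse a query string but refuse duplicated keys.
    parse_qs() keeps every value in a list, so a duplicated key is visible;
    many frameworks instead keep only the first or the last copy silently."""
    pairs = parse_qs(query, keep_blank_values=True)
    dupes = sorted(k for k, v in pairs.items() if len(v) > 1)
    if dupes:
        raise PollutedRequest("duplicate query parameter(s): %s" % dupes)
    return {k: v[0] for k, v in pairs.items()}

def _reject_duplicate_keys(pairs):
    # json.loads calls this with the raw (key, value) list of every object,
    # so duplicates are still visible here before they collapse into a dict.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise PollutedRequest("duplicate JSON key: %r" % key)
        seen[key] = value
    return seen

def parse_json_lenient(body):
    """Default behaviour: the last duplicate key wins ("admin" overrides "guest")."""
    return json.loads(body)

def parse_json_strict(body):
    """Same parse, but duplicated keys raise instead of being overwritten."""
    return json.loads(body, object_pairs_hook=_reject_duplicate_keys)

def validate_username(payload):
    """Accept only a plain string username (assumed rule): reject null, bool,
    number, arrays, nested objects and operator-looking values such as "$neq"."""
    value = payload.get("username")
    if not isinstance(value, str):
        raise TypeError("username must be a string, got %s" % type(value).__name__)
    if value.startswith("$"):
        raise ValueError("username must not be a query operator")
    return value
```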

XML Testing

Check for XXE (XML External Entity injection)