
API Security Testing

API Security Testing is a Dynamic Application Security Testing (DAST) solution designed specifically for REST APIs. It tests your API endpoints by sending real payloads derived from your OpenAPI specification to identify exploitable vulnerabilities.

How It Works

API Security Testing uses your OpenAPI spec as a blueprint to understand your API’s structure, including endpoints, parameters, request bodies, and authentication requirements. It then generates targeted payloads for each endpoint, rotating through thousands of attack variations to maximize coverage.

The scanning engine is shared with Application Scanning, meaning your APIs benefit from the same fuzzing technology and vulnerability research that powers web application testing.
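The blueprint step described above, as an added example that is not Detectify's code: walk an OpenAPI 3 document and produce one test target per method and path, with its parameters, request-body fields and the authentication schemes it requires. The spec is a constructed sample; only the inventory step is shown, not payload generation.

```python
"""Enumerate scan targets from an OpenAPI 3 spec: one target per
(method, path) with parameters, body fields and required auth schemes.
Constructed sample input; added example, not Detectify's code."""
import json

# Constructed sample spec (assumption: ordinary OpenAPI 3.0 layout).
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "components": {"securitySchemes": {
        "basic": {"type": "http", "scheme": "basic"},
        "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    "security": [{"basic": []}],              # default for every operation
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "get": {"summary": "Fetch user"},
            "put": {"requestBody": {"content": {"application/json": {"schema": {
                        "type": "object",
                        "properties": {"email": {"type": "string"},
                                       "role": {"type": "string"}}}}}},
                    "security": [{"apiKey": []}]},
        },
        "/health": {"get": {"security": []}},  # explicitly unauthenticated
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}


def enumerate_targets(spec_json):
    """Return a list of target dicts in spec order."""
    spec = json.loads(spec_json)
    global_security = spec.get("security", [])
    targets = []
    for path, item in spec.get("paths", {}).items():
        shared_params = item.get("parameters", [])   # apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = [(p["name"], p["in"]) for p in shared_params + op.get("parameters", [])]
            body_fields = []
            for media in op.get("requestBody", {}).get("content", {}).values():
                body_fields += list(media.get("schema", {}).get("properties", {}))
            # Operation-level security overrides the global default; an explicit
            # empty list means the endpoint is reachable without credentials.
            security = op.get("security", global_security)
            schemes = sorted({name for req in security for name in req})
            targets.append({"method": method.upper(), "path": path, "params": params,
                            "body_fields": body_fields, "auth": schemes,
                            "unauthenticated": not schemes})
    return targets
```

Targets flagged `unauthenticated` are worth reviewing before a scan: they are the endpoints the spec says need no credentials.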

Key Capabilities

Capability                 Description
Spec-driven testing        Scans are built from your OpenAPI specification, ensuring every documented endpoint is tested
Payload rotation           Rotates through extensive payload libraries per target, covering edge cases and bypass techniques
Authentication support     Supports OAuth 2.0, Basic Auth, and API key authentication schemes
Continuous monitoring      Schedule recurring scans to catch regressions as your API evolves
Prompt injection testing   Detects prompt injection vulnerabilities in AI and LLM-powered endpoints

Coverage

API Security Testing covers over 25 vulnerability types, including SQL injection, server-side template injection, command injection, broken object-level authorization (BOLA), and prompt injection. See Coverage for the full list.

Getting Started

To begin testing your APIs:

  1. Prepare your OpenAPI specification in .json format
  2. Upload it to Detectify
  3. Configure authentication
  4. Run your first scan

See the Getting Started guide for detailed instructions.
