How It Works
API Security Testing follows a five-step process to identify vulnerabilities in your REST APIs. Each step builds on the previous one to provide thorough, spec-driven security testing.
Step 1: Spec Import
The process begins when you upload your OpenAPI specification file. Detectify parses the spec to understand your API’s structure:
- Endpoints — Every path and HTTP method defined in your spec
- Parameters — Query parameters, path parameters, headers, and request bodies
- Data types — Expected formats, constraints, and enumerations
- Authentication — Security schemes defined in the spec
The parser validates your spec and reports any issues that could affect scan coverage. Only .json format is supported.
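As an added illustration of what a spec importer extracts and what it flags (example code, not Detectify's own importer): the functions `inventory` and `coverage_issues` are hypothetical names, and `SAMPLE_SPEC` is a constructed OpenAPI 3 document that deliberately contains defects which would shrink scan coverage, such as an operation that references a security scheme the spec never defines.

```python
import json
import re
HTTP_METHODS = ("get", "post", "put", "patch", "delete", "head", "options")
# Constructed sample OpenAPI 3 document (not a real API); it deliberately carries defects an
# importer should flag: undeclared path parameter, untyped parameter, undefined scheme, no auth.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "get": {},
            "delete": {"security": [{"admin": []}]}},
        "/orders/{orderId}": {"get": {}},
        "/search": {"get": {"security": [], "parameters": [{"name": "q", "in": "query"}]}}}})

def inventory(spec_json):
    """Enumerate operations with parameters and effective (operation overrides document) security."""
    spec = json.loads(spec_json)
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method in (m for m in item if m in HTTP_METHODS):
            op = item[method]
            params = item.get("parameters", []) + op.get("parameters", [])
            security = op.get("security", spec.get("security", []))
            ops.append({"method": method.upper(), "path": path,
                        "params": [(p["name"], p["in"], p.get("schema", {}).get("type"))
                                   for p in params],
                        "schemes": sorted({k for req in security for k in req})})
    return ops

def coverage_issues(spec_json):
    """Report spec defects that would reduce what a scan can exercise."""
    defined = set(json.loads(spec_json).get("components", {}).get("securitySchemes", {}))
    issues = []
    for op in inventory(spec_json):
        target = f"{op['method']} {op['path']}"
        declared = {name for name, loc, _ in op["params"] if loc == "path"}
        issues += [f"{target}: path parameter '{n}' is not declared"
                   for n in re.findall(r"\{([^}]+)\}", op["path"]) if n not in declared]
        issues += [f"{target}: {loc} parameter '{name}' has no schema type"
                   for name, loc, typ in op["params"] if typ is None]
        issues += [f"{target}: security scheme '{s}' is not defined"
                   for s in op["schemes"] if s not in defined]
        if not op["schemes"]:
            issues.append(f"{target}: no authentication requirement, tested unauthenticated")
    return issues
```

Running `coverage_issues(SAMPLE_SPEC)` on the constructed spec reports four problems; each one corresponds to an endpoint that the scanner either could not parameterize correctly or could only exercise without credentials.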
Step 2: Configuration
After importing your spec, you configure the scan:
- Authentication credentials — Provide tokens, API keys, or OAuth details so the scanner can access protected endpoints
- Rate limiting — Set request rate limits to avoid overwhelming your API or triggering throttling
- Scope — Optionally exclude specific endpoints from testing
- Scheduling — Run scans on demand or on a recurring schedule
Step 3: Scanning
During the scan, Detectify sends crafted payloads to each endpoint defined in your spec. The scanner uses payload rotation, cycling through different attack variations for each target. This means that across multiple scan runs, your API is tested against an expanding set of payloads rather than the same static set each time.
Payload selection is tracked per target, so the scanner remembers which payloads have already been sent and prioritizes untested variations in subsequent runs. This approach maximizes coverage over time without requiring excessively long individual scan runs.
The scanning engine is the same fuzzing engine used by Application Scanning, adapted for API-specific attack vectors.
Step 4: Analysis
Detectify analyzes the responses from each payload to determine whether a vulnerability exists. This is not signature-based or fingerprint-based detection. The scanner sends actual exploit payloads and evaluates the API’s response to confirm whether the vulnerability is real.
For each potential finding, the scanner:
- Verifies the vulnerability by confirming exploitable behavior in the response
- Determines the severity based on the type of vulnerability and the potential impact
- Captures the exact request and response for reproducibility
- Generates remediation guidance specific to the vulnerability type
Step 5: Continuous Monitoring
API Security Testing is designed for ongoing use, not just one-time assessments. With scheduled scans, Detectify continuously monitors your API for:
- New vulnerabilities introduced by code changes
- Regression detection where previously fixed issues reappear
- Expanded coverage through payload rotation across scan runs
- Configuration drift where authentication or authorization controls degrade over time
Each scan run builds on previous results, and payload rotation ensures that coverage deepens with every iteration.