REST
Testing REST APIs
Documentation Requirements
Endpoints
Docs
Key/Credentials
Sample Calls
What to look for
Unauthenticated Endpoints
Hidden Endpoints
Error Messages on Malformed Input
Check the mobile app (might be using a legacy API/other endpoints)
HTTP/No HSTS
Brute-force detection (think password reset token)
Find old APIs, e.g. /v3 in use but /v1 exists too
Tools
Burp + SoapUI