Security testing helps ensure that basic security requirements have been met, including those for user access, encryption, and authentication. The idea behind API scanning is to craft inputs that coax bugs and undefined behavior out of an API, essentially mimicking the actions and attack vectors of would-be hackers.
API security testing begins by defining the API to be tested. Testers provide information on inputs and outputs of the API, using a variety of specification formats including OpenAPI v2 / v3, Postman Collections, and HAR files. API security tests use this information to construct fuzzed input tailored to the input the API expects.
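As an added illustration (not code from the original page or from any particular scanner), the sketch below shows how a parameter schema can drive test-case generation: each declared constraint yields one value on the boundary and one that violates it. The OpenAPI v3 fragment, the `/users/{id}` endpoint, and the function names `fuzz_values` and `build_cases` are all constructed for this example.

```python
import json

# Constructed OpenAPI v3 fragment (hypothetical endpoint, not from the page).
SPEC = json.loads("""
{"paths": {"/users/{id}": {"get": {"parameters": [
  {"name": "id", "in": "path", "required": true,
   "schema": {"type": "integer", "minimum": 1, "maximum": 100000}},
  {"name": "sort", "in": "query", "required": false,
   "schema": {"type": "string", "enum": ["asc", "desc"]}},
  {"name": "q", "in": "query", "required": false,
   "schema": {"type": "string", "maxLength": 32}}
]}}}}
""")

def fuzz_values(schema):
    """Return (label, value) pairs that sit on or just outside the schema's limits."""
    cases = []
    kind = schema.get("type")
    if kind == "integer":
        if "minimum" in schema:
            cases += [("at-min", schema["minimum"]), ("below-min", schema["minimum"] - 1)]
        if "maximum" in schema:
            cases += [("at-max", schema["maximum"]), ("above-max", schema["maximum"] + 1)]
        cases += [("wrong-type", "abc"), ("overflow", 2**63)]
    elif kind == "string":
        if "enum" in schema:
            cases.append(("not-in-enum", schema["enum"][0] + "_x"))
        if "maxLength" in schema:
            cases.append(("too-long", "A" * (schema["maxLength"] + 1)))
        cases += [("empty", ""), ("wrong-type", 12345)]
    return cases

def build_cases(spec):
    """Walk every operation and emit one test case per parameter mutation."""
    out = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            for p in op.get("parameters", []):
                base = {"method": method.upper(), "path": path,
                        "param": p["name"], "in": p["in"]}
                for label, value in fuzz_values(p["schema"]):
                    out.append({**base, "case": label, "value": value})
                if p.get("required"):
                    # Required parameters also get a case where the value is omitted.
                    out.append({**base, "case": "missing-required", "value": None})
    return out

if __name__ == "__main__":
    for c in build_cases(SPEC):
        print(c["method"], c["path"], c["param"], c["case"], repr(c["value"]))
```

A test harness would send each case against a test deployment and flag any response that is not a clean 4xx validation error, since a 5xx or a 2xx on out-of-spec input is what ends up in the report.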
The output of API security testing is a report of any vulnerabilities or bugs found while fuzzing the API. This could include findings such as SQL and OS command injections, authorization and authentication bypasses, path traversal issues, and OWASP Top 10 API vulnerabilities including broken authentication, security misconfiguration, and data exposure.