Targets For API Security Testing

Targets For API Security Testing
Targets For API Security Testing
Targets For API Security Testing
Targets For API Security Testing
Targets For API Security Testing

If you are going to test for API Security, then you have to understand its perimeters (HTTP request methods and response codes). In this section, we are going to explain HTTP requests and response methods.

HTTP request methods

HTTP includes a collection of request methods that signify the necessary action to be taken for a given resource. We are going to explain HTTP methods and their responses with status codes.

The following diagram shows the different HTTP methods: 

Figure 1.0 – HTTP Methods

Each of these methods implements a different logic:  

  • GET: The GET method requests a representation of the particular specified parameters and it is generally used for retrieving the data. 

  • POST: The POST method is used to submit a form to the specified parameters and many times, it is generally used for saving resources’ data in the server.

  • PUT: The PUT method replaces all current representations of the target parameters with the requested parameter payloads.

  • DELETE: The DELETE method deletes the specified parameter/object.

  • HEAD: The HEAD method is the same as the GET method, but it returns an object without a response body.

  • OPTIONS: The OPTIONS method is used to describe the available HTTP methods for the target parameter.

HTTP method responses

In this section, we are going to look at different response codes, which is represented in the following screenshot: 

Figure 1.1 – HTTP Responses Codes

Common status codes:

  • 200 OK – The solicitation has succeeded. The significance of the achievement relies upon the HTTP strategy.

  • 301 Moved Permanently – The URL of the mentioned asset has been changed forever. The new URL is given in the reaction.

  • 302 Found – This reaction code implies that the URI of the mentioned asset has been changed incidentally.

  • 400 Bad Request – The worker couldn’t comprehend the solicitation because of invalid sentence structure. The customer must verify itself to get the mentioned reaction.

  • 403 Forbidden – The customer doesn’t approach rights to the substance.

  • 404 Not Found – Concerned resource is not found by the server.

  • 405 Method Not Allowed – The server is aware of the request method, but it’s been impaired when used.

  • 429 Too Many Requests – The client has sent an excessive number of solicitations in a given measure of time. 

  • 500 Internal Server Error – The server has experienced a circumstance it doesn’t have a clue how to deal with.

  • 501 Not Implemented: The solicitation technique isn’t upheld by the server and can’t be taken care of.

  • 502 Bad Gateway – While working as a gateway to get a response needed to handle the request, got an invalid response.

  • 503 Unavailable Service – The server is not prepared to process the request.



The headers and specifications provide a wealth of knowledge that will assist you in troubleshooting issues. The meta-data associated with the API request and response is represented by HTTP headers, which are an essential part of the API request and response. HTTP headers often provide a wealth of knowledge about HTTP link styles, proxies, and other topics. The majority of these headers are used to handle connections between users, servers, and proxy and do not require explicit testing. The following are common request headers:

  • Host: This specifies the server’s domain name (for virtual hosting) and (optionally) the TCP port number whereby the machine is listening.

  • Referrer: The address of the previous web page accompanied by a connection to the currently requested page.

  • User-Agent: It is a string that identifies the user agent.

  • Cache-Control:  Directives on caching systems for both requests and responses. It basically sets the caching rules.

  • Connection: Controls if the network connection remains open after the current transaction is completed.

  • Accept: Types of media/data that are acceptable.

  • Accept-Encoding: The encoding algorithm, usually a compression algorithm, that is acceptable.

  • Cookie: To recognize users and it contains stored HTTP cookies that have been previously sent by the Set-Cookie header server.

The following are common response headers

  • Set-Cookie: Send cookies to the user agent from the server.

  • Cache-Control: It sets the caching rules. Directives on caching mechanisms for both requests and responses.

  • Content-Length: Length of the request body in size of bytes.

  • Content-Type: It determines the content type of the body of the request and also indicates the media type of the resource.

Now that we have covered requests and responses, we will be next cover SOAP web services and REST services. 

For more information, please visit API Security Github Guide


Let’s Talk About How Can Help You Securely Advance

Get A Free Quote
Targets For API Security Testing
Targets For API Security Testing

Our Valuable Clients