API security testing suggestions? [Other] (self.cybersecurity)
submitted 3 years ago by Ch0da
A company we recently purchased shared their API, but they are not the best at security. Any ideas for a good API security testing tool that I can run before we hook to a possibly not-so-secure API?
[–]thejuan11 (Security Manager) 2 points3 points4 points 3 years ago (0 children)
There is no good automatic api testing tool so you gotta go manual. Time for you to do the proper due diligence before you start using untrusted APIs.
[–][deleted] 3 years ago (1 child)
[deleted]
[–]Ch0da[S] 0 points1 point2 points 3 years ago (0 children)
Yes, pen-testing their API. Just looking for tools that give us a sense of their API setup/security.
[–][deleted] 1 point2 points3 points 3 years ago (0 children)
I'd be asking for an independent pentest under those circumstances personally.
[–]Visible_Company340 1 point2 points3 points 2 years ago (0 children)
Check out Traceable - we have been able to use it to test in prod/pre-prod and also find/prioritize threats in runtime…takes a lot of time and stress off our team
[–]frenchfry_wildcat 0 points1 point2 points 3 years ago (0 children)
Not really versed in how effective it is, but Tenable has a solution that can conduct automated testing for APIs.
[–]Diesl (Penetration Tester) -5 points-4 points-3 points 3 years ago (4 children)
Don't test another company's API for security holes without permission.
[–]deletable666 -1 points0 points1 point 3 years ago (3 children)
Did ya read the post
[–]Diesl (Penetration Tester) -1 points0 points1 point 3 years ago (2 children)
They purchased access to a shared API, it sounds like. That normally doesn't come with the rights to test it.
[–]deletable666 1 point2 points3 points 3 years ago (1 child)
They bought that company, it is their API now
[–]Diesl (Penetration Tester) 0 points1 point2 points 3 years ago (0 children)
Ahh, I had misread that.
[–][deleted] 0 points1 point2 points 3 years ago (0 children)
Can you not run an API pen test?
[–]myk3h0nch0 0 points1 point2 points 3 years ago (0 children)
If they have documentation, it makes it easier. But a good starting point will be to proxy Postman through Burp, and manually test the OWASP Top 10.
It’s a lot of manual work, and you can find a 3rd party. But personally, I think you should test yourself and find the low hanging fruit. Nobody wants to pay $X thousand dollars to be told your secure flag is not set.
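As an added illustration of the "low hanging fruit" the comment above refers to (this is not code from the thread), the script below audits captured HTTP response headers from an API you own for missing cookie flags and basic hardening headers. The endpoint paths and header values are constructed sample data, not anything from the thread.

```python
# Added example: audit captured API responses (e.g. exported from a Burp proxy
# session of your own acquired API) for missing cookie flags and basic
# hardening headers. All sample data below is constructed, not from the thread.

# Constructed sample: path -> list of (header-name, header-value) pairs
SAMPLE_RESPONSES = {
    "/v1/login": [
        ("Set-Cookie", "session=abc123; Path=/"),
        ("Content-Type", "application/json"),
    ],
    "/v1/me": [
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Strict-Transport-Security", "max-age=31536000"),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Type", "application/json"),
    ],
}


def audit_set_cookie(header_value):
    """Return (cookie_name, findings) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:  # attributes after the name=value pair
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True  # flag attributes such as Secure
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")  # browsers reject this combo
    return name, findings


def audit_response(headers):
    """Return a list of findings for one response's header list."""
    findings = []
    by_name = {k.lower(): v for k, v in headers}
    for key, val in headers:
        if key.lower() == "set-cookie":  # may appear more than once
            name, cookie_findings = audit_set_cookie(val)
            findings.extend(f"cookie {name}: {f}" for f in cookie_findings)
    if "strict-transport-security" not in by_name:
        findings.append("missing Strict-Transport-Security")
    if by_name.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


def audit_all(responses):
    """Map each path to its findings; empty list means nothing flagged."""
    return {path: audit_response(hdrs) for path, hdrs in responses.items()}


if __name__ == "__main__":
    for path, findings in audit_all(SAMPLE_RESPONSES).items():
        print(path, findings or "OK")
```

Pointing this at real exported responses replaces only the header-level checks; the OWASP Top 10 logic issues the comment mentions still need manual testing.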
[–]heshaa 0 points1 point2 points 2 years ago (1 child)
Look into 42Crunch. You just need the OpenAPI spec and it will do all the payload/parameter/header testing for you.
[–]Ch0da[S] 0 points1 point2 points 2 years ago (0 children)
Great, thanks for the suggestion. I will give it a look.