API testing is a focused area of penetration testing, looking specifically at the APIs that allow intercommunication between systems. There are a few main classes of APIs that are usually considered: B2C, B2B, and backend APIs. The technologies used for APIs vary widely, from RESTful APIs over HTTP to fully custom binary protocols.
API testing is very similar to web testing; however, it does not concern the presentation layer beyond the data encoding format. That is, it is less concerned with how clients display the data and more with whether the data is encoded correctly. These similarities extend to the types of attacks that are tried, which cover many of the same aspects, including authorisation and authentication controls, and data handling issues such as SQLi.
It should be noted that for modern web applications some level of API testing is performed anyway; in these cases, the major difference may be the level of documentation of the API that the testers are provided with, as API testing will typically include an API schema to direct the tester.