We discussed the importance of penetration tests in security testing, and APIs are no exception; they all need to go through these penetration tests to ensure that the underlying APIs are not exposing any vulnerabilities. Please note that there are three categories of pen tests in practice: black-box pen tests, grey-box pen tests, and white-box pen tests.
Black-box and grey-box testing assume testers have only limited knowledge about the underlying API. We shall briefly cover white-box testing in this section, as it's essential for API security testing, and explain why it is preferred for API penetration tests in the following section.