Web APIs have gained popularity among developers because they let third-party programs interact with a website more efficiently and easily. Claiming an API is secure merely because it uses SSL or OAuth is misleading; there is more to an API than its transport layer (although SSL admittedly goes a long way).
Different authorization and authentication standards are at play for REST and SOAP: OAuth 1.x and 2.x, SAML, WS-Security, OpenID Connect, and others. SSL is great for transport-level security, but what if the message data itself needs to be encrypted (so no one else can read it) or signed (so you can be sure it has not been tampered with) after it has been sent over HTTP?
Testing your API for potential security issues is essential, and this is where API penetration testing comes in. An API penetration test thoroughly assesses your API's security posture so that the vulnerabilities it exposes are identified and mitigated.
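Message-level integrity of the kind asked about above is usually achieved by signing the request itself, not just the connection. The following is an added example (not code from the original page) in which a client produces an HMAC-SHA256 tag over the method, path, timestamp and body digest, and the server verifies it with a constant-time comparison and a freshness window; the key, paths and payloads are constructed for the demonstration.

```python
import hashlib
import hmac
import time

# Constructed demo key; in practice this is a per-client secret from a secret store.
DEMO_KEY = b"constructed-demo-shared-secret"
MAX_SKEW_SECONDS = 300  # reject tags older than five minutes (replay window)


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, timestamp and a body digest into one signed string.

    Hashing the body keeps the canonical form fixed-size, and the newline
    separators stop one field from being mistaken for part of another."""
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_digest}".encode()


def sign_request(key: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    """Client side: produce the hex HMAC-SHA256 tag carried in a request header."""
    return hmac.new(key, canonical_string(method, path, timestamp, body), hashlib.sha256).hexdigest()


def verify_request(key, method, path, body, timestamp, signature, now=None) -> bool:
    """Server side: accept only a fresh request whose tag matches exactly."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: replayed or badly skewed request
    expected = sign_request(key, method, path, body, timestamp)
    return hmac.compare_digest(expected, signature)  # constant-time compare


def demo():
    """Sign a transfer request, then show that a changed body or a late replay fails."""
    ts = 1_700_000_000
    body = b'{"to":"acct-42","amount":100}'  # constructed payload
    sig = sign_request(DEMO_KEY, "POST", "/v1/transfer", body, ts)
    ok = verify_request(DEMO_KEY, "POST", "/v1/transfer", body, ts, sig, now=ts + 10)
    altered_body = b'{"to":"acct-42","amount":9999}'
    tampered = verify_request(DEMO_KEY, "POST", "/v1/transfer", altered_body, ts, sig, now=ts + 10)
    replayed = verify_request(DEMO_KEY, "POST", "/v1/transfer", body, ts, sig, now=ts + 3600)
    return ok, tampered, replayed
```

Within the freshness window an identical request would still verify, so a server that must reject exact replays also needs a nonce or request-id store.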

Methodology
Testing covers the following areas:
- Authentication and session management
- Authorization
- Input validation
- Output encoding
- Cryptography
- Message integrity
- HTTP return codes
Requirements
Before a penetration test is conducted, the client needs to satisfy the requirements given below:
- The client needs to provide the URLs of all the APIs in scope.
- The client needs to provide a VPN connection to reach the API packages if they are hosted on an internal server.