A comprehensive list of ways to break an API server in order to test its error handling capabilities.

From dev.to (6 min read)
Table of contents
1. Empty or missing required fields
2. Invalid field values - exceeding character limits
3. Invalid field values - malformed data
4. Extra or irrelevant keys in the payload
5. Incorrect or invalid HTTP methods
6. Invalid endpoint paths
7. Query parameters instead of using the request body in POST requests
8. Missing or invalid authentication headers (e.g., API keys)
9. Incorrect data structure - array instead of an object
10. Incorrect data structure - object instead of an array
11. JSON formatting issues - invalid Unicode characters
12. Duplicate keys in the payload
13. Invalid or unsupported content types (e.g., sending XML instead of JSON)
14. Exceeding payload size limits
15. Invalid or expired authentication tokens
16. Using special characters in field values
17. Sending nested objects instead of simple key-value pairs
18. Sending data in the wrong data type (e.g., string instead of integer)
19. Sending null values for required fields
20. Using reserved keywords in field names
21. Sending incomplete or malformed multipart file uploads
22. Incorrect or missing URL encoding for special characters
23. Sending a request body in GET requests
24. Invalid date or time formats
25. Using non-ASCII characters in field names
26. Sending deeply nested objects
27. Using non-printable or control characters in field values
28. Sending the same field multiple times with different values
29. Missing or invalid Content-Length headers for request bodies
30. Using spaces or special characters in field names
31. Sending invalid or malformed JSONP callbacks
32. Sending the payload as a single string instead of key-value pairs
33. Sending boolean values as strings (e.g., "true" instead of true)
34. Using HTTP methods the endpoint does not expect (e.g., PATCH, CONNECT; both are standard methods, but most endpoints do not handle them)
35. Sending unsupported HTTP version numbers
36. Sending multiple authentication headers (e.g., both API key and token)
37. Sending unnecessary or invalid CORS headers
38. Sending conflicting query parameters and request body data
39. Using non-standard characters in authentication header values
40. Sending negative numbers for fields that should only accept positive values
41. Sending timestamps in the future or past beyond the expected range
42. Using HTML, JavaScript, or SQL code in field values to attempt code injection
43. Using different character encodings in the payload (e.g., UTF-8, UTF-16)
44. Sending arrays with mixed data types
45. Sending field values as arrays or objects instead of simple data types (e.g., string, number)
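The list above is a catalogue; what a tester actually needs is a generator that turns it into concrete requests, and what a developer needs is to see the checks that turn each one into a clean 4xx rather than a 500. The example below is added here and is not code from the dev.to post. It assumes a hypothetical `POST /users` endpoint with `name`, `age` and `email` fields, a 4 KiB body limit and a nesting limit of 8 (all assumptions), and covers roughly half of the list: missing, null, oversized, wrong-typed and control-character field values, bool-for-int, extra keys, array-or-string top level, duplicate keys, truncated and non-UTF-8 bodies, deep nesting, payload size, wrong `Content-Type` and wrong method. The handler is an in-process stand-in for a server, so the whole thing runs offline; point the generator at a real endpoint by sending each `(method, headers, raw_body)` tuple with your HTTP client of choice.

```python
import json
import re

# Constructed schema for a hypothetical POST /users endpoint (assumption, not from the post).
SCHEMA = {
    "name":  {"type": str, "required": True,  "max_len": 64},
    "age":   {"type": int, "required": True,  "min": 0, "max": 150},
    "email": {"type": str, "required": False, "max_len": 254},
}
VALID_BODY = {"name": "alice", "age": 30, "email": "alice@example.com"}
JSON_HDR = {"Content-Type": "application/json"}
MAX_BODY_BYTES = 4096  # assumed request-size limit
MAX_DEPTH = 8          # assumed nesting limit

def generate_cases(valid=VALID_BODY, schema=SCHEMA):
    """Yield (label, method, headers, raw_body); raw_body is bytes exactly as sent on the wire."""
    def jb(obj):
        return json.dumps(obj).encode("utf-8")
    def post(label, obj):
        return label, "POST", JSON_HDR, jb(obj)
    yield post("valid baseline", valid)
    yield "json with charset parameter", "POST", {"content-type": "application/json; charset=utf-8"}, jb(valid)
    for f, spec in schema.items():
        if spec["required"]:
            yield post(f"missing required field {f}", {k: v for k, v in valid.items() if k != f})
            yield post(f"null for required field {f}", {**valid, f: None})
        if spec["type"] is str:
            yield post(f"{f} exceeds {spec['max_len']} chars", {**valid, f: "A" * (spec["max_len"] + 1)})
            yield post(f"{f} as integer instead of string", {**valid, f: 123})
            yield post(f"{f} with control characters", {**valid, f: "a\x00b\x1f"})
        else:
            yield post(f"{f} as string instead of integer", {**valid, f: "30"})
            yield post(f"{f} as boolean instead of integer", {**valid, f: True})
            yield post(f"{f} negative", {**valid, f: -1})
    yield post("extra key in payload", {**valid, "isAdmin": True})
    yield post("array instead of object", [valid])
    yield post("payload as a single string", "name=alice&age=30")
    yield post("oversized payload", {**valid, "name": "A" * MAX_BODY_BYTES})
    # Hand-built bytes for the cases json.dumps cannot produce.
    yield "duplicate keys", "POST", JSON_HDR, b'{"name":"alice","age":30,"name":"mallory"}'
    yield "truncated JSON", "POST", JSON_HDR, b'{"name":"alice","age":30'
    yield "invalid UTF-8 bytes", "POST", JSON_HDR, b'{"name":"\xff\xfe","age":30}'
    yield "deeply nested value", "POST", JSON_HDR, b'{"name":' + b"[" * 200 + b"]" * 200 + b',"age":30}'
    yield "XML instead of JSON", "POST", {"Content-Type": "application/xml"}, b"<user><name>alice</name></user>"
    yield "wrong HTTP method", "PUT", JSON_HDR, jb(valid)

def _reject_duplicates(pairs):
    """object_pairs_hook: json.loads silently keeps the last duplicate; refuse instead."""
    out = {}
    for k, v in pairs:
        if k in out:
            raise ValueError(f"duplicate key {k!r}")
        out[k] = v
    return out

def _nesting_depth(text):
    """Max bracket depth with string literals stripped: a cheap pre-parse guard against deep nesting."""
    depth = deepest = 0
    for ch in re.sub(r'"(?:\\.|[^"\\])*"', "", text):
        depth += (ch in "[{") - (ch in "]}")
        deepest = max(deepest, depth)
    return deepest

def handle_request(method, headers, raw_body, schema=SCHEMA):
    """Reference checks in the order a server should run them (cheap header and size
    checks before any decoding); every failure is a 4xx with a structured error."""
    if method != "POST":
        return 405, {"error": "method not allowed"}
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if ctype.split(";")[0].strip().lower() != "application/json":  # parameters such as charset are fine
        return 415, {"error": "expected application/json"}
    if len(raw_body) > MAX_BODY_BYTES:
        return 413, {"error": "payload too large"}
    try:
        text = raw_body.decode("utf-8")
        if _nesting_depth(text) > MAX_DEPTH:
            return 400, {"error": "nesting too deep"}
        body = json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # UnicodeDecodeError and JSONDecodeError are both ValueErrors
        return 400, {"error": f"undecodable body: {exc}"}
    if not isinstance(body, dict):
        return 400, {"error": "top-level value must be an object"}
    if unknown := sorted(set(body) - set(schema)):
        return 400, {"error": f"unknown fields: {unknown}"}
    for f, spec in schema.items():
        val = body.get(f)
        if val is None:  # absent or explicit null
            if spec["required"]:
                return 422, {"error": f"{f} is required"}
            continue
        if type(val) is not spec["type"]:  # exact match, so true/false is not accepted as an int
            return 422, {"error": f"{f} must be {spec['type'].__name__}"}
        if spec["type"] is str and (len(val) > spec["max_len"] or any(ord(c) < 0x20 for c in val)):
            return 422, {"error": f"{f} too long or contains control characters"}
        if spec["type"] is int and not spec["min"] <= val <= spec["max"]:
            return 422, {"error": f"{f} out of range"}
    return 201, {"created": body}

def run_all():
    """Map each case label to the status the reference handler returns for it."""
    return {label: handle_request(m, h, b)[0] for label, m, h, b in generate_cases()}
```

Call `run_all()` to get a label-to-status map; against a real server, the pass criterion is the same: every case except the two valid ones must come back as a 4xx with a parseable error body, and a 5xx or a hang on any of them is a finding. Two details are worth copying into your own handlers: `json.loads` silently keeps the last of two duplicate keys unless you supply `object_pairs_hook`, which is how "the same field multiple times with different values" slips past validation, and `isinstance(True, int)` is true in Python, so type checks that accept an int will also accept `true` unless they compare the exact type. The `charset` case is the opposite caveat: a `Content-Type` check that demands the literal string `application/json` rejects well-behaved clients.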