Document key parameters
An API's attack surface consists of its inputs and outputs: every place where data enters or leaves the API is a place where it can be attacked. Enumerating these inputs and outputs is how you determine where the API may be vulnerable. They include:
API calls
URL parameters
Headers
Cookies
Web responses
File uploads
API keys
Identify the inputs and outputs of the API: The inputs and outputs of an API can be identified from the endpoints it provides. Make requests to each endpoint, interacting with the resources the API exposes. The responses the API sends back contain the information needed to understand the structure of the data being returned, and so which fields to record as outputs.
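To make the inventory step concrete, here is an added example (not code from the original page) that builds an attack-surface inventory from captured request/response pairs, sorting what it observes into the categories listed above: URL parameters, headers, cookies, API-key headers, file uploads and web-response fields. The exchanges and the api.example.test host are constructed for illustration; a real run would feed it exchanges recorded from a proxy or test client.

```python
import json
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Constructed sample exchanges against a hypothetical API (not a real service).
EXCHANGES = [
    {"method": "GET", "url": "https://api.example.test/v1/users?id=42&expand=profile",
     "headers": {"Accept": "application/json", "Authorization": "Bearer <token>",
                 "X-Api-Key": "<key>", "Cookie": "session=abc; theme=dark"},
     "response_body": '{"id": 42, "email": "a@example.test", "profile": {"role": "admin"}}'},
    {"method": "POST", "url": "https://api.example.test/v1/avatars",
     "headers": {"Content-Type": "multipart/form-data; boundary=xyz", "Cookie": "session=abc"},
     "response_body": '{"url": "/static/avatars/42.png"}'},
]
CREDENTIAL_HEADERS = {"authorization", "x-api-key"}  # inputs that carry API keys/tokens

def json_paths(obj, prefix=""):
    """Flatten a JSON response body into dotted key paths (documents the output structure)."""
    if isinstance(obj, dict):
        return [p for k, v in obj.items() for p in json_paths(v, f"{prefix}{k}.")]
    if isinstance(obj, list):
        base = prefix.rstrip(".") + "[]"
        return json_paths(obj[0], base + ".") if obj else [base]
    return [prefix.rstrip(".")]

def inventory(exchanges):
    """Return {"METHOD /path": {...}} listing each endpoint's inputs and outputs."""
    surface = {}
    for ex in exchanges:
        parts = urlsplit(ex["url"])
        entry = surface.setdefault(f"{ex['method']} {parts.path}", {
            "url_params": set(), "headers": set(), "cookies": set(),
            "api_keys": set(), "file_upload": False, "response_fields": set()})
        entry["url_params"].update(name for name, _ in parse_qsl(parts.query))
        for name, value in ex["headers"].items():
            lname = name.lower()
            if lname == "cookie":                    # each cookie name is a separate input
                entry["cookies"].update(SimpleCookie(value).keys())
            elif lname in CREDENTIAL_HEADERS:        # API keys and bearer tokens
                entry["api_keys"].add(name)
            elif lname == "content-type" and value.startswith("multipart/form-data"):
                entry["file_upload"] = True          # multipart request body: file upload input
            else:
                entry["headers"].add(name)
        try:                                         # web response fields are the outputs
            entry["response_fields"].update(json_paths(json.loads(ex["response_body"])))
        except ValueError:
            entry["response_fields"].add("<non-JSON body>")
    return surface
```

The resulting table is the starting point for the rest of the review: each set is a list of inputs to fuzz and validate, and each response field is an output to check for over-exposure.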