API Security Testing with Schemathesis

When to use

Prerequisites

• Schemathesis installed (

  pip install schemathesis

  )
• API must be running with an accessible OpenAPI spec or GraphQL endpoint
• Verify:

  schemathesis --version

Instructions

1. Identify the target — Confirm the API schema URL and base URL.
2. Run the scan:
   OpenAPI:
   bash

   schemathesis run <openapi-url> --report > schemathesis-report.txt

   GraphQL:
   bash

   schemathesis run <graphql-url> --report

   • With authentication:

     schemathesis run <url> --auth user:pass

   • Bearer token:

     schemathesis run <url> --header "Authorization: Bearer <token>"

   • Specific endpoints:

     schemathesis run <url> --endpoint "/api/users"

   • Stateful testing:

     schemathesis run <url> --stateful=links

3. Parse the results — Present findings:

| # | Endpoint | Method | Issue Type | Status Code | Finding | Reproduction |
|---|----------|--------|------------|-------------|---------|-------------|

1. Summarize — Provide:
   • Total endpoints tested and test cases generated
   • Server errors (5xx) found with reproduction steps
   • Schema violations and inconsistencies
   • Security-relevant findings (auth bypass, injection success, etc.)

Issue Types Detected