API Bugs
// 4 bugs
Bugs in HTTP status codes, request validation, response schemas, error messages, and API contracts.
// Why it matters
API bugs can silently break integrations, mislead clients about what actually happened, and create data integrity problems downstream. Retry logic, monitoring and alerting are usually keyed on the HTTP status code, so a wrong code hides the failure from every layer that relies on it. A 200 OK response for a failed validation is one of the most common API bugs and a classic QA interview topic.
// Common symptoms
- 200 OK returned when input validation fails
- Required field accepted as empty or missing
- Error message says success but no record was created
- Response schema differs from what the API documentation describes
- Rate limits not enforced under load
- Duplicate resource created when the same request is retried
// Bugs in this category
When an API endpoint receives invalid input and returns HTTP 200 OK instead of an appropriate 4xx status code, the client cannot distinguish a successful operation from a failed one by checking the HTTP status alone. Error information is buried in the response body, breaking clients, retry logic and monitoring that rely on standard HTTP semantics; the failure only surfaces when someone reads the body by hand.
An API endpoint declares a field as required in its documentation or schema but accepts a request where that field is absent, null, or an empty string, and proceeds as if the operation succeeded. Records are created or updated with missing data, silently violating the intended data model.
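The two bugs above usually appear together, so here is one added example (not code from the practice app) that shows them side by side for a hypothetical POST /api/orders: a buggy handler that always answers 200 and persists incomplete records, a hardened handler that rejects with 400 before touching storage, and a client-side audit that catches either behaviour. The field names, the in-memory store and the sample payloads are all assumed for the demo.

```python
# Added example, not the practice app's code. Endpoint shape, field names
# and the list-backed "store" are assumptions for illustration.
import json

REQUIRED_FIELDS = ("customer_id", "sku", "quantity")


def _is_missing(value):
    # Absent, null and blank strings are the same bug from the data model's
    # point of view, so treat all three as "not supplied".
    return value is None or (isinstance(value, str) and not value.strip())


def validate_order(payload):
    """Return a dict of field -> error message; an empty dict means valid."""
    errors = {}
    for field in REQUIRED_FIELDS:
        if _is_missing(payload.get(field)):
            errors[field] = "required"
    qty = payload.get("quantity")
    # bool is a subclass of int, so exclude it explicitly.
    if "quantity" not in errors and (
        not isinstance(qty, int) or isinstance(qty, bool) or qty < 1
    ):
        errors["quantity"] = "must be a positive integer"
    return errors


def create_order_buggy(payload, store):
    """The bug: always 200, and a record is written even when fields are missing."""
    errors = validate_order(payload)
    order = {"id": len(store) + 1, **{f: payload.get(f) for f in REQUIRED_FIELDS}}
    store.append(order)  # persists an incomplete record
    body = {"success": not errors, "errors": errors, "order": order}
    return 200, json.dumps(body)


def create_order_fixed(payload, store):
    """Hardened: reject with 400 before touching storage, 201 on success."""
    errors = validate_order(payload)
    if errors:
        return 400, json.dumps({"error": "validation_failed", "fields": errors})
    order = {"id": len(store) + 1, **{f: payload[f] for f in REQUIRED_FIELDS}}
    store.append(order)
    return 201, json.dumps({"order": order})


# Constructed payloads: one valid, the rest exercising each "missing" shape.
SAMPLE_PAYLOADS = [
    {"customer_id": "c-1", "sku": "A100", "quantity": 2},   # valid
    {"customer_id": "c-1", "sku": "A100"},                  # quantity absent
    {"customer_id": None, "sku": "A100", "quantity": 1},    # null
    {"customer_id": "c-1", "sku": "   ", "quantity": 1},    # blank string
    {"customer_id": "c-1", "sku": "A100", "quantity": 0},   # out of range
]


def audit_handler(handler):
    """QA check: run every sample payload and report contract violations.

    A violation is a non-4xx status for an invalid payload, a record persisted
    for a payload that failed validation, or a valid payload being rejected."""
    store = []
    violations = []
    for payload in SAMPLE_PAYLOADS:
        before = len(store)
        status, _body = handler(payload, store)
        invalid = bool(validate_order(payload))
        if invalid and not 400 <= status < 500:
            violations.append(("bad_status", payload, status))
        if invalid and len(store) > before:
            violations.append(("persisted_invalid", payload, status))
        if not invalid and status not in (200, 201):
            violations.append(("rejected_valid", payload, status))
    return violations
```

The audit never looks at the body's `success` flag: that is the point. If the only way to learn that a request failed is to parse a body field, every generic HTTP client, proxy and dashboard in the path will report the call as a success.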
The POST /api/search endpoint accepts an unlimited number of requests per second from the same client. There is no per-client throttle and no 429 Too Many Requests response. A single client can saturate the server by sending requests in a tight loop without any backpressure.
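As an added example (not the practice app's code) of the throttle that is missing above, here is a per-client token bucket in front of a hypothetical POST /api/search handler. Client identity is an opaque string the caller supplies (an API key or authenticated user id, assumed here), the bucket sizes are illustrative, and the clock is injectable so the behaviour can be checked deterministically.

```python
# Added example, not the practice app's code. Endpoint, client id scheme
# and limits (5 burst, 1 request/second) are assumptions for illustration.
import math
import time


class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `rate` tokens/second."""

    def __init__(self, capacity, rate, now):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.updated = now

    def try_consume(self, now):
        # Refill based on elapsed time, capped at capacity.
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True, 0
        # Seconds until one token is available, rounded up for Retry-After.
        wait = (1 - self.tokens) / self.rate
        return False, max(1, math.ceil(wait))


class RateLimiter:
    """One bucket per client id; unknown clients get a fresh, full bucket."""

    def __init__(self, capacity=5, rate=1.0, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.buckets = {}

    def check(self, client_id):
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.capacity, self.rate, now)
        return bucket.try_consume(now)


def handle_search(limiter, client_id, query):
    """Returns (status, headers, body). 429 carries Retry-After so clients back off."""
    allowed, retry_after = limiter.check(client_id)
    if not allowed:
        return 429, {"Retry-After": str(retry_after)}, {"error": "rate_limited"}
    # Stand-in for the real search.
    return 200, {}, {"results": [], "query": query}


def hammer(limiter, client_id, n):
    """Send n requests back to back from one client; return the status codes."""
    return [handle_search(limiter, client_id, "x")[0] for _ in range(n)]


class FakeClock:
    """Deterministic clock for demos and tests; advance by setting .t."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t
```

Keying the bucket on something the client controls (a header it can change, a source IP behind shared NAT) makes the limit trivially bypassed or unfair; key it on the authenticated identity where one exists. In a multi-process deployment the bucket state has to live in shared storage, otherwise each worker enforces its own, larger limit.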
When POST /api/orders receives an invalid payload, an unhandled exception causes the server to return an HTTP 500 response body containing a full stack trace with internal file paths, database table names, and query text. This information disclosure allows an attacker to map the application's internal structure and identify further attack targets.
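An added example (not the practice app's code) of the leak above beside its fix: a hypothetical POST /api/orders handler whose persistence layer raises on bad input. The leaky version returns the traceback as the body; the hardened version logs the full traceback server-side under a correlation id and sends the client only that id. The database stub and the detail in its exception message are constructed for the demo.

```python
# Added example, not the practice app's code. The persistence layer is a stub
# whose exception text imitates a real driver's; the table name is invented.
import json
import logging
import traceback
import uuid

log = logging.getLogger("api")


def insert_order(payload):
    # Stand-in for the persistence layer: raises on a malformed payload with
    # the kind of query detail a real driver error would carry.
    if not isinstance(payload.get("quantity"), int):
        raise TypeError(
            "invalid input syntax for type integer in "
            "INSERT INTO orders (customer_id, quantity) VALUES (...)"
        )
    return {"id": 1}


def handle_order_leaky(payload):
    """The bug: the traceback (paths, table names, query text) becomes the body."""
    try:
        return 201, json.dumps(insert_order(payload))
    except Exception:
        # Typical debug-mode behaviour: dump everything to the client.
        return 500, traceback.format_exc()


def handle_order_hardened(payload):
    """Log the traceback server-side under a correlation id; client gets only the id."""
    try:
        return 201, json.dumps(insert_order(payload))
    except Exception:
        error_id = uuid.uuid4().hex
        log.error("unhandled error %s\n%s", error_id, traceback.format_exc())
        return 500, json.dumps({"error": "internal_error", "error_id": error_id})


# Strings that should never appear in a response body sent to a client.
LEAK_MARKERS = ("Traceback", 'File "', "INSERT INTO", ".py")


def leaked_markers(body):
    """QA check: which internal-detail markers appear in a response body."""
    return [m for m in LEAK_MARKERS if m in body]
```

The generic 500 is a backstop, not a substitute for validation: malformed input should be caught by a 400 before it reaches the database. The correlation id is what lets support tie a client's report back to the full log entry without exposing anything about the server in the response.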
// Explore other categories
Authentication Bugs
Bugs in login, logout, password reset, session management, tokens, and multi-factor flows.
Permission and Authorization Bugs
Bugs where users can access, edit, delete, or view resources they shouldn't be allowed to.
UI and Frontend Bugs
Bugs affecting layout, forms, responsiveness, error messages, and how the interface behaves across browsers and screen sizes.
Data Bugs
Bugs involving incorrect, duplicated, stale, missing, or inconsistent data across the application.
Payment Bugs
Bugs in checkout flows, payment retries, webhooks, refunds, subscriptions, and invoices.
Time and Date Bugs
Bugs caused by timezone mismatches, daylight saving transitions, date range errors, and locale differences.
Search and Filter Bugs
Bugs in search results, filters, pagination, sorting, and result counts.
File Upload Bugs
Bugs in file type validation, size limits, upload progress, storage, and file preview.
Notification Bugs
Bugs in email delivery, push notifications, in-app alerts, webhooks, and notification preferences.
// Practise finding these bugs
Hunt API bugs hands-on in a live practice app, then check your findings against the seeded-bug answer guide.