
Introduction

Metlo’s built-in testing framework helps you get to 100% Security Coverage on your highest risk APIs. You can build tests in a YAML format to ensure your API is working as intended and secure against common vulnerabilities.

Key Features

  • Auto-generated Tests - Automatically generate tests for OWASP Top 10 vulnerabilities like BOLA, Broken Authentication, SQL Injection and more
  • Custom Test Templates - Create your own test templates for specific security requirements
  • YAML-Based Configuration - Write tests in a simple, readable YAML format
  • CI/CD Integration - Integrate with your CI/CD pipeline to find issues in development and staging
  • Built-in Templates - Pre-built templates for common security tests

Available Test Templates

Metlo provides built-in templates for common security vulnerabilities:

  • BOLA - Test for Broken Object Level Authorization vulnerabilities
  • Broken Authentication - Verify authentication is properly enforced on protected endpoints
  • SQL Injection - Test for SQL injection vulnerabilities using time-based detection
  • Content Security Policy - Validate CSP headers are properly configured
  • HSTS - Ensure HTTP Strict Transport Security is enabled
  • Multi-Tenant BOLA - Test for authorization issues in multi-tenant applications

How It Works

  1. Write Tests - Create test files in YAML format that define API requests and expected responses
  2. Run Tests - Execute tests using the Metlo CLI or integrate them into your CI/CD pipeline
  3. Review Results - View detailed test results including failed assertions and request/response data
  4. Fix Issues - Address security vulnerabilities identified by the tests

Test Structure

A Metlo test consists of:
  • Test ID - Unique identifier for the test
  • Metadata - Name, severity level, and tags
  • Environment Variables - Configuration values used across test steps
  • Test Steps - Sequence of HTTP requests with assertions
  • Assertions - Conditions that must be true for the test to pass

Quick Example

Here’s a simple test that verifies authentication is required:

```yaml
id: auth-required-test

meta:
  name: Verify Authentication Required
  severity: HIGH
  tags:
    - BROKEN_AUTHENTICATION

test:
  - request:
      method: GET
      url: https://api.example.com/protected
      headers:
        - name: Authorization
          value: Bearer valid-token
    assert:
      - key: resp.status
        value: 200

  - request:
      method: GET
      url: https://api.example.com/protected
    assert:
      - key: resp.status
        value: [401, 403]
```
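To make the assertion semantics of that example concrete, here is a small illustrative runner in Python. It is an added example, not Metlo's own code: it embeds the YAML above as an already-parsed dict, assumes (as the example suggests) that a scalar `value` must match exactly while a list `value` names the acceptable results, and stands in for the API with two constructed fakes, one that enforces the bearer token and one that does not.

```python
# Illustrative runner for the test layout above (added example, not Metlo's own code).
# The YAML example is embedded as an already-parsed dict so no YAML library is needed.
AUTH_REQUIRED_TEST = {
    "id": "auth-required-test",
    "meta": {"name": "Verify Authentication Required", "severity": "HIGH",
             "tags": ["BROKEN_AUTHENTICATION"]},
    "test": [
        {"request": {"method": "GET", "url": "https://api.example.com/protected",
                     "headers": [{"name": "Authorization", "value": "Bearer valid-token"}]},
         "assert": [{"key": "resp.status", "value": 200}]},
        {"request": {"method": "GET", "url": "https://api.example.com/protected"},
         "assert": [{"key": "resp.status", "value": [401, 403]}]},
    ],
}

def resolve(resp, key):
    """Walk a dotted key such as 'resp.status' into the response dict."""
    parts = key.split(".")
    if parts[0] != "resp":
        raise ValueError(f"unsupported assertion key: {key}")
    node = resp
    for part in parts[1:]:
        node = node[part]
    return node

def assertion_holds(resp, assertion):
    """Assumed semantics: a scalar value must match exactly; a list value lists acceptable values."""
    actual = resolve(resp, assertion["key"])
    expected = assertion["value"]
    return actual in expected if isinstance(expected, list) else actual == expected

def run_test(test, send):
    """Run each step via send(method, url, headers); return failures as (step, key, expected, actual)."""
    failures = []
    for n, step in enumerate(test["test"], start=1):
        req = step["request"]
        headers = {h["name"]: h["value"] for h in req.get("headers", [])}
        resp = send(req["method"], req["url"], headers)
        for a in step.get("assert", []):
            if not assertion_holds(resp, a):
                failures.append((n, a["key"], a["value"], resolve(resp, a["key"])))
    return failures

# Constructed stand-ins for the API under test: one enforces the bearer token, one does not.
def enforcing_api(method, url, headers):
    ok = headers.get("Authorization") == "Bearer valid-token"
    return {"status": 200 if ok else 401, "headers": {}, "body": ""}

def unauthenticated_api(method, url, headers):
    return {"status": 200, "headers": {}, "body": ""}
```

Against the enforcing stand-in the test passes with no failures; against the other, step 2 fails because the unauthenticated request still gets a 200, which is exactly the missing check the template is meant to surface.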

Next Steps

  • Writing Tests - Learn how to write security tests in YAML format
  • Running Tests - Execute tests using the Metlo CLI
  • CI/CD Integration - Integrate tests into your deployment pipeline
  • Custom Templates - Create your own test templates
