This meme is so far from reality
I saw this meme and honestly it’s so far from reality. We keep talking about shift-left, testing earlier, bringing QA into development, and then we share memes like this, implying API testing somehow doesn’t make sense. First of all, the API itself can be the product. Second: even if it’s not, an API always needs to be tested separately. Different bugs. Different rules. Different risks. You don’t test...
AI and Rentgen are best friends
AI generates code and APIs faster than humans can realistically validate them. More APIs → more drift → more regressions. That’s exactly why Rentgen exists. Rentgen helps teams quickly understand how their APIs behave under real-world input: before writing tests, before CI, before production incidents. As AI accelerates software creation, the need for fast API diagnostics only grows. 👉...
Amazon API Testing: What 2 Minutes of Structural Analysis Revealed
We recently ran Rentgen against a simple production API endpoint responsible for updating a child profile. No fuzzing. No custom scripts. No red team setup. Just a real captured request and automated structural testing. In under two minutes, Rentgen surfaced:
- Incorrect status code semantics (400 instead of 401)
- Unsupported method returning 403 instead of 405
- HTML error pages leaking from a JSON...
Testing Proton Pass API Without Knowing Its Architecture
I took a real Proton Pass API request straight from the browser and ran it through Rentgen. No architecture knowledge. No configs. No scripts. Just import cURL → generate tests → wait a minute. The result? Rentgen surfaced protocol-level signals around:
- Large payload handling
- Authentication gate ordering
- Route semantics (404 vs 405)
- OPTIONS method clarity
This isn’t a “security drama”...
ChatGPT Telemetry Crashes on Invalid Input (Yes, Really)
Everyone says telemetry “doesn’t matter”. Until it starts returning 500 Internal Server Error. I pointed Rentgen at one of ChatGPT’s internal telemetry endpoints — the one triggered when you click Copy under a message. Nothing exotic. I literally copied the cURL from the browser and pasted it into Rentgen. Then I let Rentgen do what it does best: mutate inputs. Result? Sending perfectly valid...
Clickjacking — when your users click things they never meant to
Clickjacking is one of those “everything works” security problems that teams ignore because nothing crashes, nothing burns, and monitoring stays green. And that’s exactly why it survives. Your API can be flawless, your backend locked down — but if your UI can be framed, a user can be tricked into clicking real actions through someone else’s page. Approvals, settings, payments, permissions. All...
Your API Is Leaking Its Server Version. Yes, That’s Still a Thing
There’s a special kind of security failure that doesn’t come from complex exploits or zero-days. It comes from your API politely introducing itself to the entire internet: “Hi, I’m nginx 1.18.0.” This isn’t advanced hacking. It’s basic fingerprinting — and it’s how attackers decide whether you’re worth attacking at all. Exposing server versions turns vulnerability scanning into shopping with a...
If a problem can be solved without AI, does AI actually make it better?
I recently had an interesting conversation with an investor. I was explaining a very concrete technical problem and the solution behind it. At some point he asked: “Won’t AI solve this in a few years? If so, doesn’t that make your solution irrelevant?” That question stuck with me — because my instinctive reaction was: why would that make it irrelevant? If a problem can be solved without AI,...
After testing hundreds of APIs, the biggest issues are still HTTP basics
After years of testing APIs across fintech, gov, and internal platforms, I keep seeing the same pattern: Most API bugs are not complex. They’re boring HTTP basics that teams quietly forget. A few examples I see again and again:
- Missing auth returns 403 instead of 401 — so clients debug permissions instead of authentication
- Unsupported HTTP methods return 200 — so people debug payloads instead...
I spent 18 years breaking software, now I built a tool that does it faster than I ever could
I’m Liudas — a QA engineer with 18 years of experience in backend/API testing, leading QA teams in security-critical environments in the UAE. I built Rentgen because most API bugs are simple edge cases no one has time to test manually. One cURL → hundreds of generated test cases. All local, no cloud, no telemetry. I believe in no-nonsense engineering, fast feedback loops, and tools that help...