Amazon API Testing: What 2 Minutes of Structural Analysis Revealed
We recently ran Rentgen against a simple production API endpoint responsible for updating a child profile.
No fuzzing. No custom scripts. No red team setup.
Just a real captured request and automated structural testing.
In under two minutes, Rentgen surfaced:
Incorrect status code semantics (400 instead of 401)
Unsupported method returning 403 instead of 405
HTML error pages leaking from a JSON API
Oversized payload not rejected early with 413
CDN-level behavior interfering with API contract
This was not a security audit. This was structural API contract analysis.
Large systems rarely fail loudly. They drift — in validation order, status semantics, and edge handling.
Full technical breakdown here: 👉 https://rentgen.io/api-stories/amazon-profile-update-api-testing-case-study.html
Rentgen focuses on Automation Before Automation — finding protocol-level issues before test suites even exist.
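Added example, not part of the original post and not Rentgen's code: a small Python checker that applies the status-code and content-type expectations listed above to captured probe responses. The probe names, the `check_response` and `audit` helpers, and the sample responses are all constructed for illustration; the only outside fact used is that HTTP semantics call for an `Allow` header on a 405.

```python
# Status each probe should produce under standard HTTP semantics.
EXPECTED = {
    "missing_auth": 401,        # no credentials: 401, not a generic 400
    "unsupported_method": 405,  # method not allowed: 405, not 403
    "oversized_payload": 413,   # body too large: reject early with 413
}

# Constructed samples: (probe, status, headers, body). Not real captures.
SAMPLES = [
    ("missing_auth", 400, {"Content-Type": "application/json"},
     '{"message": "bad request"}'),
    ("unsupported_method", 403, {"Content-Type": "text/html"},
     "<html><body>Forbidden</body></html>"),
    ("oversized_payload", 400, {"Content-Type": "application/json"},
     '{"message": "invalid input"}'),
    ("unsupported_method", 405,
     {"Content-Type": "application/json", "Allow": "PUT"},
     '{"error": "method not allowed"}'),
]

def check_response(probe, status, headers, body):
    """Return the contract findings for one probe/response pair."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    want = EXPECTED.get(probe)
    if want is not None and status != want:
        findings.append(f"{probe}: got {status}, expected {want}")
    if status == 405 and "allow" not in hdrs:
        findings.append("405 without Allow header")
    # A JSON API should not answer errors with an HTML page
    # (often a sign that a CDN or proxy generated the response).
    ctype = hdrs.get("content-type", "").lower()
    looks_html = body.lstrip().lower().startswith(("<!doctype", "<html"))
    if status >= 400 and ("html" in ctype or looks_html):
        findings.append("HTML error body from JSON API")
    return findings

def audit(samples):
    """Check every sample; one list of findings per sample, in order."""
    return [check_response(*s) for s in samples]

if __name__ == "__main__":
    for sample, found in zip(SAMPLES, audit(SAMPLES)):
        print(sample[0], sample[1], "->", found or "ok")
```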