Service

API security testing.

Manual API penetration testing across REST, GraphQL, gRPC and WebSocket. Aligned to OWASP API Security Top 10 (2023) with deep focus on authorization flaws — the class of bug that scanners cannot find. Every finding ships with a working proof-of-concept.


The invisible attack surface.

APIs now carry the majority of sensitive traffic on the modern internet — mobile backends, partner integrations, microservice meshes, headless commerce. They’re also the part of the attack surface most poorly tested. Public scanners report on the front-end while billions of authenticated API requests go unchecked.

Our API security testing treats your API as an attacker would: authorization is the primary battleground. BOLA, BFLA, and broken object property level authorization make up the majority of high-impact findings we report — and none of them are found by automated tools.

OWASP API Security Top 10 (2023).

Every API engagement covers the complete OWASP API Security Top 10:

  • API1: Broken Object Level Authorization (BOLA) — the #1 API risk; horizontal and vertical access checks
  • API2: Broken Authentication — weak credentials, brute force, token theft, MFA bypass
  • API3: Broken Object Property Level Authorization — excessive data exposure and mass assignment
  • API4: Unrestricted Resource Consumption — rate-limit bypass, DoS, billing manipulation
  • API5: Broken Function Level Authorization (BFLA) — admin endpoints accessible to standard users
  • API6: Unrestricted Access to Sensitive Business Flows — bot abuse, scraping, fraud chains
  • API7: Server-Side Request Forgery (SSRF) — cloud metadata, internal scanning, DNS rebinding
  • API8: Security Misconfiguration — verbose errors, default credentials, missing headers
  • API9: Improper Inventory Management — shadow APIs, deprecated versions, dev endpoints
  • API10: Unsafe Consumption of APIs — SSRF via webhook, third-party API trust failures

What we test.

Authentication & tokens

  • JWT algorithm confusion (alg=none, RS256 to HS256), weak secrets, kid injection
  • OAuth 2.0 misconfiguration — PKCE bypass, open redirect chains, scope escalation
  • API key handling — rotation, scoping, transport security
  • Token replay, refresh token abuse, session fixation in stateful APIs

Authorization

  • BOLA across every endpoint and every relationship between objects
  • BFLA on admin and privileged actions, including hidden endpoints
  • Object property authorization (sensitive fields exposed in responses)
  • Tenant isolation in multi-tenant SaaS APIs

Data exposure

  • Excessive data in responses (the API3 classic)
  • Mass assignment via JSON, query parameters, and header injection
  • Verbose error messages leaking stack traces, DB schema, internal IPs
  • Cache poisoning of authenticated endpoints

Resource consumption

  • Rate-limit bypass via headers, casing, alternate transports
  • GraphQL depth and complexity DoS, batching abuse, alias amplification
  • Pagination abuse leading to billing or data exfiltration
  • File upload size, type, and content validation

Protocols & formats.

  • REST — JSON, XML, multipart, custom content types
  • GraphQL — introspection, fragments, aliases, mutations, subscriptions
  • gRPC — protobuf manipulation, server-streaming, reflection
  • WebSocket — auth on upgrade, message tampering, channel hijack
  • Server-Sent Events — auth, CORS bypass
  • OData, JSON-RPC, SOAP — legacy formats still in scope
  • OpenAPI/Swagger & Postman — documentation parsing and endpoint discovery

Our methodology.

  1. Documentation review. Parse OpenAPI/Swagger or GraphQL schema, identify endpoints, methods, and parameters. Combine with traffic capture for undocumented endpoints.
  2. Endpoint mapping. Build a per-role matrix of every endpoint and every object relationship. This drives BOLA testing.
  3. Authentication abuse. Token analysis, refresh flows, MFA bypass, account takeover paths.
  4. Authorization fuzzing. Test every endpoint with every user role and every cross-tenant relationship. The most labour-intensive phase — and where most critical findings emerge.
  5. Business logic. Multi-step abuse, race conditions, idempotency violations, payment tampering.
  6. Reporting & retest. Postman collection of PoC requests, replay-ready, included with the report. Free retest within 30 days.
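The per-role authorization matrix built in step 2 and exercised in step 4 can be expressed as a runnable regression check. The example below is added here and is not the provider's tooling; it uses a constructed, hypothetical tenant API (`mock_api`) with a deliberately missing ownership check so the matrix has something to catch, and classifies each mismatch as BOLA (horizontal) or BFLA (vertical) as the OWASP list above defines them.

```python
# Constructed sample authorization matrix for a hypothetical tenant API:
# per role and endpoint, the status expected when the target object is the
# caller's own ("own") or another tenant's ("other"). Unlisted cells are out
# of scope for this check.
EXPECTED = {
    ("user",  "GET /orders/{id}"):    {"own": 200, "other": 403},
    ("user",  "DELETE /orders/{id}"): {"own": 200, "other": 403},
    ("user",  "GET /admin/users"):    {"own": 403, "other": 403},
    ("admin", "GET /orders/{id}"):    {"own": 200, "other": 200},
    ("admin", "DELETE /orders/{id}"): {"own": 200, "other": 200},
    ("admin", "GET /admin/users"):    {"own": 200, "other": 200},
}
ACTORS = {"user": "alice", "admin": "carol"}  # one test identity per role
OTHER_TENANT = "bob"                           # owner of the "other" objects


def mock_api(endpoint, role, owner):
    """Constructed stand-in for the API under test; a real run would send the
    request with the role's credentials. DELETE deliberately lacks the
    role/ownership check so the matrix reports a gap."""
    if endpoint == "GET /admin/users":
        return 200 if role == "admin" else 403
    if endpoint == "GET /orders/{id}":
        return 200 if role == "admin" or owner == ACTORS[role] else 403
    if endpoint == "DELETE /orders/{id}":
        return 200  # missing authorization check
    return 404


def find_authz_gaps(api, expected=EXPECTED):
    """Exercise every (role, endpoint, relation) cell and return mismatches.
    BOLA: the role may use the endpoint on its own objects but also reached
    another tenant's. BFLA: the role should not use the endpoint at all.
    over-restriction: legitimate access was denied (functional, not a breach)."""
    gaps = []
    for (role, endpoint), cells in expected.items():
        for relation, want in cells.items():
            owner = ACTORS[role] if relation == "own" else OTHER_TENANT
            got = api(endpoint, role, owner)
            if got == want:
                continue
            if want == 200:
                kind = "over-restriction"
            elif cells["own"] == 200 and relation == "other":
                kind = "BOLA"
            else:
                kind = "BFLA"
            gaps.append({"role": role, "endpoint": endpoint, "relation": relation,
                         "expected": want, "got": got, "class": kind})
    return gaps
```

Running `find_authz_gaps(mock_api)` against the constructed API returns one BOLA gap: the `user` role can delete another tenant's order. The same function run against a correct implementation returns an empty list.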

Tools & techniques.

  • Burp Suite Pro
  • Caido
  • Postman
  • InQL
  • graphw00f
  • Clairvoyance
  • jwt_tool
  • Authz Tester
  • Param Miner
  • ffuf
  • arjun
  • kiterunner
  • Custom Python tooling

Compliance alignment.

  • OWASP API Security Top 10 (2023) — full coverage
  • PCI-DSS v4.0 requirement 6.2.3 (application security testing)
  • ISO/IEC 27001:2022 Annex A 8.26 (application security requirements)
  • SOC 2 Type II CC8.1 change management and security testing
  • GDPR Article 32 technical and organizational measures
  • HIPAA § 164.312(a)(1) access control for API-served PHI

What you receive.

  • Executive summary with risk posture and headline findings
  • Technical report with PoC for every finding, CVSS scoring, OWASP API mapping
  • Postman collection of replay-ready exploit requests
  • Authorization matrix — the per-endpoint, per-role access map we built
  • Endpoint inventory delta — what we found that wasn’t in your OpenAPI spec
  • Remediation guidance mapped to your framework (Express, FastAPI, Spring, Go)
  • Free retest within 30 days with clean attestation

Frequently asked questions.

What is the OWASP API Security Top 10?

It’s the industry-standard list of the most critical API security risks — including BOLA (Broken Object Level Authorization), broken authentication, broken object property level authorization, unrestricted resource consumption, and SSRF. We test every API engagement against the full list.

Do you test GraphQL APIs?

Yes — GraphQL testing is a specialty. Introspection, batching attacks, depth and complexity DoS, BOLA via object IDs, alias abuse, mutation tampering, and IDOR through nested queries.

How long does API testing take?

A focused API assessment runs 2–3 days for a small surface (10–30 endpoints), 5–7 days for a large public API. We scope by endpoint count, authentication complexity, and number of user roles.

What do I need to provide?

Ideally: API documentation (OpenAPI/Swagger, GraphQL schema), test credentials for each user role, a staging environment URL, and a designated point of contact. We can also work with production with rate-limiting agreements in place.

Can you test mobile app backends?

Yes. We proxy the mobile app, capture the backend API traffic, and treat it as an API engagement. Optionally we can also test the mobile binary itself (root/jailbreak detection, certificate pinning, secret extraction).


Don’t leave authorization to chance

Scope an API engagement.

30-minute free call. Share your OpenAPI spec or GraphQL schema and we’ll have a proposal in your inbox within 24 hours.