pentest · api

Test the contract your clients depend on.

REST and GraphQL APIs tested manually for the patterns scanners miss: broken object-level authorization, mass assignment, batched query abuse, business-logic flaws, schema introspection leaks, rate-limit bypass.

01. in scope

What we test.

Coverage maps to OWASP API Security Top 10 (2023) plus GraphQL-specific patterns.

Broken object-level authorization

The #1 API risk. We enumerate IDs, switch tenants, escalate roles, and test every endpoint that takes a record reference.

Broken authentication

Token issuance, JWT verification, key rotation, refresh-token reuse, API key entropy, multi-step auth flows.

Broken object property authorization

Mass assignment, attribute-based escalation, hidden fields, partial-update abuse.

Unrestricted resource consumption

Rate limiting at endpoint level, GraphQL query depth/complexity limits, batched mutation abuse, DoS via expensive operations.

Unrestricted access to sensitive business flows

Workflow bypass, replay, race conditions in multi-step business operations.

Server-side request forgery

In API endpoints that fetch URLs (webhook handlers, image processors, integrations). Cloud metadata, internal-service abuse.

02. methodology

Methodology.

Schema-aware testing where possible (OpenAPI, GraphQL introspection), black-box otherwise. We work the auth model end-to-end.

  1. Schema + surface discovery. Import OpenAPI/Swagger, introspect GraphQL, or map endpoints from client traffic. Build the full surface inventory.
  2. Auth + tenant boundary mapping. Identify every authn and authz check. Build a matrix of users × roles × records to test cross-boundary access.
  3. Manual exploitation. Each finding is worked with reproducible Burp/Postman/curl artifacts. Logs and timestamps are captured for the report.
  4. Report + readout. Findings with severity, exploit chain, and fix guidance. Engineer Q&A on which controls are realistic for your stack.

03. deliverables

What you walk away with.

API pentest deliverables.

Findings report + PoCs

Reproducible curl/Burp requests for every finding. Server response captured. Severity per CVSS 4.0.

API Top 10 coverage map

Which categories tested, which surfaced findings, which were clean.

Tenant-boundary report

For multi-tenant APIs: cross-tenant access attempts, which were blocked, and any leak paths found.

Retest within 30 days

Post-fix retest included. Findings re-verified, attestation letter delivered.

04. when

When teams hire us for this.

Common triggers for an API pentest.

Public API launch

You are about to publish API docs and let third parties hit your endpoints. Verify auth, rate limits, and BOLA before they do.

Internal API used by partners

A partner integration relies on your API. Their security team is asking what testing you have done.

GraphQL migration

Moved from REST to GraphQL (or about to). New attack surface — depth limits, batched queries, introspection.

SOC 2 / ISO 27001 audit prep

Auditor expects API surface to be covered by the pentest. Generic web app coverage is not enough.

05. faq

Questions before the call.

Common questions for this engagement type. See main pentest FAQ for shared questions.

OpenAPI/Swagger vs no schema — does it matter?

OpenAPI speeds up surface mapping but is not required. We can map endpoints from intercepted client traffic, Postman collections, or HAR exports.

GraphQL specific concerns?

Yes. Introspection exposure, depth and complexity limits, batched mutation abuse, persisted-query bypass. We cover these on top of the standard OWASP API Top 10.

Authenticated only or also unauthenticated?

Both. Most APIs have public endpoints (health, version, login). We test those first, then move to authenticated surface with provided test credentials.

Test an API?

Free 30-minute scoping call. We will review your API surface (OpenAPI/schema, sample requests) and quote a fixed-fee engagement.