API Security Testing

What is an API pentest?

An API pentest is a security test aimed at your Application Programming Interfaces. APIs are the communication layer between applications, mobile apps, microservices and external partners. They often process the most sensitive data - personal information, financial transactions, medical records - but are rarely secured as thoroughly as the front-end that runs on them.

We test REST, GraphQL and SOAP APIs for vulnerabilities that automated scanners structurally miss. The OWASP API Security Top 10 is our starting point, but the vulnerabilities we most frequently report fall outside it: IDORs that let you query other customers' data, race conditions in payment flows, JWTs that are not correctly validated, rate limiting that is easily bypassed.

Common API vulnerabilities

• Broken Object Level Authorization (BOLA) - can a user retrieve other users' data by manipulating IDs? We find this in more than half of the APIs we test.
• Broken Function Level Authorization (BFLA) - can a regular user call admin endpoints?
• Excessive Data Exposure - does the API return more data than the client needs?
• Mass Assignment - can a user overwrite read-only fields?
• Injection - SQL, NoSQL, GraphQL and command injection via API parameters.
• Improper rate limiting - absence of throttling on authentication endpoints.

Why should you get an API pentest?

APIs are the fastest-growing attack surface. API-related data breaches are commonplace:

• APIs are overlooked: the web application gets a pentest, the underlying API does not. That is like securing the front door but leaving the back door open.
• Documentation is wrong: Swagger/OpenAPI specs are often outdated. We find undocumented endpoints that fall outside developers' awareness.
• Authorisation flaws are #1: BOLA and BFLA account for the majority of API data breaches. No scanner finds them.
• Microservices multiply risk: each service with its own API increases the attack surface.

Our approach

Our API pentesters combine deep understanding of API architectures with attack experience. Short lines: we share critical findings immediately.

• API discovery - inventorying all endpoints via documentation, traffic analysis and active fuzzing. We also find undocumented and deprecated endpoints.
• Authentication testing - JWT validation (algorithm confusion, key disclosure), OAuth flows, API key management, session handling.
• Authorization testing - systematic testing for BOLA and BFLA. Can user A access user B's data? Can a regular user perform admin functionality?
• Input validation - injection testing (SQL, NoSQL, GraphQL query manipulation), parameter tampering, mass assignment.
• Rate limiting & abuse - brute force protection, resource exhaustion, business logic abuse.
• Data exposure - analysing API responses for excessive data, internal identifiers, stack traces, debug information.
• Reporting - per finding: description, proof-of-concept request/response, CVSS score and recommendation. Retest available on request.

What does an API pentest cost?

Our hourly rate is €175 per hour. Costs are determined by:

• Number of endpoints: 10 endpoints is less than 200.
• Logic complexity: payment APIs and multi-tenant APIs require more test hours.
• Authentication/authorisation: the number of roles and permission levels determines the amount of authorisation tests.
• API type: GraphQL takes more time than REST due to the flexibility of queries.

Indication: €5,000 - €15,000 depending on the above. Fixed quote after a free scoping call.