API Penetration Testing Service
Digital Roxy runs manual API penetration tests against REST, GraphQL, and gRPC APIs to the OWASP API Security Top 10 standard. Every engagement maps authorization across every endpoint and role. OSCP-certified testers, manual exploitation, CVSS-scored findings, and compliance attestation.
API pentest is where broken authorization hides in plain sight.
An API penetration test is a manual security assessment of a REST, GraphQL, or gRPC API. The single most valuable thing an API pentest delivers is a complete authorization map. Every endpoint multiplied by every role gives you a grid, and testing each cell of that grid is where Broken Object-Level Authorization (BOLA) and Broken Function-Level Authorization (BFLA) findings emerge. These two issues are #1 and #5 on the OWASP API Security Top 10 because they are the most common and most damaging API vulnerabilities in production.
Digital Roxy API pentests cover all ten OWASP API Top 10 categories, plus authentication flows (OAuth 2.1, JWT, API keys, mTLS), rate limiting and resource consumption testing, mass assignment on data models, excessive data exposure through response shapes, and injection in query parameters, bodies, and GraphQL queries. Every endpoint gets tested against every role. Every finding is manually exploited with proof-of-exploit captures showing the exact request, response, and business impact.
API Vulnerability Classes We Exploit
OWASP API Security Top 10 is a useful taxonomy. These are the specific bugs within that taxonomy that we actually find in production.
Broken Object-Level Authorization (BOLA, API1)
The #1 API vulnerability class in production. GET /api/users/12345 returns data without verifying the authenticated user owns user 12345. Iterating IDs exposes every user. We test every endpoint that takes an object ID against every role. Takes time, finds bugs.
Broken Function-Level Authorization (BFLA, API5)
Admin-level endpoints callable by non-admin users. /api/admin/users/delete returning 200 instead of 403 for a regular user. Usually caused by authorization checked in the UI but not enforced in the API. We map every endpoint against every role to catch this.
Mass Assignment (API6)
PATCH /api/users/me with a request body that includes {"role":"admin"} successfully elevating the user. Rails and Django apps are especially prone to this when strong parameters or serializer allowlists are not enforced. Manual testing with unexpected field names catches it.
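The PATCH /api/users/me case above, as an added example that is not part of the original page or Digital Roxy's code: the mass-assignment-prone update beside the allowlisted one. The User record, the field names and the request body are constructed for the illustration.

```python
from dataclasses import dataclass

# Fields a user may change on their own profile. "role" and "is_verified" are
# deliberately absent: they are server-managed.
SELF_WRITABLE_FIELDS = frozenset({"display_name", "email", "timezone"})


@dataclass
class User:  # constructed stand-in for the ORM model
    id: int
    display_name: str
    email: str
    timezone: str
    role: str = "user"
    is_verified: bool = False


def patch_me_vulnerable(user: User, body: dict) -> User:
    """Copies every JSON field onto the model, which is what a Rails or Django
    app does when strong parameters / a serializer allowlist are missing."""
    for field, value in body.items():
        if hasattr(user, field):
            setattr(user, field, value)
    return user


def patch_me_hardened(user: User, body: dict) -> User:
    """Applies allowlisted fields only and rejects the whole request when the
    body names anything else, so a {"role": "admin"} probe can be mapped to a
    400 and logged instead of being silently dropped."""
    unexpected = set(body) - SELF_WRITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected field(s): {sorted(unexpected)}")
    for field in SELF_WRITABLE_FIELDS & set(body):
        setattr(user, field, body[field])
    return user


def demo() -> tuple:
    """Runs the same body through both handlers; returns (vulnerable role,
    hardened outcome)."""
    body = {"display_name": "alice", "role": "admin"}  # constructed request body
    vuln = patch_me_vulnerable(User(1, "a", "a@example.com", "UTC"), body)
    try:
        patch_me_hardened(User(1, "a", "a@example.com", "UTC"), body)
        outcome = "updated"
    except ValueError:
        outcome = "rejected"
    return vuln.role, outcome
```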
Excessive Data Exposure (API3)
GET /api/users/me returning all user fields including hashed password, reset token, and internal flags. The UI only displays five fields, but the API returns 40. Easy to miss in review because the UI looks correct.
Broken User Authentication (API2)
JWT algorithm confusion (accepting both RS256 and HS256). Password reset tokens that do not expire. Refresh tokens that do not rotate. OAuth state parameter not verified. Session fixation on login. Authentication flaws in APIs turn into full account takeover.
Resource Consumption / Rate Limiting (API4)
Endpoints that accept pagination parameters without bounds (PageSize=1000000). Endpoints accepting arbitrary-depth nested GraphQL queries. Expensive operations (PDF generation, image resizing) without user-level rate limits. Leads to DoS and infrastructure cost abuse.
GraphQL-Specific Issues
Introspection enabled in production exposing the full schema. Nested query complexity without depth limits. Field-level authorization enforced inconsistently across resolver chains. Batched query abuse. GraphQL adds attack surface that REST does not have.
Injection Through API Inputs (API8)
SQL injection through JSON body fields. NoSQL injection through MongoDB operators in query parameters. Command injection through user-controlled arguments in backend tool wrappers. Server-side template injection in dynamic content generators.
Our API Pentest Methodology
Methodology aligned with OWASP API Security Top 10 2023 and OWASP API Security Testing Guide. Full endpoint-by-role coverage is non-negotiable.
API Endpoint Discovery
OpenAPI specs, Postman collections, GraphQL introspection responses, and mobile-app reverse engineering all feed into endpoint discovery. For undocumented APIs, we crawl the consuming clients (web app, mobile app) to map the actual endpoints in use. Shadow APIs and deprecated endpoints often contain the most interesting findings.
Authentication Review
JWT analysis (algorithm confusion, weak secrets, missing kid validation, expiration handling). OAuth 2.1 flow review (state parameter, PKCE, redirect URI validation). API key lifecycle review. mTLS implementation review where used. Refresh token rotation and revocation testing.
Authorization Map
Build a matrix: endpoints x HTTP methods x user roles. Every cell gets tested to verify the expected authorization behavior. This is the single most productive phase of API pentests. BOLA and BFLA findings come from this phase.
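The authorization map described here, together with the BOLA and BFLA classes above, as an added example that is not Digital Roxy's tooling: a constructed in-memory stand-in for an API, a policy oracle stating what each cell should return, and the loop that flags every cell where observed and expected status differ. Routes, roles and the seeded flaws are all assumptions made for the illustration.

```python
ANON, ALICE, BOB, ADMIN = "anon", "user:1001", "user:1002", "admin"
ROLES = [ANON, ALICE, BOB, ADMIN]
OBJECT_OWNER = "1001"  # the record under test belongs to Alice
ENDPOINTS = [("GET", f"/api/users/{OBJECT_OWNER}"),
             ("PATCH", "/api/users/me"),
             ("DELETE", f"/api/admin/users/{OBJECT_OWNER}")]


def mock_api(method: str, path: str, principal: str) -> int:
    """Constructed stand-in for the target API, seeded with one BOLA and one
    BFLA flaw so the matrix has something to catch. Returns an HTTP status."""
    if principal == ANON:
        return 401
    if method == "GET" and path.startswith("/api/users/"):
        return 200  # BOLA: never checks that principal owns the requested id
    if method == "DELETE" and path.startswith("/api/admin/users/"):
        return 200  # BFLA: admin-only in the UI, the API only checks for a session
    if method == "PATCH" and path == "/api/users/me":
        return 200
    return 404


def expected_status(method: str, path: str, principal: str) -> int:
    """Policy oracle for each cell: anonymous callers get 401, /api/admin/ is
    admin-only, object paths are owner-or-admin, everything else 200."""
    if principal == ANON:
        return 401
    if path.startswith("/api/admin/"):
        return 200 if principal == ADMIN else 403
    if path.startswith("/api/users/") and path != "/api/users/me":
        owner = path.rsplit("/", 1)[1]
        return 200 if principal in (ADMIN, f"user:{owner}") else 403
    return 200


def run_matrix(api=mock_api) -> list:
    """Tests every (endpoint, role) cell and returns the cells whose observed
    status differs from policy, as (kind, method, path, role, want, got)."""
    findings = []
    for method, path in ENDPOINTS:
        for role in ROLES:
            want, got = expected_status(method, path, role), api(method, path, role)
            if want != got:
                kind = "BFLA" if path.startswith("/api/admin/") else "BOLA"
                findings.append((kind, method, path, role, want, got))
    return findings
```

Against a real target, `api` would be a function that issues the request with the given role's credentials and returns the status; the oracle and the loop stay the same.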
Injection Testing
SQL, NoSQL, command, template, and XPath injection against every user-controlled input. JSON body fields get tested alongside URL and query parameters. For GraphQL, field-level injection across the schema.
Business Logic Testing
API-specific business logic issues: mass assignment, excessive data exposure, IDOR patterns that require chaining multiple endpoints. Race conditions on state-changing endpoints. Workflow state bypass through endpoint reordering.
Rate Limiting & Resource Testing
Rate limit bypass through header manipulation (X-Forwarded-For), endpoint variation, and case-sensitivity tricks. Resource consumption testing on expensive endpoints. GraphQL query depth and complexity testing.
Report & Retest
OWASP API Top 10 mapped findings. Full authorization matrix as an appendix. CVSS-scored findings with exploit reproduction steps. Free retest after fixes ship.
Our API Pentest Toolset
API pentest tooling overlaps with web, but adds specialization for GraphQL, gRPC, and modern authentication protocols.
Burp Suite Pro + Postman
Primary request-response inspection and tampering. Postman for structured endpoint exploration from OpenAPI specs.
graphql-voyager + InQL
GraphQL schema exploration and introspection abuse testing. Critical for engagements that include GraphQL.
ffuf + Arjun
Endpoint and parameter discovery. Arjun for hidden parameters that clients send but documentation omits.
jwt_tool + jwtcrack
JWT analysis, algorithm confusion, weak secret cracking, key injection. JWT flaws are common enough to warrant specialized tooling.
Autorize + AuthMatrix
Burp extensions for automated authorization testing. Run all requests across all roles and flag discrepancies.
Custom Python tooling
For OAuth flow manipulation, gRPC service testing, and any authentication pattern that standard tools miss.
API Pentest Engagement Tiers
Three engagement sizes. Every quote is fixed-price after a 15-minute scoping call. No hourly billing.
Focused API
Single API with under 50 endpoints and up to 3 roles. Right for startups with a focused product surface.
- OWASP API Top 10 coverage
- Authorization matrix testing
- Authentication flow review
- 1-week engagement
- One free retest
- Technical + executive report
- Compliance attestation
Platform API
API with 50-200 endpoints and 4-8 roles. Right for mid-market SaaS and enterprise platforms.
- Everything in Focused API
- Full endpoint x role matrix
- Rate limiting & resource testing
- Shadow API discovery
- GraphQL testing if applicable
- 2-3 week engagement
- Developer debrief call
- Two free retests
Public API
Developer-facing public APIs with third-party consumers. Documentation review plus security testing.
- Everything in Platform API
- OpenAPI spec security review
- Third-party integration risk review
- API abuse scenario testing
- Key lifecycle and scope review
- Public developer docs security audit
- Dedicated 30-day Slack support
Ready to scope your API Pentest?
Book a 15-minute scoping call. You get a fixed-price quote within one business day.