VAPT · API (REST / GraphQL)

Authorization-first API pentest.

REST, GraphQL and gRPC - tested against the full OWASP API Top 10, treating every JWT as if it were already compromised. Reproducible PoCs against your OpenAPI / GraphQL schema.

Threat landscape

What API attackers exploit first

The six attack classes that drive most modern API breaches. Authorization-first testing finds them before launch.

Cross-tenant breach via BOLA

One predictable object ID and one valid token - that's all an attacker needs to read another tenant's data.

JWT forgery / alg confusion

RS256 → HS256, `alg:none`, and `kid` injection still find their way into production tokens.

Rate-limit & resource abuse

Endpoints with no throttling become DoS amplifiers, password sprays and scraping pipelines.

Mass assignment escalation

PATCH /me {role: 'admin'} - still a working privilege-escalation vector in too many APIs.
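The fix for this class of bug is to bind request bodies through an explicit allowlist rather than straight onto the model. The following is an added illustration, not code from this page or from any client engagement: the User model, the allowlist and the sample PATCH body are constructed, and the "unsafe" handler exists only to show the contrast.

```python
"""Binding a PATCH body through an explicit allowlist so server-controlled
fields such as role and tenant_id can never be set from the client side.
Added illustration, not the page's own code; the User model and the sample
bodies are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class User:
    id: str
    email: str
    display_name: str
    role: str = "member"     # server-controlled
    tenant_id: str = "t-a"   # server-controlled


# The only fields a caller may change about themselves via PATCH /me.
# Role and tenant changes belong to a separate, admin-only endpoint.
SELF_WRITABLE = frozenset({"email", "display_name"})


class MassAssignment(Exception):
    """Raised when a body names a field the endpoint does not bind."""


def patch_me_unsafe(user: User, body: dict) -> User:
    """The anti-pattern: whatever is in the body lands on the model."""
    return replace(user, **body)


def patch_me(user: User, body: dict, writable=SELF_WRITABLE) -> User:
    """Allowlist binding: reject, rather than silently drop, unexpected fields.

    Rejecting loudly matters for detection: a body carrying `role` against
    /me is a signal worth logging and alerting on, not something to swallow.
    """
    unexpected = sorted(set(body) - writable)
    if unexpected:
        raise MassAssignment(f"not writable on this endpoint: {unexpected}")
    return replace(user, **body)


def escalation_blocked(user: User, body: dict) -> bool:
    """True if the hardened handler refuses the body outright."""
    try:
        patch_me(user, body)
        return False
    except MassAssignment:
        return True


if __name__ == "__main__":
    me = User(id="u-17", email="a@example.test", display_name="A")
    body = {"display_name": "A.", "role": "admin"}   # constructed escalation attempt
    print("unsafe binding  ->", patch_me_unsafe(me, body).role)   # admin
    print("allowlist guard ->", escalation_blocked(me, body))      # True
```

The allowlist is per endpoint, not per model: the same User record may legitimately have its role changed by an admin route, and that route carries its own, different allowlist.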

GraphQL introspection leak

Introspection enabled in prod hands attackers your full schema, including internal-only types.

Shadow / undocumented APIs

v1, v2, /internal, /debug - the endpoints not in your OpenAPI spec are the ones attackers find first.

What we cover

  • Authentication & token handling (JWT / OAuth)
  • Authorization (BOLA / BFLA / IDOR)
  • Input validation & mass assignment
  • Rate limiting & abuse prevention
  • Transport security & TLS configuration
  • GraphQL specifics (depth, introspection, batching)

Common findings

  • Broken object-level authorization (BOLA)
  • Broken function-level authorization (BFLA)
  • Excessive data exposure
  • Mass assignment / parameter pollution
  • Lack of rate-limiting / brute-force protection
  • Improper inventory & shadow APIs

OWASP API Top 10 (2023)

Coverage matrix

Authorization gets two of the top five slots. We test it like an attacker does - exhaustively.

API1
Broken Object-Level Authorization
The most common critical-severity API finding - every object ID tested across every role.
API2
Broken Authentication
Token forgery, refresh-token replay, predictable session IDs.
API3
Broken Object Property-Level Authorization
Field-level data exposure and mass-assignment paths.
API4
Unrestricted Resource Consumption
Rate-limit, DoS-by-query, and cost-amplification attacks.
API5
Broken Function-Level Authorization
Method/endpoint privilege misalignment across roles.
API6
Unrestricted Access to Sensitive Flows
Reset, signup, purchase loops - abuse of business-critical flows.
API7
Server Side Request Forgery
Cloud-metadata, internal-service, response-smuggling tests.
API8
Security Misconfiguration
CORS, headers, default creds, verbose errors, debug routes.
API9
Improper Inventory Management
v1/v2/legacy APIs, undocumented endpoints, shadow surfaces.
API10
Unsafe Consumption of APIs
Third-party API integrations as a trust boundary.

Authorization-first

Every JWT is suspect

The single highest-impact class of API bug. We don't just exercise the happy path with a valid token - we treat the token as a credential the attacker already has, and walk every endpoint.

  • Object-level checks executed with every role pairing (admin → user, tenant-A → tenant-B)
  • Function-level checks across all HTTP verbs - POST/PATCH/DELETE silently allowed?
  • JWT introspection - algorithm confusion (RS256→HS256), `alg:none`, `kid` injection
  • OAuth scope tests - PKCE, redirect-URI validation, refresh-token reuse
  • GraphQL - query depth, introspection on/off in prod, mutation authorization
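The JWT items above (here and under "JWT forgery / alg confusion") all come down to one verifier property: the server, not the token header, decides the algorithm and the key. The block below is an added illustration of that property, not code from this page or from any engagement. It uses only the standard library and implements HS256 alone; the key table, key IDs and claims are constructed, and `unsigned_token` exists purely as a negative test vector for the verifier.

```python
"""Strict JWT verification: the server pins the algorithm, resolves `kid`
only through a fixed key table, and checks the signature last. Added
illustration, not the page's own code, using only the standard library and
HS256; the key table, key IDs and claims are constructed."""
import base64
import hashlib
import hmac
import json
import re

# Constructed key table, kid -> HMAC secret. In production this is fed from a
# KMS or JWKS cache; the point is that kid is a lookup label, nothing more.
KEYS = {"2024-q3": b"constructed-demo-secret-do-not-reuse"}
KID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class TokenRejected(Exception):
    pass


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(claims: dict, kid: str) -> str:
    """What the issuer does: an HS256 token signed with the key named by kid."""
    header, payload = _segment({"alg": "HS256", "typ": "JWT", "kid": kid}), _segment(claims)
    sig = hmac.new(KEYS[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def unsigned_token(claims: dict, alg: str = "none", kid=None) -> str:
    """Negative test vector: a token that claims `alg` but carries no signature."""
    header = {"alg": alg, "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    return f"{_segment(header)}.{_segment(claims)}."


def _verify_hs256(signing_input: bytes, sig: bytes, key: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig)


# Only algorithms the service has deliberately chosen are verifiable at all.
_VERIFIERS = {"HS256": _verify_hs256}


def verify(token: str, expected_alg: str = "HS256") -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:
        raise TokenRejected("malformed")
    if not isinstance(header, dict):
        raise TokenRejected("malformed")
    # 1. The server decides the algorithm; the header merely has to agree.
    #    This one comparison rejects alg:none and RS256->HS256 confusion
    #    before any key material is consulted.
    if header.get("alg") != expected_alg:
        raise TokenRejected("alg mismatch")
    verifier = _VERIFIERS.get(expected_alg)
    if verifier is None:
        raise TokenRejected("alg unsupported")
    # 2. kid must match a strict pattern and exist in the table; it is never
    #    turned into a file path, URL or query fragment.
    kid = header.get("kid")
    if not isinstance(kid, str) or not KID_RE.fullmatch(kid) or kid not in KEYS:
        raise TokenRejected("unknown kid")
    # 3. Signature check comes last and in constant time.
    if not verifier(f"{h_b64}.{p_b64}".encode(), sig, KEYS[kid]):
        raise TokenRejected("bad signature")
    return json.loads(_b64url_decode(p_b64))


def rejection_reason(token: str, expected_alg: str = "HS256"):
    """None if the token verifies, otherwise the reason it was refused."""
    try:
        verify(token, expected_alg)
        return None
    except TokenRejected as exc:
        return str(exc)


if __name__ == "__main__":
    good = mint_hs256({"sub": "u-17", "role": "member"}, "2024-q3")
    h, _, s = good.split(".")
    tampered = f"{h}.{_segment({'sub': 'u-17', 'role': 'admin'})}.{s}"
    for label, tok, alg in [
        ("valid token", good, "HS256"),
        ("payload tampered", tampered, "HS256"),
        ("alg:none", unsigned_token({"sub": "u-17", "role": "admin"}), "HS256"),
        ("HS256 token, RS256 expected", good, "RS256"),
        ("kid outside table", unsigned_token({"sub": "u-17"}, "HS256", "../not-a-key-id"), "HS256"),
    ]:
        print(f"{label:28} -> {rejection_reason(tok, alg)}")
```

The order of the checks is the point: algorithm pinning and key lookup both happen before any signature arithmetic, so a header can never steer the verifier into a weaker mode or an attacker-chosen key. Production code should add the usual claim checks (`exp`, `nbf`, `iss`, `aud`) after `verify` returns.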

REST surface

OpenAPI / Swagger-driven enumeration. Every endpoint × every verb × every role pairing. Authorization matrix delivered as part of the report.

POST /api/v2/orders          [admin] [member] [viewer] [other-tenant]
GET  /api/v2/orders/:id      [admin] [member] [viewer] [other-tenant]
PATCH /api/v2/orders/:id     [admin] [member] [viewer] [other-tenant]
DELETE /api/v2/orders/:id    [admin] [member] [viewer] [other-tenant]
                          ↑
                  Each cell = expected vs observed
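The matrix above is a data structure as much as a report format: each cell is an expected status, and the test is the diff against what the API actually returns. The block below is an added illustration of running such a matrix, not code from this page or from any client engagement. The orders service is an in-memory stand-in for a real API with one switchable tenant-check defect so the matrix has something to catch; the roles, principals, order IDs and expected statuses are constructed.

```python
"""Authorization-matrix runner: every endpoint x verb x role pairing carries
an expected status; the harness calls the app with each principal and reports
the cells where observed differs from expected. Added illustration: the
orders service below is an in-memory stand-in for a real API, with one
switchable tenant-check defect. Roles, principals and IDs are constructed."""

ROLES = ["admin", "member", "viewer", "other-tenant"]

# One principal per matrix column (constructed). "other-tenant" is an
# ordinary member whose tenant differs from the order's tenant.
PRINCIPALS = {
    "admin":        {"sub": "u-admin", "role": "admin",  "tenant": "t-a"},
    "member":       {"sub": "u-mem",   "role": "member", "tenant": "t-a"},
    "viewer":       {"sub": "u-view",  "role": "viewer", "tenant": "t-a"},
    "other-tenant": {"sub": "u-other", "role": "member", "tenant": "t-b"},
}

ORDERS = {"o-1": {"tenant": "t-a", "owner": "u-mem", "total": 42}}


def handle(method: str, path: str, principal: dict, *, tenant_check: bool = True) -> int:
    """Toy /api/v2/orders handler returning an HTTP status code."""
    parts = path.strip("/").split("/")
    if parts[:3] != ["api", "v2", "orders"] or len(parts) > 4:
        return 404
    oid = parts[3] if len(parts) == 4 else None
    if oid is None:
        if method != "POST":
            return 405
        return 403 if principal["role"] == "viewer" else 201
    order = ORDERS.get(oid)
    # The object-level check. A missing order and a foreign-tenant order must
    # be indistinguishable (404); otherwise IDs become an existence oracle.
    if order is None or (tenant_check and order["tenant"] != principal["tenant"]):
        return 404
    if method == "GET":
        return 200
    if method == "PATCH":
        return 200 if principal["role"] == "admin" or order["owner"] == principal["sub"] else 403
    if method == "DELETE":
        return 204 if principal["role"] == "admin" else 403
    return 405


# Expected status per cell: the authorization policy written down as data.
EXPECTED = {
    ("POST",   "/api/v2/orders"):     {"admin": 201, "member": 201, "viewer": 403, "other-tenant": 201},
    ("GET",    "/api/v2/orders/o-1"): {"admin": 200, "member": 200, "viewer": 200, "other-tenant": 404},
    ("PATCH",  "/api/v2/orders/o-1"): {"admin": 200, "member": 200, "viewer": 403, "other-tenant": 404},
    ("DELETE", "/api/v2/orders/o-1"): {"admin": 204, "member": 403, "viewer": 403, "other-tenant": 404},
}


def run_matrix(*, tenant_check: bool = True) -> list:
    """Return one finding per cell where observed != expected."""
    findings = []
    for (method, path), row in EXPECTED.items():
        for role in ROLES:
            expected = row[role]
            observed = handle(method, path, PRINCIPALS[role], tenant_check=tenant_check)
            if observed == expected:
                continue
            if observed < 400 <= expected:
                severity = "granted"   # access where denial was expected: BOLA/BFLA
            elif expected < 400 <= observed:
                severity = "denied"    # over-restrictive: functional, not security
            else:
                severity = "leak"      # wrong denial code, e.g. 403 vs 404 oracle
            findings.append({"method": method, "path": path, "role": role,
                             "expected": expected, "observed": observed, "severity": severity})
    return findings


def render(*, tenant_check: bool = True) -> str:
    """Matrix in the layout used above, one cell per role: ok or expected/observed."""
    lines = []
    for (method, path), row in EXPECTED.items():
        cells = []
        for role in ROLES:
            observed = handle(method, path, PRINCIPALS[role], tenant_check=tenant_check)
            cells.append(f"[{role}: ok]" if observed == row[role] else f"[{role}: {row[role]}/{observed}]")
        lines.append(f"{method:6} {path:22} " + " ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(tenant_check=True), "\n")
    print(render(tenant_check=False))
    for f in run_matrix(tenant_check=False):
        print(f)
```

With the tenant check on, the matrix is clean. With it off, the harness reports a `granted` cell (the other-tenant GET) and two `leak` cells where the PATCH and DELETE return 403 instead of 404, which tells a foreign tenant that the order exists. Against a real API the `handle` call becomes an HTTP request made with each role's token, and the matrix itself comes from the OpenAPI spec.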

GraphQL surface

Schema-aware testing. Introspection on/off, mutation authorization, batching abuse, query-depth DoS, alias attacks.

query AttackerProbe {
  user(id: "1")          { email role }
  admin: user(id: "1")   { email role internalNotes }
  __schema { types { name } }
}
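Each of the abuse classes listed above (introspection in prod, aliasing, batching, query depth) has a cheap server-side guard that can run before the executor ever sees the document. The block below is an added illustration of such a guard, not code from this page or from any engagement. It is a lexical scan (strings and comments stripped, braces counted outside argument lists) rather than a full GraphQL parser, so it belongs in front of the executor's own limits, not in place of them; the policy numbers are constructed, and the probe query is the one shown above.

```python
"""Pre-execution guard for GraphQL requests: selection depth, alias count,
batch size and introspection are checked against a policy before the
document reaches the executor. Added illustration, not the page's own code;
a lexical scan rather than a full parser. Policy numbers are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    max_depth: int = 6
    max_aliases: int = 10
    max_batch: int = 5
    allow_introspection: bool = False   # what production should look like


_STRING = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"')
_COMMENT = re.compile(r"#[^\n]*")
# Alias syntax is `alias: field` followed by arguments or a selection set.
_ALIAS = re.compile(r"\b([A-Za-z_]\w*)\s*:\s*([A-Za-z_]\w*)\s*(?=[({])")
_INTROSPECTION = re.compile(r"\b__(schema|type)\b")

# The probe query shown above, used as sample input.
PROBE = """query AttackerProbe {
  user(id: "1")          { email role }
  admin: user(id: "1")   { email role internalNotes }
  __schema { types { name } }
}"""


def _strip(doc: str) -> str:
    """Remove string literals and comments so braces and colons inside them are ignored."""
    return _COMMENT.sub("", _STRING.sub('""', doc))


def selection_depth(doc: str) -> int:
    """Deepest nesting of selection sets; braces inside (...) are input objects."""
    depth = deepest = parens = 0
    for ch in _strip(doc):
        if ch == "(":
            parens += 1
        elif ch == ")":
            parens = max(parens - 1, 0)
        elif ch == "{" and parens == 0:
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}" and parens == 0:
            depth = max(depth - 1, 0)
    return deepest


def alias_count(doc: str) -> int:
    return len(_ALIAS.findall(_strip(doc)))


def uses_introspection(doc: str) -> bool:
    return _INTROSPECTION.search(_strip(doc)) is not None


def check_document(doc: str, policy: Policy = Policy()) -> list:
    """Policy violations for one document, empty if it may proceed."""
    violations = []
    depth = selection_depth(doc)
    if depth > policy.max_depth:
        violations.append(f"depth {depth} > {policy.max_depth}")
    aliases = alias_count(doc)
    if aliases > policy.max_aliases:
        violations.append(f"aliases {aliases} > {policy.max_aliases}")
    if not policy.allow_introspection and uses_introspection(doc):
        violations.append("introspection disabled")
    return violations


def check_request(payload, policy: Policy = Policy()) -> list:
    """payload is the JSON body: {"query": ...} or a batched list of them."""
    docs = payload if isinstance(payload, list) else [payload]
    violations = []
    if len(docs) > policy.max_batch:
        violations.append(f"batch {len(docs)} > {policy.max_batch}")
    for i, item in enumerate(docs):
        violations += [f"[{i}] {v}" for v in check_document(item.get("query", ""), policy)]
    return violations


if __name__ == "__main__":
    print("probe, prod policy ->", check_request({"query": PROBE}))
    print("probe, dev policy  ->", check_request({"query": PROBE}, Policy(allow_introspection=True)))
    deep = "{ a { b { c { d { e { f { g { h } } } } } } } }"
    print("deep query         ->", check_request({"query": deep}))
    print("oversized batch    ->", check_request([{"query": "{ me { id } }"}] * 6))
```

Depth and alias limits bound the work a single request can demand; the batch limit stops the same work being multiplied across one HTTP call; and the introspection switch is the production default the page calls for. A real deployment should pair this with cost analysis in the executor, since aliasing and depth are only two of the ways a schema can be made expensive.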

Tools & stack

What's in the toolbox

Burp Suite
HTTP intercept + repeater + intruder
Postman
Collection-based replay + scripting
ffuf
Endpoint + parameter enumeration
graphql-cop
GraphQL-specific abuse checks
InQL
GraphQL introspection + sniping
Schemathesis
OpenAPI-driven property testing

See what a real report looks like

24 pages, redacted from a live engagement. Executive summary, technical findings with PoCs, remediation roadmap and attestation.

  • Executive summary + technical report
  • Reproducible PoCs with screenshots
  • Remediation roadmap + retest plan
  • Letter-of-attestation appendix

How we work

Methodology

A repeatable five-phase process. Same depth whether it's a focused spot test or a multi-surface engagement.

01

Recon & threat modeling

Asset discovery, app mapping, STRIDE/DREAD analysis to scope what matters.

02

Automated baseline

Tuned SAST/DAST/scanners to clear the noise. Never the primary signal.

03

Manual exploitation

Where the real findings live. Senior testers, real PoCs, chained attacks.

04

Risk assessment

CVSS scoring combined with your business context - not auto-generated severities.

05

Reporting

Executive summary + reproducible technical report + remediation roadmap.

Frameworks & standards

Mapped to the standards your auditors care about

Reports map findings to the frameworks your compliance team is already chasing. Drop-in evidence for ISO, SOC 2, PCI and DPDP audits.

OWASP Top 10
OWASP API Top 10
OWASP MASVS / MSTG
OWASP ASVS
PTES
OSSTMM
NIST SP 800-115
MITRE ATT&CK
CIS Benchmarks
PCI-DSS 4.0
ISO 27001 Annex A
SOC 2 (Common Criteria)

FAQ

Common questions

If you're evaluating multiple firms, these are the questions worth asking each of us.

How long does a typical engagement take?

A focused spot test runs 5-7 business days. Multi-surface engagements typically take 2-4 weeks depending on application complexity. We agree on a written scope before the contract - no surprise extensions.

Is testing safe to run in production?

We test in production only when staging is unavailable and only with explicit written approval, an agreed test window, and a documented rollback plan. Destructive checks (DoS, data corruption) are excluded unless specifically requested.

What certifications does your team hold?

Engagements are run by senior testers and signed off by a practice lead. We test to recognised methodologies - OWASP, PTES and the OSSTMM - and map every finding to CVSS and CWE. If your procurement process needs specific individual credentials on file, we'll share them under NDA during scoping.

Do you offer retests after we patch?

Yes - retest engagements are scoped separately, focused only on the findings you've patched. Pricing is proportional to the surface area being re-verified and we send a written scope before any work starts.

What format are the deliverables in?

PDF reports (executive summary + technical), an editable findings spreadsheet, attack-path diagrams where relevant, and a letter of attestation on request. All findings include CVSS, CWE, repro steps, and remediation guidance.

How is scope determined and priced?

After a 15-minute discovery call we send a written scope inside 48 hours - fixed-price, with clearly itemized exclusions. No hourly billing surprises, no scope creep mid-engagement.

Lock down your API surface.

Send us your OpenAPI spec (or just a list of routes) and we'll come back with a scope in 48 hours.