Home / Solutions / API Security Testing
API Security Testing

API Security Testing — REST, GraphQL & gRPC

API Security Testing — REST, GraphQL & gRPC

Where modern breaches happen.

REST, GraphQL, and gRPC pentesting against OWASP API Security Top 10 (2023). Auth bypasses, BOLA at scale, GraphQL introspection abuse — the vulnerabilities scanners can't even enumerate.

Coverage
OWASP API Top 10 (2023) full coverage
REST · GraphQL · gRPC · WebSocket
Schema-driven exhaustive testing
Rate limit & DoS resistance
Auth: JWT, OAuth, mTLS, API keys
01 // WHY APIS

More breaches start at the API than the UI.

Modern apps are 80% API surface, 20% rendered UI. Attackers know this. The OWASP API Top 10 exists because API-specific vulnerabilities don't map cleanly to web app categories — and most pentest vendors haven't caught up.

  • BOLA (Broken Object Level Authorization) — the #1 API risk
  • GraphQL-specific: introspection, batching attacks, query depth DoS
  • JWT misuse: alg confusion, none algorithm, weak secrets
  • gRPC: reflection, message tampering, missing auth on streams
API findings (sanitized) 
CRITICAL  BOLA on /api/v1/orders/{id}
  → user A reads user B's order
  → 14M order records enumerable
  // API1:2023

CRITICAL  GraphQL introspection in prod
  query { __schema { types { name } } }
  → full schema exposed
  → admin mutations discovered
  // API8:2023

HIGH      JWT signature not verified
  alg=none accepted
  → arbitrary user impersonation
  // API2:2023

HIGH      No rate limit on /auth/login
  → 10K req/sec credential stuffing
  // API4:2023
02 // SCHEMA-DRIVEN TESTING

Every endpoint, every method, every parameter.

Manual API testing without a schema misses endpoints. We start from your OpenAPI / GraphQL schema / proto files and exhaustively test every operation against the OWASP API Top 10. Nothing slips through because nobody knew it was there.

  • OpenAPI / Swagger import for full REST coverage
  • GraphQL schema introspection + custom query generation
  • Protobuf-driven gRPC test case generation
  • Drift detection: undocumented endpoints flagged separately
Coverage matrix 
REST API
  · 247 endpoints from OpenAPI
  · 1,432 test cases generated
  · 6 undocumented endpoints found
  → 12 findings

GraphQL
  · 89 queries, 34 mutations, 12 subs
  · Batched query DoS tested
  · Field-level auth checked
  → 7 findings

gRPC
  · 5 services, 41 RPCs
  · Reflection enabled in prod
  · Stream auth tested
  → 4 findings

WebSocket
  · 12 message types
  · Origin validation tested
  → 0 findings

OWASP API Top 10 (2023) coverage

Every category. Every endpoint.

API1: BOLA

Broken Object Level Authorization. Test every object reference for cross-user access.

API2: Auth

Broken authentication — JWT misuse, weak password resets, session management.

API3: Property auth

Broken object property level authorization. Mass assignment, excessive data exposure.

API4: Resource consumption

Unrestricted resource consumption. Rate limits, query complexity, DoS resistance.

API5: Function auth

Broken function level authorization. Admin endpoints accessible to regular users.

API6–10

Sensitive flows, SSRF, security misconfig, inventory mgmt, unsafe consumption of APIs.

Engagement Model

Schema-driven scoping. Endpoint-based pricing.

API security engagements are scoped by endpoint count and protocol mix (REST / GraphQL / gRPC / WebSocket). OpenAPI or GraphQL schema makes scoping precise and pricing transparent. Typical mid-size REST API (100-300 endpoints): 2 weeks, scoped from $14K. Combined REST + GraphQL: 3 weeks, $20K+. Same fixed-fee model, same free retest within 90 days.

Deliverables

API-specific evidence.

Per-endpoint coverage matrix

Every endpoint, every method, every documented parameter — coverage shown explicitly. Plus undocumented endpoints we discovered (typically 5-15% of the surface).

OWASP API Top 10 (2023) mapping

Findings tagged with API1-API10 categories. Auditors and your team can navigate by attack class. Useful for tracking program maturity over time.

GraphQL-specific deliverable

For GraphQL APIs: query depth analysis, batching attack assessment, field-level authorization map, introspection exposure check, schema diff vs declared schema.

Reproducible exploits

Postman collections, Insomnia exports, or raw cURL — depending on your team's tools. Every finding re-verifiable in under a minute.

Sample Finding

Common API attack pattern.

Critical · CVSS 9.6
BOLA on /api/v1/orders/{id} — 14M records enumerable

OWASP Category: API1:2023 (Broken Object Level Authorization)
Endpoint: GET /api/v1/orders/{order_id}
Issue: The orders endpoint validates that the requester is authenticated, but does not validate that the order_id belongs to the authenticated user. Sequential or guessed order_ids return arbitrary order data.
Reproduction: 1. Place test order, observe order_id = 14,238,221. 2. Request /api/v1/orders/14,238,220 (different user's order). 3. Full order details returned (PII, payment info, addresses).
Impact: 14M+ historical orders enumerable. PII exposure. PCI DSS scope expansion.
Remediation: Add authorization check linking order to authenticated user. Replace sequential IDs with UUIDs to slow blind enumeration. Add monitoring for sequential ID access patterns.

Frequently Asked Questions

Common questions, answered.

Can you test our API without our staging environment?
We strongly prefer a dedicated staging environment with isolated test data. Production testing is possible with explicit scope, but rate limits, side effects, and audit-log noise make it suboptimal for thorough coverage. Most clients spin up a copy environment for the engagement.
Do you test GraphQL specifically?
Yes — and it's increasingly a majority of our API engagements. GraphQL has unique attack surfaces (introspection in production, query batching, query depth/complexity DoS, field-level auth bypass, persisted-query allowlist gaps) that REST-focused vendors miss.
What about WebSocket and gRPC?
Both covered. WebSocket requires manual session-aware testing including origin validation, frame fuzzing, and authentication-after-upgrade testing. gRPC requires .proto file ingestion, reflection-API testing, and stream authentication checks. We've delivered pentests on both protocols across fintech, healthtech, and SaaS clients.
Will you find undocumented endpoints?
Yes. We brute-force common paths, scrape JS bundles for API references, monitor traffic from your authenticated clients, and diff against your stated OpenAPI schema. Undocumented endpoints get their own report section — often the highest-value findings because no one has reviewed them.
What's BOLA and why is it the #1 API risk?
BOLA — Broken Object Level Authorization — is the vulnerability where an authenticated user can access objects belonging to other users by manipulating object IDs (e.g. /api/orders/123 returns user A's data when user B is authenticated). It's #1 because it's both extremely common and extremely impactful — direct cross-tenant data exposure. Every API pentest tests every object reference in the schema for BOLA.
Do you test authentication / authorization specifically?
Yes — extensively. JWT alg confusion (RS256 → HS256 attacks, alg=none acceptance, key confusion), OAuth scope confusion, SAML XML signature wrapping, mTLS verification bypass, API key entropy and rotation, HMAC signature replay, and session management. Auth findings often have the highest impact in API pentests.
How much does an API pentest cost?
Small-to-mid APIs (50-200 endpoints) typically run $18k-$36k. Larger APIs (200-500 endpoints) typically $36k-$72k. Very large or polyglot APIs (500+ endpoints across REST + GraphQL + gRPC) typically $72k-$150k. Pricing is fixed-fee scoped after a free schema review.
How long does an API pentest take?
Typical timeline is 2-3 weeks. Large enterprise APIs with many integrations or polyglot stacks (REST + GraphQL + gRPC) may run 3-5 weeks. We provide a precise timeline after schema review.
Do you test against rate limiting and DoS?
Yes. Rate-limit bypass (per-IP, per-user, per-API-key), query-complexity DoS (especially for GraphQL), batched-query amplification, and slow-loris-style request consumption. We test resilience without actually taking down your service — this is coordinated with your team.
What if our API uses a custom auth scheme?
Custom auth gets extra attention because it's where novel vulnerabilities tend to live. We document the scheme, test it against known patterns (replay, signature wrapping, key confusion), and stress-test edge cases. Custom auth schemes often add 20-30% to engagement length.
Do you provide an OpenAPI / schema audit on top of the pentest?
Yes — schema review is part of standard scoping. We flag schema-design issues (over-permissive responses, mass-assignment risks, missing rate-limit hints, inconsistent auth requirements) as a complementary deliverable.
How do you handle webhooks?
Webhooks get tested as a distinct surface — your outbound webhooks (SSRF risk on subscriber URLs, secret rotation, retry-replay attacks) and your inbound webhook receivers (signature verification, replay protection, payload size limits).
Why do API security and web application security need separate pages?
They're different attack surfaces. Web apps render HTML and run JavaScript in the browser; APIs are pure data interfaces consumed by clients you don't control. The OWASP API Security Top 10 exists because API-specific risks (BOLA, broken object property authorization, unrestricted resource consumption) don't map cleanly to the classic OWASP Web Top 10. Modern apps are 80% API surface, 20% rendered UI — testing one without the other leaves the bigger half uncovered.
How do you test GraphQL specifically?
GraphQL has its own attack surface: schema introspection in production exposes admin endpoints, batched queries can DoS the resolver layer, depth limits can be bypassed with aliases, field-level authorization is often missing where object-level is enforced. We start from your schema (introspected or provided), generate queries that exercise every type and every field, then probe for these GraphQL-specific patterns explicitly.
Will you test our undocumented or "internal" endpoints?
Yes. We brute-force common paths, scrape JS bundles for API references, monitor traffic from your authenticated clients, and diff against your stated OpenAPI schema. Undocumented endpoints get their own report section because they're often the weakest part of the surface — they don't go through the same review process as documented APIs.
What about rate limiting and DoS resistance?
Tested as part of every API engagement. We measure rate limit thresholds, look for endpoints that are unintentionally cheap to invoke but expensive to serve (e.g., complex GraphQL queries, expensive sorts, image transformations), and check whether rate limits are per-user, per-IP, or global. Authentication endpoints especially — credential stuffing protection.
Do you test gRPC and WebSocket?
Yes. gRPC requires proto file ingestion and a different toolchain (grpcurl, custom Python clients). WebSocket requires manual session-aware testing — we look for missing authentication on subscriptions, channel hijacking, message tampering, and origin validation gaps. Both are covered without premium charges.

Related

Continue exploring

Companion
Web App Pentesting

The frontend that consumes your API.

Read more →
Mobile clients
Mobile App Pentesting

Mobile apps as API consumers.

Read more →
Continuous
Continuous AppSec

API testing every release, not annual.

Read more →
New
AI / LLM AppSec

Securing API surfaces that talk to LLMs.

Read more →
Ready to ship secure?
Talk to a senior engineer. No SDR script, no slide deck — just a working session about your stack.

What is API security testing

Pentesting designed for the way modern apps are actually built.

API security testing is penetration testing focused on a system's API surface — REST, GraphQL, gRPC, and WebSocket endpoints — rather than its rendered UI. It exists as a distinct discipline because most modern applications are 80% API surface and 20% UI, and because the attack patterns that break APIs (BOLA, broken authentication, query-complexity DoS, mass assignment) don't map cleanly onto traditional web app pentest categories.

The OWASP API Security Top 10 (2023) defines the canonical category set, and every CredShields API pentest provides explicit coverage against it: API1:2023 BOLA, API2:2023 Broken Authentication, API3:2023 Broken Object Property Level Authorization, API4:2023 Unrestricted Resource Consumption, API5:2023 Broken Function Level Authorization, and so on through API10:2023 Unsafe Consumption of APIs.

Unlike web app pentesting, API testing benefits enormously from schema-driven exhaustive coverage. We import your OpenAPI spec, GraphQL schema, or proto files, and generate test cases against every operation against every category — methodically rather than opportunistically. Undocumented endpoints (a common finding) get their own report section.

  • Full OWASP API Security Top 10 (2023) coverage
  • REST, GraphQL, gRPC, WebSocket — same engagement
  • OpenAPI / GraphQL schema / .proto file import for exhaustive coverage
  • Auth methodologies: JWT (incl. alg confusion), OAuth, mTLS, API keys, HMAC

Pricing & timeline

Priced by API surface, not by hours.

API pentests are scoped by endpoint count, schema complexity, and protocol mix (REST, GraphQL, gRPC, WebSocket). Pricing is fixed-fee determined after a schema review and discovery call. Most engagements complete within 2-3 weeks.

Small-to-mid API (50-200 endpoints)
$18k - $36k
Large API (200-500 endpoints)
$36k - $72k
Very large or polyglot (500+ endpoints, REST+GraphQL+gRPC)
$72k - $150k
Typical timeline
2-3 weeks
Re-tests included
One free retest within 90 days
Schema review
Free as part of scoping; non-binding

Related

Related services

Web Application Pentesting

Most apps need both — web pentest covers the UI surface.
Mobile App Pentesting

Mobile apps consume APIs; test both for full coverage.
Continuous AppSec

API tests on every release as your endpoints change.
Cloud Security Review

API gateways (Kong, Apigee, AWS API GW) reviewed end-to-end.
AI / LLM AppSec

LLM-backed APIs need prompt-injection-aware testing.
Sample Pentest Report

Preview a sanitized API pentest report.
Ready When You Are

The pentest your auditor will accept.
The findings your engineers will fix.

Continuous AppSec for SaaS, fintech, and regulated industries. Talk to a senior engineer — no SDR script, no slide deck, just a working session about your stack.

Fixed-Fee Pricing
No engineer-hour billing
Audit-Ready by Default
SOC 2, ISO, PCI, HIPAA
Engineer-Validated
Not scanner output