Penetration Testing

API Pentest vs Web App Pentest: Which You Need

API vs web app pentest for SaaS startups, plus 5 signs your last pentest skipped the API entirely. What each covers, what to fix on the next round.

RG
Rathnakara GN
Cyber Secify
7 min read

A web app pentest targets browser-side vulnerabilities like XSS, CSRF, and session management, while an API pentest targets server-side issues like broken authorization, data exposure, and injection at the endpoint level. If your SaaS has a separate frontend and API backend, you need both because they have different attack surfaces.

You have a React frontend and a Node.js or Python API backend. Your enterprise prospect wants a pentest report. You ask a vendor for a quote and they ask: web app pentest or API pentest?

They are not the same thing. They test different attack surfaces, use different tools, and find different vulnerabilities. Here is what each covers and how to decide what your SaaS startup actually needs.

5 Signs Your Last Pentest Skipped the API

Before deciding what to scope next, look at the pentest you already have. Plenty of “web application pentest” reports we see in the wild barely touch the API. Five things to check.

1. The report does not cite the OWASP API Security Top 10. A real API pentest references the OWASP API Security Top 10 categories: BOLA, broken authentication, broken object property level authorization, unrestricted resource consumption, broken function level authorization, and so on. If your report only cites the OWASP (web) Top 10 (XSS, CSRF, injection, etc.), the API layer was not in scope.

2. The scope statement says “application” but never enumerates API endpoints. Real scope documents list either explicit endpoint groups (/api/v1/orders/*, /api/v1/users/*), API surfaces (REST, GraphQL, gRPC), or an OpenAPI/Swagger spec attached. A scope that says “test the application” and stops there is web-only by default.

3. There is no object-level authorization testing on tenant-isolated endpoints. This is the most common critical finding we see in SaaS APIs. The test pattern is: log in as user A, capture a request that returns user A’s resource, change the ID to user B’s resource, see if the API returns it. If no finding in this category exists and no negative test case is documented, the tester did not look. BOLA is the OWASP API #1 for a reason.

4. Authentication flow testing stops at “we tried to log in.” A real API pentest tests token refresh logic, JWT signature verification, session-coupled mobile auth, OAuth state parameter handling, password reset token reuse, API key rotation, and brute-force protection on every credential-accepting endpoint, not just the login form. If the auth section reads in one paragraph, the API auth was not tested.

5. There is no rate limiting or resource exhaustion testing per endpoint. A web app pentest tests the login page for rate limiting. An API pentest tests every endpoint that accepts user input: search, file upload, expensive aggregations, GraphQL nested queries. If the report does not include per-endpoint throughput numbers or DoS findings, this category was skipped.

If three or more of these are missing from your last pentest report, the API was not meaningfully tested. The next engagement should scope an API pentest explicitly.

What a Web Application Pentest Tests

A web app pentest targets the frontend, the application as a user interacts with it through a browser. The tester loads your app in a browser, clicks through workflows, and tries to break things the way an attacker would.

What gets tested:

  • Cross-Site Scripting (XSS): Can an attacker inject JavaScript into your app that runs in another user’s browser? Stored XSS in comments, profile fields, or shared content is especially dangerous in multi-tenant SaaS.
  • Cross-Site Request Forgery (CSRF): Can a malicious site trick a logged-in user into performing actions? Think changing email, adding team members, or modifying billing.
  • Session Management: How are sessions created, stored, and invalidated? Are cookies set with Secure, HttpOnly, and SameSite flags? Do sessions expire properly on logout?
  • File Upload: If your app accepts file uploads, can an attacker upload a web shell or a malicious SVG?
  • Business Logic Flaws: Can a user skip steps in a workflow, apply discount codes multiple times, or access features their plan doesn’t include?
  • Client-Side Security: Are secrets exposed in JavaScript bundles? Is sensitive data stored in localStorage?

Common findings in SaaS web apps:

  • Stored XSS in user-generated content fields
  • Missing CSRF protection on state-changing actions
  • Session tokens that survive password changes
  • Sensitive data in JavaScript source maps shipped to production
  • Client-side validation that the server doesn’t enforce

What an API Pentest Tests

An API pentest bypasses the frontend entirely. The tester hits your endpoints directly using tools like Burp Suite and custom scripts. No browser, no UI. Just raw HTTP requests against your REST, GraphQL, or gRPC endpoints.

What gets tested:

  • Broken Object-Level Authorization (BOLA/IDOR): Change /api/orders/1001 to /api/orders/1002. Does the API return another tenant’s data? This is the number one API vulnerability according to the OWASP API Security Top 10 (see also our detailed breakdown).
  • Authentication Flaws: Weak JWT implementation, tokens that don’t expire, API keys with excessive permissions, brute-forceable OTPs.
  • Broken Function-Level Authorization: Can a regular user call admin-only endpoints? The frontend hides the button, but the API endpoint still responds.
  • Rate Limiting: Can an attacker brute-force login, enumerate users, or scrape data without getting throttled?
  • Mass Assignment: Send extra fields in a PATCH request. Can a user set is_admin: true or plan: enterprise because the API binds all incoming fields?
  • Data Exposure: Does the API return more data than the frontend displays? Internal IDs, email addresses of other users, billing details.
  • GraphQL-Specific Issues: Introspection enabled in production, deeply nested queries causing denial of service, missing authorization on individual resolvers.

Common findings in SaaS APIs:

  • IDOR vulnerabilities across tenant boundaries (the most common critical finding we see)
  • API endpoints that bypass the authorization middleware
  • Verbose error messages leaking stack traces and database details
  • No rate limiting on authentication endpoints
  • GraphQL introspection enabled, exposing the entire schema to attackers

Why They Are Different Attack Surfaces

Consider a typical SaaS architecture: React frontend, REST API backend, PostgreSQL database.

When a pentester tests the web app, they interact through the browser. Every request goes through the frontend code. The React app might sanitize inputs, enforce workflows, and hide admin features.

When a pentester tests the API, none of that frontend logic exists. They send requests directly. Every endpoint is exposed. Every field is testable. Every authorization check (or missing check) is visible.

This is why a web app pentest that only tests through the browser misses API-level flaws. The frontend might correctly prevent a user from accessing another tenant’s data, but the API might return it if you just change the ID in the request.

When You Need Both

flowchart TD
    A[Your SaaS] --> B{Frontend and<br/>API separate<br/>deployments?}
    B -->|Yes| C[Need both scopes]
    B -->|No| D{Mobile app uses<br/>the same API?}
    D -->|Yes| C
    D -->|No| E{Third-party<br/>or partner systems<br/>call your API?}
    E -->|Yes| C
    E -->|No| F[One scope likely fine]
    C --> G[API first if<br/>budget-constrained]
    F --> H[Pick the higher-risk target]

You need both if:

  • Your frontend and API are separate deployments (React + Express, Next.js + Python FastAPI, etc.)
  • You have third-party integrations hitting your API directly
  • Your mobile app uses the same API
  • You are going through SOC 2 or ISO 27001 and need to demonstrate thorough testing

You might get away with one if:

  • Your app is a server-rendered monolith where the frontend and backend are tightly coupled (traditional Rails, Django, or Laravel app with no separate API)
  • You only have a public-facing API with no web frontend (API-only product)

For most modern SaaS startups building with React/Next.js and a separate API, both scopes are the right call.

How Scoping Works

Each pentest scope covers one target. A web application is one scope. An API is a separate scope.

At Cyber Secify:

Both plans include a Brand Protection Snapshot and retest after you fix the findings.

What to Do Next

If you are not sure which scoping makes sense for your architecture, talk to us. We will review your setup and recommend the right scope before you commit to anything. You can also check what each engagement covers on our web application pentest and API pentest service pages.

If you want to understand the API side deeper, read our breakdown of the OWASP API Security Top 10. It covers each vulnerability with real examples and what to test.

For a broader overview of penetration testing, start with Penetration Testing 101.

Frequently Asked Questions

How do I tell if my last pentest actually tested the API?

Five quick checks. Does the report cite the OWASP API Security Top 10 (not just the web app Top 10)? Did the scope explicitly list API endpoints, not just 'the application'? Is there testing for object-level authorization (BOLA/IDOR) across tenant boundaries? Are authentication flows tested beyond login (token refresh, signature verification, key rotation)? Is per-endpoint rate limiting tested? If three or more answers are no, the API layer was probably skipped.

Do I need both an API pentest and a web app pentest?

If your SaaS product has a frontend (React, Angular, Next.js) and a separate API backend, yes. They have different attack surfaces. The frontend has browser-specific vulnerabilities like XSS and CSRF. The API has authorization flaws, data exposure, and injection issues that only show up when testing endpoints directly.

Can one pentest cover both?

They are counted as separate scopes because the testing methodology and tools differ. At Cyber Secify, the Startup Pentest Plan (INR 74,999) covers 1 scope. The Growth Pentest Plan (INR 1,79,999) covers 2 scopes, which is typically web app plus API.

Which should I do first if I can only afford one?

Start with the API pentest. Your API handles authentication, authorization, and data access. If the API is compromised, the attacker has access to everything regardless of how secure the frontend is. The API is the higher risk target.

What is API penetration testing vs web app penetration testing?

API penetration testing targets the server-side attack surface: REST, GraphQL, gRPC, and SOAP endpoints. It focuses on authentication flows (OAuth, JWT, API keys), authorization (BOLA, BFLA), data exposure, rate limiting, injection at the endpoint level, and business logic flaws. Web app penetration testing targets the browser-side attack surface: rendered HTML, JavaScript, session management, cookies, XSS, CSRF, clickjacking, and DOM-based vulnerabilities. The two surfaces overlap in shared concerns (authentication, authorization) but the testing methodology and tooling differ. A web app pentest will not surface BOLA on API endpoints; an API pentest will not surface DOM-XSS in the frontend.

How does OWASP API Top 10 differ from OWASP Top 10?

OWASP Top 10 (most recently 2021) covers web application security broadly: broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, identification failures, software and data integrity failures, security logging failures, and SSRF. OWASP API Security Top 10 (2023 revision) covers API-specific risks: BOLA (Broken Object Level Authorization), broken authentication, broken object property level authorization, unrestricted resource consumption, broken function level authorization, unrestricted access to sensitive business flows, server-side request forgery, security misconfiguration, improper inventory management, and unsafe consumption of APIs. The API list emphasizes authorization and resource consumption issues that web app testing under-tests.

What is BOLA (Broken Object Level Authorization) and why is it the most common API finding?

BOLA is OWASP API number 1. It happens when an API endpoint authenticates the requesting user but does not verify that the user is authorized to access the specific resource being requested. Classic pattern: GET /api/v1/users/{userId} returns the requested user data without checking that the authenticated user is allowed to read that user data. Change the userId in the URL, and you read another user data. SaaS APIs frequently have BOLA on cross-tenant boundaries (User A from Tenant 1 reads User B from Tenant 2). It is the most common API finding because object-level authorization requires per-endpoint, per-action discipline that scanners cannot infer; only manual testing surfaces it.

Does an API pentest cover GraphQL and REST and SOAP and gRPC?

Yes, when scoped to the customer API surface. Cyber Secify covers REST (the most common), GraphQL (introspection abuse, query depth, aliasing), SOAP (XXE, WS-Security weaknesses, schema-level enumeration), and gRPC (reflection, message-level encryption gaps). The methodology for each protocol differs but the underlying authorization, authentication, and data-exposure concerns are tested consistently across all four.

If I have a web app with embedded API, do I need to scope both?

Yes, even when the API is hosted on the same domain as the web app. The web app and the API have different attack surfaces. Even if the API is documented as internal use only, enterprise security teams treat it as a separate component because attackers reverse-engineer the JavaScript bundle to find API endpoints regardless of how it is documented. The Growth Pentest Plan (INR 1,79,999) covers both as 2 scopes.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM the author on LinkedIn.

Share this article
API pentestweb app pentestpenetration testingAPI securityweb application securityOWASPSaaS security

Related Articles

Penetration Testing

Pentest Cost India 2026: Plans + Pricing Guide

Pentest cost in India 2026 for SaaS startups. Real pricing tiers, what drives cost, audit-acceptable plans, and ROI math vs breach cost. INR + USD.
Penetration Testing

Who Needs a CERT-In Empanelled Vendor in India

BFSI, telecom, power, govt, and CII entities need CERT-In empanelled pentest vendors in India. SaaS B2B doesn't. Decision guide with regulator citations.
Penetration Testing

When You DON'T Need CERT-In Empanelled Vendor

Most Indian SaaS startups don't need CERT-In empanelled pentest vendors. When the requirement actually applies, when it doesn't, and how to verify.

Two Ways to Start

Pick the one that fits where you are right now.

Ready to fix things

Security on Demand

INR 9,999

4 hours, founder-led. Full refund if you don't continue.

Just exploring

Free Security Snapshot

Open source. Runs on your infra via Docker.