API Penetration Testing for REST, GraphQL & SOAP
We test your API implementations for flaws in authentication, authorization, and data handling, protecting sensitive information exchanged between systems.
What is API Penetration Testing for REST, GraphQL & SOAP?
API penetration testing is a security assessment of your REST, GraphQL, or gRPC APIs that identifies vulnerabilities in authentication, authorization (BOLA/BFLA), rate limiting, data exposure, and business logic (the attack surface that automated scanners miss).
Testing Checklist
Every engagement covers these critical security areas.
Testing Methodology
A structured, repeatable process that ensures thorough coverage and actionable results.
API Discovery & Documentation
Map all API endpoints, methods, parameters, and authentication mechanisms through documentation review and active discovery.
Authentication & Token Testing
Test OAuth flows, JWT implementation, API keys, and token lifecycle for weaknesses in issuance, validation, and revocation.
Authorization Testing (BOLA/BFLA)
Test for Broken Object Level Authorization and Broken Function Level Authorization across all endpoints and user roles.
Input Validation & Injection
Test all parameters for injection vulnerabilities, mass assignment, and data type manipulation across REST, GraphQL, and SOAP endpoints.
Rate Limiting & Abuse
Verify rate limiting implementation, resource consumption limits, and protection against automated abuse and enumeration attacks.
Reporting & Remediation
Deliver findings with API-specific remediation guidance, including code examples and security header recommendations.
Want to scope your api pentest engagement? Both founders take the discovery call.
What you get with API Pentest at each tier
| Tier | Includes | Price |
|---|---|---|
| Startup | 1 API scope, 7 calendar days, OWASP API Top 10 coverage, 6 hours founder consulting, 1 free retest. | INR 74,999 |
| Growth | 2 scopes (typically API + web), 10 calendar days, SOC 2 + ISO 27001 evidence pack, 12 hours founder consulting, 1 free retest. | INR 1,79,999 |
All prices exclude taxes. International engagements invoiced in local currency at snapshot FX.
Framework Alignment
Our methodology is aligned with industry-recognized security frameworks for thorough coverage and compliance readiness.
Compliance Coverage
Deliverables
What you walk away with at the end of every engagement.
Executive summary with API risk overview
Endpoint-level vulnerability findings
Authentication flow security assessment
Remediation guidance with code examples
API security best practices checklist
Free retest within 30 days
Frequently Asked Questions
What is API penetration testing?
API penetration testing is a security assessment of your REST, GraphQL, or gRPC APIs that identifies vulnerabilities in authentication, authorization (BOLA/BFLA), rate limiting, data exposure, and business logic (the attack surface that automated scanners miss).
Who provides API security testing across REST, GraphQL, and SOAP services?
Cybersecify provides API penetration testing across REST, GraphQL, gRPC, and SOAP API surfaces. We cover the OWASP API Security Top 10 (BOLA, broken authentication, broken object property level authorization, unrestricted resource consumption, broken function level authorization, unrestricted access to sensitive business flows, server-side request forgery, security misconfiguration, improper inventory management, unsafe consumption of APIs) and protocol-specific issues like GraphQL introspection abuse, query depth attacks, SOAP XXE, and gRPC reflection.
Do you specialize in BOLA (Broken Object Level Authorization) discovery?
Yes. BOLA is OWASP API #1 and the highest-frequency critical finding we surface on SaaS APIs. Our methodology systematically tests every endpoint that accepts an ID parameter (user IDs, resource IDs, tenant IDs) for cross-user and cross-tenant access. We log in as user A, capture a request, change the ID to user B and verify the API correctly rejects the request. We test predictable ID formats (UUIDs vs sequential integers) and indirect references (slugs, email addresses, custom identifiers).
Can you test complex GraphQL environments?
Yes. GraphQL testing covers introspection abuse (querying the schema to map the attack surface), query depth attacks (nested queries that exhaust server resources), aliasing-based rate limit bypass, field-level authorization gaps (a user authorized for a type but not all its fields), and batched query abuse. We test against schemas in production and staging, with documented or undocumented surface.
Do you cover OAuth flows, JWT, and API keys?
Yes. Authentication testing covers OAuth 2.0 flows (authorization code, client credentials, device flow, refresh token rotation), OAuth state parameter handling, JWT signature verification, JWT algorithm confusion (alg=none, RS256→HS256), JWT expiry and replay, API key rotation, key entropy, and per-endpoint authentication bypass.
How much does an API pentest cost in India?
API pentest is one scope. Cybersecify pricing: Startup Pentest INR 74,999 (single API scope, 7 calendar days, audit-acceptable report, 6 consulting hours, 1 free retest). Growth Pentest INR 1,79,999 (2 scopes typically web app + API, 10 days, SOC 2 + ISO 27001 audit prep, 12 consulting hours, 1 free retest).
How long does an API pentest take?
Single API scope: 7 calendar days from kick-off to report. Two-scope engagement (typically API + web app): 10 calendar days. The report includes findings, reproduction steps, business impact, CVSS v3.1 scoring, and remediation guidance. Retest after fixes takes 1-3 business days.
Is your API pentest audit-acceptable for SOC 2 and ISO 27001?
Yes. Reports follow PTES (Penetration Testing Execution Standard) and OWASP API Security Top 10 (2023), produce technical + executive summaries with reproduction steps, business impact, CVSS v3.1, and remediation. The Growth Pentest plan adds explicit SOC 2 Trust Services Criteria + ISO 27001 Annex A control mapping per finding. Reports have been accepted by SOC 2 Type 1, SOC 2 Type 2, and ISO 27001 auditors.
Do you test rate limiting and resource exhaustion per endpoint?
Yes. We test rate limits on every endpoint that accepts user input (login, search, file upload, expensive aggregations, GraphQL nested queries), not just the login form. We document per-endpoint throughput, identify denial-of-service candidates, and test for resource exhaustion via parameter manipulation (large pagination limits, unbounded query depth, file size, JSON nesting depth).
What is the difference between BOLA and IDOR in API pentesting?
BOLA (Broken Object Level Authorization) and IDOR (Insecure Direct Object Reference) describe the same root cause from different angles. IDOR is the older OWASP term for any reference (URL parameter, form field, hidden input) that points directly to an internal object without an authorization check. BOLA is the OWASP API Top 10 (2023) term and is API-specific. In modern API pentests we use BOLA because almost every BOLA finding is on a JSON endpoint with an object ID in the path or body. Testing is identical: enumerate every endpoint that takes an ID, log in as user A, swap to user B IDs, verify the API rejects. The fix is identical: server-side authorization check on every object lookup, never trust the ID from the client. We surface BOLA on roughly 60% of SaaS API engagements.
Do you test the JWT alg=none and algorithm confusion attacks?
Yes. JWT algorithm confusion is a high-severity API finding we test on every engagement that uses JWT for authentication or session management. Specific tests: alg=none (token forged with no signature, library accepts it), RS256 to HS256 confusion (server using public key as HMAC secret because library does not pin the algorithm), kid header injection (manipulating the key-ID claim to point at a file or SQL value the server controls), JWK header injection (embedding an attacker-controlled public key in the token), expired-token replay, and signature stripping. We use jwt_tool and manual Burp Repeater. Findings include reproduction with the exact forged token and the library-version-specific fix.
How do you test GraphQL introspection and query depth attacks?
GraphQL introspection lets a client query the schema itself (every type, field, argument, mutation). On unprotected APIs this hands the attack surface map directly to the attacker. We test whether introspection is disabled in production (it should be), whether disabling it actually works (some servers accept __schema queries even with introspection flag off), and whether the schema leaks through error messages or field suggestions. Separately we test query depth and complexity: nested queries that fan out across relationships can exhaust server memory in seconds. We submit progressively deeper queries (5, 10, 20, 50 levels), measure response time degradation, and document the resource ceiling. Fix is a depth limiter (graphql-depth-limit) plus a complexity calculator (graphql-validation-complexity) at the resolver layer.
What does API rate-limit testing actually cover in a Cybersecify pentest?
API rate-limit testing in our engagements is methodology-driven, not a single test. We cover per-IP limits (can an attacker bypass by rotating IPs from a residential proxy pool), per-user limits (can a low-rep user hit the same endpoint as a high-rep user), per-endpoint limits (login is rate-limited but search is not, attacker uses search for credential timing), bypass via header manipulation (X-Forwarded-For, X-Real-IP, alternative HTTP verbs), GraphQL alias-based bypass (querying the same field 100 times in one request as field aliases), and burst vs sustained limits (allow 100 rps for 1 sec then 5 rps after). Every API endpoint is tested, not just login. The finding includes the exact request to reproduce and a per-endpoint recommendation (token bucket vs sliding window vs leaky bucket).
Related Articles
Not ready for a full engagement yet?
Two other ways to start: free self-serve scan, or monthly retainer for ongoing support.
OpenEASD
Open source external attack surface scanner. Run it yourself against your domain. No signup, no data leaves your network.
Get the toolSecurity Retainer
10 hours founder-led consulting per month + 1 external attack surface scan + 1 Brand Protection scan monthly. Extra hours at flat INR 2,500/hour.
Start retainerReady to secure your api?
Pentest packages from INR 74,999 (~$900 / ~€830). Includes consulting hours + 1 free retest within 30 calendar days. Both founders on every engagement: Rathnakara (OSCP) leads testing, Ashok handles delivery + compliance.