Precursor Security
REST · GraphQL · SOAP

API Penetration Testing

APIs are where your business logic and customer data live, and where the most critical vulnerabilities hide. We deliver CREST-accredited API security testing across REST, GraphQL, and SOAP, targeting the authorisation flaws, logic errors, and token vulnerabilities that automated scanners cannot detect. OWASP API Security Top 10 mapped. Results delivered as we find them. Final report within days after test completion.

CREST Accredited
OWASP API Top 10
BOLA / IDOR Testing
GraphQL & SOAP Coverage
UK-Based Engineers
Methodology

API Penetration Testing Methodology

Focused on the OWASP API Security Top 10 (2023), our API security testing methodology targets the logic, authorisation, and protocol-specific flaws unique to API architectures. Every engagement covers all ten OWASP categories, from BOLA (API1) and Broken Authentication (API2) through to Server Side Request Forgery (API7) and Unsafe Consumption of APIs (API10). Findings are mapped to OWASP categories in the final report.

Access Control

Authorisation Testing (BOLA/IDOR)

The most common and critical API vulnerability. We rigorously test for Broken Object Level Authorisation (BOLA) to ensure users cannot access or modify resources belonging to others by simply changing an ID. Every endpoint is probed for horizontal and vertical privilege escalation across multi-tenant object hierarchies.

Logic Flaws

Mass Assignment & Logic Flaws

Testing for mass assignment vulnerabilities where internal object properties (e.g., 'isAdmin': true, 'balance': 1000) can be overwritten by external input. We also validate business logic constraints across complex multi-step workflows, targeting the flaws that automated DAST scanners cannot model.
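The two checks described in the authorisation and mass-assignment sections above, as an added example that is not Precursor's code: a minimal in-memory `PATCH /invoices/{id}` handler in a vulnerable form (lookup by ID only, whole JSON body merged onto the object) and a hardened form (lookup scoped to the caller's tenant and owner, writable fields allow-listed), with the differential tests a tester runs against each. The users, tenants, invoice records, the `tok-*` tokens and the field names are all constructed for the demo.

```python
# Added example (not Precursor's code): a minimal in-memory "invoices" API
# handler in two versions, a vulnerable one and a hardened one, plus the two
# differential checks a tester runs for BOLA (API1) and mass assignment (API3).
# All users, tenants, invoices and field names below are constructed for the demo.
from copy import deepcopy

# Constructed data: two tenants, one invoice each. "balance", "tenant" and
# "owner" are internal properties that no client should be able to set.
USERS = {
    "tok-alice": {"id": 1, "tenant": "acme", "isAdmin": False},
    "tok-mallory": {"id": 2, "tenant": "globex", "isAdmin": False},
}
INVOICES = {
    101: {"id": 101, "tenant": "acme", "owner": 1, "note": "Q1", "balance": 500},
    202: {"id": 202, "tenant": "globex", "owner": 2, "note": "Q1", "balance": 900},
}
CLIENT_WRITABLE = {"note"}  # the only field the API is meant to let clients change


class Forbidden(Exception):
    pass


def patch_invoice_vulnerable(db, token, invoice_id, body):
    """Looks up by ID only (BOLA) and merges the whole body (mass assignment)."""
    _ = USERS[token]          # authenticated, but never checks who owns the object
    inv = db[invoice_id]
    inv.update(body)          # any key in the JSON body lands on the internal object
    return inv


def patch_invoice_hardened(db, token, invoice_id, body):
    """Scopes the lookup to the caller and allow-lists the writable fields."""
    user = USERS[token]
    inv = db.get(invoice_id)
    # Object-level authorisation: the object must belong to the caller's tenant
    # and to the caller. Missing and foreign objects get the same response so the
    # ID space cannot be enumerated through 403-versus-404 differences.
    if inv is None or inv["tenant"] != user["tenant"] or inv["owner"] != user["id"]:
        raise Forbidden("not found")
    # Property-level authorisation: refuse any key that is not explicitly writable.
    unknown = set(body) - CLIENT_WRITABLE
    if unknown:
        raise Forbidden(f"read-only fields in body: {sorted(unknown)}")
    inv.update({k: body[k] for k in CLIENT_WRITABLE if k in body})
    return inv


def bola_check(handler) -> bool:
    """Horizontal BOLA: Mallory (tenant globex) tries to edit Alice's invoice 101.
    Returns True if the foreign object was modified, i.e. the handler is vulnerable."""
    db = deepcopy(INVOICES)
    try:
        handler(db, "tok-mallory", 101, {"note": "pwned"})
    except Forbidden:
        pass
    return db[101]["note"] == "pwned"


def mass_assignment_check(handler) -> bool:
    """Alice sends her own invoice ID but smuggles an internal field. Returns True
    if 'balance' changed, i.e. the handler binds client input to internal properties."""
    db = deepcopy(INVOICES)
    try:
        handler(db, "tok-alice", 101, {"note": "ok", "balance": 0})
    except Forbidden:
        pass
    return db[101]["balance"] != INVOICES[101]["balance"]


if __name__ == "__main__":
    for name, handler in [("vulnerable", patch_invoice_vulnerable),
                          ("hardened", patch_invoice_hardened)]:
        print(f"{name}: BOLA={bola_check(handler)} "
              f"mass_assignment={mass_assignment_check(handler)}")
```

Both checks are differential: the same request is sent with the tester's second account (or with an extra field) and the outcome is read from the object's state afterwards rather than from the status code alone, because an API that returns 200 and silently ignores the write and one that returns 200 and applies it look identical on the wire.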

Token Security

Authentication & Token Security

Assessing authentication mechanisms including JWTs, OAuth 2.0, and API keys. We test for weak signing secrets, token leakage, algorithm confusion attacks (unsigned 'alg: none' tokens, and RS256 tokens re-signed with HS256 using the server's public key as the HMAC secret), missing expiration, and bypassable authentication checks.

Input Validation

Injection & Input Validation

Testing for SQL injection, NoSQL injection, command injection, and XML External Entity (XXE) attacks. APIs often process structured data directly, making them susceptible to injection if input validation is weak.
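The SQL injection case from the paragraph above, as an added example that is not Precursor's code, run against an in-memory SQLite table so it executes offline: a lookup that splices the client-supplied value into the query next to one that binds it as a parameter and rejects non-string JSON input before it reaches the database. The table, its rows and the two payloads are constructed for the demo.

```python
# Added example (not Precursor's code): string-built SQL beside a parameterised
# query, exercised with a tautology and a UNION payload. Data is constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "ak-alice"),
        (2, "bob@example.com", "ak-bob"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email) -> list:
    """Client input spliced straight into SQL: quotes in the value become syntax."""
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email) -> list:
    """Bound parameter: the driver passes the value as data, never as SQL text."""
    if not isinstance(email, str):          # JSON lets a client send {"email": {...}}
        raise TypeError("email must be a string")
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


# Constructed payloads: a tautology that matches every row, and a UNION that
# pulls the api_key column into a response field meant to show e-mail addresses.
TAUTOLOGY = "x' OR '1'='1"
UNION_EXFIL = "x' UNION SELECT id, api_key FROM users--"


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, TAUTOLOGY))        # both rows
    print(lookup_vulnerable(conn, UNION_EXFIL))      # api keys in the email column
    print(lookup_parameterised(conn, TAUTOLOGY))     # []
```

The type check matters for APIs specifically: a form field can only ever be a string, but a JSON body can carry an object or an array in the same position, which is the same mechanism NoSQL operator injection relies on.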

Rate Limiting

Rate Limiting & Resource Consumption

Verifying that appropriate rate limiting is in place to prevent brute force attacks, denial of service (DoS), and automated scraping of sensitive data. Mapped to OWASP API4:2023 Unrestricted Resource Consumption.

Protocol-Specific

GraphQL, SOAP & Protocol-Specific Testing

Protocol-aware testing beyond generic API checks. GraphQL: introspection data exposure, nested query denial of service, batched mutation attacks, and field-level authorisation bypass. SOAP: WSDL enumeration, injection via SOAP envelope, and XXE attacks. REST: HTTP verb tampering, parameter pollution, and shadow API discovery.
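The GraphQL limits that the nested-query and batched-mutation tests above probe, as an added example that is not Precursor's code: a gate that runs before query execution and rejects requests that exceed a selection-set depth limit, exceed a batch size, or use introspection when it is switched off. The thresholds and sample queries are constructed for the demo, and the depth counter is a brace scanner, not a GraphQL parser.

```python
# Added example (not Precursor's code): pre-execution checks for GraphQL
# request bodies. Limits and sample queries are constructed for the demo.
import json
import re

INTROSPECTION = re.compile(r"\b__(schema|type)\b")


def query_depth(query: str) -> int:
    """Deepest selection-set nesting, counting braces outside string literals."""
    depth = deepest = 0
    in_string = False
    i = 0
    while i < len(query):
        c = query[i]
        if in_string:
            if c == "\\":
                i += 1                  # skip the escaped character
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif c == "}":
            depth -= 1
        i += 1
    return deepest


def check_graphql_request(raw_body: str, max_depth: int = 6, max_batch: int = 5,
                          allow_introspection: bool = False) -> tuple[bool, str]:
    """Returns (accepted, reason). A JSON array body is a batched request."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return False, "body is not JSON"
    operations = body if isinstance(body, list) else [body]
    if len(operations) > max_batch:
        return False, f"batch of {len(operations)} operations exceeds {max_batch}"
    for n, op in enumerate(operations):
        query = op.get("query", "") if isinstance(op, dict) else ""
        if not query:
            return False, f"operation {n} has no query"
        if not allow_introspection and INTROSPECTION.search(query):
            return False, f"operation {n} uses introspection"
        depth = query_depth(query)
        if depth > max_depth:
            return False, f"operation {n} nests {depth} levels, limit {max_depth}"
    return True, "ok"


def deep_query(levels: int) -> str:
    """Constructed attacker query: viewer -> friends -> friends -> ... -> id."""
    return "{ viewer " + "{ friends " * levels + "{ id }" + " }" * levels + " }"


if __name__ == "__main__":
    print(check_graphql_request('{"query": "{ me { id } }"}'))
    print(check_graphql_request(json.dumps({"query": deep_query(10)})))
    login = {"query": 'mutation { login(u: "a", p: "b") { ok } }'}
    print(check_graphql_request(json.dumps([login] * 50)))
    print(check_graphql_request('{"query": "{ __schema { types { name } } }"}'))
```

A batch count alone is not enough: aliases let one operation carry many copies of the same field (`{ a: login(...) b: login(...) }`), which is why a tester tries alias batching as well as array batching, and why production servers add per-field cost limits on top of depth and batch caps.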

Coverage

OWASP API Security Top 10 Coverage

Every engagement tests against all ten OWASP API Security Top 10 (2023) categories. Every finding in the report is tagged to its corresponding category for audit evidence.

API1:2023

Broken Object Level Authorisation

BOLA testing across every endpoint, including multi-tenant object hierarchies.

API2:2023

Broken Authentication

JWT algorithm confusion, token leakage, OAuth 2.0 bypass, and session fixation.

API3:2023

Broken Object Property Level Authorisation

Mass assignment attacks and excessive data exposure in API responses.

API4:2023

Unrestricted Resource Consumption

Rate limiting bypass, payload flooding, and nested query denial of service.

API5:2023

Broken Function Level Authorisation

Admin endpoint discovery, HTTP verb tampering, and privilege escalation.

API6:2023

Unrestricted Access to Sensitive Business Flows

Multi-step logic abuse, account takeover flows, and automated process exploitation.

API7:2023

Server Side Request Forgery

SSRF via URL parameters, webhook targets, and import functionality.

API8:2023

Security Misconfiguration

CORS misconfiguration, verbose error messages, and insecure default settings.

API9:2023

Improper Inventory Management

Shadow API discovery, deprecated endpoint enumeration, and version confusion.

API10:2023

Unsafe Consumption of APIs

Third-party API trust abuse and downstream data injection.

Protocol Coverage

REST, GraphQL & SOAP

Each protocol has its own attack surface. Our testers apply protocol-specific sequences, not generic API checks.

REST
  • Endpoint enumeration
  • HTTP verb tampering
  • Parameter pollution
  • Shadow API discovery
  • CORS misconfiguration
GraphQL
  • Introspection exposure
  • Nested query DoS
  • Batched mutation attacks
  • Field-level authz bypass
  • Schema enumeration
SOAP
  • WSDL enumeration
  • Injection via SOAP envelope
  • WS-Security bypass
  • XML External Entity (XXE)
  • SOAPAction spoofing
What Scanners Miss

Automated tools find the obvious.

DAST scanners and automated security tools cannot understand business context, session state, or multi-user object relationships. These are the vulnerability classes that require a human analyst.

  • BOLA across multi-tenant object hierarchies
  • Multi-step business logic flaws
  • Horizontal privilege escalation across accounts
  • Mass assignment in nested JSON payloads
  • JWT algorithm confusion attacks
  • SOAP body injection and WS-Security bypass
Engagement Pipeline

Engagement Workflow

Structured to minimise operational friction and maximise the value of the testing window.

Step 01

Scoping & Documentation

We review your API documentation (Swagger/OpenAPI, Postman collections) to understand the endpoints and data models. Most API assessments cover 20-100 endpoints across 3-5 days of testing. Provide your OpenAPI specification or Postman collection and we scope precisely within 24 hours.

Step 02

Discovery & Fuzzing

Enumerating all REST API endpoints, GraphQL schema fields, and SOAP operations, including undocumented or shadow APIs not present in the provided specification. We combine automated fuzzing with manual analysis to identify error handling weaknesses and unexpected data exposure before manual logic testing begins.

Step 03

Manual Logic Testing

The core of the assessment. Our analysts manually probe every authorisation boundary, testing for BOLA across multi-tenant object hierarchies, horizontal and vertical privilege escalation, mass assignment in nested payloads, and multi-step business logic manipulation. These are precisely the vulnerability classes that automated DAST scanners cannot reliably detect.

Step 04

Detailed Reporting & Debrief

A structured technical report with each finding given a CVSS-based severity rating, reproduction steps and cURL commands. All findings are mapped to the OWASP API Security Top 10 (2023) categories and include prioritised remediation guidance. An executive summary is provided for non-technical stakeholders. A debrief call is included.

After Testing

Close the Loop. After the Test.

Your API security report identifies what is exploitable today. We feed those exact findings into our 24/7 Managed SOC and EdgeProtect attack surface management, building custom detection rules for your API surface and continuously monitoring your external perimeter for new exposures between annual tests.

Explore Defensive Services
Service Catalogue

Full Penetration Testing Catalogue

Comprehensive penetration testing services tailored to your environment.

Ready to Secure

The best time to test your defences is now.

Join the high-growth companies relying on Precursor for continuous offensive and defensive security.

CREST Triple Accredited · Fixed Price Quotes · Free Scoping Call · UK Based Team

Frequently Asked Questions

Common questions about this service, methodologies, and deliverables.

API penetration testing is a security assessment specifically focused on Application Programming Interfaces (REST, GraphQL, SOAP), also referred to as an API security assessment. Unlike web app testing which includes the UI, API testing interacts directly with the backend logic. It focuses on authorisation flaws (BOLA), data exposure, and logic vulnerabilities that allow attackers to access data without using the frontend application.

Yes. Every API penetration testing report includes findings tagged to the relevant OWASP API Security Top 10 (2023) category, from API1:2023 Broken Object Level Authorisation through to API10:2023 Unsafe Consumption of APIs. This structure is designed to satisfy internal audit evidence requirements, client compliance questionnaires, and external certification assessments such as ISO 27001 and SOC 2.

Cost depends on the number of endpoints, authentication complexity, and environment type (external-facing product API, internal microservices, or a combination). Most engagements covering 20-100 endpoints are scoped across 3-5 days of testing. We provide a fixed-price quote within 24 hours of receiving your API specification or Postman collection. Contact us to discuss scope and we will respond the same working day.

Most API security assessments take 3-5 days of testing plus 1-2 days for report production. A final debrief call is included. Timelines vary with endpoint count and complexity. For urgent assessments ahead of product releases or compliance deadlines, we can discuss accelerated scheduling.

Yes. GraphQL APIs present unique security challenges including introspection data exposure, deep nesting denial of service, batched mutation attacks, and field-level authorisation bypass. Our methodology includes dedicated GraphQL-specific test cases alongside standard API security testing across REST and SOAP.

BOLA (Broken Object Level Authorisation) is the number one vulnerability in the OWASP API Security Top 10. It occurs when an API allows an authenticated user to access resources (such as invoices, messages, or profiles) belonging to other users simply by changing the ID in the request. We rigorously test every endpoint for BOLA across single and multi-tenant architectures.

Providing documentation (Swagger, OpenAPI, or Postman collections) allows for a much more comprehensive documentation-assisted (grey-box) test, ensuring full coverage of all endpoints. Without documentation (black-box), we can still test, but coverage may be limited to endpoints discovered through frontend analysis and active enumeration.

Yes. We can test internal microservices via VPN access or a testing appliance. Securing internal APIs is critical because if an attacker breaches the perimeter, lateral movement often relies on exploiting unprotected internal service-to-service communication.

A web app pen test focuses on the application as a whole, including browser-side security and the UI. An API pen test ignores the UI and focuses purely on data exchange and backend logic. For modern applications (single-page apps, mobile), API testing is often where the most critical vulnerabilities are found.