CyberFortify API penetration testing exercises REST, GraphQL and gRPC APIs against the OWASP API Security Top 10 with manual, multi-role authorisation matrix testing. We find what scanners cannot - BOLA, broken function-level auth, mass assignment, JWT alg confusion and business-logic abuse - and document chains, not isolated bugs.
// 01 What is API penetration testing?
API penetration testing is the manual assessment of the programming interfaces a product exposes to its own clients - web, mobile, partner integrations and AI agents.
Aligned with the OWASP API Security Top 10, a separate document from the classic OWASP Top 10 because the dominant API risk classes differ.
APIs are the dominant attack surface in 2026: business logic without a UI to constrain it, no client-side feedback loop, no human user to socialise behaviour. They accept whatever you send. Pen testing them well means thinking like an attacker who has read the documentation, modelled the data, and is probing the gap between intent and implementation.
// 02 REST · GraphQL · gRPC
Three protocols dominate modern API surfaces. Each carries its own abuse primitives. CyberFortify scopes per-protocol with a tester fluent in the format.
REST & OpenAPI
JSON, JSON:API, REST + HAL, ODataThe dominant public API style. Test surface is wide and the dominant risks are authorisation-shaped - BOLA on every /{id} route, function-level auth on every privileged verb.
- BOLA / IDOR across the full route inventory
- Broken function-level authorization on admin verbs
- Mass assignment via JSON merge / patch
- JWT alg confusion, kid path traversal, alg=none
- Rate-limit & quota bypass via header / IP / token rotation
- SSRF via webhook / image-fetch / report-export endpoints
GraphQL
Apollo, Relay, Hasura, Hot ChocolateSingle endpoint, typed schema, client-driven queries - convenient for clients, novel risk shape for security. Scanners struggle here; manual analysis is mandatory.
- Introspection abuse on production schema
- Alias-based authorisation bypass
- Query depth, complexity & circular-fragment DoS
- Batched-query authorisation gaps
- Mutation chaining & soft-delete state corruption
- Resolver-level injection (SQL, NoSQL, command)
gRPC & Protobuf
gRPC-Web, Connect, TwirpBinary protocol over HTTP/2, schema-defined, low-friction service-to-service. Often deployed with weaker authorisation assumptions than public APIs.
- Server-reflection exposure & schema enumeration
- Protobuf field-tag confusion & type smuggling
- Metadata-based authentication tampering
- mTLS posture & client-cert trust scope
- Streaming-RPC authorisation drift mid-stream
- Connect / gRPC-Web cross-protocol auth bypass
// 03 OWASP API Security Top 10 - what we test against
The OWASP API Security Top 10 is the risk taxonomy for modern APIs. CyberFortify covers every class on every engagement, with depth tuned to the role matrix and data-classification severity.
BOLA
Broken object-level authorization. The number-one API risk - manipulating an ID parameter to access another user's record. Tested across every role pair.
Broken authentication
JWT alg confusion, kid traversal, weak signing keys, OAuth2 redirect-uri abuse, password reset token reuse, MFA bypass.
Broken property-level auth
Mass assignment writing protected fields, response over-fetching exposing sensitive properties not displayed in the UI.
Unrestricted resource consumption
Rate-limit bypass, query-cost amplification, file-upload size, recursive request patterns, computation-heavy endpoints with no quota.
Broken function-level auth
Privileged endpoints reachable without role check - admin verbs, deprecated routes, internal-only routes exposed in production.
Sensitive business flow abuse
Bot-driven coupon redemption, gift-card balance enumeration, signup farming, automated checkout, business-logic flows with no abuse limit.
Server-side request forgery
Webhook URLs, image-fetch endpoints, report-export, OAuth callback validation. Often chains into cloud metadata abuse.
Security misconfiguration
CORS *, debug endpoints, verbose errors, default credentials on admin tooling, missing security headers, TLS misconfig.
Improper inventory mgmt
Old API versions still live, sandbox environment exposed to internet, undocumented admin surfaces, deprecated routes with weaker auth.
Unsafe consumption of APIs
Trusting third-party API responses without validation, redirect chains, unverified webhook payloads, supply-chain trust assumptions.
// 04 Common API pen test findings
Recurring findings from real CyberFortify API engagements. Treat as a self-audit checklist.
Cross-tenant BOLA on /accounts/{id}
Authenticated user from tenant A reads or modifies records belonging to tenant B by changing the account ID. Tenant scoping enforced in UI but not in the resolver.
API1 / CWE-639JWT alg=none accepted
Server validates JWT signatures with the algorithm specified in the token header. Setting alg: none with a forged payload yields admin impersonation.
Mass assignment writes role field
POST / PATCH on user endpoint accepts arbitrary JSON fields. Sending "role":"admin" persists, granting administrative privileges to a regular user.
GraphQL alias bypass on rate limit
Single GraphQL request batches the same authentication mutation 1,000 times via aliases. Rate-limit applied per-request, not per-operation. Credential stuffing at line speed.
API4 / API2Admin endpoint reachable from user role
Privileged endpoint missing function-level authorisation check. Authenticated regular user invokes POST /admin/users/{id}/impersonate successfully.
SSRF via report-export URL
Endpoint fetches a customer-supplied URL server-side. No allow-list. Pivots to 169.254.169.254 and harvests instance role credentials.
// 05 Pen test vs API scanner & DAST
Automated API scanners catch the long tail of misconfiguration but miss the dominant risk classes. The OWASP API Top 10 is structured around exactly the categories scanners cannot detect.
// 06 Methodology
CyberFortify's seven-phase engagement, tuned for APIs. Schema-first - documentation review (OpenAPI / GraphQL SDL / .proto) is the highest-leverage pre-test activity and where many findings originate.
Pre-engagement
Rules of engagement, role / token issuance for the authorisation matrix, schema delivery (OpenAPI, SDL, .proto).
Schema firstDocumentation review
Schema scan for over-broad responses, data-classification gaps, missing scopes, undocumented endpoints flushed from JS bundles and mobile binaries.
Highest leverageThreat modelling
OWASP API Top 10 mapped to your data model and integration surface; per-role abuse cases enumerated.
API Top 10Authorisation matrix
Manual fuzzing across every role pair - the highest-yield activity on every API engagement. Custom Burp Pro extensions for matrix generation.
Multi-roleExploitation & chaining
BOLA into account takeover, mass assignment into privesc, JWT alg confusion into impersonation, SSRF into cloud STS.
PoC chainsReporting
API Top 10 + classic Top 10 references, CWE root cause, CVSS v3.1 scoring, prioritised remediation guidance.
Audit-readyFree remediation retest
Every closed finding revalidated, attestation letter issued.
Included// 07 Standards & compliance mapping
| Standard | Reference | What our test covers |
|---|---|---|
| OWASP API Security Top 10 | API1-API10 (2023) | Risk-class coverage matrix |
| OWASP Top 10 | A01, A03, A04, A05, A07, A10 | Application-layer overlap (injection, authz, SSRF) |
| OWASP ASVS 4.0.3 | V1, V4, V13 (API), V14 | Verification standard for API controls |
| PCI DSS v4.0 | Req 6.2.4, 11.4 | Cardholder data APIs |
| SOC 2 | CC6.1, CC6.6, CC7.1 | Logical access & detection evidence |
| ISO/IEC 27001:2022 | A.8.25, A.8.28, A.8.29 | Secure development & testing |
| HIPAA | 164.312(a), 164.312(e) | ePHI access via APIs |
// 08 Frequently asked questions
What is the OWASP API Security Top 10?
The OWASP API Security Top 10 (2023) is the canonical list of API-specific risk classes - API1 BOLA, API2 Broken Authentication, API3 Broken Object Property Level Authorization, API4 Unrestricted Resource Consumption, API5 Broken Function Level Authorization, API6 Unrestricted Access to Sensitive Business Flows, API7 SSRF, API8 Security Misconfiguration, API9 Improper Inventory Management, API10 Unsafe Consumption of APIs.
Do you test undocumented endpoints?
Yes. A significant portion of API findings come from endpoints not in the public OpenAPI spec - admin surfaces, internal-only routes, deprecated versions, debug endpoints. Discovery uses JS-bundle parsing, mobile binary analysis and traffic observation, and is part of every CyberFortify API engagement.
How is GraphQL pen testing different from REST?
GraphQL has its own risk shape: introspection-driven schema discovery, alias-based authorisation bypass, query-depth and complexity attacks, batched-query authorisation gaps and mutation chains. CyberFortify's GraphQL testing covers each plus the underlying resolvers and the data sources they expose.
Do you test gRPC services?
Yes. gRPC testing covers protocol-buffer message fuzzing, server-reflection exposure, metadata-based authentication, mTLS posture and streaming-RPC authorisation. Where reflection is disabled, .proto files are accepted as scope input or reverse-engineered from clients.
Do you test the underlying microservices?
On request. Where in scope, testing extends past the public API into the internal service mesh - mTLS posture, service identity, internal-only authorisation and lateral movement risk. Frequently overlaps with our cloud penetration testing service.
How long does an API pen test take?
Five to ten business days of active testing depending on endpoint count, role count for the authorisation matrix and protocol mix. Total elapsed time including scoping, reporting and the free remediation retest is typically three to five weeks.