Service A.05 · API Penetration Testing

API penetration testing aligned with the OWASP API Security Top 10.

CyberFortify's API penetration testing services uncover the authorisation, authentication and business-logic flaws that automated scanners systematically miss. We test REST, GraphQL and gRPC APIs against the OWASP API Security Top 10, validate broken object-level and function-level authorization, exploit mass-assignment, expose JWT signature confusion, and chain findings into proof-of-concept account takeovers.

Aligned with: OWASP API Security Top 10 · ASVS Engagement: 5-10 business days Protocols: REST · GraphQL · gRPC
REST
Full coverage
GraphQL
Field-level RBAC
gRPC
Reflection + bin
Free retest
Test classes: BOLA · broken auth · mass assignment · rate-limit bypass · JWT alg confusion · resource exhaustion · GraphQL field-level auth · introspection abuse · query depth attack · field aliasing abuse · gRPC reflection · metadata abuse · protobuf fuzzing Test classes: BOLA · broken auth · mass assignment · rate-limit bypass · JWT alg confusion · resource exhaustion · GraphQL field-level auth · introspection abuse · query depth attack · field aliasing abuse · gRPC reflection · metadata abuse · protobuf fuzzing
// Executive summary

CyberFortify API penetration testing exercises REST, GraphQL and gRPC APIs against the OWASP API Security Top 10 with manual, multi-role authorisation matrix testing. We find what scanners cannot - BOLA, broken function-level auth, mass assignment, JWT alg confusion and business-logic abuse - and document chains, not isolated bugs.

// 01 What is API penetration testing?

// DefinitionAPI Pen Test

API penetration testing is the manual assessment of the programming interfaces a product exposes to its own clients - web, mobile, partner integrations and AI agents.

Aligned with the OWASP API Security Top 10, a separate document from the classic OWASP Top 10 because the dominant API risk classes differ.

APIs are the dominant attack surface in 2026: business logic without a UI to constrain it, no client-side feedback loop, no human user to socialise behaviour. They accept whatever you send. Pen testing them well means thinking like an attacker who has read the documentation, modelled the data, and is probing the gap between intent and implementation.

// 02 REST · GraphQL · gRPC

Three protocols dominate modern API surfaces. Each carries its own abuse primitives. CyberFortify scopes per-protocol with a tester fluent in the format.

HTTP / JSONA.05.1

REST & OpenAPI

JSON, JSON:API, REST + HAL, OData

The dominant public API style. Test surface is wide and the dominant risks are authorisation-shaped - BOLA on every /{id} route, function-level auth on every privileged verb.

  • BOLA / IDOR across the full route inventory
  • Broken function-level authorization on admin verbs
  • Mass assignment via JSON merge / patch
  • JWT alg confusion, kid path traversal, alg=none
  • Rate-limit & quota bypass via header / IP / token rotation
  • SSRF via webhook / image-fetch / report-export endpoints
OpenAPI 3.1SwaggerOAuth 2.1OIDC
HTTP / SDLA.05.2

GraphQL

Apollo, Relay, Hasura, Hot Chocolate

Single endpoint, typed schema, client-driven queries - convenient for clients, novel risk shape for security. Scanners struggle here; manual analysis is mandatory.

  • Introspection abuse on production schema
  • Alias-based authorisation bypass
  • Query depth, complexity & circular-fragment DoS
  • Batched-query authorisation gaps
  • Mutation chaining & soft-delete state corruption
  • Resolver-level injection (SQL, NoSQL, command)
SDLApollo FederationPersisted queries
HTTP/2 / ProtoA.05.3

gRPC & Protobuf

gRPC-Web, Connect, Twirp

Binary protocol over HTTP/2, schema-defined, low-friction service-to-service. Often deployed with weaker authorisation assumptions than public APIs.

  • Server-reflection exposure & schema enumeration
  • Protobuf field-tag confusion & type smuggling
  • Metadata-based authentication tampering
  • mTLS posture & client-cert trust scope
  • Streaming-RPC authorisation drift mid-stream
  • Connect / gRPC-Web cross-protocol auth bypass
protocReflectionmTLSBuf

// 03 OWASP API Security Top 10 - what we test against

The OWASP API Security Top 10 is the risk taxonomy for modern APIs. CyberFortify covers every class on every engagement, with depth tuned to the role matrix and data-classification severity.

API1 · 2023

BOLA

Broken object-level authorization. The number-one API risk - manipulating an ID parameter to access another user's record. Tested across every role pair.

API2 · 2023

Broken authentication

JWT alg confusion, kid traversal, weak signing keys, OAuth2 redirect-uri abuse, password reset token reuse, MFA bypass.

API3 · 2023

Broken property-level auth

Mass assignment writing protected fields, response over-fetching exposing sensitive properties not displayed in the UI.

API4 · 2023

Unrestricted resource consumption

Rate-limit bypass, query-cost amplification, file-upload size, recursive request patterns, computation-heavy endpoints with no quota.

API5 · 2023

Broken function-level auth

Privileged endpoints reachable without role check - admin verbs, deprecated routes, internal-only routes exposed in production.

API6 · 2023

Sensitive business flow abuse

Bot-driven coupon redemption, gift-card balance enumeration, signup farming, automated checkout, business-logic flows with no abuse limit.

API7 · 2023

Server-side request forgery

Webhook URLs, image-fetch endpoints, report-export, OAuth callback validation. Often chains into cloud metadata abuse.

API8 · 2023

Security misconfiguration

CORS *, debug endpoints, verbose errors, default credentials on admin tooling, missing security headers, TLS misconfig.

API9 · 2023

Improper inventory mgmt

Old API versions still live, sandbox environment exposed to internet, undocumented admin surfaces, deprecated routes with weaker auth.

API10 · 2023

Unsafe consumption of APIs

Trusting third-party API responses without validation, redirect chains, unverified webhook payloads, supply-chain trust assumptions.

// 04 Common API pen test findings

Recurring findings from real CyberFortify API engagements. Treat as a self-audit checklist.

CriticalF.A01

Cross-tenant BOLA on /accounts/{id}

Authenticated user from tenant A reads or modifies records belonging to tenant B by changing the account ID. Tenant scoping enforced in UI but not in the resolver.

API1 / CWE-639
CriticalF.A02

JWT alg=none accepted

Server validates JWT signatures with the algorithm specified in the token header. Setting alg: none with a forged payload yields admin impersonation.

API2 / CWE-347
HighF.A03

Mass assignment writes role field

POST / PATCH on user endpoint accepts arbitrary JSON fields. Sending "role":"admin" persists, granting administrative privileges to a regular user.

API3 / CWE-915
HighF.A04

GraphQL alias bypass on rate limit

Single GraphQL request batches the same authentication mutation 1,000 times via aliases. Rate-limit applied per-request, not per-operation. Credential stuffing at line speed.

API4 / API2
HighF.A05

Admin endpoint reachable from user role

Privileged endpoint missing function-level authorisation check. Authenticated regular user invokes POST /admin/users/{id}/impersonate successfully.

API5 / CWE-285
MediumF.A06

SSRF via report-export URL

Endpoint fetches a customer-supplied URL server-side. No allow-list. Pivots to 169.254.169.254 and harvests instance role credentials.

API7 / CWE-918

// 05 Pen test vs API scanner & DAST

Automated API scanners catch the long tail of misconfiguration but miss the dominant risk classes. The OWASP API Top 10 is structured around exactly the categories scanners cannot detect.

Capability
API pen test
API scanner / DAST
SAST
BOLA across roles
Multi-role manual
Cannot model
No
Function-level auth
Yes
Partial
No
Mass assignment
Yes
Field-fuzz only
Code patterns
Business-logic abuse
Yes
No
No
GraphQL alias bypass
Yes
No
No
Misconfig & CVE detection
Manual + scanner
Continuous
Source-level
Audit evidence
SOC 2 / ISO / PCI
Limited
Limited

// 06 Methodology

CyberFortify's seven-phase engagement, tuned for APIs. Schema-first - documentation review (OpenAPI / GraphQL SDL / .proto) is the highest-leverage pre-test activity and where many findings originate.

01

Pre-engagement

Rules of engagement, role / token issuance for the authorisation matrix, schema delivery (OpenAPI, SDL, .proto).

Schema first
02

Documentation review

Schema scan for over-broad responses, data-classification gaps, missing scopes, undocumented endpoints flushed from JS bundles and mobile binaries.

Highest leverage
03

Threat modelling

OWASP API Top 10 mapped to your data model and integration surface; per-role abuse cases enumerated.

API Top 10
04

Authorisation matrix

Manual fuzzing across every role pair - the highest-yield activity on every API engagement. Custom Burp Pro extensions for matrix generation.

Multi-role
05

Exploitation & chaining

BOLA into account takeover, mass assignment into privesc, JWT alg confusion into impersonation, SSRF into cloud STS.

PoC chains
06

Reporting

API Top 10 + classic Top 10 references, CWE root cause, CVSS v3.1 scoring, prioritised remediation guidance.

Audit-ready
07

Free remediation retest

Every closed finding revalidated, attestation letter issued.

Included

// 07 Standards & compliance mapping

StandardReferenceWhat our test covers
OWASP API Security Top 10API1-API10 (2023)Risk-class coverage matrix
OWASP Top 10A01, A03, A04, A05, A07, A10Application-layer overlap (injection, authz, SSRF)
OWASP ASVS 4.0.3V1, V4, V13 (API), V14Verification standard for API controls
PCI DSS v4.0Req 6.2.4, 11.4Cardholder data APIs
SOC 2CC6.1, CC6.6, CC7.1Logical access & detection evidence
ISO/IEC 27001:2022A.8.25, A.8.28, A.8.29Secure development & testing
HIPAA164.312(a), 164.312(e)ePHI access via APIs

// 08 Frequently asked questions

What is the OWASP API Security Top 10?

The OWASP API Security Top 10 (2023) is the canonical list of API-specific risk classes - API1 BOLA, API2 Broken Authentication, API3 Broken Object Property Level Authorization, API4 Unrestricted Resource Consumption, API5 Broken Function Level Authorization, API6 Unrestricted Access to Sensitive Business Flows, API7 SSRF, API8 Security Misconfiguration, API9 Improper Inventory Management, API10 Unsafe Consumption of APIs.

Do you test undocumented endpoints?

Yes. A significant portion of API findings come from endpoints not in the public OpenAPI spec - admin surfaces, internal-only routes, deprecated versions, debug endpoints. Discovery uses JS-bundle parsing, mobile binary analysis and traffic observation, and is part of every CyberFortify API engagement.

How is GraphQL pen testing different from REST?

GraphQL has its own risk shape: introspection-driven schema discovery, alias-based authorisation bypass, query-depth and complexity attacks, batched-query authorisation gaps and mutation chains. CyberFortify's GraphQL testing covers each plus the underlying resolvers and the data sources they expose.

Do you test gRPC services?

Yes. gRPC testing covers protocol-buffer message fuzzing, server-reflection exposure, metadata-based authentication, mTLS posture and streaming-RPC authorisation. Where reflection is disabled, .proto files are accepted as scope input or reverse-engineered from clients.

Do you test the underlying microservices?

On request. Where in scope, testing extends past the public API into the internal service mesh - mTLS posture, service identity, internal-only authorisation and lateral movement risk. Frequently overlaps with our cloud penetration testing service.

How long does an API pen test take?

Five to ten business days of active testing depending on endpoint count, role count for the authorisation matrix and protocol mix. Total elapsed time including scoping, reporting and the free remediation retest is typically three to five weeks.

Ready for an API penetration test?

Schedule a free 30-minute scoping call. CyberFortify will review your OpenAPI / GraphQL schema and quote a fixed-price engagement - usually within 48 hours.

Schedule scoping call → Back to CyberFortify home →