API Security

API Security Testing for Modern Applications

Your API is your attack surface. Every endpoint is a door. We test whether any of them are unlocked.

Sherlock Forensics provides API penetration testing covering REST, GraphQL and gRPC endpoints. Full OWASP API Top 10 validation including BOLA, BFLA, broken authentication and injection. OAuth, JWT and API key testing. Over 20 years of certified security experience. Contact 604.229.1994.

APIs now carry more traffic than traditional web pages. They handle authentication, process payments, transfer sensitive data and connect your application to third-party services. A single misconfigured endpoint can expose your entire database. API security testing is not a subset of web application testing. It is its own discipline with its own methodology, its own vulnerability classes and its own tooling.

Order an API Security Assessment Scope Your Assessment

Methodology

How API Pentests Differ from Web App Pentests

No UI to Guide Testing

Web application testers follow the user interface. API testers work directly with HTTP requests, reading documentation (or discovering undocumented endpoints) and crafting payloads that the frontend would never send. The most dangerous API vulnerabilities exist in logic that no browser ever invokes. A web app pentest that only tests what the UI exposes misses the majority of the API attack surface.

Authorization Is the Primary Risk

In web applications, the server often controls what data the user sees through rendered pages. In APIs, the client requests specific resources by ID. If the server does not verify that the requesting user owns that resource, any authenticated user can access any other user's data. This class of vulnerability (BOLA) is the number one item on the OWASP API Security Top 10 and is almost never caught by automated scanners.

Multiple Protocols and Formats

Web apps typically use HTML over HTTP. APIs use REST with JSON, GraphQL with its own query language, gRPC with Protocol Buffers, SOAP with XML and sometimes custom binary formats. Each protocol has distinct attack vectors. GraphQL introspection exposes your entire schema. gRPC reflection reveals service definitions. Testing requires protocol-specific tooling and knowledge.

Coverage

OWASP API Security Top 10 Testing

Every API security assessment from Sherlock Forensics covers the full OWASP API Security Top 10. These are the vulnerability categories that appear most frequently in real-world API breaches.

Category What We Test
API1 - BOLA Object-level authorization on every endpoint. We manipulate resource IDs to verify access controls enforce ownership.
API2 - Broken Authentication Token validation, credential stuffing protection, password reset flows, OAuth implementation and session management.
API3 - Object Property Authorization Mass assignment testing. We send additional properties in requests to check if the server accepts fields users should not control.
API4 - Resource Consumption Rate limiting validation, pagination abuse, file upload size limits and query complexity restrictions.
API5 - BFLA Function-level authorization. We test whether lower-privilege users can invoke admin-only API functions.
API6 - Sensitive Business Flows Abuse of business logic through API automation: bulk purchases, referral fraud, data scraping and workflow manipulation.
API7 - SSRF Server-side request forgery through URL parameters, webhook configurations and file import features.
API8 - Security Misconfiguration CORS policy, HTTP headers, error messages exposing internals, unnecessary HTTP methods and default credentials.
API9 - Improper Inventory Discovery of undocumented endpoints, deprecated API versions still active and shadow APIs that bypass security controls.
API10 - Unsafe Consumption Risks from third-party API integrations: insufficient validation of external data, trust assumptions and supply chain risks.

Scope

API Testing Coverage by Protocol

01 - REST

REST API Testing

Endpoint enumeration across all HTTP methods. Authentication and authorization testing on every route. Input validation for all parameters including path, query, header and body. Response analysis for data leakage. We test pagination, filtering and sorting parameters for injection and information disclosure. Versioned APIs are tested across all active versions to identify security regressions in older implementations.

02 - GraphQL

GraphQL Security Testing

Introspection query analysis to map the full schema. Query depth and complexity attacks to test for denial of service. Batching and aliasing abuse to bypass rate limiting. Field-level authorization testing to verify that users cannot query fields they should not access. Mutation authorization testing. Subscription security validation. GraphQL-specific injection vectors that differ from REST attack patterns.

03 - gRPC

gRPC Security Testing

Server reflection analysis to discover service definitions. Protocol Buffer message manipulation to test input validation. TLS configuration and certificate validation. Authentication metadata testing. Stream handling security for both unary and streaming RPCs. gRPC-web proxy configuration review. Deadline and timeout abuse testing.

04 - Auth

Authentication and Authorization

OAuth 2.0 flow testing across authorization code, client credentials, PKCE and implicit grants. JWT validation including signature verification, algorithm confusion attacks, claim manipulation and token expiry enforcement. API key security including transmission, storage and rotation practices. Bearer token scope validation. We verify that every endpoint enforces authentication and that privilege boundaries hold under manipulation.

05 - Rate

Rate Limiting and Abuse Prevention

Rate limit testing across all endpoints with different authentication contexts. Bypass testing through header manipulation, IP rotation simulation and request parameter variation. Cost analysis for resource-intensive endpoints. Pagination abuse testing. Bulk operation limits. We identify endpoints where absence of rate limiting enables data scraping, credential stuffing or denial of service.

06 - Inject

Injection Testing

SQL injection through all input vectors including JSON body parameters, path parameters and query strings. NoSQL injection for MongoDB and similar datastores. Command injection through parameters that interact with system processes. LDAP injection, XPath injection and template injection where applicable. We test every parameter that reaches a backend interpreter.

Authorization Flaws

BOLA and BFLA: The Vulnerabilities Scanners Miss

Broken Object Level Authorization (BOLA)
BOLA is the most common API vulnerability and the hardest to detect automatically. It occurs when an API accepts a resource identifier from the client (a user ID, order ID or document ID) without verifying that the authenticated user has permission to access that specific resource. The fix is straightforward: check ownership on every request. The challenge is applying that check consistently across hundreds of endpoints. We test every endpoint that accepts an object identifier.
Broken Function Level Authorization (BFLA)
BFLA occurs when a regular user can invoke administrative API functions. The frontend may hide admin buttons from regular users, but the API endpoints still exist and respond to requests. We test whether standard user tokens can access admin routes, whether changing HTTP methods (GET to DELETE, PUT to PATCH) bypasses restrictions and whether role escalation is possible through parameter manipulation.
Why Automated Scanners Fail
Automated API scanners test for known vulnerability signatures: SQL injection patterns, XSS payloads, missing headers. BOLA and BFLA are not signature-based. They require understanding of the application's business logic, user roles and data ownership model. A scanner cannot determine whether User A should be able to access Order #12345. A human tester with two authenticated sessions and an understanding of the authorization model can. This is why manual API testing finds what scanners cannot.

References

Standards and Resources

OWASP API Security Project

The industry standard for API vulnerability classification. Our testing methodology maps directly to the OWASP API Security Top 10 categories.

NIST SP 800-95

Guide to Secure Web Services from the National Institute of Standards and Technology. Covers security considerations for web services and APIs.

CISA Best Practices

Cybersecurity and Infrastructure Security Agency guidance on securing APIs and web services in critical infrastructure.

Frequently Asked Questions

API Security Testing FAQs

What is the difference between an API pentest and a web application pentest?
A web application pentest tests the full user-facing application including the browser UI and client-side logic. An API pentest focuses on the programmatic interface: endpoint enumeration, authentication mechanisms, authorization logic, input validation, rate limiting and business logic flaws. Many API vulnerabilities are invisible from the browser because they require crafted requests that the UI never generates.
What does the OWASP API Security Top 10 cover?
BOLA, Broken Authentication, Object Property Authorization, Resource Consumption, BFLA, Sensitive Business Flows, SSRF, Security Misconfiguration, Improper Inventory Management and Unsafe Consumption of APIs. We test all ten categories in every API security assessment.
Can you test GraphQL APIs?
Yes. GraphQL introduces specific attack surfaces including introspection disclosure, query depth attacks, batching abuse, field-level authorization bypass and alias-based rate limit evasion. GraphQL APIs require specialized tooling and methodology that differs from REST testing.
How do you test API authentication security?
We test OAuth 2.0 flows, JWT token validation (signature verification, algorithm confusion, claim manipulation), API key security, bearer token scope and session management. We verify that authentication is enforced consistently across all endpoints including undocumented and deprecated routes.
What is BOLA and why is it the number one API vulnerability?
BOLA (Broken Object Level Authorization) occurs when an API accepts an object identifier without verifying the requesting user has permission to access that resource. An attacker changes a resource ID and accesses another user's data. It is common, easy to exploit and nearly impossible for automated scanners to detect. Manual testing is the only reliable way to find BOLA flaws.

FAQ

Frequently Asked Questions

What is the difference between an API pentest and a web application pentest?
A web application pentest tests the full user-facing application including the browser UI and client-side logic. An API pentest focuses on the programmatic interface: endpoint enumeration, authentication mechanisms, authorization logic, input validation, rate limiting and business logic flaws. Many API vulnerabilities are invisible from the browser because they require crafted requests the UI never generates.
What does the OWASP API Security Top 10 cover?
The OWASP API Security Top 10 covers Broken Object Level Authorization (BOLA), Broken Authentication, Object Property Authorization, Resource Consumption, Broken Function Level Authorization (BFLA), Sensitive Business Flows, Server Side Request Forgery, Security Misconfiguration, Improper Inventory Management and Unsafe Consumption of APIs. We test all ten categories in every assessment.
Can Sherlock Forensics test GraphQL APIs?
Yes. GraphQL introduces specific attack surfaces including introspection disclosure, query depth attacks, batching abuse, field-level authorization bypass and alias-based rate limit evasion. GraphQL APIs require specialized tooling and methodology that differs from REST testing.
What is BOLA and why is it the number one API vulnerability?
BOLA (Broken Object Level Authorization) occurs when an API accepts an object identifier without verifying the requesting user has permission to access that resource. An attacker changes a resource ID and accesses another user's data. It is common, easy to exploit and nearly impossible for automated scanners to detect reliably.
How do you test API authentication and OAuth security?
We test OAuth 2.0 flows across authorization code, client credentials and PKCE grants. JWT validation includes signature verification, algorithm confusion attacks, claim manipulation and token expiry enforcement. We verify that authentication is enforced consistently across all endpoints including undocumented and deprecated routes.

Related

Penetration Testing

Our full penetration testing methodology covering web applications, APIs, infrastructure and mobile platforms.

SaaS Penetration Testing

Multi-tenant security testing for SaaS companies including API security, data isolation and compliance-ready reporting.

Kubernetes Security Assessment

Container and cluster security testing including RBAC, network policies, secrets management and pod security standards.

Get Started

Your APIs are exposed. Find out where.

Comprehensive API security assessment covering REST, GraphQL and gRPC. OWASP API Top 10 validated.

Since 20064.8/5 ratingCISSP, ISSAP, ISSMP certified
Order Online

Scope Your API Security Assessment

Tell us about your API architecture, authentication mechanisms, endpoint count and compliance requirements. We will scope an assessment that covers your specific attack surface.

Call 604.229.1994
Phone
604.229.1994
Burnaby Office
Burnaby, BC, Canada
Coquitlam Office
Coquitlam, BC, Canada