Skip to content
Jalwan
Security testing for REST, GraphQL, and webhook APIs

API Security Testing

API penetration testing for REST and GraphQL backends. Deep testing of authorization, injection, rate limiting, and data exposure — the OWASP API Security Top 10 and beyond.

Overview

APIs are where the real data lives, and they are frequently under-tested. Broken object-level authorization (BOLA) and broken function-level authorization remain the most damaging and most common API vulnerabilities — and they are invisible to most automated tooling.

I test your API the way an attacker with a valid account would: enumerating objects, swapping identifiers, abusing under-protected endpoints, and probing every trust boundary between services.

What you walk away with

  • Full authorization matrix tested across roles and tenants
  • Reproducible requests for every confirmed finding
  • Guidance mapped to the OWASP API Security Top 10
  • Retest included once fixes are deployed
Coverage

What gets tested

A representative view of the attack surface I probe by hand during this engagement.

Broken Object-Level Authorization

The #1 API risk — accessing other tenants' or users' data by manipulating IDs.

Broken Function-Level Authorization

Calling admin or privileged endpoints from lower-privileged accounts.

Mass Assignment

Overwriting protected fields like roles, flags, or ownership via request bodies.

Injection & Data Exposure

Injection across parameters plus excessive data returned in API responses.

GraphQL-Specific Abuse

Introspection, deeply nested queries, batching attacks, and resolver-level authorization.

Rate Limiting & Abuse

Resource exhaustion, enumeration, and missing throttling on sensitive actions.

FAQ

API Security Testing — common questions

Yes. GraphQL introduces its own risks — introspection exposure, query depth abuse, batching, and resolver-level authorization gaps — and each is covered as part of a GraphQL engagement.

Absolutely. APIs are tested directly using documentation, an OpenAPI/GraphQL schema, or a Postman collection, along with test credentials for each role.

You provide test accounts and I generate tokens through your normal auth flow, testing how those tokens are issued, scoped, and validated across endpoints.

Ready to find your vulnerabilities before attackers do?

Book a security assessment and get a clear, prioritized picture of your application's real risk. No obligation, no automated-scan fluff.