← Back to main site
← Services

API Security Testing

Dedicated security assessment of REST and GraphQL APIs. For engineering leaders who need to validate API authentication, authorization, and input handling before scale or partner integrations. Aligned with OWASP API Security Top 10; suitable for B2B SaaS and fintech APIs.

Pricing: €3,000 – €10,000

Service overview

  • Focused security assessment of REST and GraphQL APIs, aligned with OWASP API Security Top 10.
  • For engineering and product leaders exposing APIs to partners, third parties, or public consumers (B2B SaaS, fintech).
  • Solves: unclear API auth and authz posture; risk of BOLA, injection, or data exposure before scale or audit.

Typical security risks discovered

  • Broken object-level authorization (BOLA): access to other tenants’ or users’ resources by ID manipulation.
  • Broken authentication: weak or missing API keys, JWT issues, token leakage, or insufficient rate limiting on auth endpoints.
  • Excessive data exposure: APIs returning more fields than needed; sensitive data in default responses.
  • Lack of resources and rate limiting: no throttling, leading to abuse or denial of service.
  • Broken function-level authorization: admin or internal endpoints callable with user credentials.
  • Mass assignment and injection: accepting client-controlled fields or unsanitized input into queries or commands.

Assessment scope

  • API authentication (API keys, OAuth2, JWT validation, token storage and transmission).
  • Authorization (resource-level checks, tenant isolation, role- and scope-based access).
  • Input validation and injection (path and query parameters, body, headers, GraphQL queries).
  • Rate limiting, quotas, and abuse resistance.
  • Data exposure (response shaping, error messages, PII and secrets).
  • Configuration (CORS, security headers, logging of auth and access).

Deliverables

  • Executive summary with risk overview and impact for API consumers and the business.
  • Technical report with API-specific findings, severity, steps to reproduce, and sample requests/responses.
  • Proof-of-concept for critical and high issues (e.g. BOLA, auth bypass).
  • Remediation guidance with code-level or design recommendations.
  • Optional re-test after fixes.

Expected outcomes

  • Clarity on API-specific risks (authz, auth, injection) rather than generic web findings.
  • Actionable remediation for engineering to implement before partner or public rollout.
  • Reduced risk of data leakage or abuse via APIs; support for compliance (e.g. PCI, SOC 2).
  • Optional re-test to confirm critical and high issues are fixed.
Request a consultation

Support my work

If my articles, case studies, or security resources helped you, you can support my work. Your support helps me maintain free content and keep publishing practical security guides.

Revolut

Quick support in seconds.

Buy me a spritz

Bank transfer (EUR)

If you prefer a traditional bank transfer, request IBAN and bank details via the contact form

Request bank details

Support is optional. For consulting or security work, please use the Services or Contact pages.