07
API security testing
Your API may expose every user's records to anyone who changes one number in the URL.
APIs power mobile apps, third-party integrations, and internal tools, and they are the most frequent source of large-scale data breaches today. This assessment checks whether your API correctly enforces who can access what, for every object and every action, across every endpoint.
What I test
- Broken object-level access: can user A request user B's records by changing an ID in the request?
- Broken function-level access: can a regular user call endpoints reserved for administrators?
- Mass assignment: can an attacker modify hidden fields, such as setting their own role to admin?
- Authentication gaps: can tokens be forged, replayed after expiry, or bypassed entirely?
- Rate limiting: can an attacker brute-force passwords or flood endpoints without being blocked?
- Data over-exposure: does the API return more data than the application actually displays?
- GraphQL: can the internal data structure be fully mapped? Can bulk queries exhaust the server?
- Deprecated and undocumented endpoints: are there endpoints that are no longer maintained but still active?
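To make the first three checks concrete (object-level access, function-level access and mass assignment), here is an added illustration in plain Python. It is not code from the original page or from any client system: the users, records and handler functions are constructed for the example. Each vulnerable handler is shown next to its hardened counterpart, and the hardened version returns the same error for "record does not exist" and "record belongs to someone else" so that responses do not reveal which IDs are valid.

```python
"""Object-level, function-level and mass-assignment checks on a toy record store.

Added illustration, not the page's own code. USERS, RECORDS and the handler
functions are constructed for this example; the pattern is framework-independent.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the requested action."""


@dataclass
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass
class Record:
    id: int
    owner_id: int
    fields: dict = field(default_factory=dict)


# Constructed sample data: two ordinary users with one record each, plus one admin.
USERS = {1: User(1, "user"), 2: User(2, "user"), 9: User(9, "admin")}
RECORDS = {
    100: Record(100, owner_id=1, fields={"email": "a@example.com", "plan": "free"}),
    200: Record(200, owner_id=2, fields={"email": "b@example.com", "plan": "free"}),
}


# --- Vulnerable handlers: trust the ID and the body exactly as sent -----------
def get_record_vulnerable(caller: User, record_id: int) -> dict:
    # Looks the record up by ID only, so any authenticated caller reads any record.
    return RECORDS[record_id].fields


def update_record_vulnerable(caller: User, record_id: int, body: dict) -> dict:
    # Copies every key from the request body, so a hidden field like "plan" is accepted.
    RECORDS[record_id].fields.update(body)
    return RECORDS[record_id].fields


# --- Hardened handlers: authorise the object, the function and each field ----
WRITABLE_FIELDS = {"email"}  # allowlist of client-editable fields; "plan" is server-owned


def _load_accessible(caller: User, record_id: int) -> Record:
    record = RECORDS.get(record_id)
    # One error for "missing" and "not yours": the response does not leak valid IDs.
    if record is None or (record.owner_id != caller.id and caller.role != "admin"):
        raise Forbidden("record not accessible")
    return record


def get_record(caller: User, record_id: int) -> dict:
    return _load_accessible(caller, record_id).fields


def update_record(caller: User, record_id: int, body: dict) -> dict:
    record = _load_accessible(caller, record_id)
    unexpected = set(body) - WRITABLE_FIELDS
    if unexpected:  # reject rather than silently drop, so the client learns the contract
        raise Forbidden(f"fields not writable: {sorted(unexpected)}")
    record.fields.update(body)
    return record.fields


def set_role(caller: User, target_user_id: int, role: str) -> str:
    # Function-level check: the endpoint itself is reserved for administrators.
    if caller.role != "admin":
        raise Forbidden("admin only")
    USERS[target_user_id].role = role
    return role


def denied(fn, *args) -> bool:
    """True when the call is rejected by an authorisation check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice = USERS[1]
    print("vulnerable read of another user's record:", get_record_vulnerable(alice, 200))
    print("hardened read denied:", denied(get_record, alice, 200))
    print("hardened mass assignment denied:", denied(update_record, alice, 100, {"plan": "pro"}))
    print("hardened admin endpoint denied:", denied(set_role, alice, 1, "admin"))
```

The `denied` helper is what an assessment effectively asks of every endpoint: with a low-privilege caller, does the request for someone else's object, the hidden field, or the admin-only function come back rejected? Any case where it does not is a finding.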
REST, GraphQL, gRPC, Access control, Data exposure, Auth bypass
Example findings
CRITICAL: Changing one number in the URL returns any user's full account data.
HIGH: Regular user can grant themselves administrator rights via a hidden request field.
HIGH: Full internal API structure exposed. Attackers can map every endpoint and data type.
MEDIUM: No limit on login attempts. Password brute-force attack fully feasible.
Illustrative examples, not exhaustive.
Deliverable
Full endpoint-level report. Each finding includes the exact request used to reproduce it and a risk score.
Request this assessment →
