A web app pentest targets browser-side vulnerabilities like XSS, CSRF, and session management, while an API pentest targets server-side issues like broken authorization, data exposure, and injection at the endpoint level. If your SaaS has a separate frontend and API backend, you need both because they have different attack surfaces.
You have a React frontend and a Node.js or Python API backend. Your enterprise prospect wants a pentest report. You ask a vendor for a quote and they ask: web app pentest or API pentest?
They are not the same thing. They test different attack surfaces, use different tools, and find different vulnerabilities. Here is what each covers and how to decide what your SaaS startup actually needs.
5 Signs Your Last Pentest Skipped the API
Before deciding what to scope next, look at the pentest you already have. Plenty of “web application pentest” reports we see in the wild barely touch the API. Five things to check.
1. The report does not cite the OWASP API Security Top 10. A real API pentest references the OWASP API Security Top 10 categories: BOLA, broken authentication, broken object property level authorization, unrestricted resource consumption, broken function level authorization, and so on. If your report only cites the OWASP (web) Top 10 (XSS, CSRF, injection, etc.), the API layer was not in scope.
2. The scope statement says “application” but never enumerates API endpoints. Real scope documents list either explicit endpoint groups (/api/v1/orders/*, /api/v1/users/*), API surfaces (REST, GraphQL, gRPC), or an OpenAPI/Swagger spec attached. A scope that says “test the application” and stops there is web-only by default.
3. There is no object-level authorization testing on tenant-isolated endpoints. This is the most common critical finding we see in SaaS APIs. The test pattern is: log in as user A, capture a request that returns user A’s resource, change the ID to user B’s resource, see if the API returns it. If no finding in this category exists and no negative test case is documented, the tester did not look. BOLA is the OWASP API #1 for a reason.
4. Authentication flow testing stops at “we tried to log in.” A real API pentest tests token refresh logic, JWT signature verification, session-coupled mobile auth, OAuth state parameter handling, password reset token reuse, API key rotation, and brute-force protection on every credential-accepting endpoint, not just the login form. If the auth section reads in one paragraph, the API auth was not tested.
5. There is no rate limiting or resource exhaustion testing per endpoint. A web app pentest tests the login page for rate limiting. An API pentest tests every endpoint that accepts user input: search, file upload, expensive aggregations, GraphQL nested queries. If the report does not include per-endpoint throughput numbers or DoS findings, this category was skipped.
If three or more of these are missing from your last pentest report, the API was not meaningfully tested. The next engagement should scope an API pentest explicitly.
What a Web Application Pentest Tests
A web app pentest targets the frontend, the application as a user interacts with it through a browser. The tester loads your app in a browser, clicks through workflows, and tries to break things the way an attacker would.
What gets tested:
- Cross-Site Scripting (XSS): Can an attacker inject JavaScript into your app that runs in another user’s browser? Stored XSS in comments, profile fields, or shared content is especially dangerous in multi-tenant SaaS.
- Cross-Site Request Forgery (CSRF): Can a malicious site trick a logged-in user into performing actions? Think changing email, adding team members, or modifying billing.
- Session Management: How are sessions created, stored, and invalidated? Are cookies set with
Secure,HttpOnly, andSameSiteflags? Do sessions expire properly on logout? - File Upload: If your app accepts file uploads, can an attacker upload a web shell or a malicious SVG?
- Business Logic Flaws: Can a user skip steps in a workflow, apply discount codes multiple times, or access features their plan doesn’t include?
- Client-Side Security: Are secrets exposed in JavaScript bundles? Is sensitive data stored in localStorage?
Common findings in SaaS web apps:
- Stored XSS in user-generated content fields
- Missing CSRF protection on state-changing actions
- Session tokens that survive password changes
- Sensitive data in JavaScript source maps shipped to production
- Client-side validation that the server doesn’t enforce
What an API Pentest Tests
An API pentest bypasses the frontend entirely. The tester hits your endpoints directly using tools like Burp Suite and custom scripts. No browser, no UI. Just raw HTTP requests against your REST, GraphQL, or gRPC endpoints.
What gets tested:
- Broken Object-Level Authorization (BOLA/IDOR): Change
/api/orders/1001to/api/orders/1002. Does the API return another tenant’s data? This is the number one API vulnerability according to the OWASP API Security Top 10 (see also our detailed breakdown). - Authentication Flaws: Weak JWT implementation, tokens that don’t expire, API keys with excessive permissions, brute-forceable OTPs.
- Broken Function-Level Authorization: Can a regular user call admin-only endpoints? The frontend hides the button, but the API endpoint still responds.
- Rate Limiting: Can an attacker brute-force login, enumerate users, or scrape data without getting throttled?
- Mass Assignment: Send extra fields in a PATCH request. Can a user set
is_admin: trueorplan: enterprisebecause the API binds all incoming fields? - Data Exposure: Does the API return more data than the frontend displays? Internal IDs, email addresses of other users, billing details.
- GraphQL-Specific Issues: Introspection enabled in production, deeply nested queries causing denial of service, missing authorization on individual resolvers.
Common findings in SaaS APIs:
- IDOR vulnerabilities across tenant boundaries (the most common critical finding we see)
- API endpoints that bypass the authorization middleware
- Verbose error messages leaking stack traces and database details
- No rate limiting on authentication endpoints
- GraphQL introspection enabled, exposing the entire schema to attackers
Why They Are Different Attack Surfaces
Consider a typical SaaS architecture: React frontend, REST API backend, PostgreSQL database.
When a pentester tests the web app, they interact through the browser. Every request goes through the frontend code. The React app might sanitize inputs, enforce workflows, and hide admin features.
When a pentester tests the API, none of that frontend logic exists. They send requests directly. Every endpoint is exposed. Every field is testable. Every authorization check (or missing check) is visible.
This is why a web app pentest that only tests through the browser misses API-level flaws. The frontend might correctly prevent a user from accessing another tenant’s data, but the API might return it if you just change the ID in the request.
When You Need Both
flowchart TD
A[Your SaaS] --> B{Frontend and<br/>API separate<br/>deployments?}
B -->|Yes| C[Need both scopes]
B -->|No| D{Mobile app uses<br/>the same API?}
D -->|Yes| C
D -->|No| E{Third-party<br/>or partner systems<br/>call your API?}
E -->|Yes| C
E -->|No| F[One scope likely fine]
C --> G[API first if<br/>budget-constrained]
F --> H[Pick the higher-risk target]
You need both if:
- Your frontend and API are separate deployments (React + Express, Next.js + Python FastAPI, etc.)
- You have third-party integrations hitting your API directly
- Your mobile app uses the same API
- You are going through SOC 2 or ISO 27001 and need to demonstrate thorough testing
You might get away with one if:
- Your app is a server-rendered monolith where the frontend and backend are tightly coupled (traditional Rails, Django, or Laravel app with no separate API)
- You only have a public-facing API with no web frontend (API-only product)
For most modern SaaS startups building with React/Next.js and a separate API, both scopes are the right call.
How Scoping Works
Each pentest scope covers one target. A web application is one scope. An API is a separate scope.
At Cyber Secify:
- Startup Pentest Plan (INR 74,999) covers 1 scope. Pick the higher-risk target. For most SaaS apps, that is the API.
- Growth Pentest Plan (INR 1,79,999) covers 2 scopes. This is the plan most SaaS startups choose because it covers both your web app and API in one engagement.
Both plans include a Brand Protection Snapshot and retest after you fix the findings.
What to Do Next
If you are not sure which scoping makes sense for your architecture, talk to us. We will review your setup and recommend the right scope before you commit to anything. You can also check what each engagement covers on our web application pentest and API pentest service pages.
If you want to understand the API side deeper, read our breakdown of the OWASP API Security Top 10. It covers each vulnerability with real examples and what to test.
For a broader overview of penetration testing, start with Penetration Testing 101.