API Penetration Testing for REST, GraphQL & SOAP

API penetration testing is a security assessment of your REST, GraphQL, or gRPC APIs that identifies vulnerabilities in authentication, authorization (BOLA/BFLA), rate limiting, data exposure, and business logic (the attack surface that automated scanners miss).

Cyber Secify provides API penetration testing across REST, GraphQL, gRPC, and SOAP API surfaces. We cover the OWASP API Security Top 10 (BOLA, broken authentication, broken object property level authorization, unrestricted resource consumption, broken function level authorization, unrestricted access to sensitive business flows, server-side request forgery, security misconfiguration, improper inventory management, unsafe consumption of APIs) and protocol-specific issues like GraphQL introspection abuse, query depth attacks, SOAP XXE, and gRPC reflection.

Yes. BOLA is OWASP API #1 and the highest-frequency critical finding we surface on SaaS APIs. Our methodology systematically tests every endpoint that accepts an ID parameter (user IDs, resource IDs, tenant IDs) for cross-user and cross-tenant access. We log in as user A, capture a request, change the ID to user B and verify the API correctly rejects the request. We test predictable ID formats (UUIDs vs sequential integers) and indirect references (slugs, email addresses, custom identifiers).

Yes. GraphQL testing covers introspection abuse (querying the schema to map the attack surface), query depth attacks (nested queries that exhaust server resources), aliasing-based rate limit bypass, field-level authorization gaps (a user authorized for a type but not all its fields), and batched query abuse. We test against schemas in production and staging, with documented or undocumented surface.

Yes. Authentication testing covers OAuth 2.0 flows (authorization code, client credentials, device flow, refresh token rotation), OAuth state parameter handling, JWT signature verification, JWT algorithm confusion (alg=none, RS256→HS256), JWT expiry and replay, API key rotation, key entropy, and per-endpoint authentication bypass.

API pentest is one scope. Cyber Secify pricing: Startup Pentest INR 74,999 (single API scope, 7 calendar days, audit-acceptable report). Growth Pentest INR 1,79,999 (2 scopes typically web app + API, 10 days, includes SOC 2 + ISO 27001 audit prep + 2 retests + Brand Protection Snapshot).

Single API scope: 7 calendar days from kick-off to report. Two-scope engagement (typically API + web app): 10 calendar days. The report includes findings, reproduction steps, business impact, CVSS v3.1 scoring, and remediation guidance. Retest after fixes takes 1-3 business days.

Yes. Reports follow PTES (Penetration Testing Execution Standard) and OWASP API Security Top 10 (2023), produce technical + executive summaries with reproduction steps, business impact, CVSS v3.1, and remediation. The Growth Pentest plan adds explicit SOC 2 Trust Services Criteria + ISO 27001 Annex A control mapping per finding. Reports have been accepted by SOC 2 Type 1, SOC 2 Type 2, and ISO 27001 auditors.

Yes. We test rate limits on every endpoint that accepts user input (login, search, file upload, expensive aggregations, GraphQL nested queries), not just the login form. We document per-endpoint throughput, identify denial-of-service candidates, and test for resource exhaustion via parameter manipulation (large pagination limits, unbounded query depth, file size, JSON nesting depth).