Broken object- and function-level authorization (BOLA/BFLA)
The number-one API risk: accessing other users' objects or privileged functions by manipulating identifiers, roles and parameters. We test for it on every endpoint, not just the obvious ones.
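As an added illustration (not code from this service or from any client), the following Python shows the two failure classes side by side: an object-level handler that only checks authentication, and its hardened form that checks ownership of the specific object; then a function-level check on an administrative operation. The in-memory store, the roles "user" and "admin", and the order and user records are all constructed for the example.

```python
"""Object-level (BOLA) and function-level (BFLA) authorization checks,
shown as a vulnerable handler next to its hardened form.
Constructed example: in-memory data, no web framework, runs offline."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is authenticated but not allowed to call this function."""


class NotFound(Exception):
    """Object does not exist, or the caller is not allowed to learn that it does."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # constructed roles: "user" or "admin"


# Constructed sample data: order id -> record with its owner.
ORDERS = {
    "1001": {"owner": "alice", "items": ["book"]},
    "1002": {"owner": "bob", "items": ["laptop"]},
}


def get_order_vulnerable(caller: Principal, order_id: str) -> dict:
    """BOLA: verifies only that there is a caller at all, never that the
    order belongs to them, so any valid id in the path returns a record."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def owns_or_admin(caller: Principal, owner: str) -> bool:
    """The object-level rule, kept in one place so every handler uses it."""
    return caller.role == "admin" or caller.user_id == owner


def get_order(caller: Principal, order_id: str) -> dict:
    """Hardened: authorize the object itself, not just the endpoint.
    Missing and forbidden both surface as NotFound so that a caller
    cannot use the status code to enumerate which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or not owns_or_admin(caller, order["owner"]):
        raise NotFound(order_id)
    return order


def delete_user_vulnerable(caller: Principal, target: str, users: set) -> None:
    """BFLA: an administrative function reachable by any authenticated caller."""
    users.discard(target)


def delete_user(caller: Principal, target: str, users: set) -> None:
    """Hardened: the role check is evaluated server-side from the session
    or token, before any side effect. A role value supplied by the client
    in a parameter or request body is never consulted."""
    if caller.role != "admin":
        raise Forbidden("admin role required")
    users.discard(target)


if __name__ == "__main__":
    bob = Principal("bob", "user")
    print(get_order_vulnerable(bob, "1001"))  # bob reads alice's order
    try:
        get_order(bob, "1001")
    except NotFound:
        print("hardened handler: bob cannot read order 1001")
```

The pattern to look for when reviewing real handlers is whether the authorization decision references the object that was looked up (its owner, tenant or ACL), and whether privileged operations check a server-held role rather than anything in the request.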
Authentication & token security
Weak or missing authentication, JWT and API-key handling, OAuth/OIDC misconfigurations, and credential and session attacks.
Excessive data exposure & mass assignment
Endpoints returning more data than the client needs, and accepting unexpected parameters that let attackers change protected fields.
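The following Python is an added example, not code from this service, showing both halves of this category on one profile endpoint: a mass-assignment bug (the request body is bound straight onto the stored record, so a client can set a protected field), the allow-listed update that replaces it, and an explicit response projection so the API never returns the secrets and internal fields the client does not need. The user record, field names and policy values are constructed.

```python
"""Mass assignment and excessive data exposure on a profile endpoint:
vulnerable update, allow-listed update, and an explicit response projection.
Constructed example with no framework; runs offline."""


def sample_user() -> dict:
    """Constructed record as the server stores it, including fields that
    must never be writable by, or visible to, the profile owner."""
    return {
        "id": 42,
        "display_name": "alice",
        "email": "alice@example.com",
        "password_hash": "<constructed-hash>",
        "is_admin": False,
        "balance_cents": 1250,
    }


# Fields the client may set on its own profile; everything else is server-controlled.
WRITABLE_FIELDS = frozenset({"display_name", "email"})
# Fields a profile response actually needs; secrets and internals stay out.
PUBLIC_FIELDS = ("id", "display_name", "email")


def update_profile_vulnerable(user: dict, payload: dict) -> dict:
    """Mass assignment: every key in the body lands on the record,
    so {"is_admin": true} or {"balance_cents": ...} is accepted."""
    user.update(payload)
    return user


def update_profile(user: dict, payload: dict) -> dict:
    """Hardened: bind only allow-listed fields and validate their values.
    Unknown keys are rejected rather than silently dropped, which also
    makes probing for writable fields visible in the error logs."""
    unexpected = set(payload) - WRITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    if "email" in payload and "@" not in payload["email"]:
        raise ValueError("invalid email")
    user.update(payload)
    return user


def serialize_profile(user: dict) -> dict:
    """Explicit projection: the response is built from a list of fields,
    never by dumping the whole record and trusting the client to filter."""
    return {key: user[key] for key in PUBLIC_FIELDS}


if __name__ == "__main__":
    u = sample_user()
    update_profile_vulnerable(u, {"display_name": "alice", "is_admin": True})
    print("vulnerable:", u["is_admin"])
    print("response:", serialize_profile(sample_user()))
```

When auditing an endpoint, compare the set of fields the model accepts with the set the documentation says the client may change, and compare the response body with what the front-end actually renders; the differences are the findings.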
Rate limiting, resource consumption & business logic
Unrestricted resource consumption (DoS), scraping, and abuse of legitimate workflows and quotas.
GraphQL & schema-specific testing
Introspection exposure, deeply nested query denial-of-service, batching abuse and resolver-level authorization gaps.
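As an added example (not this service's tooling), the Python below shows what a server-side guard against two of the abuses listed here measures: the nesting depth of a query's selection sets and the size of a batched request. The limits, the sample queries and the brace-counting approach are constructed for illustration; a production server would enforce the same policy through its GraphQL library's validation rules on the parsed AST, and also disable introspection outside development.

```python
"""Depth and batch-size limits for GraphQL requests.
Constructed example: the depth is measured by counting selection-set
braces while skipping string literals and comments. Triple-quoted block
strings are not handled, a simplification of this example."""

MAX_DEPTH = 6   # assumed policy value
MAX_BATCH = 10  # assumed policy value


def query_depth(query: str) -> int:
    """Maximum nesting of `{ ... }` selection sets in a query document."""
    depth = max_depth = 0
    in_string = False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_string:
            if ch == "\\":
                i += 1            # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "#":           # comment runs to end of line
            while i < len(query) and query[i] != "\n":
                i += 1
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces")
        i += 1
    if in_string or depth != 0:
        raise ValueError("malformed query")
    return max_depth


def check_batch(operations: list) -> list:
    """Validate a batched request before any resolver runs.
    Returns the depth of each operation when all limits hold."""
    if len(operations) > MAX_BATCH:
        raise ValueError(f"batch of {len(operations)} exceeds {MAX_BATCH}")
    depths = []
    for op in operations:
        d = query_depth(op)
        if d > MAX_DEPTH:
            raise ValueError(f"query depth {d} exceeds {MAX_DEPTH}")
        depths.append(d)
    return depths


# Constructed sample queries.
SHALLOW = "{ viewer { id name } }"
WITH_STRING = '{ search(text: "{ braces inside a string }") { id } }'
DEEP = ("{ viewer { friends { friends { friends { friends { friends "
        "{ friends { id } } } } } } } }")

if __name__ == "__main__":
    print(check_batch([SHALLOW, WITH_STRING]))
    try:
        check_batch([DEEP])
    except ValueError as exc:
        print("rejected:", exc)
```

Depth alone is a coarse measure; list fields multiply the work at each level, so a complexity score that weights fields by their expected cardinality catches cases a pure depth limit does not.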
Frameworks & standards
What you get
- Findings per endpoint with severity (CVSS) and reproduction
- Remediation guidance for developers
- Executive summary for management and auditors
- Free remediation retest
FAQ
What do you need to start?
API documentation (OpenAPI/Swagger or a Postman collection) and test accounts with different roles.
Do you test GraphQL?
Yes — including introspection, nested-query DoS, batching and resolver authorization.
Can this be combined with the web app test?
Yes — APIs and their web front-ends are often scoped together for full coverage.