API Security Testing
Security testing for REST, GraphQL, SOAP, and gRPC APIs.
APIs are where most of the interesting attack surface lives in modern applications. I test them against the OWASP API Security Top 10 and beyond — focusing on authentication and token handling, broken object-level authorisation (BOLA/IDOR), rate limiting, mass assignment, and business logic flaws specific to your API's domain.
What Gets Tested
- Authentication — token lifecycle, OAuth flows, JWT validation
- Authorisation — BOLA/IDOR, function-level access control, tenant isolation
- Input validation — injection, type confusion, oversized payloads
- Rate limiting and resource consumption
- Data exposure — verbose errors, excessive response data, debug endpoints
- GraphQL-specific: introspection, batching attacks, nested query depth
Process
- Documentation review — I start with your API specs (OpenAPI/Swagger, GraphQL schema, Postman collections) to map the attack surface.
- Endpoint testing — Manual testing of each endpoint for authentication, authorisation, and input-handling issues.
- Reporting — Findings with severity, reproduction steps (including raw requests), and remediation guidance.