Methodology

An API penetration test that finds what OWASP API Security Top 10 says you should care about.

BOLA, broken function access, cross-tenant failures — the categories that matter most in a multi-tenant API cannot be found by scanning. Our six-phase methodology covers every OWASP API Security Top 10 category with a real person walking every role and tenant boundary.

Why methodology matters

The highest-severity API findings require a real person.

Authorization failures — a regular user reading another tenant's records, a standard role calling an admin operation — are not detectable by an automated scanner. They require accounts across multiple roles and tenants, and a tester systematically walking every protected resource in the role × tenant matrix.

These are also consistently the highest-severity findings we deliver. The methodology below is structured to reach them on every engagement.

The methodology

Six phases, every engagement.

  01. Scoping and inventory

    Endpoint inventory from OpenAPI/Swagger specs, Postman collections, and JS file analysis. Confirm the auth model, tenant model, and partner or webhook integrations.

  02. Surface mapping

    Validate the inventory against the actual exposed surface — undocumented endpoints, versioned routes, internal-only routes reachable externally, and shadow APIs from older deploys.

  03. Authentication and session testing

    JWT handling (algorithm confusion, none-alg, expiry), OAuth flow abuse (PKCE, scope creep, refresh-token replay), rate limits on auth endpoints, and account-enumeration paths.

  04. Authorization — BOLA and BFLA across the role matrix

    OWASP API Security Top 10 #1 (BOLA) and #5 (BFLA) on every protected ID and operation. Cross-tenant boundary testing on every multi-tenant endpoint. The highest-value phase on most engagements.

  05. Business logic, mass assignment, and integration abuse

    Mass assignment on creation and update endpoints, rate-limit bypass, race conditions on money paths, webhook SSRF, and GraphQL-specific issues (introspection, batching abuse, query depth/cost).

  06. Reporting and retest

    Per-finding writeup with curl/HTTP PoC, severity, CVSS, and paste-ready remediation. Same-day disclosure of criticals. Retest and reissued report after fixes.

What we look for

Coverage aligned to OWASP API Security Top 10.

  • API1 — Broken Object Level Authorization (BOLA): every protected ID, every role, every tenant.
  • API2 — Broken Authentication: JWT handling, OAuth flows, session and token lifecycle.
  • API3 — Broken Object Property Level Authorization: mass assignment on create and update; excessive property exposure on read.
  • API4 — Unrestricted Resource Consumption: rate limits, quota enforcement, expensive queries.
  • API5 — Broken Function Level Authorization (BFLA): privileged operations reachable from lower-tier roles.
  • API6 — Unrestricted Access to Sensitive Business Flows: money paths, refunds, account merges, exports.
  • API7 — Server-Side Request Forgery: webhook callbacks, URL-fetcher endpoints, internal metadata endpoints.
  • API8 — Security Misconfiguration: default credentials, CORS misconfig, verbose errors, debug endpoints.
  • API9 — Improper Inventory Management: shadow and zombie APIs, versioned endpoints, internal-only routes reachable externally.
  • API10 — Unsafe Consumption of APIs: blind trust in third-party data, downstream SSRF, dependency abuse.
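API3 covers both directions of property-level authorization: what a client may write (mass assignment) and what a response may expose. The following is an added illustration, not the vendor's tooling or any project's code, with a constructed user record and hypothetical handler names. It places a mass-assignment-prone update handler beside an allow-listed one and adds a response serializer that limits the fields each role can read.

```python
"""Constructed illustration of OWASP API3: mass assignment on update and
excessive property exposure on read, each beside its fix.
Added example for this page; handler names and data are hypothetical."""
from copy import deepcopy

# Constructed user record. 'role', 'tenant_id' and 'password_hash' must
# never be client-writable, and 'password_hash' must never be returned.
SAMPLE_USER = {
    "id": 42,
    "tenant_id": "acme",
    "email": "dev@example.invalid",
    "display_name": "Dev",
    "role": "member",
    "password_hash": "$argon2id$placeholder",
}

# Fields each caller role may write on PATCH /users/{id} (assumed policy)
WRITABLE_BY_ROLE = {
    "member": {"display_name", "email"},
    "admin": {"display_name", "email", "role"},
}

# Fields each caller role may see on GET /users/{id} (assumed policy)
READABLE_BY_ROLE = {
    "member": {"id", "display_name", "email"},
    "admin": {"id", "tenant_id", "display_name", "email", "role"},
}


class ForbiddenField(Exception):
    """Raised when the body names a field the caller may not write."""


def update_user_vulnerable(record, payload):
    """Mass assignment: every key in the JSON body is written to the model,
    so a member can promote themselves or move to another tenant."""
    updated = deepcopy(record)
    updated.update(payload)
    return updated


def update_user_hardened(record, payload, caller_role):
    """Apply only fields allow-listed for the caller's role. Unknown or
    privileged fields are rejected rather than silently dropped, so the
    attempt is visible as a 4xx in access logs."""
    allowed = WRITABLE_BY_ROLE.get(caller_role, set())
    extra = set(payload) - allowed
    if extra:
        raise ForbiddenField(sorted(extra))
    updated = deepcopy(record)
    updated.update(payload)
    return updated


def serialize_user(record, caller_role):
    """Response-side allow-list: only fields readable by this role leave
    the service, which prevents excessive property exposure."""
    return {k: record[k] for k in READABLE_BY_ROLE.get(caller_role, set())
            if k in record}


def demo():
    """Run one constructed hostile body through both handlers."""
    body = {"display_name": "Dev2", "role": "admin", "tenant_id": "globex"}
    vulnerable = update_user_vulnerable(SAMPLE_USER, body)
    rejected_fields = []
    try:
        update_user_hardened(SAMPLE_USER, body, "member")
        hardened_rejected = False
    except ForbiddenField as exc:
        hardened_rejected = True
        rejected_fields = exc.args[0]
    return {
        "vulnerable_role": vulnerable["role"],
        "vulnerable_tenant": vulnerable["tenant_id"],
        "hardened_rejected": hardened_rejected,
        "rejected_fields": rejected_fields,
        "member_view_keys": sorted(serialize_user(SAMPLE_USER, "member")),
    }


if __name__ == "__main__":
    print(demo())
```

The rejected-field list is the detection signal a tester looks for in phase 05: a handler that answers 200 and quietly drops `role` is harder to audit than one that refuses the request and logs which fields were attempted.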

Not sure which API surfaces to prioritize?

A quick scoping call maps your role and tenant model to a fixed scope and price.

Tools we use

The API testing toolkit.

Burp Suite Professional

Primary proxy. Extensions: Autorize, JWT Editor, GraphQL Raider, Param Miner.

Postman and Insomnia

Spec-driven API exploration, environments per role/tenant, scripted replay.

ProjectDiscovery suite

Nuclei templates for API-specific checks, Subfinder, httpx.

ffuf

Parameter discovery and endpoint enumeration on REST surfaces.

GraphQL Voyager and graphql-cop

GraphQL schema visualization and security-test automation.

Custom Python and Go tooling

Tenant-aware scripts for systematic BOLA/BFLA walks and cross-tenant validation.

Quality controls

How we keep the report honest.

  • Peer review on every finding before the report.
  • Evidence standard — every finding has a reproducible curl/HTTP PoC; no PoC, no finding.
  • Severity calibration using CVSS plus real exploitability in your environment.
  • Senior throughout — same person from scoping call to retest. No subcontractors.
  • Same-day disclosure of critical findings to your security and engineering leads.

Deliverables

One report, three audiences.

  • Board summary; executive section with compliance control mapping; developer section with curl PoCs, reproduction steps, severity, and paste-ready remediation.
  • Retest of all reported findings and reissued report after fixes — included in the base price.
  • Direct line to the lead tester through the engagement and for a defined window after delivery.

FAQ

API methodology — common questions

How do you handle APIs without published OpenAPI specs?

We build the inventory from proxy traffic, JS file analysis, Postman collections you provide, and parameter fuzzing. By the end of phase 02, our working inventory is consistently larger than what was documented going in.

Do you test GraphQL specifically?

Yes. GraphQL gets focused work in phase 05 — introspection in production, batching and aliasing abuse, query depth and cost limits, field-level authorization, and operations the schema exposes but resolvers do not authorize.

How do you scope multi-tenant APIs?

You provide accounts in at least two tenants, ideally across multiple roles. We walk the role × tenant × resource matrix systematically. Cross-tenant BOLA is consistently among the highest-severity findings in multi-tenant SaaS engagements.
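Phase 04 and this answer both describe the same procedure: hold accounts across roles and tenants, then walk every role × tenant × resource cell and compare what the API grants with what the policy says it should. The example below is added for this page and is not the vendor's tooling; it uses two in-memory handlers (hypothetical names, constructed invoices and principals) in place of a live API, one with a BOLA and BFLA defect and one that enforces tenant and role, and a walker that returns the cells where access was granted against policy.

```python
"""Constructed role x tenant x resource matrix walk for BOLA/BFLA.
Two in-memory handlers stand in for an API; the walker reports every cell
where the observed response grants what the policy denies.
Added example for this page; all names and data are hypothetical."""
from itertools import product

# Constructed resources: invoices owned by two tenants
INVOICES = {
    101: {"tenant_id": "acme", "total": 120},
    202: {"tenant_id": "globex", "total": 80},
}

# Constructed principals: (tenant, role) pairs the tester holds accounts for
PRINCIPALS = [("acme", "member"), ("acme", "admin"),
              ("globex", "member"), ("globex", "admin")]

# Assumed policy: operation -> roles allowed to perform it within their
# own tenant. Nobody may touch another tenant's invoice.
POLICY = {"read": {"member", "admin"}, "void": {"admin"}}


def api_vulnerable(caller, op, invoice_id):
    """Defective handler: looks the invoice up by id only (BOLA) and never
    checks the caller's role for 'void' (BFLA)."""
    return 404 if INVOICES.get(invoice_id) is None else 200


def api_hardened(caller, op, invoice_id):
    """Object-level check (tenant) first, then function-level check (role).
    Foreign-tenant ids get 404, not 403, so existence is not confirmed."""
    tenant, role = caller
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["tenant_id"] != tenant:
        return 404
    if role not in POLICY[op]:
        return 403
    return 200


def expected_status(caller, op, invoice_id):
    """What the policy says should happen for one cell of the matrix."""
    tenant, role = caller
    if INVOICES[invoice_id]["tenant_id"] != tenant:
        return 404
    if role not in POLICY[op]:
        return 403
    return 200


def walk_matrix(api):
    """Exercise every (principal, operation, resource) cell. Returns
    (findings, over_denied): findings are cells where the API granted
    access the policy denies (the security result); over_denied are cells
    where a legitimate call was refused (a functional bug, reported
    separately so it does not inflate severity)."""
    findings, over_denied = [], []
    for caller, op, inv_id in product(PRINCIPALS, POLICY, INVOICES):
        got = api(caller, op, inv_id)
        want = expected_status(caller, op, inv_id)
        if got == 200 and want != 200:
            kind = "cross-tenant BOLA" if want == 404 else "BFLA"
            findings.append((kind, caller, op, inv_id))
        elif got != 200 and want == 200:
            over_denied.append((caller, op, inv_id))
    return findings, over_denied


if __name__ == "__main__":
    for name, handler in (("vulnerable", api_vulnerable),
                          ("hardened", api_hardened)):
        found, denied = walk_matrix(handler)
        print(f"{name}: {len(found)} findings, {len(denied)} over-denials")
        for row in found:
            print("  ", row)
```

Against a real API the handler argument becomes an HTTP call made with the session for `caller`; the matrix and the expected-status oracle are the part that carries over unchanged, and the oracle is what turns a pile of 200s into a list of cells that need a fix.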

Want a credible answer when a customer, auditor, or your board asks how secure you are?

A quick scoping call with the senior tester who would run your engagement. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fixed scope, price, and date.