← Back to services // Offensive

API Pentest

REST, GraphQL & SOAP - BOLA, auth bypass and business logic

€175 /hour CCV certified Get in touch

We pentest your APIs against the OWASP API Security Top 10 and beyond. From Broken Object Level Authorization (BOLA/IDOR) and broken authentication to mass assignment, rate limiting and business-logic flaws. REST, GraphQL and SOAP, tested manually by CCV-certified pentesters.

What is an API pentest?

An API pentest is a targeted security assessment of your APIs. We examine your REST, GraphQL and SOAP endpoints the way a real attacker would and demonstrate what can actually go wrong: can a user retrieve another account's data, bypass authorization or compromise your backend through the API?

APIs are the heart of nearly every modern application: mobile apps, single-page applications, microservices and B2B integrations all run on APIs. That shifts the attack surface. The vulnerabilities we report most often, BOLA/IDOR in object references, broken authentication, mass assignment and business-logic flaws, live in the API layer and are structurally missed by automated scanners.

We test against the OWASP API Security Top 10 and go further. Zolder is a CCV-certified pentest company, so you get an independent, high-quality report that is also usable for NIS2 or ISO 27001.

What we test in your API

  • BOLA / IDOR - can user A reach user B's data via an object ID? The most common and impactful API vulnerability.
  • Broken authentication & JWT abuse - weak token validation, key confusion, infinitely valid tokens.
  • Broken function level authorization - can a regular user call admin endpoints?
  • Mass assignment - sending extra fields to manipulate privileges or prices.
  • Excessive data exposure - does the API return more data than the front-end shows?
  • Resource consumption / rate limiting - DoS via missing limits or excessive use.
  • Injection & SSRF - SQL/NoSQL injection, command injection and server-side request forgery via API parameters.

Why have an API pentest carried out?

Your API is directly reachable over the internet and often processes your most sensitive data:

  • Prevent data breaches: a single BOLA vulnerability can expose your entire customer database.
  • Mobile and SPA backends: the real security lives in the API behind the app, not in the app itself.
  • B2B connections: partners and customers increasingly require a pentest report before connecting to your API.

Our approach

Our API pentests combine methodical manual work with targeted automation:

  1. Scoping - you speak directly with the pentester. We review your OpenAPI/Swagger spec, Postman collection or GraphQL schema and determine which endpoints, roles and objects are in scope.
  2. Mapping & discovery - all endpoints, methods, parameters and object IDs, including undocumented and hidden endpoints.
  3. Authentication & authorization - the core. BOLA/IDOR across accounts and roles, JWT analysis, function-level authorization, session and token handling. We prefer to run an authenticated API pentest: with valid accounts at different privilege levels we uncover authorization flaws such as BOLA that stay hidden in an unauthenticated test.
  4. Input & data handling - injection (SQL, NoSQL, command), mass assignment, excessive data exposure, SSRF and parameter pollution.
  5. Business logic - can a user skip steps, manipulate prices or repeat one-time actions? We test this manually.
  6. Reporting - executive summary and technical write-ups with reproduction steps per endpoint. We normally use a qualitative risk analysis (severity); CVSS scores are available on request. We call you immediately about critical findings.
  7. Retest - after your fixes we verify the vulnerabilities are actually resolved.

What does an API pentest cost?

Our hourly rate is €175 per hour (excl. VAT). The total investment depends on the number of endpoints and the complexity of the authorization model. After a free scoping call you receive a fixed quote.

Frequently asked questions

What is an API pentest?

An API pentest is a security assessment in which we attack your APIs (REST, GraphQL or SOAP) the way a real attacker would. We test against the OWASP API Security Top 10: Broken Object Level Authorization (BOLA/IDOR), broken authentication, mass assignment, excessive data exposure and business-logic flaws. The focus is on authorization and logic, exactly the vulnerabilities scanners structurally miss.

What is the difference between an API pentest and a web application pentest?

A web application pentest covers the full application including the browser front-end. An API pentest focuses specifically on the API layer: endpoints, authentication, object-level authorization and data validation. If you have a headless API, mobile backend or microservices, a dedicated API pentest is the right choice. We often combine both.

Do you test both REST and GraphQL?

Yes. We test REST, GraphQL and SOAP APIs. For GraphQL we pay extra attention to introspection, query depth/complexity (DoS), batching attacks and per-resolver authorization. For REST the focus is on BOLA/IDOR, HTTP method tampering and parameter pollution.

Do you need documentation or a schema?

It helps enormously. With an OpenAPI/Swagger specification, Postman collection or GraphQL schema we test more efficiently and thoroughly. Without it, the test gives more limited insight; with documentation there is considerably more to find. No documentation? We map the API ourselves, but that takes more time.

Do you follow the OWASP API Security Top 10?

Yes. The OWASP API Security Top 10 is our starting point, not our finish line. We test all categories (BOLA, broken authentication, broken object property level authorization, unrestricted resource consumption, SSRF) and then dig deeper manually into the business logic of your specific API.

Ready to test your security?

Get in touch with our team for a no-obligation conversation about your security challenges.