REST API & GraphQL Security Testing
Find vulnerabilities before attackers do.
Manual testing. Fixed price after scoping. Retest always included.
01 // API Types Covered
REST APIs
OWASP API Top 10 coverage. Auth bypass, BOLA, BFLA, injection, mass assignment, rate limiting.
GraphQL
Introspection abuse, batching attacks, field-level authorisation, query depth & complexity limits.
WebSocket APIs
Authentication persistence, message injection, CSRF over WebSocket, authorisation checks per message.
Microservices
Inter-service trust assumptions, API gateway bypass, JWT propagation flaws. Scoped individually — on request.
02 // What You Need to Provide
Or equivalent REST documentation. If none exists, I treat it as an undocumented API and scope accordingly.
What does each endpoint do? What business process does it support? What data does it handle?
List every user role and what each can access, modify, create, and delete. Example:
Which data is isolated per organisation or user? What must never cross tenant boundaries?
- Non-production environment access
- One test account per role (pre-created)
- Sample test data that can be safely manipulated
Why role definitions matter
Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) are the two most common critical findings in every API I test.
Finding them requires knowing what each role should be able to do — so I can prove it can do things it shouldn't. A Reader accessing Admin endpoints. An Editor modifying another user's data. Tenant A reading Tenant B's records.
Without a role matrix, I'm guessing your intended access control model. That guessing takes time — and time increases the price.
With a well-structured OpenAPI spec and a role matrix, I spend the engagement testing for vulnerabilities rather than mapping your API. An undocumented or non-standard API means additional discovery work, and that is reflected in the final quote.
03 // Indicative Pricing
Exact quote issued after a free scoping call and review of your API documentation. Retest always included.
- Well-documented API (Swagger / OpenAPI)
- Standard auth (API keys, basic token)
- OWASP API Top 10 coverage
- Executive + technical report
- Full retest included

- OpenAPI spec or equivalent docs
- OAuth 2.0, JWT, multi-role auth
- Business logic & BOLA / BFLA testing
- Rate limiting, mass assignment
- Executive + technical report
- Full retest included

- Undocumented or non-standard API
- GraphQL / WebSocket / gRPC
- 60+ endpoints or microservices
- Custom scope defined in scoping call
- Full retest included
All prices are indicative. Final quote issued after scoping call and documentation review. Testing performed in non-production environment where possible.
04 // How We Collaborate
We review your API docs, role matrix, and architecture. I issue a fixed-price quote. No surprises.
You provide non-production access and one test account per role. I confirm scope and rules of engagement.
I test your API against the OWASP API Top 10 and custom scenarios derived from your role matrix and business logic.
Executive summary for management. Technical findings with reproduction steps and remediation guidance for your dev team.
We walk through findings together. After you remediate, I retest every finding at no extra charge.
Ready to secure your API?
Start with a free 30-minute scoping call. I'll tell you what I need, what I'll test, and what it will cost — before you commit to anything.