// API Pentest

API Penetration Testing.

API penetration testing is a manual security assessment of your REST and GraphQL APIs — focused on authorization, object-level access control (BOLA/IDOR), authentication, and injection — to find and prove the flaws that automated scanners miss in the services powering your apps.

01 // What we test

We test every endpoint against the OWASP API Security Top 10, working from your documentation, traffic, or a discovery pass when no spec exists.

api // 01

Broken object-level auth (BOLA/IDOR)

The number-one API risk — accessing other users’ or tenants’ objects by manipulating identifiers.

api // 02

Broken authentication

Weak tokens, JWT flaws, missing rate limits on auth, and credential-stuffing exposure.

api // 03

Function & property-level auth

Privilege escalation via hidden methods, and mass assignment that lets clients set fields they should not.

api // 04

Injection & SSRF

SQL/NoSQL injection, command injection, and server-side request forgery through API parameters.

api // 05

GraphQL-specific

Introspection abuse, batching attacks, deeply nested queries, and field-level authorization gaps.

api // 06

Rate limiting & resource use

Unrestricted resource consumption and business-flow abuse that enables denial-of-wallet or fraud.
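As an added illustration of items 01 and 03 above (example code, not from Warpstar or any client engagement), the following minimal in-memory "orders" API shows the BOLA lookup beside its owner-scoped fix, and a mass-assignment allowlist; the users, orders and field names are constructed for the example.

```python
# Added example: BOLA/IDOR defect beside its fix, plus a mass-assignment
# allowlist. All data here is constructed for illustration.
from dataclasses import dataclass


@dataclass
class Order:
    id: int
    owner_id: int
    total: float
    status: str = "new"


# Constructed sample data: two users, each owning one order.
ORDERS = {
    101: Order(id=101, owner_id=1, total=40.0),
    102: Order(id=102, owner_id=2, total=99.0),
}


class Forbidden(Exception):
    pass


def get_order_vulnerable(caller_id: int, order_id: int) -> Order:
    """BOLA/IDOR: the lookup is keyed only on the client-supplied id, so any
    authenticated caller who changes the id reads another user's order."""
    return ORDERS[order_id]


def get_order_scoped(caller_id: int, order_id: int) -> Order:
    """Fix: ownership is part of the lookup, not an afterthought. 'Not found'
    and 'not yours' return the same error so id enumeration learns nothing."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != caller_id:
        raise Forbidden("order not found")
    return order


# Mass assignment: clients may only set fields on this allowlist.
CLIENT_WRITABLE = {"status"}


def update_order(caller_id: int, order_id: int, payload: dict) -> Order:
    """Apply a client PATCH, rejecting any field outside CLIENT_WRITABLE.
    Rejecting (not silently dropping) unknown fields keeps probing visible."""
    order = get_order_scoped(caller_id, order_id)
    unknown = set(payload) - CLIENT_WRITABLE
    if unknown:
        raise ValueError(f"fields not writable by client: {sorted(unknown)}")
    for key, value in payload.items():
        setattr(order, key, value)
    return order
```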

02 // What you get
  • An executive summary that ties API risk to real business impact.
  • Each finding with reproduction steps, evidence, and CVSS-scored severity.
  • Developer-ready remediation for each endpoint and class of issue.
  • A complimentary retest to confirm your fixes are effective.

03 // Standards & methodology

API testing is aligned with the OWASP API Security Top 10 and mapped to the Indonesian regulatory context. Warpstar is a collective of certified operators; we do not claim organizational certifications we do not hold.

OWASP API Security Top 10 (2023)
OWASP WSTG for shared web concerns
PTES & NIST SP 800-115 testing process
Findings mapped to OJK and UU PDP expectations

04 // Frequently asked questions

Do you test both REST and GraphQL APIs?

Yes. We test REST, GraphQL, and SOAP APIs. GraphQL gets specific attention for introspection, batching, and nested-query abuse on top of the standard authorization and injection checks.

Do you need API documentation?

It helps but is not required. We work from an OpenAPI/Swagger spec, a Postman collection, or captured traffic. If none exists, we can discover endpoints as part of the engagement.

Is API testing not already covered by a web pentest?

A web pentest covers the APIs behind that specific app. A dedicated API pentest is the right choice when the API is a standalone product, serves mobile or third-party clients, or has many endpoints that warrant focused authorization testing.

How much does an API pentest cost?

It scales with the number of endpoints and roles in scope. Send us your spec or endpoint list and we will provide a fixed quote up front.

05 // Related services

Have an API that needs testing?