Key Takeaways
- OWASP API Security Top 10 (2023) is the dedicated framework for API security testing. It overlaps with web app Top 10 but emphasises API-specific issues: BOLA, mass assignment, broken authentication, lack of resources/rate limiting.
- BOLA (Broken Object Level Authorization) is consistently the #1 finding in API pentests. Object IDs in URLs / request bodies that bypass authorisation on the backend.
- GraphQL APIs add their own attack surface: introspection abuse, nested IDOR through related fields, query depth DoS, batching rate-limit bypass.
- JWT handling issues are common: algorithm confusion (alg:none, HS256 vs RS256), weak signing keys, claim tampering, missing audience validation.
- Modern API threats: server-side request forgery via webhook URLs, IDOR through GraphQL nested fields, mass assignment on PATCH endpoints, cloud metadata leakage.
Why API Security Is a Separate Discipline From Web App Security
Modern Indian SaaS applications are typically built as a single-page application frontend plus a REST or GraphQL API backend. The API is the actual security boundary; the frontend is largely cosmetic. Testing only the visible frontend misses the real attack surface because the frontend can be bypassed entirely (Postman, curl, custom client) and the backend handles the actual authorisation, data access and business logic.
API security is structurally different from traditional web app security because APIs typically: do not have client-side rendering (so injection and XSS look different), handle JSON or GraphQL payloads (parsing layers introduce different vulnerabilities), use bearer tokens or JWTs (different from session cookies), expose granular CRUD operations on objects (BOLA risk), often power multiple clients (web SPA, mobile app, partner integrations) which means under-tested integration paths.
OWASP recognised this with a dedicated OWASP API Security Top 10 framework. The 2023 version covers the API-specific issues that the web app Top 10 does not enumerate.
OWASP API Security Top 10 (2023): Category-by-Category Testing
API1: Broken Object Level Authorization (BOLA)
The #1 API finding. Object IDs exposed in URL paths, query strings, or request bodies that the backend trusts without authorisation check. Tested via: enumerate one tenant's objects, replay the API calls with another tenant's authentication, observe if data leaks across tenants. Manual chained testing finds these; scanners typically miss them. Indian SaaS finding rate: 40-60 percent of engagements have at least one BOLA.
API2: Broken Authentication
Tested via: JWT manipulation (alg:none, algorithm confusion HS256 vs RS256, weak signing keys), token replay after logout, missing expiration, weak password reset tokens, missing rate limiting on authentication endpoints enabling credential stuffing or brute force. Modern Indian SaaS with custom JWT issuers frequently has these issues.
API3: Broken Object Property Level Authorization
A 2023 expansion of the BOLA category. The user has legitimate access to an object but should not have access to specific properties of that object (admin notes, internal flags, calculated cost, etc.). Tested via: GET object as low-privilege user, observe response, look for sensitive fields that should be filtered. Frequently a sensitive data exposure finding.
API4: Unrestricted Resource Consumption
Missing or weak rate limiting, query complexity controls, pagination limits, file upload limits. Tested via: send many concurrent requests, send very large requests, request very large pages of data, request very deeply nested GraphQL queries. Enables DoS, billing abuse on cloud-cost APIs, scraping risk.
API5: Broken Function Level Authorization
Function-level authorisation gaps: a regular user can call admin endpoints because backend trusts the frontend role enforcement. Tested via: enumerate API routes including admin paths (introspection on GraphQL, OpenAPI docs, JavaScript bundle analysis), call admin endpoints with regular-user authentication, observe if access is granted. Common high-severity finding in Indian SaaS.
API6: Unrestricted Access to Sensitive Business Flows
Business flow abuse: buying limited inventory programmatically, automated bidding/booking, mass account creation, fake review submission, coupon abuse. Tested via: identify business-critical flows, design abuse scenarios, test for missing rate limiting, missing CAPTCHA, missing behavioural anti-abuse. Important for e-commerce, fintech, marketplace, gaming.
API7: Server-Side Request Forgery (SSRF)
SSRF on URL-accepting parameters: webhook URLs, image upload by URL, PDF generation from URL, OAuth callback validation, file fetch by URL. Tested via: pass attacker-controlled URLs targeting internal services (cloud metadata 169.254.169.254, internal admin interfaces, AWS IAM credentials). Cloud metadata SSRF on AWS without IMDSv2 enforcement is the most common high-severity SSRF finding in Indian SaaS.
API8: Security Misconfiguration
Tested via: missing security headers, verbose error messages leaking stack traces, misconfigured CORS allowing arbitrary origins, exposed API documentation (Swagger UI on production), missing input validation at API gateway, default credentials on management interfaces.
API9: Improper Inventory Management
Old API versions still accessible (v1, v2 alongside current v3), deprecated endpoints still functional, sandbox/staging APIs exposed on internet without authentication, undocumented internal endpoints discoverable through inference. Tested via: subdomain enumeration, JavaScript bundle analysis, Wayback Machine, certificate transparency for historic deployments.
API10: Unsafe Consumption of APIs
Your API trusts upstream APIs without validation. Tested via: identify third-party APIs your backend consumes (payment gateways, KYC providers, geolocation, weather, etc.), assess input validation on responses, test for injection through upstream API responses, verify TLS validation. Frequent issue in Indian fintech integrating multiple payment partners.
Need a Pentest Engagement?
Codesecure runs manual + AI-augmented VAPT for Indian businesses: web, API, mobile, network, cloud, AD, IoT, source code. Named OSCP/CEH/CISSP consultants, ISO/IEC 27001:2022 certified delivery, free retest within 90 days.
See Pentest Services →GraphQL Specifics: What Makes GraphQL Pentest Different
Schema Introspection Abuse
GraphQL introspection lets clients query the schema (queries, mutations, types, fields). If left enabled in production, attackers map the complete API including hidden mutations and field-level permissions. Tested via: introspection query, schema dump using tools like graphql-voyager or InQL, identify hidden mutations and admin operations. Disable introspection in production unless your business model requires it.
Nested IDOR Through Related Fields
GraphQL queries can traverse object relationships: user { organisation { members { email } } }. If authorisation is enforced per-query rather than per-field, a low-privilege user can leak related-object data through nested fields. Tested via: identify nested relationships, craft queries that traverse into related objects, observe if authorisation correctly filters per-field. Common high-severity GraphQL finding.
Query Depth and Complexity Abuse
Deeply nested queries can cause exponential backend load. Tested via: craft a query that goes 10-15 levels deep, observe response time, escalate to denial-of-service potential. Mitigated by query depth limits, complexity scoring, timeouts.
Batching Abuse
GraphQL supports batching multiple queries in a single HTTP request. If rate limits are applied per HTTP request rather than per query, attacker can bypass rate limit by batching N queries in one request. Tested via: batch many queries for sensitive endpoints (login, password reset, OTP), observe if rate limit applies. Mitigation: count queries within batch toward rate limit.
API Pentest Scope and Pricing for Indian Businesses
Codesecure API pentest pricing tiers: INR 1L-2L for REST API with up to 30-50 endpoints, OWASP API Top 10 + business logic testing, 1 week. INR 1.5L-2.5L for GraphQL API including introspection, nested IDOR, depth and batching abuse testing. INR 2.5L-4L for large API portfolios with 100+ endpoints across multiple services or microservices.
Most Indian SaaS engagements combine web app + API pentest because the same backend powers both. Combined pricing typically 1.5-1.7x of either alone (not 2x) due to shared scoping and reporting. All Codesecure API pentest engagements include free retest within 90 days and audit-ready reporting (OWASP API Top 10, CWE, CVSS v3.1).
Frequently Asked Questions
Should we test our API separately or as part of the web app pentest?
Both. Modern Indian SaaS web app + API pair shares a backend so combined pentest is most economical. The pentest report distinguishes web app findings (frontend-related) from API findings (backend-related, business logic, authorisation). For headless products (mobile-only or B2B API products), API-only pentest is appropriate.
What is BOLA and why is it the #1 API finding?
BOLA (Broken Object Level Authorization) is when an API exposes object IDs in URLs or request bodies and the backend trusts the ID without verifying the requesting user has access to that specific object. Example: GET /api/v1/invoices/12345 where 12345 is the invoice ID. Backend should check 'does this user own invoice 12345?' but often only checks 'is this user authenticated?'. BOLA is #1 because: it is a manual-testing finding (scanners miss it), it is endemic in multi-tenant SaaS, the impact is direct data leakage across tenants.
How is GraphQL pentest different from REST pentest?
Several specific concerns beyond standard API security: schema introspection abuse, nested IDOR through related fields, query depth and complexity DoS, batching rate-limit bypass. Also positive aspect: GraphQL strongly-typed schema makes many input validation issues impossible, replacing them with schema-validated equivalents. Codesecure GraphQL pentest covers both REST-equivalent issues and GraphQL-specific issues in the same engagement.
Do we need rate limiting on every API endpoint?
Authentication endpoints (login, password reset, OTP) absolutely. Sensitive business flows (checkout, withdrawal, account creation) yes. Read-heavy public endpoints (search, listing) probably yes to prevent scraping. Internal admin endpoints can be less strict but should have at minimum monitoring. Default position: rate-limit everything; loosen specific endpoints if business need justifies.
How do we test JWT security issues?
Manual JWT manipulation using jwt.io, jwt_tool, Burp Suite JWT Editor extension. Test for: alg:none acceptance, algorithm confusion (HS256 forgery using RS256 public key), weak HS256 signing keys via brute force or dictionary attack, missing expiration claim, missing audience validation, missing issuer validation, replay after logout, mixing tokens between environments. Codesecure API pentest always includes structured JWT testing when JWTs are in scope.
Will the API pentest report satisfy SOC 2 / ISO 27001 / PCI DSS auditors?
Yes. Codesecure API pentest reports map findings to OWASP API Top 10, CWE, CVSS v3.1, MITRE ATT&CK and the specific control families relevant to each audit (SOC 2 CC7.x, ISO 27001 A.8.x, PCI DSS Req 11.4). Indian and global auditors routinely accept our reports as pentest evidence including for API-only engagements.
How quickly can we start an API pentest?
Instant response, no delay. We respond within an hour during business hours, send a fixed-fee scoped proposal in 24-48 hours under NDA, and kick off the API pentest the same week. Typical API-only pentest runs 1-2 weeks; combined web app + API runs 2-3 weeks.
Get an API Security Audit Aligned to OWASP API Top 10
Codesecure runs API security audits covering REST and GraphQL with OWASP API Top 10 methodology, manual BOLA and authorisation testing, JWT analysis. Named OSCP/CEH/CISSP consultants, ISO/IEC 27001:2022 certified delivery, free retest within 90 days.
