API PENETRATION TESTING

CREST-Certified API Penetration Testing for UK Businesses

API penetration testing for REST, GraphQL, gRPC, and SOAP. Manual exploitation of the OWASP API Top 10 — BOLA, BFLA, BOPLA, mass assignment, SSRF, broken authentication, and unsafe consumption of upstream APIs. Fixed-price quotes within 24 hours.

  • CREST Member (verifiable)
  • REST · GraphQL · gRPC · SOAP
  • OWASP API Top 10 (2023): BOLA · BFLA · BOPLA · Mass Assignment
  • Schema-aware testing: OpenAPI · Postman · GraphQL Schema
  • CREST Approved Provider
  • OWASP API Top 10 coverage
  • Free retest included
  • 24h from scope to active test
40% of all API attacks exploit BOLA — broken object-level authorization, the #1 entry on the OWASP API Top 10 (2023). Automated scanners almost never find these.

Scanners check syntax. Attackers check authorization.

A REST API security scan can confirm your endpoints respond. It cannot tell you whether /users/123/orders returns User 124’s data when you swap the ID. That’s a human’s job — and it’s the single most common API vulnerability in UK production environments.

Our API penetration testing is delivered with full schema awareness (OpenAPI / Swagger / Postman / GraphQL introspection), authenticated and unauthenticated coverage, and explicit role-hopping across every defined permission tier. Reports satisfy ISO 27001 Annex A.12.6.1, SOC 2 CC7.1, PCI DSS Req 11.3, and align with NCSC API security guidance — without translation work.

What We Test in API Penetration Testing

Full coverage of the 2023 OWASP API Security Top 10 — REST, GraphQL, gRPC, and SOAP. Each category exploited manually with Burp Suite Pro, Postman, custom scripts, and schema-aware fuzzing.

API1:2023 Broken Object Level Authorization (BOLA)

Swap object IDs in URLs / payloads to access resources owned by other users. The single most common API vulnerability — accounts for ~40% of API attacks.

API2:2023 Broken Authentication

JWT signature validation flaws, weak refresh token handling, OAuth flow misconfigurations, password reset abuse, account takeover via token replay.

API3:2023 Broken Object Property Level Authorization (BOPLA)

Mass assignment / mass update — attackers add unexpected fields like is_admin: true in JSON payloads to escalate privilege at the property level.
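The property-level flaw above, as an added illustration that is not part of this page or the firm's tooling: a framework-free profile-update handler that copies the whole JSON body onto the record, beside the hardened form that binds the body to an allow-list of writable properties. The record, field names and exception are constructed for the example.

```python
import json

# Constructed user record; the API lets a user update their own profile via PATCH /me.
USER = {"id": 123, "email": "user@example.com", "display_name": "Sam", "is_admin": False}

# Allow-list of properties a user may write on their own record. Everything else
# (id, is_admin, ...) is rejected rather than silently dropped so the attempt is visible.
WRITABLE_BY_USER = frozenset({"email", "display_name"})


class PropertyNotWritable(ValueError):
    """Maps to HTTP 400 in the real API."""


def patch_me_vulnerable(record: dict, body: str) -> dict:
    # Mass assignment: every key in the JSON body is copied onto the record,
    # so a body containing "is_admin": true escalates privilege at the property level.
    updated = dict(record)
    updated.update(json.loads(body))
    return updated


def patch_me_fixed(record: dict, body: str) -> dict:
    # Property-level authorization: bind the client body to an explicit set of
    # writable fields before it ever touches the persisted record.
    updates = json.loads(body)
    if not isinstance(updates, dict):
        raise PropertyNotWritable("JSON object expected")
    rejected = set(updates) - WRITABLE_BY_USER
    if rejected:
        raise PropertyNotWritable(f"not writable by this role: {sorted(rejected)}")
    updated = dict(record)
    updated.update(updates)
    return updated
```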

API4:2023 Unrestricted Resource Consumption

Rate-limit bypass, denial-of-wallet via expensive cloud calls, GraphQL query nesting attacks, batch endpoint abuse, regex / cryptographic DoS patterns.

API5:2023 Broken Function Level Authorization (BFLA)

Hidden admin endpoints reachable from user roles. HTTP verb tampering. Tier-bypass on multi-role APIs. Privilege escalation across function classes.

API6:2023 Unrestricted Access to Sensitive Business Flows

Bot-driven abuse of high-value flows: ticket scalping, sign-up fraud, gift-card brute force, refund abuse — anywhere business logic lacks anti-automation controls.

API7:2023 Server-Side Request Forgery (SSRF)

Force the API server to make internal requests on the attacker's behalf. Cloud metadata exfiltration (IMDSv1), internal service discovery, partial port scanning via response timing.

API8:2023 Security Misconfiguration

Verbose error messages leaking stack traces, exposed admin / debug endpoints, missing CORS hardening, default credentials on management interfaces.

API9:2023 Improper Inventory Management

Old API versions still online (v1, v2-deprecated), staging endpoints reachable from prod DNS, third-party integration endpoints with weaker controls than primary API.

API10:2023 Unsafe Consumption of APIs

Your API trusts upstream / third-party APIs implicitly. Compromised SaaS dependency injects malicious data downstream — supply chain at the API layer.

FOUR-PHASE METHODOLOGY

API Penetration Testing — From Schema to Attestation

Schema-first scoping. Authenticated and unauthenticated testing across every role tier. Automation handles breadth; humans exploit business logic.

1. Schema & Scoping

OpenAPI / Swagger / Postman / GraphQL schema review. Authenticated role matrix. Threat model. Fixed-price quote signed off.

2. Recon & Enumeration

Endpoint discovery, hidden / undocumented routes, version enumeration, deprecated paths. GraphQL introspection. gRPC reflection. JWT structure analysis.

3. Manual Exploitation

BOLA / BFLA / BOPLA at every role tier. Mass assignment. JWT signature attacks. Rate-limit bypass. SSRF chains. Business-logic abuse.

4. Report & Retest

CVSS-scored findings, OWASP API ID tagging, executive + technical reports. Free retest within 30 days. Direct engineer access via portal.

Verified Accreditations Auditors Accept

Every accreditation is independently issued by a recognised UK certification body, and our CREST membership can be verified directly with CREST.

COMPLIANCE READY

API Reports Mapped to Every Framework

Findings tagged to OWASP API IDs and the specific compliance framework controls your auditors require.

OWASP API Top 10 (2023)

Full coverage of all 10 categories with proof-of-exploit, business impact, and remediation guidance.

ISO 27001

Annex A.12.6.1 vulnerability management plus A.14.2 secure development for API services.

SOC 2 Type I & II

CC7.1 vulnerability identification evidence accepted by auditors as production-grade assurance.

PCI DSS

Req 6.5.x and Req 11.3.x application-layer testing for payment APIs and PCI-scoped services.

FCA / PRA Operational Resilience

API resilience evidence for regulated firms — outsourcing risk, Operational Resilience tests.

NHS DSPT & UK GDPR Art 32

Patient-data API testing, healthcare integrations, technical and organisational measures evidence.

TRANSPARENT PRICING

Transparent API Penetration Testing Pricing

All tiers include the same depth of testing. Price varies by API complexity, number of endpoints, role tiers, and protocol mix (REST / GraphQL / gRPC / SOAP).

SMALL / SMB
£4,000 – £7,000
Depends on API complexity

Single REST API, < 25 endpoints, 1-2 user roles, OpenAPI spec available. Typically 4-5 day engagement.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation
MOST COMMISSIONED
GROWTH / MID-MARKET
£7,000 – £12,000
Depends on API complexity

REST + GraphQL, multi-version, 25-100 endpoints, 3+ role tiers, OAuth / OIDC flows, third-party integrations. Typically 7-10 day engagement.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation
ENTERPRISE
£12,000+
Depends on API complexity

Microservice mesh, 100+ endpoints, gRPC + GraphQL + REST, multi-tenant gateway, regulated workloads, schema-less endpoints. Typically 12-15 day engagement.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

What You Actually Get

Five things that distinguish our API testing from automated scans and one-protocol-only competitors.

🎯 What You Get From API Penetration Testing

Manual exploitation of every OWASP API Top 10 category, schema-aware coverage, role-by-role authorization testing, and free retests until validated.

🔬 Schema-First Approach

We ingest your OpenAPI / Swagger / Postman / GraphQL schema before testing starts. No more ‘we missed an endpoint’ six months later.

🔐 Authorization at Every Tier

BOLA and BFLA are the #1 and #5 OWASP API risks. We test each role tier against each endpoint — not ‘admin can access admin only’.

🔗 Multi-Protocol Coverage

REST, GraphQL, gRPC, SOAP, WebSocket. Most competitors test REST only. We test what you actually built.

🇬🇧 UK CREST + IASME + ISO 27001 + ISO 9001

Independently accredited. Verifiable on the CREST marketplace. Reports accepted by FCA, NCSC, NHS, ICO, SOC 2 auditors, and cyber insurers.

Frequently Asked

How long does an API penetration test take?

A small REST API engagement (under 25 endpoints, 1-2 roles) typically takes 4-5 working days. Mid-market APIs (REST + GraphQL, 25-100 endpoints, 3+ roles) take 7-10 days. Enterprise microservice meshes with 100+ endpoints take 12-15 days. Test duration is determined during scoping based on endpoint count, role complexity, and protocol mix.

How much does API penetration testing cost in the UK?

Small-API engagements range from £4,000 to £7,000. Mid-market (the most commonly commissioned tier) ranges £7,000 to £12,000. Enterprise microservice or multi-protocol APIs start at £12,000. All quotes are fixed-price after scoping; no day-rate surprises.

Do you test against the OWASP API Top 10?

Yes — every engagement covers all 10 categories of the OWASP API Security Top 10 (2023 edition). Findings are tagged to specific OWASP IDs (API1:2023 BOLA, API2:2023 Broken Authentication, etc.) so your audit team can submit evidence directly. We also reference the OWASP API Security Top 10 changelog from 2019 to 2023 in the executive report.

What is BOLA and why does it matter?

BOLA (Broken Object Level Authorization) is the #1 entry on the OWASP API Top 10 (2023). It accounts for an estimated 40% of all API attacks. BOLA happens when an API endpoint returns data based on an object ID without verifying that the requesting user owns that object. Example: GET /users/123/orders returns user 123’s orders when called with the auth token of a different, attacker-controlled account. Automated scanners almost never find BOLA — it requires manual role-by-role testing.
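The /users/{id}/orders case described above and in the API1:2023 entry, as an added example rather than anything from this page or the firm's own tooling: a vulnerable handler that trusts the path ID, its fixed form that ties the object to the authenticated principal, and a small role-matrix runner of the kind role-by-role testing produces. The order store, Principal type and the "support" role are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed in-memory store standing in for the orders table behind /users/{id}/orders.
ORDERS = {
    123: [{"order_id": "A-1", "total": 42.0}],
    124: [{"order_id": "B-7", "total": 999.0}],
}


@dataclass(frozen=True)
class Principal:
    """Identity established from the bearer token before the handler runs."""
    user_id: int
    roles: frozenset = frozenset()


class Forbidden(Exception):
    """Maps to HTTP 403 (or 404, to avoid confirming the object exists) in the real API."""


def get_user_orders_vulnerable(path_user_id: int, caller: Principal) -> list:
    # BOLA: the ID comes straight from the URL. The caller's identity only proves that
    # *some* valid token was presented, never that it owns the requested object.
    assert caller is not None  # authentication happened; authorization did not
    return ORDERS.get(path_user_id, [])


def get_user_orders_fixed(path_user_id: int, caller: Principal) -> list:
    # Object-level authorization: tie the requested object to the authenticated principal
    # (or to an explicit privileged role) before the store is touched at all.
    if path_user_id != caller.user_id and "support" not in caller.roles:
        raise Forbidden(f"user {caller.user_id} may not read orders of user {path_user_id}")
    return ORDERS.get(path_user_id, [])


def role_matrix_check(handler, owner_id: int, callers: list) -> dict:
    """Run one endpoint against every role tier, the way a role-by-role test does.
    Returns {caller_user_id: 'allowed' | 'denied'} so gaps show at a glance."""
    results = {}
    for caller in callers:
        try:
            handler(owner_id, caller)
            results[caller.user_id] = "allowed"
        except Forbidden:
            results[caller.user_id] = "denied"
    return results
```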

Do you test REST, GraphQL, gRPC, and SOAP?

Yes — all four. REST is most common, but modern UK production environments commonly mix REST + GraphQL, with gRPC for internal microservice mesh and SOAP for legacy integrations. Each protocol has unique attack surfaces (GraphQL introspection / nested-query abuse, gRPC reflection, SOAP XXE) and we test for protocol-specific issues alongside the common OWASP API Top 10 categories.

Can you test if we don’t have an OpenAPI / Swagger spec?

Yes. Schema-less testing is supported but takes longer because we have to discover endpoints via traffic capture, brute-force, or proxy interception. We strongly recommend providing OpenAPI / Swagger / Postman exports if available — it makes testing more thorough and saves 1-2 days of recon. For GraphQL, introspection being enabled in the test environment gives us the schema (it can be disabled in production).

Do you test authentication flows (OAuth / JWT / OIDC)?

Yes. Authentication is tested at every layer: token issuance, token validation, refresh-token handling, token replay attacks, JWT signature flaws (none algorithm, key confusion, weak secrets), OAuth 2.0 misconfigurations (open redirects, PKCE bypass, scope abuse), and OIDC ID-token validation. Authentication issues are #2 on the OWASP API Top 10.

Can you exploit business logic flaws?

Yes — manual exploitation of business logic is what distinguishes manual penetration testing from automated scanners. We test for OWASP API6:2023 (Unrestricted Access to Sensitive Business Flows): refund abuse, gift-card brute force, sign-up fraud, ticket scalping, race-condition exploits in payments, and price manipulation. Signature-based tools cannot find these flaws.

Do you test third-party API consumption?

Yes. OWASP API10:2023 (Unsafe Consumption of APIs) covers risks where your API trusts upstream / third-party data without validation. We test how your API handles malicious or unexpected responses from external services — important for SaaS aggregators, fintech open-banking consumers, and any API that trusts third-party feeds.

What about rate limiting and DoS testing?

Yes. Under OWASP API4:2023 (Unrestricted Resource Consumption) we test for rate-limit bypass, GraphQL nested-query DoS, batch-endpoint abuse, regex DoS (ReDoS), denial-of-wallet via expensive cloud calls, and cryptographic DoS patterns. Limited-impact testing only — we never run full DoS attacks against production without explicit authorization.

Are your testers UK-based and what certifications do they hold?

All API testers are vetted UK or international engineers matched to your engagement. Relevant certifications across the team include CREST CRT and CCT App, OSCP, OSWE (Offensive Security Web Expert), and protocol-specific specialisms. SC-cleared testers are available for public-sector and regulated-financial engagements.

Do you sign NDAs?

Yes. Standard NDA before any technical detail is shared, and we operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.

READY TO SCOPE

Book an API Pen Test Scoping Call

30 minutes with a CREST-certified API tester. Fixed-price quote within 24 hours. No sales pipeline.