API Security Testing

API Security Testing Services

APIs are the primary attack surface of modern applications and are consistently undertested compared to web interfaces. Our API security testing covers the full OWASP API Security Top 10 with manual testing that goes beyond what automated scanners can find: broken authorization, authentication weaknesses, business logic flaws, and data exposure risks specific to your API architecture.

OWASP API Security Top 10: tested in full
REST, GraphQL and SOAP: supported
Auth flaws: the most common class of API vulnerability
Business logic: tested, not just technical flaws
Broken Object Level Authorization (BOLA)

BOLA, the OWASP API Security name for what was previously reported as IDOR, is the most commonly exploited API vulnerability. We test every endpoint that accepts an object identifier to verify that authorization is enforced for the specific object requested, not just for the resource type. This includes horizontal privilege escalation between users at the same level and vertical escalation to admin-level objects.

Authentication & Authorization Testing

We test API authentication mechanisms including JWT validation, OAuth flows, API key management, and session handling. Authentication failures at the API layer often have broader impact than equivalent failures in a web interface because APIs are designed for machine-to-machine communication and often have access to more sensitive data and operations.

Excessive Data Exposure

Many APIs return far more data than the client interface displays, filtering sensitive fields client-side rather than server-side. We analyze API responses for sensitive data that should not be returned to the caller, including PII, internal system details, and data belonging to other users.
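To make the client-side versus server-side filtering distinction concrete, here is an added example (not garrisonOne's code): a profile endpoint that returns the whole user record and relies on the UI to hide fields, next to a server-side allowlist serializer, plus the kind of key-name scan a tester runs over captured responses. The record, the field lists and the sensitive-key hints are all constructed for the example.

```python
# Added example (not garrisonOne code): excessive data exposure, vulnerable
# handler beside the fixed one, and a response scanner for review work.
# USER_RECORD, PUBLIC_FIELDS, OWNER_FIELDS and SENSITIVE_KEY_HINTS are
# constructed for this example.

USER_RECORD = {  # what the ORM hands back for one user
    "id": 7, "username": "alice", "display_name": "Alice",
    "email": "alice@example.com", "phone": "+1-555-0100",
    "password_hash": "$2b$12$constructedhashvalue",
    "mfa_secret": "JBSWY3DPEHPK3PXP",
    "internal_notes": "VIP, fraud flag cleared",
    "created_at": "2024-01-02",
}

PUBLIC_FIELDS = ("id", "username", "display_name", "created_at")
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "phone")


def profile_vulnerable(record: dict, viewer_id: int) -> dict:
    """Returns the whole row; the web UI simply does not render the rest,
    but anyone calling the API directly sees everything."""
    return dict(record)


def profile(record: dict, viewer_id: int) -> dict:
    """Server-side allowlist: the response is built from an explicit field
    list chosen by the viewer's relationship to the record. Fields that are
    not listed can never leak, even when new columns are added later."""
    fields = OWNER_FIELDS if viewer_id == record["id"] else PUBLIC_FIELDS
    return {k: record[k] for k in fields}


SENSITIVE_KEY_HINTS = ("password", "secret", "token", "ssn", "internal", "hash")


def find_sensitive_keys(payload, path: str = "") -> list:
    """Walk a JSON-like response and return dotted paths whose key names
    suggest data that should never leave the server. A key-name scan only
    catches obvious names; PII such as email or phone is decided by the
    allowlist above, not by this heuristic."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if any(hint in key.lower() for hint in SENSITIVE_KEY_HINTS):
                hits.append(here)
            hits.extend(find_sensitive_keys(value, here))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(find_sensitive_keys(value, f"{path}[{i}]"))
    return hits


if __name__ == "__main__":
    print("vulnerable:", find_sensitive_keys(profile_vulnerable(USER_RECORD, 99)))
    print("fixed:     ", find_sensitive_keys(profile(USER_RECORD, 99)))
```

The scanner is a triage aid for reading captured responses; the fix is the allowlist, which also decides who may see PII fields such as email and phone.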

Rate Limiting & Resource Management

Absence of rate limiting on API endpoints enables credential stuffing, enumeration attacks, and resource exhaustion. We test for missing or bypassable rate limits, lack of input size restrictions, and server-side resource consumption vulnerabilities that could lead to denial of service.
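A "bypassable" limit is usually one keyed on something the client controls. The following added example (not garrisonOne's code) applies a fixed-window limiter to a login endpoint twice: first keyed on the client-supplied X-Forwarded-For header, which an attacker defeats by rotating the header, then keyed on the connecting address together with the target account. The request shapes, addresses and limits are constructed for the example.

```python
# Added example (not garrisonOne code): rate limiting and its bypass.
# The request dicts, addresses and limiter settings are constructed here.
from collections import defaultdict


class RateLimiter:
    """Fixed-window counter: `limit` requests per `window_s` seconds per key.
    Fixed windows allow up to 2x the limit across a window boundary; a
    sliding window or token bucket tightens that, but the keying problem
    shown below is the same whichever algorithm is used."""

    def __init__(self, limit: int, window_s: int):
        self.limit, self.window_s = limit, window_s
        self.counts = defaultdict(int)  # (key, window index) -> count

    def allow(self, key: str, now: float) -> bool:
        bucket = (key, int(now // self.window_s))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


def key_from_forwarded_header(req: dict) -> str:
    """Weak: X-Forwarded-For is attacker-controlled unless a trusted proxy
    overwrites it, so each request can present a fresh 'client address'."""
    return req["headers"].get("X-Forwarded-For", req["peer_ip"])


def key_from_peer_and_account(req: dict) -> str:
    """Stronger: the socket peer address cannot be spoofed by the client, and
    keying on the target account as well throttles distributed credential
    stuffing against one victim. Behind a trusted proxy, use the rightmost
    trusted hop of X-Forwarded-For instead of the peer address."""
    return f'{req["peer_ip"]}|{req["body"]["username"]}'


def credential_stuffing_run(limiter_factory, key_fn, attempts: int, now: float = 0.0) -> int:
    """Simulate `attempts` password guesses against one account from one
    machine that rotates the X-Forwarded-For value on every request.
    Returns how many guesses the limiter let through."""
    limiter = limiter_factory()
    passed = 0
    for i in range(attempts):
        req = {
            "peer_ip": "203.0.113.9",
            "headers": {"X-Forwarded-For": f"198.51.100.{i % 250}"},
            "body": {"username": "alice", "password": f"guess{i}"},
        }
        if limiter.allow(key_fn(req), now):
            passed += 1
    return passed


if __name__ == "__main__":
    make = lambda: RateLimiter(limit=5, window_s=60)
    print("header-keyed:", credential_stuffing_run(make, key_from_forwarded_header, 100))
    print("peer+account: ", credential_stuffing_run(make, key_from_peer_and_account, 100))
```

The test a pentester performs is exactly `credential_stuffing_run` with real requests: replay the same login with varying forwarded headers, alternate case in the path, or a different content type, and see whether the counter resets.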

Injection & Server-Side Vulnerabilities

We probe API endpoints for SQL injection, NoSQL injection, command injection, XML/JSON injection, and SSRF vulnerabilities. These attacks are often more impactful at the API layer because APIs frequently interact directly with databases and internal services with minimal sanitization.
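Of the classes listed, SSRF is the one that most often turns an API into a pivot toward internal services and cloud metadata endpoints. The following added example (not garrisonOne's code) validates a user-supplied URL before a server-side fetch such as a webhook or "import from URL" feature: it pins scheme and port, rejects embedded credentials, resolves the host and refuses any answer that is not a public address, including IPv4-mapped IPv6 forms. The resolver is injected so the example runs offline against a constructed hostname table; the addresses in it are illustrative.

```python
# Added example (not garrisonOne code): SSRF guard for outbound fetches.
# FAKE_DNS, the hostnames and the allowed ports are constructed for this example.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

FAKE_DNS = {  # constructed; a real caller passes a socket.getaddrinfo-backed resolver
    "api.partner.example": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.example": ["93.184.216.35", "10.0.0.5"],
    "localtest.example": ["127.0.0.1"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


def is_public_address(addr) -> bool:
    """Reject loopback, RFC 1918, link-local (cloud metadata lives at
    169.254.169.254), multicast, reserved and unspecified addresses.
    ::ffff:127.0.0.1 is unwrapped first so it is judged as 127.0.0.1."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url: str, resolve=fake_resolve):
    """Return (ok, reason, pinned_ip). The caller must connect to pinned_ip
    with the Host header set to the hostname rather than resolving again;
    otherwise DNS rebinding can change the answer between check and use.
    Redirects from the fetched target must be re-validated the same way."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "unparseable URL or port", None
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if parts.username or parts.password:
        return False, "credentials embedded in URL", None
    host = parts.hostname
    if not host:
        return False, "no host", None
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None
    try:  # IP literal, including bracketed IPv6
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except ValueError:
            return False, "resolver returned a non-address", None
        if not addrs:
            return False, "host does not resolve", None
    for addr in addrs:  # every answer must be public, not just the first
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public {addr}", None
    return True, "ok", str(addrs[0])


if __name__ == "__main__":
    for u in ("https://api.partner.example/hook", "http://metadata.internal/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "file:///etc/passwd", "http://rebind.attacker.example/"):
        print(u, "->", validate_outbound_url(u)[:2])
```

Note that Python's ipaddress module marks the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, which is why the constructed table uses other addresses for its "public" entries.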

GraphQL-Specific Testing

GraphQL introduces unique attack vectors including introspection abuse, deeply nested queries for DoS, field-level authorization failures, and batch query attacks. We test GraphQL APIs specifically for these vectors in addition to the OWASP API Top 10 coverage applied to all API types.
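Two of those vectors, nested-query DoS and alias batching, can be screened before any resolver runs. The added example below (not garrisonOne's code) is a pre-execution guard that measures selection depth, counts top-level fields (each alias counts separately, which is how a single request batches hundreds of login attempts) and flags introspection. It uses a small hand-written tokenizer rather than a GraphQL library, so it understands only as much of the grammar as this check needs: strings, comments and argument object literals are skipped. The sample queries and the limits are constructed for the example.

```python
# Added example (not garrisonOne code): GraphQL depth / batching / introspection guard.
# The tokenizer, limits and sample queries are constructed for this example.


def graphql_tokens(query: str):
    """Yield ('name', text) or ('punct', ch), skipping whitespace, commas,
    comments and string literals (including block strings)."""
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c.isspace() or c == ",":
            i += 1
        elif c == "#":                       # comment to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif query.startswith('"""', i):     # block string
            j = query.find('"""', i + 3)
            i = n if j < 0 else j + 3
        elif c == '"':                       # string with escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
        elif c.isalpha() or c == "_":
            j = i
            while j < n and (query[j].isalnum() or query[j] == "_"):
                j += 1
            yield ("name", query[i:j])
            i = j
        else:
            yield ("punct", c)
            i += 1


def analyze(query: str) -> dict:
    """Max selection-set depth, number of fields at the top level of the
    operation, and whether any __-prefixed (introspection) field appears."""
    depth = max_depth = paren = top_level = 0
    introspection = False
    prev = None
    for kind, text in graphql_tokens(query):
        if kind == "punct":
            if text == "(":
                paren += 1
            elif text == ")":
                paren -= 1
            elif text == "{" and paren == 0:  # braces inside arguments are input objects
                depth += 1
                max_depth = max(max_depth, depth)
            elif text == "}" and paren == 0:
                depth -= 1
        else:
            if text.startswith("__"):
                introspection = True
            # A name directly inside the top selection set is a field or an alias.
            # Names after ':' (aliased field), '@' (directive), '.' (fragment
            # spread) or 'on' (inline fragment type) are not counted again.
            if depth == 1 and paren == 0 and prev not in (":", "@", ".", "on"):
                top_level += 1
        prev = text
    return {"max_depth": max_depth, "top_level_fields": top_level, "introspection": introspection}


def check_query(query: str, max_depth: int = 8, max_top_level: int = 10,
                allow_introspection: bool = False):
    info = analyze(query)
    if info["introspection"] and not allow_introspection:
        return False, "introspection is disabled in this environment"
    if info["max_depth"] > max_depth:
        return False, f"depth {info['max_depth']} exceeds {max_depth}"
    if info["top_level_fields"] > max_top_level:
        return False, f"{info['top_level_fields']} top-level fields exceeds {max_top_level}"
    return True, "ok"


def batch_login_query(n: int) -> str:
    """What an alias-batching attacker sends: n password guesses in one request."""
    body = " ".join(f'a{i}: login(user: "alice", password: "guess{i}") {{ token }}' for i in range(n))
    return "mutation { " + body + " }"


NESTED_QUERY = "{ user(id: 1) { friends { friends { friends { friends { name } } } } } }"
ARGS_QUERY = '{ users(filter: {role: "admin", tags: ["a", "{b}"]}) { id } }'

if __name__ == "__main__":
    for q in (NESTED_QUERY, ARGS_QUERY, batch_login_query(50), "{ __schema { types { name } } }"):
        print(analyze(q), check_query(q, max_depth=4))
```

Depth and alias counts are a coarse screen, not a cost model; a production deployment also needs per-field cost limits and, as the page notes, authorization inside each resolver rather than at the single /graphql endpoint.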



What Makes Us Different From Others

  • OWASP API Top 10 coverage: Every engagement is mapped to the full OWASP API Security Top 10 so you have documented evidence of what was tested and what was found.
  • REST and GraphQL expertise: We test REST, GraphQL, and gRPC APIs. GraphQL in particular has unique security considerations that require specific testing approaches beyond what standard API tools cover.
  • Business logic testing at the API layer: We test for business logic flaws specific to your API: price manipulation, workflow bypass, and operations that should require human approval but do not. These cannot be found by automated tools.
  • Authentication flow coverage: OAuth, JWT, API keys, session tokens: we test every authentication mechanism your API uses, including token expiry, signature validation, and scope enforcement.
  • Integration with web app testing: API testing is included as part of web application penetration testing engagements, or available as a standalone service for organizations that need focused API coverage.
  • Retesting included: Remediation verification is built into every engagement. We confirm that fixes are complete before the engagement closes.
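The Authentication & Authorization Testing section and the authentication flow bullet above both name the same three JWT checks: signature validation, token expiry and scope enforcement. The added example below (not garrisonOne's code) is a minimal HS256 JWT issuer and verifier written against the Python standard library that performs those checks, together with the negative cases a tester tries: an alg=none token, a token with swapped claims and the original signature, a token signed with the wrong key, and an expired token. The secret, claim values and scope names are constructed for the example.

```python
# Added example (not garrisonOne code): HS256 JWT issue/verify with the
# checks an API tester probes for. SECRET and all claims are constructed.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-example-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a JWT. `alg` is a parameter only so the example can mint an
    unsecured alg=none token to show it being rejected."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{b64url_encode(sig)}"


def tamper_payload(token: str, new_claims: dict) -> str:
    """Attacker move: keep the original header and signature, swap the claims.
    A verifier that decodes without checking the MAC accepts this."""
    h64, _old_body, s64 = token.split(".")
    return f"{h64}.{b64url_encode(json.dumps(new_claims).encode())}.{s64}"


class TokenError(Exception):
    pass


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Weak verifiers trust the header's alg, skip exp, or decode without
    checking the signature. This one pins the algorithm, compares the MAC in
    constant time, and enforces exp before returning any claims."""
    try:
        h64, b64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":          # never let the token choose its algorithm
        raise TokenError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired or has no exp")
    return claims


def require_scope(claims: dict, needed: str) -> bool:
    """Scope enforcement: the token must explicitly carry the scope the
    endpoint needs. An absent or empty scope claim means denied."""
    return needed in claims.get("scope", "").split()


def rejects(token: str, now: float, secret: bytes = SECRET) -> bool:
    """True if verify_token refuses the token (used for the negative cases)."""
    try:
        verify_token(token, secret, now)
        return False
    except TokenError:
        return True


if __name__ == "__main__":
    now = time.time()
    good = issue_token({"sub": "user-42", "scope": "orders:read", "exp": now + 600})
    print("valid:", verify_token(good))
    print("alg=none rejected:", rejects(issue_token({"sub": "admin", "exp": now + 600}, alg="none"), now))
    print("tampered rejected:", rejects(tamper_payload(good, {"sub": "admin", "exp": now + 600}), now))
```

The same four probes apply to any JWT implementation under test: change the header alg, edit the payload and keep the signature, sign with a guessed or leaked key, and replay after expiry.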

Client results

See how we have helped

Technology / SaaS

SaaS Startup — AWS Security Hardening

A seed-stage SaaS startup had customer data in a public S3 bucket. garrisonOne conducted a full AWS security assessment against CIS benchmarks and hardened the environment in 4 weeks.

3 public S3 buckets closed
19 overprivileged IAM roles fixed
100% security review passed

Frequently asked questions

What is OWASP API Security Top 10?

The OWASP API Security Top 10 is a list of the most critical security risks specific to APIs. The 2023 edition lists: Broken Object Level Authorization, Broken Authentication, Broken Object Property Level Authorization, Unrestricted Resource Consumption, Broken Function Level Authorization, Unrestricted Access to Sensitive Business Flows, Server Side Request Forgery, Security Misconfiguration, Improper Inventory Management, and Unsafe Consumption of APIs. Testing against this list ensures coverage of the most commonly exploited API vulnerability classes.

Do you test REST and GraphQL APIs?

Yes. We test REST, GraphQL, and gRPC APIs. GraphQL requires specialized testing approaches due to its introspection capability, query complexity, and the fact that authorization must be enforced at the resolver level rather than the endpoint level.

How is API testing different from web application testing?

Web application testing focuses on the user interface layer and its underlying logic. API testing focuses specifically on the API endpoints, their authentication and authorization logic, input validation, data exposure, and the machine-to-machine communication layer. While there is overlap, API testing requires different techniques, particularly for authorization testing, and uses different tooling.

What information do you need before testing our APIs?

We need API documentation (Swagger/OpenAPI spec if available), test environment credentials with accounts at different privilege levels, details about the authentication mechanism, and a list of any endpoints that should be excluded from testing. More documentation means more complete coverage.

Can you test APIs that require authentication?

Yes. We test authenticated APIs using test credentials provided by your team. We test the authentication mechanism itself, and we also test what an authenticated user at each privilege level can access or manipulate that they should not be able to.

Is API security testing required for compliance?

PCI DSS requires penetration testing of in-scope systems and applications, which includes the APIs that handle cardholder data. SOC 2 and ISO 27001 do not mandate API testing explicitly but include requirements around software security testing that typically include APIs. Organizations processing sensitive data through APIs should test them regardless of compliance requirements.

How long does API security testing take?

A focused API security test typically takes three to seven days depending on the number of endpoints and complexity. APIs with hundreds of endpoints or complex GraphQL schemas may require more time. We provide a clear timeline after reviewing your API documentation.

What is the most common critical finding in API security testing?

Broken object level authorization (BOLA/IDOR) is consistently the most common critical finding in API security assessments. It occurs when an API endpoint accepts an object identifier in the request and does not verify that the requesting user is authorized to access that specific object, allowing users to access other users' data simply by changing an ID value.
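Both the BOLA section above and this answer describe the same defect, so one added example (not garrisonOne's code) covers both: an order lookup that authenticates the caller but never checks ownership, the fixed handler with the object-level check, and the differential test a pentester runs with two accounts, reading every ID as the victim and replaying it as the attacker. The users, orders, ID range and the admin role are constructed for the example.

```python
# Added example (not garrisonOne code): BOLA, vulnerable vs fixed handler,
# plus the two-account differential probe used to find it.
# User, Order, ORDERS and the role names are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    role: str  # "customer" or "admin"


@dataclass(frozen=True)
class Order:
    id: int
    owner_id: str
    total_cents: int


ORDERS = {  # sequential IDs, which is what makes enumeration trivial
    1001: Order(1001, "alice", 4999),
    1002: Order(1002, "bob", 12000),
    1003: Order(1003, "alice", 250),
}


class NotFound(Exception):
    pass


def get_order_vulnerable(caller: User, order_id: int) -> Order:
    """Requires a logged-in caller but never checks ownership: any
    authenticated user can read any order by guessing its ID."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order(caller: User, order_id: int) -> Order:
    """Object-level check inside the handler: the row must belong to the
    caller unless the caller is an admin. A foreign object is reported as
    NotFound, same as a missing one, so the endpoint does not confirm which
    IDs exist. In a real service this is the WHERE owner_id = ? clause."""
    order = ORDERS.get(order_id)
    if order is None or (order.owner_id != caller.id and caller.role != "admin"):
        raise NotFound(order_id)
    return order


def probe_bola(handler, victim: User, attacker: User, id_range) -> list:
    """Differential test: every object the victim owns and can read that the
    attacker can also read is a horizontal BOLA finding."""
    leaked = []
    for oid in id_range:
        try:
            obj = handler(victim, oid)
        except NotFound:
            continue
        if obj.owner_id != victim.id:   # only count objects that are really the victim's
            continue
        try:
            handler(attacker, oid)
        except NotFound:
            continue
        leaked.append(oid)
    return leaked


if __name__ == "__main__":
    alice, bob = User("alice", "customer"), User("bob", "customer")
    print("vulnerable leaks:", probe_bola(get_order_vulnerable, alice, bob, range(1000, 1010)))
    print("fixed leaks:     ", probe_bola(get_order, alice, bob, range(1000, 1010)))
```

Run with the roles swapped as well, and with a low-privilege account against objects an admin created, to cover the vertical case the BOLA section mentions.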

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a GarrisonOne expert.

Get a Free Consultation

No obligation: just clarity on your next step.
