API Penetration Testing

CREST-Certified API Penetration Testing for UK Businesses

API penetration testing for REST, GraphQL, gRPC, and SOAP. Manual exploitation of the OWASP API Top 10: BOLA, BFLA, BOPLA, mass assignment, SSRF, broken authentication, and unsafe consumption of upstream APIs. Fixed-price quotes within 24 hours.

  • Unlimited retesting
  • Unlimited pre-retesting
  • No hidden fees
Accredited & recognised
Cyber Essentials certified Cyber Essentials Plus certified IASME certifying body ISO 27001 certified ISO 9001 certified Crown Commercial Service supplier UK Cyber Security Council member
CREST
Approved provider
10
OWASP API Top 10 covered
Free
Retests included
24h
Scope to active testing
CLIENT REFERENCE
“I would highly recommend EJN Labs to any organisation seeking reliable, detailed, and well-managed penetration testing services, particularly for government or enterprise-level projects.”
SquareOneImran SaghirProject Lead, SquareOne
CLIENT REFERENCE
“There wasn’t another company we could find that could deliver what we needed in the timeframe we needed. The client loved it, and we got instant ROI from the engagement.”
CelloriDan WilcocksonCo-Founder, Cellori
WHY IT MATTERS
40%

of all API attacks exploit BOLA

Scanners check syntax. Attackers check authorization.

A REST API security scan can confirm your endpoints respond. It cannot tell you whether /users/123/orders returns User 124’s data when you swap the ID. That’s a human’s job, and it’s the single most common API vulnerability in UK production environments.

Our API penetration testing is delivered with full schema awareness (OpenAPI / Swagger / Postman / GraphQL introspection), authenticated and unauthenticated coverage, and explicit role-hopping across every defined permission tier.

Reports satisfy ISO 27001 Annex A.12.6.1, SOC 2 CC7.1, PCI DSS Req 11.3, and align with NCSC API security guidance, without translation work.

OWASP API TOP 10 (2023)

What We Test in API Penetration Testing

Manual exploitation of every OWASP API Top 10 (2023) category across REST, GraphQL, gRPC and SOAP, with full schema awareness (OpenAPI / Swagger / Postman / GraphQL introspection).

API1

Broken Object Level Authorization (BOLA)

Swap object IDs in URLs / payloads to access resources owned by other users. The single most common API vulnerability, accounts for ~40% of API attacks.

API2

Broken Authentication

JWT signature validation flaws, weak refresh token handling, OAuth flow misconfigurations, password reset abuse, account takeover via token replay.

API3

Broken Object Property Level Authorization (BOPLA)

Mass assignment / mass update: attackers add unexpected fields like is_admin: true in JSON payloads to escalate privilege at the property level.

API4

Unrestricted Resource Consumption

Rate-limit bypass, denial-of-wallet via expensive cloud calls, GraphQL query nesting attacks, batch endpoint abuse, regex / cryptographic DoS patterns.

API5

Broken Function Level Authorization (BFLA)

Hidden admin endpoints reachable from user roles. HTTP verb tampering. Tier-bypass on multi-role APIs. Privilege escalation across function classes.

API6

Unrestricted Access to Sensitive Business Flows

Bot-driven abuse of high-value flows: ticket scalping, sign-up fraud, gift-card brute force, refund abuse, anywhere business logic lacks anti-automation controls.

API7

Server-Side Request Forgery (SSRF)

Force the API server to make internal requests on attacker behalf. Cloud metadata exfiltration (IMDSv1), internal service discovery, partial port scanning via response timing.

API8

Security Misconfiguration

Verbose error messages leaking stack traces, exposed admin / debug endpoints, missing CORS hardening, default credentials on management interfaces.

API9

Improper Inventory Management

Old API versions still online (v1, v2-deprecated), staging endpoints reachable from prod DNS, third-party integration endpoints with weaker controls than primary API.

API10

Unsafe Consumption of APIs

Your API trusts upstream / third-party APIs implicitly. Compromised SaaS dependency injects malicious data downstream: supply chain at the API layer.

METHODOLOGY

API Penetration Testing: From Schema to Attestation

Schema-first scoping. Authenticated and unauthenticated testing across every role tier. Automation handles breadth; humans exploit business logic.

01

Schema & Scoping

OpenAPI / Swagger / Postman / GraphQL schema review. Authenticated role matrix. Threat model. Fixed-price quote signed off.

02

Recon & Enumeration

Endpoint discovery, hidden / undocumented routes, version enumeration, deprecated paths. GraphQL introspection. gRPC reflection. JWT structure analysis.

03

Manual Exploitation

BOLA / BFLA / BOPLA at every role tier. Mass assignment. JWT signature attacks. Rate-limit bypass. SSRF chains. Business-logic abuse.

04

Report & Retest

CVSS-scored findings, OWASP API ID tagging, executive + technical reports. Free retest within 30 days. Direct engineer access via portal.

CREDENTIALS

Verified Accreditations Auditors Accept

Every credential below is independently verifiable. UK procurement teams, FCA supervisors, ISO 27001 / SOC 2 auditors, and cyber insurance underwriters all recognise these standards.

GET YOUR QUOTE

Get a fixed API pen test quote in 24 hours

A fixed-price quote back in one business day, from a named CREST assessor. No sales pipeline, no chasing.

  • CREST and IASME accredited. Testing your auditors and clients already recognise.
  • Fast-track testing within 24 hours where required. Free retest of every fix included.
  • Live findings via your client portal, not a four-week PDF.
  • Fixed price from £3,500 for a single-role, single-app scope, agreed up front. Most engagements run £5,000 and up. No day-rate surprises.
What clients say
There wasn’t another company we could find that could deliver what we needed in the timeframe we needed. The client loved it, and we got instant ROI from the engagement.
CelloriDan WilcocksonCo-Founder, Cellori

Under NDA Further named references available on a scoping call.

What happens next
  1. We reply within one business day with a fixed-price quote from a named CREST assessor.
  2. You approve the scope and we book a start date, usually within 24 hours.
  3. Live findings land in your client portal as we test, with a free retest of every fix.
Accredited & recognised
CREST member Cyber Essentials certified Cyber Essentials Plus certified IASME certifying body ISO 27001 certified ISO 9001 certified UK Cyber Security Council Crown Commercial Service supplier

Get your fixed pen test quote in 24 hours

24h reply CREST tester Free retests

or book a 20-min scoping call first

We reply within one business day. Your data stays with us. No newsletter signup.

COMPLIANCE READY

API Reports Mapped to Every Framework

Findings tagged to the frameworks your auditors, regulators and insurers already use.

OWASP API Top 10 (2023)

Full coverage of all 10 categories with proof-of-exploit, business impact, and remediation guidance.

ISO 27001

Annex A.12.6.1 vulnerability management plus A.14.2 secure development for API services.

SOC 2 Type I & II

CC7.1 vulnerability identification evidence accepted by auditors as production-grade assurance.

PCI DSS

Req 6.5.x and Req 11.3.x application-layer testing for payment APIs and PCI-scoped services.

FCA / PRA Operational Resilience

API resilience evidence for regulated firms: outsourcing risk, Operational Resilience tests.

NHS DSPT & UK GDPR Art 32

Patient-data API testing, healthcare integrations, technical and organisational measures evidence.

PRICING

Transparent API Penetration Testing Pricing

All tiers include the same depth of testing. Price varies by API complexity, number of endpoints, role tiers, and protocol mix (REST / GraphQL / gRPC / SOAP).

✦ ALWAYS · ON EVERY TIER · NO EXCEPTIONS ✦
Free retests, no time limit
Free rescheduling
No cancellation fees
24-hour scope to active testing
Live findings to client portal
Executive + technical report
60-min walkthrough call
Letter of attestation
SMALL / SMB
£4,000–£7,000
Depends on API complexity

Single REST API, < 25 endpoints, 1-2 user roles, OpenAPI spec available. Typically 4-5 day engagement.

Get a fixed quote
ENTERPRISE
£12,000+
Depends on API complexity

Microservice mesh, 100+ endpoints, gRPC + GraphQL + REST, multi-tenant gateway, regulated workloads, schema-less endpoints. Typically 12-15 day engagement.

Get a fixed quote

Full UK pen test cost guide

WHY EJN LABS

What You Actually Get

Six things that distinguish our API testing from automated scans and one-protocol-only competitors.

End-to-End OWASP API Coverage

Manual exploitation of every OWASP API Top 10 category, schema-aware coverage, role-by-role authorization testing, and free retests until validated.

Schema-First Approach

We ingest your OpenAPI / Swagger / Postman / GraphQL schema before testing starts. No more ‘we missed an endpoint’ six months later.

Authorization at Every Tier

BOLA and BFLA are the #1 and #5 OWASP API risks. We test each role tier against each endpoint, not ‘admin can access admin only’.

Multi-Protocol Coverage

REST, GraphQL, gRPC, SOAP, WebSocket. Most competitors test REST only. We test what you actually built.

UK CREST + IASME + ISO 27001 + ISO 9001

Independently accredited. Verifiable on the CREST marketplace. Reports accepted by FCA, NCSC, NHS, ICO, SOC 2 auditors, and cyber insurers.

Free Retests Until Validated

Re-test every fixed finding at no extra cost until it is confirmed closed. No time limit, no per-retest fee.

FAQ

Frequently Asked

How long does an API penetration test take?

A small REST API engagement (under 25 endpoints, 1-2 roles) typically takes 4-5 working days. Mid-market APIs (REST + GraphQL, 25-100 endpoints, 3+ roles) take 7-10 days. Enterprise microservice meshes with 100+ endpoints take 12-15 days. Test duration is determined during scoping based on endpoint count, role complexity, and protocol mix.

How much does API penetration testing cost in the UK?

Small-API engagements range from £4,000 to £7,000. Mid-market (the most commonly commissioned tier) ranges £7,000 to £12,000. Enterprise microservice or multi-protocol APIs start at £12,000. All quotes are fixed-price after scoping; no day-rate surprises.

Do you test against the OWASP API Top 10?

Yes, every engagement covers all 10 categories of the OWASP API Security Top 10 (2023 edition). Findings are tagged to specific OWASP IDs (API1:2023 BOLA, API2:2023 Broken Authentication, etc.) so your audit team can submit evidence directly. We also reference the OWASP API Security Top 10 changelog from 2019 to 2023 in the executive report.

What is BOLA and why does it matter?

BOLA (Broken Object Level Authorization) is the #1 entry on the OWASP API Top 10 (2023). It accounts for an estimated 40% of all API attacks. BOLA happens when an API endpoint returns data based on an object ID without verifying the requesting user owns that object. Example: GET /users/123/orders returns data when called with an attacker’s auth token. Automated scanners almost never find BOLA; it requires manual role-by-role testing.

Do you test REST, GraphQL, gRPC, and SOAP?

Yes, all four. REST is most common, but modern UK production environments commonly mix REST + GraphQL, with gRPC for internal microservice mesh and SOAP for legacy integrations. Each protocol has unique attack surfaces (GraphQL introspection / nested-query abuse, gRPC reflection, SOAP XXE) and we test for protocol-specific issues alongside the common OWASP API Top 10 categories.

Can you test if we don’t have an OpenAPI / Swagger spec?

Yes. Schema-less testing is supported but takes longer because we have to discover endpoints via traffic capture, brute-force, or proxy interception. We strongly recommend providing OpenAPI / Swagger / Postman exports if available; it makes testing more thorough and saves 1-2 days of recon. For GraphQL, introspection is enabled by default for testing (can be disabled in production).

Do you test authentication flows (OAuth / JWT / OIDC)?

Yes. Authentication is tested at every layer: token issuance, token validation, refresh-token handling, token replay attacks, JWT signature flaws (none algorithm, key confusion, weak secrets), OAuth 2.0 misconfigurations (open redirects, PKCE bypass, scope abuse), and OIDC ID-token validation. Authentication issues are #2 on the OWASP API Top 10.

Can you exploit business logic flaws?

Yes, manual exploitation of business logic is what distinguishes manual penetration testing from automated scanners. We test for OWASP API6:2023 (Unrestricted Access to Sensitive Business Flows): refund abuse, gift-card brute force, sign-up fraud, ticket scalping, racing-condition exploits in payments, and price manipulation. These findings cannot be found by signature-based tools.

Do you test third-party API consumption?

Yes. OWASP API10:2023 (Unsafe Consumption of APIs) covers risks where your API trusts upstream / third-party data without validation. We test how your API handles malicious or unexpected responses from external services, important for SaaS aggregators, fintech open-banking consumers, and any API that trusts third-party feeds.

What about rate limiting and DoS testing?

Yes. OWASP API4:2023 (Unrestricted Resource Consumption) tests for rate-limit bypass, GraphQL nested-query DoS, batch-endpoint abuse, regex DoS (ReDoS), denial-of-wallet via expensive cloud calls, and cryptographic DoS patterns. Limited-impact testing only; we never run full DoS attacks against production without explicit authorization.

Are your testers UK-based and what certifications do they hold?

All API testers are vetted UK or international engineers matched to your engagement. Relevant certifications across the team include CREST CRT and CCT App, OSCP, OSWE (Offensive Security Web Expert), and protocol-specific specialisms. SC-cleared testers are available for public-sector and regulated-financial engagements.

Do you sign NDAs?

Yes. Standard NDA before any technical detail is shared, and we operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.

EXPLORE EVERY SERVICE

20+ CREST-certified testing services in one place

Web, mobile, API, cloud, AI, infrastructure, red team. Pick the test that fits your environment.

Penetration testing services
READY TO START

Get a fixed API pen test quote in 24 hours

A CREST-certified API tester will contact you within one business day with a fixed price, a realistic timeline, and the named consultant. No sales pipeline.