CREST-Certified API Penetration Testing for UK Businesses
API penetration testing for REST, GraphQL, gRPC, and SOAP. Manual exploitation of the OWASP API Top 10: BOLA, BFLA, BOPLA, mass assignment, SSRF, broken authentication, and unsafe consumption of upstream APIs. Fixed-price quotes within 24 hours.
- Unlimited retesting
- Unlimited pre-retesting
- No hidden fees
“I would highly recommend EJN Labs to any organisation seeking reliable, detailed, and well-managed penetration testing services, particularly for government or enterprise-level projects.”
“There wasn’t another company we could find that could deliver what we needed in the timeframe we needed. The client loved it, and we got instant ROI from the engagement.”
of all API attacks exploit BOLA
Scanners check syntax. Attackers check authorization.
A REST API security scan can confirm your endpoints respond. It cannot tell you whether /users/123/orders returns User 124’s data when you swap the ID. That’s a human’s job, and it’s the single most common API vulnerability in UK production environments.
Our API penetration testing is delivered with full schema awareness (OpenAPI / Swagger / Postman / GraphQL introspection), authenticated and unauthenticated coverage, and explicit role-hopping across every defined permission tier.
Reports satisfy ISO 27001 Annex A.12.6.1, SOC 2 CC7.1, PCI DSS Req 11.3, and align with NCSC API security guidance, without translation work.
OWASP API TOP 10 (2023)
What We Test in API Penetration Testing
Manual exploitation of every OWASP API Top 10 (2023) category across REST, GraphQL, gRPC and SOAP, with full schema awareness (OpenAPI / Swagger / Postman / GraphQL introspection).
Broken Object Level Authorization (BOLA)
Swap object IDs in URLs / payloads to access resources owned by other users. The single most common API vulnerability, accounts for ~40% of API attacks.
Broken Authentication
JWT signature validation flaws, weak refresh token handling, OAuth flow misconfigurations, password reset abuse, account takeover via token replay.
Broken Object Property Level Authorization (BOPLA)
Mass assignment / mass update: attackers add unexpected fields like is_admin: true in JSON payloads to escalate privilege at the property level.
Unrestricted Resource Consumption
Rate-limit bypass, denial-of-wallet via expensive cloud calls, GraphQL query nesting attacks, batch endpoint abuse, regex / cryptographic DoS patterns.
Broken Function Level Authorization (BFLA)
Hidden admin endpoints reachable from user roles. HTTP verb tampering. Tier-bypass on multi-role APIs. Privilege escalation across function classes.
Unrestricted Access to Sensitive Business Flows
Bot-driven abuse of high-value flows: ticket scalping, sign-up fraud, gift-card brute force, refund abuse, anywhere business logic lacks anti-automation controls.
Server-Side Request Forgery (SSRF)
Force the API server to make internal requests on attacker behalf. Cloud metadata exfiltration (IMDSv1), internal service discovery, partial port scanning via response timing.
Security Misconfiguration
Verbose error messages leaking stack traces, exposed admin / debug endpoints, missing CORS hardening, default credentials on management interfaces.
Improper Inventory Management
Old API versions still online (v1, v2-deprecated), staging endpoints reachable from prod DNS, third-party integration endpoints with weaker controls than primary API.
Unsafe Consumption of APIs
Your API trusts upstream / third-party APIs implicitly. Compromised SaaS dependency injects malicious data downstream: supply chain at the API layer.
METHODOLOGY
API Penetration Testing: From Schema to Attestation
Schema-first scoping. Authenticated and unauthenticated testing across every role tier. Automation handles breadth; humans exploit business logic.
Schema & Scoping
OpenAPI / Swagger / Postman / GraphQL schema review. Authenticated role matrix. Threat model. Fixed-price quote signed off.
Recon & Enumeration
Endpoint discovery, hidden / undocumented routes, version enumeration, deprecated paths. GraphQL introspection. gRPC reflection. JWT structure analysis.
Manual Exploitation
BOLA / BFLA / BOPLA at every role tier. Mass assignment. JWT signature attacks. Rate-limit bypass. SSRF chains. Business-logic abuse.
Report & Retest
CVSS-scored findings, OWASP API ID tagging, executive + technical reports. Free retest within 30 days. Direct engineer access via portal.
CREDENTIALS
Verified Accreditations Auditors Accept
Every credential below is independently verifiable. UK procurement teams, FCA supervisors, ISO 27001 / SOC 2 auditors, and cyber insurance underwriters all recognise these standards.
GET YOUR QUOTE
Get a fixed API pen test quote in 24 hours
A fixed-price quote back in one business day, from a named CREST assessor. No sales pipeline, no chasing.
- CREST and IASME accredited. Testing your auditors and clients already recognise.
- Fast-track testing within 24 hours where required. Free retest of every fix included.
- Live findings via your client portal, not a four-week PDF.
- Fixed price from £3,500 for a single-role, single-app scope, agreed up front. Most engagements run £5,000 and up. No day-rate surprises.
Under NDA Further named references available on a scoping call.
- We reply within one business day with a fixed-price quote from a named CREST assessor.
- You approve the scope and we book a start date, usually within 24 hours.
- Live findings land in your client portal as we test, with a free retest of every fix.
Get your fixed pen test quote in 24 hours
Quote request received
We will reply within one business day with your fixed-price quote from a named CREST assessor.
Your data stays with us. No newsletter signup.
or book a 20-min scoping call first
We reply within one business day. Your data stays with us. No newsletter signup.
COMPLIANCE READY
API Reports Mapped to Every Framework
Findings tagged to the frameworks your auditors, regulators and insurers already use.
OWASP API Top 10 (2023)
Full coverage of all 10 categories with proof-of-exploit, business impact, and remediation guidance.
ISO 27001
Annex A.12.6.1 vulnerability management plus A.14.2 secure development for API services.
SOC 2 Type I & II
CC7.1 vulnerability identification evidence accepted by auditors as production-grade assurance.
PCI DSS
Req 6.5.x and Req 11.3.x application-layer testing for payment APIs and PCI-scoped services.
FCA / PRA Operational Resilience
API resilience evidence for regulated firms: outsourcing risk, Operational Resilience tests.
NHS DSPT & UK GDPR Art 32
Patient-data API testing, healthcare integrations, technical and organisational measures evidence.
PRICING
Transparent API Penetration Testing Pricing
All tiers include the same depth of testing. Price varies by API complexity, number of endpoints, role tiers, and protocol mix (REST / GraphQL / gRPC / SOAP).
Depends on API complexity
Single REST API, < 25 endpoints, 1-2 user roles, OpenAPI spec available. Typically 4-5 day engagement.
Get a fixed quoteDepends on API complexity
REST + GraphQL, multi-version, 25-100 endpoints, 3+ role tiers, OAuth / OIDC flows, third-party integrations. Typically 7-10 day engagement.
Get a fixed quoteDepends on API complexity
Microservice mesh, 100+ endpoints, gRPC + GraphQL + REST, multi-tenant gateway, regulated workloads, schema-less endpoints. Typically 12-15 day engagement.
Get a fixed quoteBY SECTOR
API Penetration Testing for Your Sector
Sector-specialist scoping for UK businesses with sector-specific compliance regimes and threat models.
Fintech & FCA-Regulated
Open Banking APIs, PSD2 SCA flows, payment APIs, FCA SYSC alignment, PCI DSS scoping.
Fintech sector pageSaaS Companies
Multi-tenant API isolation, SSO/SAML/OIDC, webhooks, role-based access, SOC 2 evidence.
SaaS sector pageLaw Firms
Document-management APIs, privileged-data exposure, SRA Cyber Standard alignment.
Law firm sector pageHealthcare
FHIR / HL7 APIs, NHS DSPT, patient-portal back-ends, telehealth integrations.
Healthcare sector pageInsurance
Quote / bind APIs, claims-data exposure, broker-portal integrations, FCA / PRA evidence.
Insurance sector pagePublic Sector
Citizen-facing APIs, GOV.UK integrations, NCSC API guidance, SC-cleared testers available.
Public sector pageWHY EJN LABS
What You Actually Get
Six things that distinguish our API testing from automated scans and one-protocol-only competitors.
End-to-End OWASP API Coverage
Manual exploitation of every OWASP API Top 10 category, schema-aware coverage, role-by-role authorization testing, and free retests until validated.
Schema-First Approach
We ingest your OpenAPI / Swagger / Postman / GraphQL schema before testing starts. No more ‘we missed an endpoint’ six months later.
Authorization at Every Tier
BOLA and BFLA are the #1 and #5 OWASP API risks. We test each role tier against each endpoint, not ‘admin can access admin only’.
Multi-Protocol Coverage
REST, GraphQL, gRPC, SOAP, WebSocket. Most competitors test REST only. We test what you actually built.
UK CREST + IASME + ISO 27001 + ISO 9001
Independently accredited. Verifiable on the CREST marketplace. Reports accepted by FCA, NCSC, NHS, ICO, SOC 2 auditors, and cyber insurers.
Free Retests Until Validated
Re-test every fixed finding at no extra cost until it is confirmed closed. No time limit, no per-retest fee.
FAQ
Frequently Asked
How long does an API penetration test take?
A small REST API engagement (under 25 endpoints, 1-2 roles) typically takes 4-5 working days. Mid-market APIs (REST + GraphQL, 25-100 endpoints, 3+ roles) take 7-10 days. Enterprise microservice meshes with 100+ endpoints take 12-15 days. Test duration is determined during scoping based on endpoint count, role complexity, and protocol mix.
How much does API penetration testing cost in the UK?
Small-API engagements range from £4,000 to £7,000. Mid-market (the most commonly commissioned tier) ranges £7,000 to £12,000. Enterprise microservice or multi-protocol APIs start at £12,000. All quotes are fixed-price after scoping; no day-rate surprises.
Do you test against the OWASP API Top 10?
Yes, every engagement covers all 10 categories of the OWASP API Security Top 10 (2023 edition). Findings are tagged to specific OWASP IDs (API1:2023 BOLA, API2:2023 Broken Authentication, etc.) so your audit team can submit evidence directly. We also reference the OWASP API Security Top 10 changelog from 2019 to 2023 in the executive report.
What is BOLA and why does it matter?
BOLA (Broken Object Level Authorization) is the #1 entry on the OWASP API Top 10 (2023). It accounts for an estimated 40% of all API attacks. BOLA happens when an API endpoint returns data based on an object ID without verifying the requesting user owns that object. Example: GET /users/123/orders returns data when called with an attacker’s auth token. Automated scanners almost never find BOLA; it requires manual role-by-role testing.
Do you test REST, GraphQL, gRPC, and SOAP?
Yes, all four. REST is most common, but modern UK production environments commonly mix REST + GraphQL, with gRPC for internal microservice mesh and SOAP for legacy integrations. Each protocol has unique attack surfaces (GraphQL introspection / nested-query abuse, gRPC reflection, SOAP XXE) and we test for protocol-specific issues alongside the common OWASP API Top 10 categories.
Can you test if we don’t have an OpenAPI / Swagger spec?
Yes. Schema-less testing is supported but takes longer because we have to discover endpoints via traffic capture, brute-force, or proxy interception. We strongly recommend providing OpenAPI / Swagger / Postman exports if available; it makes testing more thorough and saves 1-2 days of recon. For GraphQL, introspection is enabled by default for testing (can be disabled in production).
Do you test authentication flows (OAuth / JWT / OIDC)?
Yes. Authentication is tested at every layer: token issuance, token validation, refresh-token handling, token replay attacks, JWT signature flaws (none algorithm, key confusion, weak secrets), OAuth 2.0 misconfigurations (open redirects, PKCE bypass, scope abuse), and OIDC ID-token validation. Authentication issues are #2 on the OWASP API Top 10.
Can you exploit business logic flaws?
Yes, manual exploitation of business logic is what distinguishes manual penetration testing from automated scanners. We test for OWASP API6:2023 (Unrestricted Access to Sensitive Business Flows): refund abuse, gift-card brute force, sign-up fraud, ticket scalping, racing-condition exploits in payments, and price manipulation. These findings cannot be found by signature-based tools.
Do you test third-party API consumption?
Yes. OWASP API10:2023 (Unsafe Consumption of APIs) covers risks where your API trusts upstream / third-party data without validation. We test how your API handles malicious or unexpected responses from external services, important for SaaS aggregators, fintech open-banking consumers, and any API that trusts third-party feeds.
What about rate limiting and DoS testing?
Yes. OWASP API4:2023 (Unrestricted Resource Consumption) tests for rate-limit bypass, GraphQL nested-query DoS, batch-endpoint abuse, regex DoS (ReDoS), denial-of-wallet via expensive cloud calls, and cryptographic DoS patterns. Limited-impact testing only; we never run full DoS attacks against production without explicit authorization.
Are your testers UK-based and what certifications do they hold?
All API testers are vetted UK or international engineers matched to your engagement. Relevant certifications across the team include CREST CRT and CCT App, OSCP, OSWE (Offensive Security Web Expert), and protocol-specific specialisms. SC-cleared testers are available for public-sector and regulated-financial engagements.
Do you sign NDAs?
Yes. Standard NDA before any technical detail is shared, and we operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.
20+ CREST-certified testing services in one place
Web, mobile, API, cloud, AI, infrastructure, red team. Pick the test that fits your environment.
Get a fixed API pen test quote in 24 hours
A CREST-certified API tester will contact you within one business day with a fixed price, a realistic timeline, and the named consultant. No sales pipeline.



