I perform API-specific penetration tests covering attack surfaces that standard web application testing misses: Broken Object Level Authorization (BOLA/IDOR), mass assignment, excessive data exposure, missing rate limiting, and GraphQL-specific vulnerabilities.
Testing follows the OWASP API Security Top 10. For REST APIs I test: authentication (JWT weaknesses, token entropy, missing expiry); authorization (BOLA across every endpoint that takes an object identifier, and function-level access control between privilege levels); input validation and injection; mass assignment on POST/PUT/PATCH endpoints that bind request bodies to server-side models; rate limiting and resource exhaustion; and information disclosure through error messages.
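The BOLA check above is a two-principal differential test: every request that returns an object the victim owns is replayed with a second user's token and with no token at all, and any 200 is a finding. The following is an added example of that harness, not the author's own tooling. The in-memory backend, the users alice and bob, the tokens and the /orders/{id} route are constructed stand-ins so it runs offline; against a live target the send callable would wrap an HTTP client carrying the given bearer token.

```python
"""Two-principal differential check for Broken Object Level Authorization.

Added example, not the author's tooling. The in-memory backend below is a
constructed stand-in so the check runs offline; against a real target the
`send` callable would wrap an HTTP client carrying the given bearer token.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: two users, each owning one order.
ORDERS = {
    101: {"id": 101, "owner": "alice", "total": 42.0},
    202: {"id": 202, "owner": "bob", "total": 9.5},
}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

Send = Callable[[str, str, Optional[str]], tuple]


def make_app(enforce_ownership: bool) -> Send:
    """Build send(method, path, token) -> (status, body).

    enforce_ownership=False models the BOLA bug: the handler checks that the
    caller is authenticated but never that the order belongs to them.
    """
    def send(method, path, token):
        user = TOKENS.get(token)
        if user is None:
            return 401, {"error": "unauthenticated"}
        if method == "GET" and path.startswith("/orders/"):
            try:
                order_id = int(path.rsplit("/", 1)[1])
            except ValueError:
                return 400, {"error": "bad id"}
            order = ORDERS.get(order_id)
            if order is None or (enforce_ownership and order["owner"] != user):
                return 404, {"error": "not found"}  # same answer either way: no existence leak
            return 200, order
        return 404, {"error": "no route"}
    return send


@dataclass
class Finding:
    method: str
    path: str
    principal: str       # "attacker" (other authenticated user) or "anonymous"
    status: int
    identical_body: bool  # attacker got exactly the victim's data, not a redacted view


def find_bola(send: Send, victim_token: str, attacker_token: str, victim_requests):
    """Replay requests for objects the victim owns with the attacker's token and
    with no token. Any 200 is a finding; the baseline request must succeed as
    the victim first, otherwise the request list (not the authz) is wrong."""
    findings = []
    for method, path in victim_requests:
        v_status, v_body = send(method, path, victim_token)
        if v_status != 200:
            continue
        for principal, token in (("attacker", attacker_token), ("anonymous", None)):
            a_status, a_body = send(method, path, token)
            if a_status == 200:
                findings.append(Finding(method, path, principal, a_status, a_body == v_body))
    return findings


if __name__ == "__main__":
    # Objects enumerated from alice's own session; bob plays the attacker.
    victim_owned = [("GET", "/orders/101")]
    for label, app in (("vulnerable", make_app(False)), ("fixed", make_app(True))):
        print(label, find_bola(app, "tok-alice", "tok-bob", victim_owned))
```

The request list is built from the victim's own session (IDs seen in list endpoints, links, and responses), never by guessing, so a finding always means a real cross-tenant read. The fixed backend answers 404 for both "missing" and "not yours", which is the response shape to recommend in remediation: a 403 confirms the identifier exists.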
For GraphQL I test: introspection exposure; query depth and complexity attacks; alias and array batching as a rate limit bypass (many operations in one HTTP request, which a per-request limiter counts once); field-level authorization gaps (different fields on the same type can have different auth requirements, and resolvers often check only the root); and mutations lacking proper authorization.
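The depth and batching tests above reduce to a few measurable properties of the request body: the nesting depth of the selection set, the number of aliased fields, and the number of operations in a JSON-array batch. Below is an added example, not the author's tooling, that generates the probe queries a tester sends and implements the server-side limits a fix should enforce. It uses a brace/paren scanner instead of a full GraphQL parser, which is sufficient for these three checks; the limits in check_body (depth 6, 10 aliases, 5 operations) and the login mutation name are assumptions for illustration, not values from the page.

```python
"""GraphQL depth, alias-batching and array-batching analysis.

Added example, not the author's tooling. Uses a brace/paren scanner rather
than a full GraphQL parser; limits in check_body() are assumed policy values.
"""
import json
import re


def _strip_strings_and_args(query: str) -> str:
    """Drop string literals and parenthesised argument lists so that the
    remaining `name: name` pairs are aliases and braces are selection sets."""
    out, paren_depth, in_str, i = [], 0, False, 0
    while i < len(query):
        c = query[i]
        if in_str:
            if c == "\\":
                i += 2          # skip escaped char inside a string
                continue
            if c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            paren_depth += 1
        elif c == ")":
            paren_depth -= 1
        elif paren_depth == 0:
            out.append(c)
        i += 1
    return "".join(out)


def max_depth(query: str) -> int:
    """Deepest selection-set nesting; `{ user { id } }` is 2."""
    depth = best = 0
    for c in _strip_strings_and_args(query):
        if c == "{":
            depth += 1
            best = max(best, depth)
        elif c == "}":
            depth -= 1
    return best


_ALIAS = re.compile(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*")


def alias_count(query: str) -> int:
    """Aliased fields (`a1: login(...)`): the primitive behind packing many
    otherwise rate-limited operations into a single request."""
    return len(_ALIAS.findall(_strip_strings_and_args(query)))


def deep_query(levels: int) -> str:
    """Probe for a missing depth limit via a self-referential relation
    (assumed schema: me -> posts -> author -> posts ...). Depth is 2 + 2*levels."""
    inner = "id"
    for _ in range(levels):
        inner = "posts { author { %s } }" % inner
    return "{ me { %s } }" % inner


def alias_batch(n: int) -> str:
    """n login attempts in one request (assumed `login` mutation); bypasses a
    limiter that counts HTTP requests instead of resolver invocations."""
    fields = " ".join(
        'a%d: login(username: "admin", password: "pw%d") { token }' % (i, i)
        for i in range(n))
    return "mutation { %s }" % fields


def body_for(*queries: str) -> str:
    """JSON body as a client would send it: one object, or an array batch."""
    ops = [{"query": q} for q in queries]
    return json.dumps(ops if len(ops) > 1 else ops[0])


def check_body(body: str, max_query_depth=6, max_aliases=10, max_operations=5):
    """Server-side policy a tester verifies; returns the violations found."""
    data = json.loads(body)
    ops = data if isinstance(data, list) else [data]
    problems = []
    if len(ops) > max_operations:
        problems.append("operations %d > %d" % (len(ops), max_operations))
    for op in ops:
        q = op.get("query", "")
        d, a = max_depth(q), alias_count(q)
        if d > max_query_depth:
            problems.append("depth %d > %d" % (d, max_query_depth))
        if a > max_aliases:
            problems.append("aliases %d > %d" % (a, max_aliases))
    return problems


if __name__ == "__main__":
    for probe in (body_for(deep_query(5)), body_for(alias_batch(20)),
                  body_for(*["{ me { id } }"] * 8)):
        print(check_body(probe) or "accepted")
```

During a test, send deep_query and alias_batch with increasing sizes and record the point at which the server starts rejecting (or never does); a limiter that passes deep_query(20) but rejects the same work split across 20 requests is the classic finding. Note that aliases and array batching are counted separately because a per-operation limit alone still allows one operation holding hundreds of aliased mutations.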
Deliverables: full API pentest report, Postman collection of all tested requests and attack payloads, CVSS-rated findings, and remediation guidance. Requires API documentation (OpenAPI/Swagger or Postman collection), test credentials for at least two accounts at different privilege levels (needed for the BOLA and function-level authorization tests), and written authorization. A staging environment is strongly preferred, since rate limiting and resource exhaustion tests are disruptive against production.