API Penetration Testing: OWASP API Security Top 10 (2023), Proven

APIs are where modern applications actually live — and where modern breaches actually happen. A single-page app or mobile client is just a thin shell over REST and GraphQL endpoints that hold all the logic and all the data. API penetration testing assesses those endpoints directly against the OWASP API Security Top 10 (2023), with broken object-level authorization (BOLA) and broken authentication as the dominant risks. Matproof Sentinel tests your APIs the way an attacker does, confirms each finding with proof-of-exploit, and returns an audit-ready report mapped to ISO 27001, SOC 2, NIS2 and DORA. Free 3-minute scan, full report from €149.

Written by Malte Wagenbach
Founder of Matproof Security. Specialized in AI-driven penetration testing and EU compliance (DORA, NIS2, ISO 27001, SOC 2).
Last reviewed: May 17, 2026

Why API security is its own discipline — and why scanners miss it

Testing the front end of an application is no longer the same as testing the application. The browser or mobile app is a convenience layer; the real attack surface is the API behind it, and APIs fail in ways that are specific to APIs. The OWASP API Security Top 10 exists precisely because the web-application Top 10 does not capture how APIs break. The number-one API risk — Broken Object Level Authorization (BOLA, API1:2023) — is an authorization flaw that lets one user read or modify another user's objects by changing an ID, and it is the single most common cause of large-scale API data breaches. Automated scanners are almost useless against it because every malicious request receives a perfectly valid, authenticated 200 response; only a test that understands which user should be allowed to access which object can find it. Add GraphQL's introspection and query-depth issues, broken function-level authorization, mass-assignment, and unrestricted resource consumption, and API testing becomes a discipline of its own. With enterprise buyers and ISO 27001/SOC 2 auditors increasingly asking specifically about API security, an API pentest is no longer optional for any product that exposes endpoints.

  • Broken Object Level Authorization (API1:2023, BOLA/IDOR) is the dominant API breach cause — and is invisible to scanners because exploit requests are valid, authenticated calls; only authorization-aware testing finds it.
  • Broken authentication (API2:2023): weak JWT validation (CWE-347), missing token expiry, credential stuffing reachability and refresh-token abuse are routine in APIs that were 'secured' only at the gateway.
  • Broken object property level authorization (API3:2023): excessive data exposure (the API returns more fields than the client shows) and mass-assignment (the API accepts fields the client should not set, e.g. isAdmin=true).
  • GraphQL-specific risks: introspection left enabled in production, unbounded nested queries enabling denial-of-service, and authorization checks missing on individual resolvers.
  • Unrestricted resource consumption (API4:2023): missing rate limiting and pagination caps that allow scraping, brute force and cost-amplification attacks.
  • Auditors and enterprise buyers now ask specifically for API security evidence — testing only the rendered front end leaves the actual data layer untested and the question unanswered.

What Matproof tests in an API penetration test

  • Broken Object Level Authorization (API1:2023, BOLA): can user A read/modify user B's objects by manipulating identifiers — tested across every object-referencing endpoint
  • Broken Authentication (API2:2023): JWT signature and algorithm validation (CWE-347), token expiry and revocation, refresh-token abuse, credential-stuffing exposure
  • Broken Object Property Level Authorization (API3:2023): excessive data exposure in responses, mass-assignment of restricted properties (CWE-915)
  • Broken Function Level Authorization (API5:2023): can a standard user call admin-only endpoints by guessing or altering routes/methods
  • Unrestricted Resource Consumption (API4:2023): rate-limit and pagination enforcement, query-cost limits, brute-force resistance
  • Server-Side Request Forgery (API7:2023, CWE-918) reachable via API parameters; injection (SQL/NoSQL/command) at the API layer
  • GraphQL specifics: introspection exposure, query depth/complexity limits, per-resolver authorization, batching abuse
  • Security misconfiguration (API8:2023): verbose errors, permissive CORS, missing security headers on API responses, unguarded debug endpoints
  • Improper inventory management (API9:2023): undocumented, deprecated and shadow API versions still reachable in production
  • Findings risk-rated with CVSS 3.1 and mapped to MITRE ATT&CK and to ISO 27001 / SOC 2 / NIS2 / DORA controls for audit-ready evidence
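The JWT validation checks listed above (API2:2023, CWE-347) in working form, as an added example that is not Matproof's or Sentinel's code: a standard-library HS256 verifier that pins the algorithm instead of trusting the token's own "alg" header, compares the signature in constant time, and treats a missing "exp" as a rejection. The secret and claims are constructed sample values.

```python
# Added example (not Matproof's code): strict HS256 JWT verification with
# only the standard library. The signing key and claims are constructed
# demo values; a real service would load the key from a secret store.
import base64, hmac, hashlib, json, time

SECRET = b"constructed-demo-secret"  # hypothetical signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Mint a token. 'alg' is a parameter only so tests can craft bad headers."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes = SECRET, now=None):
    """Return the claims if the token is valid, else None. The rejection
    reason is deliberately not returned to the caller."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    # Pin the algorithm: "none" and any algorithm-confusion header are rejected
    # before the signature is even looked at (CWE-347).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    # Expiry is mandatory: a token without a numeric "exp" is rejected.
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims
```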

Sample finding

Critical

BOLA in the orders API let any user read every customer's order

Sentinel found that GET /api/v2/orders/{orderId} returned the full order — customer name, shipping address, items and payment-method last-four — whenever the caller presented any valid access token, without checking whether the token's owner actually placed that order. By iterating orderId values, an authenticated low-privilege account enumerated the entire order history of every customer. This is OWASP API1:2023 Broken Object Level Authorization, the most common and most damaging API vulnerability, and it produces only valid 200 responses — so an automated scanner reports nothing.

Fix: Implement object-level authorization at the data-access layer: every API handler that loads an object by ID must verify the authenticated principal owns or is explicitly entitled to that object, and return 404 (not 403) for unauthorized references to avoid confirming their existence. Add automated contract tests asserting cross-account access is denied for every object-referencing endpoint, and run them in CI. Sentinel re-tests the endpoint family after remediation and records verification in the audit-ready report.

Reference: OWASP API1:2023 Broken Object Level Authorization · CWE-639 Authorization Bypass Through User-Controlled Key · ISO 27001:2022 A.8.3 Information Access Restriction · MITRE ATT&CK T1530 Data from Cloud Storage
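The finding and its fix side by side, as an added example that is not Matproof's or Sentinel's code: a minimal in-memory order lookup with the BOLA-affected handler, the handler fixed as the remediation prescribes (ownership checked at the data-access layer, 404 for unauthorized references), and the cross-account contract test that belongs in CI. The data model and principal names are hypothetical.

```python
# Added example (not Matproof's code). Hypothetical model: orders keyed by id
# with an owner_id; the principal is the user id the access token was issued to.
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: str
    summary: str

# Constructed sample data standing in for the orders table.
ORDERS = {
    1001: Order(1001, "alice", "2x widget, shipped"),
    1002: Order(1002, "bob", "1x gadget, pending"),
}

def get_order_vulnerable(principal: str, order_id: int):
    """Before: any valid token reads any order (API1:2023 BOLA). The token
    proves who the caller is but the handler never asks whether that caller
    may see this object."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order.summary

def get_order_fixed(principal: str, order_id: int):
    """After: ownership is checked where the object is loaded. An order the
    caller does not own yields 404, indistinguishable from a missing order,
    so the response does not confirm that the id exists."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != principal:
        return 404, None
    return 200, order.summary

def cross_account_access_denied(handler, principals=("alice", "bob")) -> bool:
    """CI contract test: every principal gets 200 only for orders it owns
    and 404 for everything else. Returns True when the handler passes."""
    for order in ORDERS.values():
        for who in principals:
            status, _ = handler(who, order.order_id)
            expected = 200 if who == order.owner_id else 404
            if status != expected:
                return False
    return True

if __name__ == "__main__":
    print("vulnerable handler passes:", cross_account_access_denied(get_order_vulnerable))
    print("fixed handler passes:", cross_account_access_denied(get_order_fixed))
```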

API pentest: free scan vs Matproof Sentinel vs traditional consultancy

Feature                                  | Free scan           | Matproof Sentinel   | Traditional consultancy
Automated scan engine                    | ✓ (3-min preview)   | ✓ Full scan         | ✗ Manual only
OWASP Top 10 coverage                    | Partial             | ✓ Complete          | ✓ Complete
Proof-of-exploit evidence                |                     | ✓ Per finding       | ✓ Per finding
Regulatory mapping (DORA/NIS2/ISO 27001) |                     | ✓ Automated         | ✓ Manual
Audit-ready PDF report                   |                     | ✓ Instant           | ✓ 2–4 weeks delivery
Continuous / recurring scans             |                     | ✓ Per deploy        | ✗ Annual engagement
Time to first result                     | ~3 min              | ~30 min full scan   | 2–4 weeks
Price                                    | €0                  | From €149           | €8,000–€25,000
Source code review (SAST)                |                     | ✓ On Growth plan    | ✓ Scoped engagement
API testing (REST/GraphQL)               |                     | ✓ Automated         | ✓ Manual

API penetration testing pricing

Single Run
€149 one-time
  • 1 full pentest scan
  • AI-prioritized findings with CVSS 3.1
  • Proof-of-exploit per finding
  • Audit-ready PDF report
  • Regulatory mapping (DORA, NIS2, ISO 27001)
Starter (Recommended)
€299 / month
  • Unlimited scans (up to 3 domains)
  • Continuous monitoring
  • CI/CD integration (GitHub, GitLab)
  • All regulatory mappings
  • Priority support
Growth
€799 / month
  • Unlimited scans + domains
  • Authenticated / White-Box testing
  • API & cloud infrastructure tests
  • Dedicated security account manager
  • 24h SLA response time

Frequently asked questions about API penetration testing

What is API penetration testing?

API penetration testing is the assessment of REST and GraphQL endpoints directly — rather than only the web or mobile front end — against API-specific attack classes, primarily the OWASP API Security Top 10 (2023). Because APIs hold the real logic and data, testing them directly catches authorization and business-logic flaws that front-end testing alone misses.

Why isn't web application testing enough to cover the API?

The front end only exercises the API paths the UI happens to use, in the order the UI uses them. An attacker calls the API directly, in any order, with any values, including endpoints and parameters the UI never touches. The most damaging API flaws — BOLA, mass-assignment, broken function-level authorization — are reached by calling the API outside the UI's intended flow, which is exactly what dedicated API testing does.

Do you test GraphQL as well as REST?

Yes. GraphQL has its own failure modes — production introspection exposure, unbounded nested queries that cause denial-of-service, authorization checks missing on individual resolvers, and batching abuse — and Sentinel tests for all of them in addition to the standard OWASP API Top 10 categories that apply to both REST and GraphQL.
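Two of the GraphQL failure modes above (production introspection exposure and unbounded nested queries) as a pre-execution gate, added here as an example that is not Matproof's or Sentinel's code. It counts selection-set nesting from the query text after stripping string literals and comments rather than using a full GraphQL parser; the depth limit is a hypothetical value.

```python
# Added example (not Matproof's code): reject introspection in production and
# cap selection-set depth before a GraphQL query reaches the executor.
import re

MAX_DEPTH = 5  # hypothetical limit; tune per schema
INTROSPECTION = re.compile(r"\b__(schema|type)\b")  # __typename stays allowed

def _strip_strings_and_comments(query: str) -> str:
    """Blank out block strings, quoted strings and # comments so braces
    inside them are not mistaken for selection sets."""
    query = re.sub(r'"""(?:.|\n)*?"""', '""', query)
    query = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', query)
    return re.sub(r"#[^\n]*", "", query)

def selection_depth(query: str) -> int:
    """Maximum nesting of selection sets ({ ... }) in the query."""
    depth = max_depth = 0
    for ch in _strip_strings_and_comments(query):
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
    return max_depth

def gate(query: str, production: bool = True, max_depth: int = MAX_DEPTH):
    """Return (allowed, reason). Call before executing the query."""
    cleaned = _strip_strings_and_comments(query)
    if production and INTROSPECTION.search(cleaned):
        return False, "introspection is disabled in production"
    depth = selection_depth(query)
    if depth > max_depth:
        return False, f"query depth {depth} exceeds limit {max_depth}"
    return True, "ok"

# Constructed sample queries.
SIMPLE = 'query { order(id: "{not-a-brace}") { id total } }'
NESTED = "query { user { friends { friends { friends { friends { name } } } } } }"
INTRO = "{ __schema { types { name } } }"
```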

How much does API penetration testing cost?

Standalone consultancy API pentests typically fall in a similar band to web application engagements — roughly £4,000–£12,000 depending on the number of endpoints and complexity — delivered over 2–4 weeks. Matproof Sentinel tests your APIs as part of an audit-ready report from €149 (single run) or €299/month continuous, with API testing included on every plan.

Will the API pentest report satisfy my auditor?

Yes. The report maps API findings to ISO 27001:2022 A.8.3 (Information Access Restriction), A.8.8 (Technical Vulnerability Management) and A.8.26 (Application Security Requirements), to SOC 2 CC6/CC7 criteria, and to NIS2 Art. 21 and DORA Art. 24 — with proof-of-exploit and re-test evidence per finding — so it stands as compliance evidence, not just a technical document.


Test your APIs against the OWASP API Top 10

Run a free 3-minute scan now, or get a full API penetration test report — BOLA, broken auth, GraphQL and more, proof-of-exploit per finding, mapped to your compliance controls — from €149.