
Pentest for REST and GraphQL APIs

Full OWASP API Top 10: BOLA, BFLA, mass assignment, insecure JWT, rate limit, GraphQL injection, field-level authorization.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

APIs are the fastest-growing and most-attacked surface. Attackers don't need a UI — they hit the endpoint directly. BOLA, BFLA and mass assignment account for 70% of modern data leaks in Brazil. Scanners can't see ownership. Manual API pentest is the only path to validate granular authorization.

Applicable frameworks

OWASP API Security Top 10 2023 · FAPI 1.0 Advanced · PCI-DSS 4.0 · BACEN Res. 4.893 · ISO 27001:2022

/attack-surface

API Pentest

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01 · BOLA — Broken Object Level Authorization

Object IDOR: swap the ID in the URL and access another user/tenant's data. The most common finding in modern APIs.

02 · BFLA — Broken Function Level Authorization

Access to admin functions without being admin, horizontal escalation across roles.

03 · Mass assignment / property abuse

Setting privileged fields via JSON (is_admin=true, role=owner). Frequent in auto-bind ORMs.

04 · JWT, OAuth2, OIDC

alg=none acceptance, RS256→HS256 key confusion, kid injection, public JWKs, non-expiring refresh tokens, issuer/audience validation.

05 · Rate limit, DoS and open cost

Paid endpoint without rate limit, LLM DoS, OpenAI/Anthropic key drain, catastrophic regex backtracking (ReDoS).

06 · GraphQL specifics

Exposed introspection, nested queries (DoS), batching abuse, field-level authorization, alias overload.

07 · SSRF, CORS, headers

Server-Side Request Forgery in integrations, open CORS with credentials, missing security headers.

08 · API Gateway, WAF and BFF

WAF bypass, request smuggling, routing rules, BFF→backend segregation, mTLS.
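Items 01 and 03 above side by side in code, as an added defender-side example that is not part of the page or of the author's tooling: a hypothetical profile-update handler in its auto-bind form next to one with an ownership check and a field allowlist (all names, fields and records are constructed).

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    tenant: str
    email: str
    role: str = "member"
    is_admin: bool = False


def make_users():
    """Constructed in-memory table standing in for the ORM; not real data."""
    return {
        1: User(1, "acme", "alice@acme.example"),
        2: User(2, "globex", "bob@globex.example"),
    }


def update_user_vulnerable(users, caller, target_id, payload):
    """Loads whatever ID the client sent (BOLA: no ownership check) and
    binds every JSON key onto it (mass assignment)."""
    target = users[target_id]
    for key, value in payload.items():
        setattr(target, key, value)  # is_admin / role land here untouched
    return target


class Forbidden(Exception):
    """Raised where the hardened handler would answer 403/404."""


WRITABLE_BY_OWNER = frozenset({"email"})  # explicit allowlist, not the model


def update_user_hardened(users, caller, target_id, payload):
    target = users.get(target_id)
    # Object-level check: same tenant, and either self or a tenant admin.
    if target is None or target.tenant != caller.tenant:
        raise Forbidden("not found")  # same reply as a missing ID: no oracle
    if target.id != caller.id and not caller.is_admin:
        raise Forbidden("not your object")
    # Property-level check: reject unknown fields instead of silently
    # dropping them, so the attempt shows up in logs.
    extra = set(payload) - WRITABLE_BY_OWNER
    if extra:
        raise Forbidden(f"not writable: {sorted(extra)}")
    for key, value in payload.items():
        setattr(target, key, value)
    return target
```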

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

PIX API, Open Finance FAPI 1.0 Adv., payment gateway, fintech BFF, microservices in service mesh with mTLS.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.


Douglas Lopes

Founder · CEO · intrus.io

/faq

FAQ — API Pentest

Is API pentest the same as web pentest?

No. Web covers UI + frontend + backend. APIs focus on REST/GraphQL endpoints: BOLA, BFLA, mass assignment, JWT, rate limit. Methodology is OWASP API Top 10 (separate from the web Top 10).

Do you need Swagger/Postman?

Strongly recommended. Without docs, 20-30% of time goes to recon. With Swagger/OpenAPI or Postman collections, price drops 15-25%.

Does GraphQL need a different pentest?

Yes. GraphQL has specific attacks: introspection, nested queries (DoS), batching, field authorization. We run InQL, GraphQL Voyager and custom payloads.

Do you cover BFF, API Gateway and WAF?

Yes. BFF, API Gateway (Kong, AWS API Gateway, Apigee) and WAF (Cloudflare, AWS WAF) are in scope if part of the attack surface. Often that's where the bypass lives.

Price range?

Small API (up to 30 endpoints): BRL 6-15k. Medium (30-100): BRL 15-35k. GraphQL with rich schema: BRL 18-45k. Regulated API (FAPI/PIX/Open Finance): BRL 40-100k.

/contact

Get an API pentest quote

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.