API Security

Secure the interfaces that power your applications.

APIs are the backbone of modern applications, connecting services, mobile apps, and third-party integrations. Our CREST-certified testers assess your APIs for authentication flaws, authorisation bypass, injection vulnerabilities, and business logic issues that automated scanners miss.

What we offer

API security, tested thoroughly.

REST & GraphQL Coverage

We test both REST and GraphQL APIs, covering endpoint enumeration, query depth attacks, introspection exposure, and schema analysis alongside standard API security testing.
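The "query depth attack" mentioned above is the simplest GraphQL resource-consumption issue: a client nests a relationship field inside itself until the resolver fans out far enough to exhaust the backend. The block below is an added example, not Illume's tooling or any client's code, showing the check a hardened GraphQL gateway applies before executing a query. It scans the raw query text for selection-set braces (skipping string literals and comments so a brace inside a string cannot fool it), computes the deepest nesting, and rejects anything over an assumed limit. Both sample queries are constructed for illustration.

```python
# Added example: GraphQL query-depth guard (not Illume's code).
# A nested query such as
#   { user { friends { friends { friends { name } } } } }
# makes the resolver fan out at every level. query_depth() measures the
# deepest selection-set nesting by scanning the text; accept_query()
# refuses anything deeper than MAX_DEPTH. Samples are constructed.

MAX_DEPTH = 5  # assumption: a limit a team might choose; tune per schema


def query_depth(query: str) -> int:
    """Return the deepest nesting of { ... } selection sets in `query`.

    Ordinary and block (triple-quoted) string literals and # comments are
    skipped so braces inside them do not count. Raises ValueError on
    unbalanced braces so a malformed query is rejected rather than
    mis-measured.
    """
    depth = 0
    max_depth = 0
    i = 0
    n = len(query)
    while i < n:
        ch = query[i]
        if ch == "#":  # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
            continue
        if query.startswith('"""', i):  # block string
            end = query.find('"""', i + 3)
            if end == -1:
                raise ValueError("unterminated block string")
            i = end + 3
            continue
        if ch == '"':  # ordinary string; honour backslash escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            if i >= n:
                raise ValueError("unterminated string")
            i += 1
            continue
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced braces")
    return max_depth


def accept_query(query: str, limit: int = MAX_DEPTH) -> bool:
    """True if the query is well-formed and no deeper than `limit`."""
    try:
        return query_depth(query) <= limit
    except ValueError:
        return False


# Constructed sample queries (not captured from any real API).
BENIGN = '{ user(id: "42") { name email } }'  # depth 2
ABUSIVE = "{ user { " + "friends { " * 12 + "name" + " }" * 12 + " } }"  # depth 14

if __name__ == "__main__":
    print("benign  depth", query_depth(BENIGN), "accepted", accept_query(BENIGN))
    print("abusive depth", query_depth(ABUSIVE), "accepted", accept_query(ABUSIVE))
```

A depth limit is only one of the controls; the same gateway would normally also cap query complexity (a cost per field multiplied by list sizes) and the number of operations per batched request, since a shallow query with wide lists or a batch of a thousand small queries consumes resources just as effectively.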

Authentication & Authorisation Focus

API security issues most commonly stem from broken authentication and authorisation. We test token handling, OAuth flows, API key management, and privilege escalation across user roles.
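The token-handling checks referred to above are concrete and easy to get wrong. The block below is an added example, not Illume's code or any client's implementation: a standard-library-only HS256 JWT minter and verifier that shows the three failures a tester looks for first, accepting a token whose header says alg=none, accepting a token whose signature does not verify against the expected key, and accepting a token past its exp. The secret key, the claims, and the fixed "current time" are constructed for illustration.

```python
# Added example: JWT verification with the checks a consumer must make
# (not Illume's code). Standard library only. Key and claims are
# constructed; mint() can produce alg=none tokens purely to build test cases.

import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key-not-for-production"  # assumption


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a token. alg='none' is supported only so tests can forge one."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":
        return signing_input + "."  # unsigned: empty signature segment
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid, else raise ValueError.

    Order of checks: three segments; header alg is exactly HS256 (so
    alg=none and algorithm confusion are refused before any crypto runs);
    signature verified with a constant-time compare; exp present and in
    the future; nbf, if present, already reached.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (head_b64 + "." + body_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if "exp" not in claims:
        raise ValueError("missing exp")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def is_accepted(token: str, now: Optional[float] = None) -> bool:
    """Convenience wrapper: True if verify() accepts the token."""
    try:
        verify(token, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed clock so results are reproducible
    good = mint({"sub": "alice", "role": "user", "exp": NOW + 600})
    forged_none = mint({"sub": "alice", "role": "admin", "exp": NOW + 600}, alg="none")
    expired = mint({"sub": "alice", "exp": NOW - 1})
    print("good     ", is_accepted(good, now=NOW))
    print("alg=none ", is_accepted(forged_none, now=NOW))
    print("expired  ", is_accepted(expired, now=NOW))
```

The point of pinning the algorithm to the single value the service issues, rather than reading it from the header, is that it removes the header from the trust decision entirely: an attacker who can choose the algorithm can also choose a key the server already holds.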

Documentation-Led Approach

Where API documentation is available (Swagger, OpenAPI, Postman collections), we use it to ensure comprehensive endpoint coverage and identify undocumented or shadow API routes.

Scope

Areas we can test.

Authentication & Token Security
JWT validation, OAuth flow testing, API key exposure, token expiry, refresh token handling, and session management across API endpoints.
Authorisation & Access Control
Broken Object Level Authorisation (BOLA), broken function level authorisation, horizontal and vertical privilege escalation, and IDOR vulnerabilities (the older name for the same object-level flaw, where an identifier in the request is trusted without an ownership check).
Input Validation & Injection
SQL injection, NoSQL injection, command injection, and parameter tampering across all API input vectors including headers, query parameters, and request bodies.
Rate Limiting & Resource Consumption
Testing for missing or inadequate rate limiting, unrestricted resource consumption, and denial-of-service conditions through excessive API calls.
Data Exposure & Sensitive Information
Excessive data exposure in API responses, verbose error messages leaking implementation details, and sensitive data returned without proper filtering.
Business Logic & Workflow
API-specific business logic flaws such as sequence bypass, state manipulation, and abuse of intended functionality through unexpected API call patterns.
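The BOLA/IDOR item in the scope above is the finding that comes up most often in API assessments, so it is worth seeing what the flaw and its fix look like in code. The block below is an added example, not Illume's code or any client's API: a tiny in-memory invoice endpoint written twice, once with the flaw (the handler authenticates the caller and then returns whatever id was requested) and once with the object-level check. probe_bola() is the check a tester runs, authenticating as one user and walking a range of sequential ids to see which foreign objects come back. The invoice data, sessions, and tokens are constructed.

```python
# Added example: object-level authorisation (BOLA/IDOR), vulnerable and
# fixed handler side by side, plus the probe a tester runs (not Illume's code).
# All data below is constructed for illustration.

from typing import Callable, Dict, List, Optional

# Constructed store: invoice id -> owner and amount.
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "alice", "amount": 80.50},
    1003: {"owner": "bob", "amount": 310.00},
}

# Constructed bearer tokens -> user. A real API resolves this from the JWT or session.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


def _current_user(token: str) -> str:
    """Authenticate the caller; 401 if the token is unknown."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise PermissionError("401 unauthenticated")


def get_invoice_vulnerable(token: str, invoice_id: int) -> Optional[dict]:
    """GET /invoices/{id} as it is commonly written: authenticates the
    caller, then returns whatever id was asked for. Any logged-in user can
    read every invoice simply by changing the number."""
    _current_user(token)
    return INVOICES.get(invoice_id)


def get_invoice_fixed(token: str, invoice_id: int) -> Optional[dict]:
    """Same endpoint with the object-level check: the lookup is scoped to
    the caller. A foreign id yields the same 404 as a missing id, so the
    response does not even confirm that the object exists."""
    user = _current_user(token)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return None
    return inv


def probe_bola(
    handler: Callable[[str, int], Optional[dict]], token: str, candidate_ids: List[int]
) -> List[int]:
    """Tester's check: call `handler` as `token` for every candidate id and
    return the ids of objects that came back but belong to someone else.
    In a real engagement the tester knows the ownership from the second
    test account they were issued; here it is read from the record."""
    user = _current_user(token)
    leaked = []
    for iid in candidate_ids:
        inv = handler(token, iid)
        if inv is not None and inv["owner"] != user:
            leaked.append(iid)
    return leaked


if __name__ == "__main__":
    ids = list(range(1000, 1010))  # sequential ids invite enumeration
    print("vulnerable handler leaks to bob:", probe_bola(get_invoice_vulnerable, "tok-bob", ids))
    print("fixed handler leaks to bob:     ", probe_bola(get_invoice_fixed, "tok-bob", ids))
```

Two details carry over to real APIs: the ownership check belongs in the data access path (a query filtered by the caller's id) rather than as a comparison bolted onto each handler, so a new endpoint cannot forget it; and the fixed handler returns the same not-found response for a foreign object as for a missing one, so the tester's enumeration learns nothing about which ids exist.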
How we work

Our methodology.

Step 01

Scoping & Documentation

Defining the test scope, reviewing available API documentation (Swagger, OpenAPI, Postman), and identifying authentication mechanisms and user roles.

Step 02

Reconnaissance

Endpoint discovery, schema analysis, and mapping of API routes including undocumented or deprecated endpoints that may still be accessible.

Step 03

Testing & Exploitation

Automated and manual testing to identify vulnerabilities across authentication, authorisation, injection, and business logic, with chaining to demonstrate real-world attack paths.

Step 04

Reporting & Debrief

Detailed reporting with CWE classifications, CVSS scores, proof-of-concept evidence, and practical remediation guidance, followed by a debrief with your team.

What you receive

Your deliverables.

01

Penetration Test Report

A single report covering executive summary, technical findings with CWE classifications and CVSS scores, proof-of-concept evidence, and prioritised remediation guidance.

02

Findings Debrief

A walkthrough of the results with your technical team, covering key findings, risk context, and remediation priorities, with time for questions.

03

Ongoing Support

Post-engagement support from the Illume team to answer questions about findings and remediation guidance.

FAQ

Frequently asked questions.

What is the difference between API testing and web application testing?
Web application testing assesses the full application including the user interface, session management, and client-side behaviour. API testing focuses specifically on the programmatic interfaces, testing authentication, authorisation, input validation, and business logic at the API layer. Many organisations benefit from both, particularly where APIs serve mobile apps or third-party integrations independently of the web interface.
Do you need API documentation to test?
Documentation is not required but it helps. Where Swagger, OpenAPI specs, or Postman collections are available, they allow us to ensure comprehensive coverage. Without documentation, we perform endpoint discovery and mapping as part of the assessment, though this may require additional time.
Do you test both REST and GraphQL APIs?
Yes. We test REST APIs, GraphQL APIs, and hybrid architectures. GraphQL introduces specific security considerations such as introspection queries, query depth attacks, and batching abuse that require targeted testing beyond standard API assessment techniques.
What access do you need?
We typically need access to the API environment (staging or production), valid authentication credentials for each user role in scope, and any available documentation. We agree the specific access requirements during scoping based on your API architecture and testing objectives.
Get Started

Ready to test your API security?

Speak to a CREST-certified consultant. We'll review your API architecture, scope the engagement, and provide a fixed-price proposal.