CERT-In Empanelled · OWASP API Top 10 · REST + GraphQL + WebSocket

API Security Testing

BOLA. BFLA. Mass assignment. Business-logic abuse. The bugs that hide behind the UI — found by humans, validated by AI, reviewed three times.

6,700+ assessments
OWASP API Top 10 aligned
CERT-In empanelled since 2008

Trusted by India's leading enterprises

ICICI Bank
HDFC
NPCI
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
Tata Play
Voltas
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Go Digit
Pharmeasy
BillDesk
Jubilant Foods
UltraTech
Titan
Infosys
Capgemini
STEP 01

Scope

Spec ingestion, traffic capture, auth flows. We map every endpoint and parameter in Lemon.

STEP 02

Test

5–14 days of OWASP API Top 10, business-logic abuse, GraphQL/WebSocket specifics, AI coverage validation, and three-layer QA.

STEP 03

Deliver

Executive + technical reports with curl/Postman reproduction, language-specific code fixes, retest, and certificate.

What Is API Security Testing?

API security testing is a structured assessment where certified experts test the REST, GraphQL, gRPC, and WebSocket APIs your applications expose — covering OWASP API Top 10 plus deep manual business-logic abuse, replay, and transaction-flow manipulation that scanners can't simulate. Required by RBI PA-PG, PCI DSS v4.0, and DPDP Act for any API processing payments or personal data.

Beyond spec-driven scanning

What scanners can't see — authorisation gaps, mass assignment, business-logic abuse, replay attacks.

BOLA / IDOR

Object-level authorisation: can user A read user B's record by changing the ID?

BFLA

Function-level authorisation: can user A call admin functions by changing the verb or path?

Mass Assignment

Sending extra fields the API silently accepts: role=admin, isVerified=true
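As an added illustration (not code from the original page or from the vendor), here is the mass-assignment pattern above in a profile-update handler, shown as the vulnerable form beside an allowlist-based fix. The `User` model, the two handler names and the request payloads are constructed for the example.

```python
# Added example, not from the original page: mass assignment in a profile-update
# handler, vulnerable pattern beside an allowlist-based fix.
# User, update_profile_* and the payloads are hypothetical/constructed.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    display_name: str
    role: str = "user"
    is_verified: bool = False


# Vulnerable: every key in the request body is copied onto the model, so a
# client that adds role=admin or is_verified=true gets it silently accepted.
def update_profile_vulnerable(user: User, body: dict) -> User:
    for key, value in body.items():
        setattr(user, key, value)
    return user


# Hardened: only fields the client may change are copied. Everything else is
# returned as rejected so the attempt is visible in logs and in the response.
CLIENT_WRITABLE = {"email", "display_name"}


def update_profile_safe(user: User, body: dict) -> tuple[User, list[str]]:
    rejected = sorted(k for k in body if k not in CLIENT_WRITABLE)
    for key in CLIENT_WRITABLE & body.keys():
        setattr(user, key, body[key])
    return user, rejected
```

Logging the `rejected` list is what turns a blocked mass-assignment attempt into a detection signal rather than a silent no-op.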

Auth & Tokens

JWT replay, weak signing, token leakage, refresh-flow abuse, session fixation

GraphQL Specifics

Introspection abuse, query depth/complexity DoS, field-level authz, mutation abuse

Rate-Limit Bypass

Per-endpoint, per-user, per-IP — bypass via header injection, casing, parameter pollution

Webhook Signature Replay

Stripe, Razorpay, partner webhooks — replay, timestamp tolerance, signature validation gaps
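As an added example (not code from the original page or from any of the named providers), this receiver closes the three gaps listed above: signature validation, timestamp tolerance and replay. The signing scheme (HMAC-SHA256 over `"<timestamp>.<body>"`, carried in a `t=...,v1=...` header) and the in-memory replay cache are constructed stand-ins for the page's discussion, not any provider's exact format.

```python
# Added example, not from the original page: a hardened webhook receiver.
# Scheme and header layout are a constructed stand-in, not a provider's format.
import hashlib
import hmac

TOLERANCE_SECONDS = 300  # reject events whose timestamp is more than 5 min off


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' (constructed scheme)."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def parse_header(header: str) -> tuple[int, str]:
    """Parse 't=<unix ts>,v1=<hex mac>'; raises on malformed input."""
    parts = dict(item.split("=", 1) for item in header.split(","))
    return int(parts["t"]), parts["v1"]


class WebhookVerifier:
    def __init__(self, secret: bytes):
        self.secret = secret
        # Replay cache of accepted MACs. In-memory here (assumption);
        # a shared store with TOLERANCE_SECONDS expiry is needed across replicas.
        self.seen: set[str] = set()

    def verify(self, header: str, body: bytes, now: int) -> tuple[bool, str]:
        try:
            ts, provided = parse_header(header)
        except (KeyError, ValueError):
            return False, "malformed signature header"
        # Timestamp tolerance: a captured event stays valid only inside the window.
        if abs(now - ts) > TOLERANCE_SECONDS:
            return False, "timestamp outside tolerance"
        expected = sign(self.secret, ts, body)
        # Constant-time comparison avoids leaking the MAC through timing.
        if not hmac.compare_digest(expected, provided):
            return False, "bad signature"
        # Replay: the same valid event delivered again inside the window.
        if provided in self.seen:
            return False, "replayed event"
        self.seen.add(provided)
        return True, "ok"
```

Verify against the raw request bytes, not a re-serialised JSON object, or a legitimate signature will fail on whitespace and key-order differences.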

Business Logic

Race conditions, workflow tampering, multi-step exploits, payment-flow abuse

Methodology

9 steps. Every endpoint exercised.

Every engagement runs through Lemon, our audit-management platform — informed by 6,700+ prior assessments and consistent across the team that delivers it.

Discovery
01

Specification & Traffic Discovery

Ingest OpenAPI / GraphQL schemas / Postman collections plus authenticated traffic captures. Lemon merges declared and observed surfaces — observed always wins on conflict.

02

Endpoint & Parameter Enumeration

Document every endpoint, method, parameter, header, and content type. Identify undocumented endpoints from traffic and JS bundle analysis. Flag deprecated and shadow-API surfaces.

03

Authentication Flow Mapping

OAuth, SAML, JWT, API keys, mTLS, custom schemes. Document every auth path, token lifecycle, refresh flow, scope enforcement, and exception handling.

Testing
04

OWASP API Top 10 Coverage

BOLA (object-level authz), BFLA (function-level authz), broken authentication, mass assignment, security misconfiguration, injection, improper inventory, unrestricted resource consumption.

05

Business Logic Abuse

Workflow tampering, race conditions, replay, transaction-flow manipulation, multi-step exploits — what scanners can't see. Payment-flow logic abuse is its own deep-dive.

06

GraphQL & WebSocket Specifics

GraphQL introspection abuse, query depth/complexity DoS, field-level authz, mutation abuse. WebSocket auth, message-replay, and origin-bypass tests.

07

AI-Augmented Coverage Validation

AI cross-references declared spec, traffic, and JS analysis to find missed endpoints and parameters. Validates test coverage before delivery.

Delivery
08

Three-Layer QA Review

L1 API auditor → L2 senior consultant → L3 security architect. Every finding validated, every reproduction reviewed, every CVSS scored consistently.

09

Reporting & Re-test

Executive + technical reports with curl / Postman reproduction, language-specific code fixes, retest rounds, and security assessment certificate.

Compliance-Ready

Audit-ready reporting for API mandates

API testing reports satisfy the technical-VAPT clauses your regulator and acquirer will check — OWASP API Top 10, RBI PA-PG, PCI DSS, DPDP, ISO 27001 secure-development.

OWASP API Top 10: 2023 edition coverage
PCI DSS v4.0: Requirements 6.2 + 11.4
RBI PA-PG Audit: Payment aggregator API mandate
CERT-In: Empanelled since 2008
DPDP Act: India personal-data APIs
GDPR: EU personal-data APIs
ISO 27001: Annex A 8.28 (secure development)
SOC 2: Trust service criteria — security

Common engagement scopes

What clients ask us to test

Across 700+ enterprise customers, API engagements cluster into a handful of well-defined patterns — each sized for our 5–14 day delivery window.

Payment / UPI APIs: PA-PG audit, transaction abuse, replay
BFSI core-banking APIs: Account, transaction, statement endpoints
GraphQL gateways: Introspection, depth, field-level authz
Mobile-app backend APIs: BOLA, BFLA, token replay
Partner-integration APIs: Webhook signature, mTLS, rate limits
SaaS multi-tenant APIs: Tenant isolation, scope enforcement, key rotation

Deliverables

What you get

Reports for two audiences — risk picture for leadership, exact code-level fixes for your API engineers in their language (Node.js, Python, Java, Go, .NET).

Executive Report

Risk overview, critical findings, business impact, remediation priorities. Board-ready.

Technical Report

POCs, curl / Postman reproductions, request/response data, CVSS, language-specific code fixes.

Retest & Walkthrough

Multiple retest rounds at no extra cost. Walkthrough call with your API engineering team.

Security Certificate

Formal certificate for compliance, customer assurance, and vendor due diligence.

FAQ

Common questions

Can't find what you're looking for? Talk to our API-security lead.

What is API security testing?

API security testing is a structured assessment where certified experts test the REST, GraphQL, gRPC, and WebSocket APIs your applications expose — covering OWASP API Top 10 categories like BOLA / BFLA, plus deep manual business-logic abuse, replay, and transaction-flow manipulation that automated scanners can't simulate.

Spec-driven or traffic-driven testing?

Both, always. We ingest your OpenAPI / GraphQL schema / Postman collections AND capture authenticated traffic from your real application. Lemon merges the two — observed traffic always wins on conflict, because the spec is what you think you have, traffic is what you actually expose.

Do you test GraphQL APIs?

Yes — and GraphQL has its own attack class. We test introspection abuse, query depth and complexity DoS, field-level authorisation gaps (a common BFLA pattern in GraphQL), mutation abuse, and batched-query side-channels. We also handle Relay-style cursor pagination.

How is API testing different from web app testing?

Web app testing usually exercises the UI front-door. API testing exercises the back-door directly — bypassing client-side validation entirely. Mass assignment, BOLA, and BFLA only show up when you call the API directly with manipulated payloads. Most modern apps need both.

How long does an API security test take?

A single API surface (~30 to 80 endpoints): 5–8 business days. Larger API estates (microservices, partner-integration APIs, GraphQL gateways): 8–14 days. Lemon enforces daily progress tracking so you always know where it stands.

Is API testing required for RBI / PCI DSS / DPDP compliance?

Effectively yes. RBI PA-PG cybersecurity audit explicitly calls out payment-API testing. PCI DSS v4.0 6.2 and 11.4 cover API surfaces. DPDP requires technical testing for any personal-data-processing API. CERT-In empanelment is the qualifying standard for all of these.

Do you test mobile-app APIs?

Yes — the backend APIs your mobile app calls are typically where most authorisation bugs hide. We can run API testing as a standalone engagement or bundle it with our mobile-app pen test for a single coordinated scope.

Do you provide remediation guidance?

Yes — reports include language-specific code fixes (Node.js, Python, Java, Go, .NET), example secure-by-default middleware, and headers/policy recommendations. Plus retest rounds and a walkthrough call with your API engineering team.

Test your APIs the way attackers call them.

Whether it's a single REST surface, a GraphQL gateway, payment APIs ahead of an RBI PA-PG audit, or a full multi-microservice scope — talk to our API-security lead.