I will perform a professional REST or GraphQL API security penetration test
About this Gig
APIs are the most targeted attack surface in modern apps, yet most go untested. I am an OSCP- and CPTS-certified penetration tester specializing in API security. I manually test your REST or GraphQL API against the OWASP API Security Top 10.
WHAT I TEST:
- BOLA/IDOR: accessing other users' resources
- Broken Authentication: weak tokens, JWT issues, API key exposure
- Broken Function Level Authorization: admin endpoints accessible to regular users
- Unrestricted Resource Consumption: missing rate limiting, resource exhaustion
- SSRF via API parameters
- Security Misconfiguration: verbose errors, debug endpoints, CORS
- Injection: SQL, NoSQL, command injection via API parameters
- OData Injection in enterprise/Microsoft APIs
DELIVERABLES:
- Professional PDF VAPT report
- CVSS scores per finding
- PoC requests (cURL/Postman) for every vulnerability
- Remediation guidance
- Re-test included (Standard & Premium)
NDA available. Testing is non-destructive.
FAQ
What do you need to start?
At minimum, I need the API base URL and a test account. Swagger/OpenAPI docs or a Postman collection help but are not required — I can enumerate endpoints manually.
Can you test our production API?
I can, but I strongly recommend a staging environment. All tests are non-destructive — no data will be modified or deleted without explicit consent.
Do you test mobile app APIs?
Yes. If you have an Android/iOS app, I can intercept and test the underlying API traffic. Contact me before ordering for a custom quote.
What is OData injection?
OData (Open Data Protocol) is a query protocol used by many enterprise and Microsoft APIs; clients pass query options such as $filter and $select in the URL. OData injection occurs when user-supplied values are concatenated into those query options without proper escaping, letting an attacker alter the filter and read data they are not authorized to see. It is a vulnerability I regularly find in professional engagements.
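To make the answer above concrete, here is an added illustration that is not part of this gig listing or of any client engagement: a Python script with a toy evaluator for a small subset of OData $filter (eq/ne comparisons on string literals joined with and/or), a vulnerable filter builder that concatenates a caller-controlled value, and a hardened builder that escapes it. The DOCUMENTS rows, the PAYLOAD, and all function names are constructed for the demonstration and are assumptions, not real API data.

```python
# Added example: OData $filter injection, vulnerable vs. hardened filter building.
# The evaluator below is a deliberately tiny stand-in for a real OData backend;
# it understands only: IDENT (eq|ne) 'string' combined with and/or (and binds tighter).

# Constructed sample entity set (assumption). The API must only return the caller's tenant.
DOCUMENTS = [
    {"Id": 1, "Tenant": "acme", "Title": "Q3 forecast"},
    {"Id": 2, "Tenant": "acme", "Title": "Board minutes"},
    {"Id": 3, "Tenant": "globex", "Title": "Merger terms"},
]

# Constructed attacker-controlled title value (assumption): a quote closes the literal,
# then "or Tenant ne ''" is appended, which matches every row in the table.
PAYLOAD = "x' or Tenant ne '"


def odata_quote(value):
    """Encode a string as an OData string literal; OData escapes a quote by doubling it."""
    return "'" + value.replace("'", "''") + "'"


def build_filter_unsafe(tenant, title):
    # Vulnerable: the caller-controlled title is pasted straight into $filter.
    return f"Tenant eq '{tenant}' and Title eq '{title}'"


def build_filter_safe(tenant, title):
    # Hardened: every literal goes through odata_quote, so a quote in the input
    # can no longer terminate the literal and start a new clause.
    return f"Tenant eq {odata_quote(tenant)} and Title eq {odata_quote(title)}"


def tokenize(expr):
    """Split a filter expression into (kind, value) tokens, honouring '' escapes."""
    tokens, i = [], 0
    while i < len(expr):
        c = expr[i]
        if c.isspace():
            i += 1
        elif c == "'":
            i += 1
            buf = []
            while True:
                if i >= len(expr):
                    raise ValueError("unterminated string literal")
                if expr[i] == "'":
                    if i + 1 < len(expr) and expr[i + 1] == "'":
                        buf.append("'")   # doubled quote is an escaped quote
                        i += 2
                        continue
                    i += 1                # closing quote
                    break
                buf.append(expr[i])
                i += 1
            tokens.append(("STR", "".join(buf)))
        elif c.isalnum() or c == "_":
            j = i
            while j < len(expr) and (expr[j].isalnum() or expr[j] == "_"):
                j += 1
            word = expr[i:j]
            tokens.append(("KW" if word in ("and", "or", "eq", "ne") else "IDENT", word))
            i = j
        else:
            raise ValueError(f"unexpected character {c!r}")
    return tokens


class _Parser:
    """Recursive-descent parser producing a predicate over a row dict."""

    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)

    def take(self, kind):
        k, v = self.peek()
        if k != kind:
            raise ValueError(f"expected {kind}, got {v!r}")
        self.pos += 1
        return v

    def parse(self):
        node = self.parse_or()
        if self.pos != len(self.toks):
            raise ValueError("trailing tokens")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("KW", "or"):
            self.pos += 1
            right = self.parse_and()
            left = (lambda l, r: lambda row: l(row) or r(row))(left, right)
        return left

    def parse_and(self):
        left = self.parse_cmp()
        while self.peek() == ("KW", "and"):
            self.pos += 1
            right = self.parse_cmp()
            left = (lambda l, r: lambda row: l(row) and r(row))(left, right)
        return left

    def parse_cmp(self):
        field, op, literal = self.take("IDENT"), self.take("KW"), self.take("STR")
        if op not in ("eq", "ne"):
            raise ValueError(f"unsupported operator {op!r}")
        return (lambda row: row.get(field) == literal) if op == "eq" else (lambda row: row.get(field) != literal)


def query(rows, filter_expr):
    """Apply a $filter expression to the rows and return the matches."""
    pred = _Parser(tokenize(filter_expr)).parse()
    return [r for r in rows if pred(r)]


def leaked_rows_unsafe():
    # Tenant 'acme' sends the payload; the injected clause returns globex's row too.
    return query(DOCUMENTS, build_filter_unsafe("acme", PAYLOAD))


def leaked_rows_safe():
    # Same payload against the hardened builder: it is matched literally, so nothing leaks.
    return query(DOCUMENTS, build_filter_safe("acme", PAYLOAD))


if __name__ == "__main__":
    print(build_filter_unsafe("acme", PAYLOAD), "->", [r["Id"] for r in leaked_rows_unsafe()])
    print(build_filter_safe("acme", PAYLOAD), "->", [r["Id"] for r in leaked_rows_safe()])
```

The unsafe builder yields `Tenant eq 'acme' and Title eq 'x' or Tenant ne ''`; because `and` binds tighter than `or`, the trailing `Tenant ne ''` clause is true for every row and the other tenant's document is returned. The hardened builder turns the same input into one string literal, which matches nothing. In a real engagement the equivalent check is to send a value containing a single quote and watch whether the server returns a parse error or a changed result set rather than treating the value as data.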
Is GraphQL testing included?
Yes. GraphQL-specific issues (introspection abuse, batching attacks, nested query DoS, auth bypass) are covered in Standard and Premium packages.
Can you sign an NDA?
Yes, before every engagement.
What if I need more than 30 endpoints?
Select Premium or message me for a custom quote with your endpoint count.
