OWASP API Top 10 (2023) · ASVS · CVSS 4.0 · PCI DSS · DORA · NIS2 · ISO 27001
Security audit for REST and GraphQL APIs
Manual + automated audit of your API. Full OWASP API Top 10 (2023) coverage: BOLA, BFLA, BOPLA, mass exposure, rate limiting, JWT/OAuth/mTLS authentication, endpoint abuse. And, above all, the business logic exposed through the API that no scanner detects. Each finding with evidence, CVSS 4.0 severity and remediation prioritised by real risk.
Executive summary
Your API is probably the most exposed and at the same time most critical component of your product: consumed from web frontend, mobile, B2B integrations and third parties. An API audit done properly covers full OWASP API Top 10 (2023), validates authentication and authorisation at object, function and property level, measures resistance to abuse and, above all, tests the business logic exposed that no scanner detects.
Typical projects at Hard2bit close in 7-35 working days depending on complexity, with immediate notification of critical findings and retesting included in scope. The report is delivered ready to pass external audit: PCI QSA if it touches CDE, financial supervisor for DORA, ISO 27001 certifier, ENS auditor for public services, enterprise customer requirement.
OWASP API Top 10 + logic
Full coverage of the standard + human verification of exposed business logic. Where a scanner sees structure, the auditor sees abuse.
Auditor-ready
Report designed to pass external audit: PCI QSA, ISO 27001, ENS, DORA, financial supervisor, enterprise customer demands.
Useful remediation
Each finding with immediate mitigation rule (WAF/API Gateway) + code remediation. So you can contain while development fixes.
What we cover in an API audit
Baseline is full OWASP API Security Top 10 (2023) plus additional areas that the standard leaves out but appear in real projects.
API1 — BOLA (Object Authorization)
Object-level authorisation bypass: change an ID in URL/payload and access resources of another user or tenant. #1 vulnerability in modern APIs.
API2 — Broken Authentication
Misconfigured or unverified JWT, client-side OAuth, long tokens without expiry, refresh tokens without rotation, login bypass, weak password recovery.
API3 — BOPLA (Property Auth)
Mass assignment: sending protected fields (isAdmin=true, role=manager, balance=999999) that the backend accepts without filtering. And inversely: exposure of sensitive properties in responses.
API4 — Unrestricted Resource Use
No rate limiting, no max payload size, no max depth in GraphQL: abuse for denial-of-wallet (mass consumption) or DoS.
API5 — BFLA (Function Auth)
Function-level authorisation bypass: admin endpoints accessible to normal users, privilege escalation by changing HTTP verb or path.
API6 — Unrestricted Business Flows
Abuse of legitimate flows without protection: buying limited stock in bulk, mass account creation, draining inventory, manipulating checkout pricing.
API7 — SSRF in API
Endpoints accepting URLs as parameter and allowing requests to be redirected to cloud metadata (IMDS), internal services or private segments.
API8 — Misconfiguration
Wide-open CORS, headers missing Cache-Control on sensitive responses, verbose errors with stack trace, unnecessary HTTP methods enabled.
API9 — Improper Inventory
Old APIs (v1, v2) undocumented but accessible, internal endpoints exposed by mistake, stale documentation hiding real endpoints.
API10 — Unsafe API Consumption
Your API trusts third-party APIs without validating responses: supply chain vector when that third party is compromised.
Service-to-service authentication
Microservices: mTLS properly configured, OAuth client_credentials with minimum scope, JWT between services without signature validation, shared secrets without rotation.
GraphQL specifics
Query complexity attacks, batching abuse, abusive introspection, field-level authorisation, verbose errors leaking schema.
Anatomy of a critical finding
Real technical pattern of a BOPLA finding with privilege escalation. Anonymised, based on a real project on a B2B SaaS platform's REST API.
Discovery
Mass assignment in POST /api/v3/orders
The endpoint accepted the full Order entity payload on creation, without filtering
sensitive properties. Sending { "items": [...], "total": 0.01, "status": "PAID" }
the backend persisted the order with manipulated total and PAID status without
verifying payment. The frontend never sent those fields but the backend accepted them
without validating ownership or property whitelist.
Severity
CVSS 4.0 = 9.0 (Critical)
AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N. Network, low complexity, requires an authenticated account (any registered user). Impact: high integrity (orders created without payment, no fraud detected in billing systems because the legitimate flow is skipped). Confidentiality and availability unaffected. Business impact higher than CVSS suggests: any customer could order products without paying.
Evidence
Proof without real abuse
Demonstration with a test account created for the project, in staging with identical configuration to production. Capture of request/response, backend log showing acceptance of the payload, screenshot of the record in the database. No production tests were run to avoid inconsistencies in real billing.
Remediation
Mitigation + permanent patch
Immediate (6 hours): API Gateway rule dropping total and status properties from incoming payload. Medium-term (1 week): code patch using input DTO limited to customer fields (items, billingAddress, shippingAddress); the rest is calculated server-side. Long-term: audit of every POST/PUT/PATCH endpoint looking for the same pattern. Five more endpoints with mass assignment were found.
Anonymised technical case based on real patterns from B2B SaaS with embedded e-commerce. Sector, magnitudes and names altered. No public NDAs, no customer name.
When it fits and when it does not
Strong fit
When it makes sense
- Your API is the central piece of the product (B2B SaaS, fintech, healthtech, marketplace)
- Public API consumed by third parties or by your own mobile app
- An API v2 goes to production or the authentication model changes
- Multi-tenant: validate isolation between customers
- Auditor requires evidence: PCI DSS, DORA, NIS2, ISO 27001, enterprise contract
- Migration to microservices or move to GraphQL
- Post-incident: there was a leak, abuse or impersonation via API
Weaker fit
When it is not the first move
- API in prototype phase with no real traffic: let it mature first
- If your product is essentially web and the API is just a minor internal BFF: web audit already covers it
- Problem comes from development process (secrets in repos, no code review): start with source code audit
- Need continuous monitoring, not point-in-time: combine with attack surface management
- After an active incident, first incident response; audit later
How we deliver
Four real phases, with immediate notification of critical findings. For public APIs with live traffic this changes the real cost of the project: containment starts the day a finding is detected, not at the end of the report.
1. Technical walkthrough (1-2 days)
Session with the developer maintaining the API. We review OpenAPI spec or Postman collection if available; if not, we map endpoints in session. We agree scope, window, source IPs, communication plan with IT/SOC, and test account model (especially important in multi-tenant SaaS to verify isolation).
2. Manual + automated audit (60-80% of time)
Burp Suite Pro, Postman/Bruno, custom scripts. For GraphQL we add InQL and graphw00f. Exhaustive tests on authentication (JWT manipulation, OAuth flows, refresh), authorisation (BOLA/BFLA/BOPLA), rate limiting, exposed business logic. Critical findings reported instantly with immediate mitigation rule proposed.
3. Documentation and verification
Each finding with request/response, CVSS 4.0, business impact, proof-of-concept, code remediation recommendation + immediate mitigation rule for WAF/API Gateway. Double verification to avoid false positives in the final report.
4. Closing and retesting
90-minute session with API development and operations. Discussion of findings, remediation plan, real priority. If contracted, retesting at 4-8 weeks certifying corrections work and issuing verification letter suitable for external auditor.
What the documentation package includes
1. Technical report
Each finding with description, request/response, CVSS 4.0, business impact, code remediation recommendation + immediate mitigation rule for WAF/API Gateway.
2. Executive report
2-3 pages without technical jargon. Findings in business terms, aggregate risk, action plan. Board or enterprise customer ready.
3. Prioritised matrix
Findings ordered by real risk: exposure + exploitability + impact + remediation effort. Actionable list for development.
4. Mitigation rules
For findings that can be contained at WAF/API Gateway (rate limiting, payload denial, headers): rules ready to apply on Cloudflare, AWS API Gateway, Kong, Apigee.
5. Evidence repository
ZIP signed with timestamps, captured request/response, test scripts, logs. For external auditor or regulated customer.
6. Closing session + retesting
90 minutes with development. If retesting is contracted: second pass + verification letter suitable for external auditor or enterprise customer.
Sector adaptation
B2B SaaS and platforms
Heavy focus on multi-tenant isolation, OAuth, BOLA/BFLA/BOPLA. Compatible with SOC 2 if applicable. Almost always also requires evidence to respond to enterprise customer security questionnaires.
Fintech and financial entities
DORA (art. 24-27) compliance on resilience testing. PCI DSS 6.4.3 and 11.4.3 if it touches CDE. Focus on payment flows, fraud prevention, transfer race conditions, strong customer authentication (SCA).
Healthtech and healthcare platforms
Focus on special data exposure (GDPR art. 9), HL7/FHIR integrations, medical role authorisation, access auditing. If ENS High applies (essential operators): op.exp.5.
Public sector and digital services
ENS compliance by system categorisation. National e-ID identity, digital certificates, accessibility where applicable. Citizen-facing platforms need privacy and special data focus.
Marketplace or third-party platforms
API consumed by external partners: focus on service-to-service authentication, minimum OAuth scope, per-consumer rate limiting, anomalous usage monitoring. Fits NIS2 art. 21 (ICT risk management) and third parties.
Mobile applications with own backend
Focus on certificate pinning, traffic encryption, secure token storage on client, secret obfuscation in bundles, server-side validation of everything the client sends.
Regulatory fit
API audits are required (sometimes implicitly) by every relevant framework for organisations in Spain and the EU. The report is delivered ready to support external audit.
| Framework | Reference | What it requires and how we cover it |
|---|---|---|
| DORA | Art. 24-27 | Digital resilience testing programme on critical ICT systems. APIs are central pieces: the audit covers the requirement and produces evidence for supervisor. |
| PCI DSS v4.0.1 | Req. 6.4.3 and 11.4.3 | Validation of public applications (including APIs) and annual pentest on CDE. PCI QSA-ready. |
| NIS2 | Art. 21.2.f | Policies and procedures for evaluating the effectiveness of measures. Documented periodicity and traceability. |
| ISO 27001:2022 | A.8.29 | Security testing in the development cycle, including APIs. Traceable evidence for certification. |
| ENS (High) | op.exp.5 | Periodic technical tests with documentation of findings and remediation. Suitable for ENS audit. |
| GDPR | Art. 32.1.d | Regular verification of the effectiveness of technical measures. Especially relevant if the API processes special category data (art. 9). |
| Open Banking PSD2 | RTS art. 8 | Payment APIs: strong customer authentication, exception management, monitoring. The audit validates controls. |
What we usually do and others do not
Immediate mitigation + code patch
Each finding comes with a WAF/API Gateway rule applicable in hours + the definitive code patch. That lets you contain before development releases the fix.
Immediate notification of critical findings
If there is exploitable BOLA on public API with live traffic, we call you. We do not wait for the final report so you lose two more weeks of exposure.
Multi-tenant isolation validation
In B2B SaaS we verify that one tenant cannot access another tenant's data, with test accounts in different tenants of the customer. It is risk #1 and rarely tested properly.
Service-to-service authentication review
In microservices we review mTLS, OAuth client_credentials, inter-service JWT, shared secrets. This is where most lateral compromise has been seen in 2024-2025.
GraphQL with own methodology
InQL + graphw00f + exhaustive manual work on the schema. Query complexity, batching abuse, field-level authorisation. Most API audits treat GraphQL like REST and miss half.
Tests with active WAF/Gateway
We do not disable WAF to inflate findings. We audit with your production reality + window without WAF for maximum coverage. Knowing what your WAF blocks is also value.
Objections we hear and how we answer them
«Our API is internal, we do not audit it»
The argument works only as long as no one is inside your network. The day an attacker enters through a supply chain, a compromised employee or a vulnerable microservice, your internal APIs are their best pivot. NIS2 and DORA capture this: they ask for controls on ALL critical ICT services.
«We already run monthly DAST scans on the API»
Good. But DAST does not detect BOLA in your data model, nor BOPLA because it does not know which fields are protected, nor business logic abuse because it does not understand what a legitimate order looks like. You cover the wide surface well; we cover what is hidden to the tool.
«We have automated tests in CI, we already cover security»
CI tests validate functionality under expected cases. An attacker does not play under expected cases: they try combinations the developer did not consider. A CI test will never find a BOLA because the team that wrote the test knows the app filters by tenant. The attacker tests what happens if it does NOT.
«It is expensive. Is it worth it for a medium API?»
A multi-tenant SaaS API compromised with BOLA leaks personal data: notification to the supervisor (potential 4% of revenue fine), loss of enterprise customers for contractual breach, DFIR (€15-50k), urgent remediation (€40-80k), reputation. A €12-20k audit that avoids this is the most profitable investment of the year.
«Our API is simple REST, we do not need a dedicated audit»
The most critical modern findings are BOLA, BFLA and BOPLA. They appear in simple REST the same as in complex GraphQL. If your API handles money, personal data or business decisions, you deserve the dedicated audit. If it is just internal BFF for a small web, a chapter within a web audit covers it.
«We have no OpenAPI spec, can you still audit?»
Yes. We map endpoints in the initial technical walkthrough, with developer or Postman collection. Takes 1-2 hours more, does not change the result. In fact, in audits without spec we sometimes find forgotten endpoints the security team did not know existed (API9 — Improper Inventory).
How we measure the quality of our API audits
Six indicators benchmarked against our own historic baseline. Shared in the closing session so your team can see how the project compares to the internal standard.
OWASP API Top 10 coverage
Percentage of the 10 categories tested in depth. Target: 100% on standard audits.
Endpoints per auditor day
Productivity and depth. Too many endpoints/day = shallow coverage.
BOLA/BFLA detection ratio
On authenticated APIs, if we do not detect at least one, we suspect insufficient coverage and review methodology.
Critical finding notification time
Hours from detection of a critical finding to customer notification. Target: <6 hours on public API, <12 hours on internal API.
False positives in report
Percentage of findings rejected by customer after verification. Target: <3%.
Retest closed rate
Percentage of findings the customer actually closes on retest. Indicator of recommendation quality.
Common mistakes when buying an API audit
- Assuming a DAST scanner covers APIs. It detects injection and XSS, but not a single BOLA/BFLA/BOPLA because it does not know what is legitimate in your data model.
- Auditing only the public API and ignoring internal ones. The day someone gets in through supply chain, the internal ones are the preferred path.
- Auditing without OpenAPI spec or Postman collection and no developer available. The auditor wastes 30% of time mapping endpoints; cost/value drops.
- Not testing multi-tenant isolation in B2B SaaS. It is your product's #1 risk and rarely validated properly unless explicitly required.
- Treating GraphQL like REST. It needs its own methodology: complexity, batching, introspection, field-level authorisation.
- Not retesting after remediation. Without a second pass, the report is worthless to a regulated auditor or enterprise customer.
- Confusing high CVSS with priority. CVSS 9 on an internal endpoint with no traffic may be less urgent than CVSS 6 on public API with 10k req/s.
- Accepting a cheap audit without prior technical walkthrough. Without understanding the API, any quote is fiction.
Quick glossary of API security jargon
OWASP API Top 10
Ranking of the 10 most critical vulnerability categories in APIs. Updated in 2023.
BOLA
Broken Object Level Authorization. Access to resources by changing an ID without backend validating ownership. #1 in APIs.
BFLA
Broken Function Level Authorization. Access to admin functions from non-privileged account.
BOPLA
Broken Object Property Level Authorization. Mass assignment (input) or mass exposure (output) of properties.
Rate limiting
Limit on requests per time unit and origin. Prevents abuse, brute force, denial-of-wallet.
JWT
JSON Web Token. Signed authentication token. Vulnerable if signature is weakened or not verified.
OAuth 2.0 / OIDC
Standard authorisation (and authentication with OIDC) protocols for APIs. Multiple flows: authorization code, client credentials, etc.
mTLS
Mutual TLS. Mutual authentication between client and server with certificates. Common between microservices.
GraphQL introspection
Ability to query the full schema of a GraphQL API. Disable in production.
Query complexity attack
GraphQL: nested queries or with cyclic types generating exponential load on the server.
API Gateway
Layer between clients and internal APIs. Can apply authentication, rate limiting, transformation, observability.
Denial-of-wallet
Abuse of APIs that charge by consumption (cloud, LLM, third parties) to generate cost on the target.
Related services at Hard2bit
Pentesting
Parent service. API audit is a discipline within enterprise pentesting.
View →
Web application audit
Complementary. If your product is attacked by web and API, audit both in same project.
View →
Source code audit
Finds flaws invisible from outside: defective logic, hardcoded secrets, vulnerable dependencies.
View →
Non-human identities
Tokens, API keys, OAuth client credentials, secrets: the other 50% of modern API risk.
View →
Third-party risk management
If your API consumes third-party APIs (or vice versa), risk is supply chain. Programme to manage it.
View →
Attack surface management
Continuous monitoring after the audit: detect new APIs the development team exposes without warning.
View →
Integral audit
When beyond API there is infrastructure, identity, cloud and processes: a single project.
View →
Cloud security
If your API lives in cloud, complementary: IAM posture, exposed services, secrets in pipelines.
View →
Incident response
If the audit reveals active compromise in the API, immediate escalation to response.
View →
Frequently asked questions
How does auditing an API differ from auditing a web application?
The web application is the façade; the API is where the business lives. A web audit covers what the user sees; an API audit goes into the layer where modern risk materialises: object-level authorisation (BOLA), function-level (BFLA), property-level (BOPLA), mass exposure, endpoint abuse without rate limiting, errors in service-to-service authentication. When the same product is attacked from web frontend and mobile, the API is the common point; auditing it well protects both channels with one project. If the API is the central piece of your product, a dedicated audit goes deeper than any chapter within a generic web audit.
What methodology do you follow?
We combine OWASP API Security Top 10 (2023) as minimum check, OWASP ASVS L2/L3 as verification criteria when there is an associated client application, and the principles of the OWASP API Security Project for broad coverage. On top we add manual verification of business logic exposed through the API (where no scanner reaches), specific tests for JWT/OAuth/SAML where applicable, multi-tenant isolation validation if the API is SaaS, and review of mTLS or client-credentials tokens for service-to-service authentication. In regulated environments we add the specific requirements: PCI DSS 6.4.3 if it touches CDE, DORA articles 24-27 if it is a financial entity, NIS2 article 21.2 for essential services.
How long does a typical API audit take and how much does it cost?
A REST API with 20-40 endpoints, 2-3 client profiles and standard authentication (JWT or OAuth) is audited in 7-14 working days with 1-2 auditors. Indicative cost in Spain: €7,500-18,000. Large APIs (100+ endpoints, multi-tenant, complex GraphQL, mTLS, many service integrations) take 20-35 days and €25-45k. If your API is public and consumed by third parties (typical in fintech, healthtech, platforms), cost rises because each consumer opens different vectors. We always request access to the API and, if available, OpenAPI spec or Postman collection before quoting firmly; without that, any number is fiction.
How do you audit a GraphQL API? Is it very different from REST?
Yes, it requires a different approach. GraphQL exposes a single endpoint with a flexible schema the client composes at will, opening specific vectors: schema introspection abuse, query complexity attacks (nested queries that take down backend), authorisation bypass through unvalidated fields, batching abuse and sensitive information exposed through overly verbose errors. We use specific tools (InQL, GraphQL Cop, graphw00f for fingerprinting) and exhaustive manual work on the schema. Standard OWASP API Top 10 coverage still applies but is complemented with GraphQL-specific risks.
Do you need a staging environment or can you audit APIs in production?
We prefer staging with representative data. Production is feasible with agreed plan, source IPs, load limits and exclusion of destructive tests (DoS, mass DELETE, mass data modification). If the API is financial or healthcare, staging is usually mandatory because regulators do not accept testing on real personal data. For multi-tenant SaaS APIs we always generate test accounts in different tenants from the customer's own to verify isolation without touching real data.
What deliverables do we get at the end of the project?
Same package as other audits: technical report with each finding (description, evidence with request/response, CVSS 4.0 criticality, business impact, recommendation), executive report of 2-3 pages for the board, prioritised matrix by real risk, signed evidence repository with timestamps for external auditor, and closing session with IT and development. Additional for API: updated Postman/Bruno collection or OpenAPI spec if the customer needs it for internal integrations, proposed WAF/API Gateway rules to mitigate while code is remediated. Retesting included if contracted.
Does it count as evidence for PCI DSS, DORA, NIS2 or ISO 27001?
Yes, when properly documented. PCI DSS v4 (req. 6.4.3 and 11.4.3) mandates tests on accessible APIs if they touch the CDE. DORA (articles 24-27) regulates digital resilience testing on critical ICT systems, where APIs are central pieces. NIS2 (art. 21.2.e/f) requires policies for managing and assessing the effectiveness of measures. ISO 27001:2022 (A.8.29) requires security testing in the development cycle. The technical report + matrix + timestamped evidence meets all four frameworks and is suitable for QSA, ISO auditor, ENS body or financial supervisor.
Our APIs are internal, not public. Is it still worth auditing them?
Almost always yes. Internal APIs are the attacker's preferred path once a peripheral piece is compromised (typical in supply chain, compromised employee account, vulnerable microservice). The 'they are not public' argument works while nobody is inside your network, which stops being true the first day something happens. In recent audits we have seen internal APIs assuming implicit trust: no authentication, no authorisation, limited logging. The day an attacker reaches that point, those APIs are the pivot lever. NIS2 and DORA capture this logic by requiring controls on ALL critical ICT services, not just external ones.
What do you do if you find something critical during the audit?
Immediate notification through a previously agreed channel (encrypted email, Signal, phone call). We do not wait for the final report. The customer receives the finding with description, evidence, estimated impact and temporary containment recommendation (typically: WAF/API Gateway rule that mitigates while code is remediated). If the customer requests it, we help coordinate urgent remediation with their development team. The gap between 'report at end' and 'report on detection' is weeks of avoidable exposure, especially in public APIs with live traffic.
How does an engagement start at Hard2bit?
We begin with a 30-minute call to understand the API, the consumers, scope, authentication model, the moment in the cycle (release, post-incident, regulatory requirement) and the customer's goal. If it makes sense, we schedule a 1-hour technical walkthrough with the API owner (ideally with the developer who maintains it). After that we issue a firm proposal in 48-72 hours: scope, window, assigned team, deliverables and closed price. No commitments until signature.
Got an API that needs an audit?
30-minute call to understand the API, consumers, authentication model and the moment in the cycle. If it makes sense, firm proposal in 48-72 hours. No commitments until signature.