Darkside Service

API penetration testing

APIs are the new perimeter. Test them like one.

Darkside tests API security across authentication, object-level authorisation, input handling, rate limits, and data exposure. We can work from OpenAPI/Swagger specs, Postman collections, GraphQL schemas, or black-box discovery.

Why it matters

Practical evidence, not scanner noise.

API vulnerabilities often sit behind polished front ends. We help engineering teams find the authorisation and data-flow failures that create real breach paths.

What we test

  • Broken object-level authorisation and IDOR
  • Broken authentication, token handling, and JWT weaknesses
  • Excessive data exposure in responses
  • Rate limiting and resource exhaustion
  • Mass assignment and parameter pollution
  • GraphQL introspection, batching, and query depth abuse
  • Insecure direct object references
  • Server-side request forgery
  • Injection through API parameters
  • Improper versioning and legacy endpoint exposure

What you receive

  • OWASP API Security Top 10 coverage report
  • Annotated request and response evidence
  • Severity-ranked findings
  • Fix guidance by endpoint
  • Free retest within 90 days
  • CI/CD and gateway hardening recommendations

Methodology

How the engagement runs

  1. 01

    Gather API specs, collections, roles, authentication flows, and rate-limit expectations.

  2. 02

    Map endpoints, object ownership, trust boundaries, and data sensitivity.

  3. 03

    Test authorisation, injection, abuse cases, and failure modes manually.

  4. 04

    Validate impact with reproducible requests and safe proof-of-concepts.

  5. 05

    Retest remediated endpoints and confirm fixes do not break adjacent controls.

FAQ

Common questions

Can you test GraphQL APIs?

Yes. We test schema exposure, batching, query depth, object authorisation, resolver behaviour, and data leakage specific to GraphQL.

Do you need documentation?

Documentation helps, but it is not mandatory. We can work from OpenAPI specs, Postman collections, captured traffic, or black-box discovery.

Can this fit into a release process?

Yes. We can test a defined release candidate, produce evidence for sign-off, and retest critical fixes before launch.

Get started

Ready to scope this test?

Book a 30-minute call. We will confirm scope, timelines, evidence requirements, and the fastest path to start.