OWASP API TOP 10:2023 ALIGNED
API & Microservices Penetration Testing
Protocol-aware assessment across REST, GraphQL, gRPC, and SOAP — expert manual tradecraft combined with automated discovery, delivered through NST Assure.
Every integration point is an attack surface. We assess REST, GraphQL, gRPC, SOAP, and event-driven architectures — covering authorisation, business logic, protocol-specific risks, and microservices boundaries — delivered through NST Assure, our PTaaS platform for continuous assurance.
01
AUTHORISATION, DATA EXPOSURE & MASS ASSIGNMENT
REST API Security
Targets the authorisation and data-handling flaws that represent the most exploited API attack surface.
Object-level authorisation — privilege escalation, IDOR, and resource-level access bypass
Property-level access — excessive data exposure and mass-assignment abuse
Function-level authorisation — admin-endpoint discovery and role-boundary bypass
Input validation — parameter tampering, injection, and content-type manipulation
Shadow API discovery — undocumented endpoints and OpenAPI contract deviation
OWASP API TOP 10 — AUTHORISATION
API1 — Broken Object Level Auth (Critical)
API3 — Object Property Level Auth (High)
API5 — Broken Function Level Auth (High)
API9 — Improper Inventory Management (Shadow)
02
QUERY ABUSE, INTROSPECTION & BINARY PROTOCOLS
GraphQL & gRPC Security
Protocol-specific testing for modern architectures where flexible queries and binary serialisation introduce unique risk.
GraphQL query abuse — depth attacks, batch amplification, and cost-exhaustion vectors
Introspection leakage — production schema exposure and field enumeration
Resolver-level authorisation — field access gaps and subscription-channel hijacking
gRPC reflection — service discovery, method enumeration, and stream injection
Binary protocol risks — protobuf flaws, HTTP/2 smuggling, and metadata injection
PROTOCOL-SPECIFIC ATTACK SURFACE
GraphQL Depth & Cost Exhaustion (DoS)
Introspection & Schema Leakage (Recon)
gRPC Reflection & Method Discovery (gRPC)
HTTP/2 Smuggling & Stream Injection (H2)
03
OAUTH, JWT, API KEYS & MTLS
Authentication & Token Security
Validates every layer of API authentication — from OAuth grant flows and JWT implementation to key management and mTLS.
OAuth 2.0 & OIDC — grant-flow interception, redirect abuse, and token-exchange weaknesses
JWT security — algorithm confusion, claim tampering, and token lifetime abuse
API key management — leakage vectors, scope binding, and rotation policy gaps
Certificate & mTLS — validation bypass, trust-chain weaknesses, and pinning circumvention
Token lifecycle — refresh rotation, revocation enforcement, and cross-service propagation
API AUTHENTICATION VECTORS
API2 — Broken Authentication (Critical)
JWT Algorithm Confusion & Forgery (JWT)
OAuth 2.0 Grant Flow Exploitation (OAuth)
mTLS & Certificate Validation Bypass (Cert)
04
RATE LIMITING, RESOURCE ABUSE & BUSINESS FLOWS
Business Logic & Abuse Prevention
Expert-driven testing of business flows and resource controls that automated scanners cannot detect.
Sensitive business flows — automated abuse of registration, checkout, and transfer endpoints
Resource consumption — unbounded pagination, retrieval amplification, and compute exhaustion
Rate limiting bypass — throttle evasion, header manipulation, and distributed circumvention
Race conditions — concurrent-request abuse, double-spend, and state-machine bypass
Unsafe API consumption — third-party trust assumptions and upstream data injection
API ABUSE VECTORS
API6 — Unrestricted Sensitive Business Flows (New)
API4 — Unrestricted Resource Consumption (DoS)
API10 — Unsafe Consumption of APIs (New)
Race Conditions & State-Machine Abuse (Logic)
05
EAST-WEST TRAFFIC, CONTAINERS & SERVICE MESH
Microservices & Service Mesh Security
Assesses inter-service communication, container boundaries, and mesh configuration across distributed architectures.
East-west traffic — inter-service authorisation gaps and lateral movement paths
Service mesh validation — policy enforcement, sidecar bypass, and mTLS coverage
Container & orchestration — RBAC, secret exposure, and namespace isolation
API gateway bypass — direct backend access and upstream policy circumvention
Event-driven architectures — broker security, webhook integrity, and async endpoint testing
MICROSERVICES ATTACK SURFACE
East-West Lateral Movement (Lateral)
Service Mesh Policy & mTLS Gaps (Mesh)
API Gateway Bypass & Direct Access (GW)
Event Broker & Webhook Security (Async)
06
NST ASSURE — PTAAS DELIVERY
NST Assure — Standards & Continuous Assurance
Findings mapped to industry frameworks and delivered through NST Assure for collaborative remediation.
OWASP API Top 10:2023 — full coverage across all ten risk categories
OWASP ASVS — API verification across L1, L2, and L3 assurance levels
PCI DSS v4.0.1 — continuous testing aligned to payment-industry mandates
NST Assure platform — real-time reports, trackers, POC artefacts, and revalidation workflows
Continuous assurance — regression validation and posture tracking across releases
NST ASSURE — STANDARDS & DELIVERY
OWASP API Top 10:2023 (Latest)
OWASP ASVS L1 / L2 / L3 (Verify)
PCI DSS v4.0.1 Compliance (PCI)
NST Assure — PTaaS Platform (Delivery)

Our Approach

At NetSentries, we follow a comprehensive approach that combines advanced automated techniques to identify commonly occurring vulnerabilities with expert manual assessment to identify and exploit gaps in the implementation of microservices. As part of the assessment, customised business-logic test cases are prepared based on the context and use case of the applications and their related APIs. This hybrid methodology ensures a thorough assessment of security weaknesses and allows us to provide a detailed report with clear remediation steps and a workflow for remediation management.

Ready to secure your APIs?
Share your requirements — we'll scope an assessment aligned to your API architecture and integration landscape.