Veyra Security

Gray-Box API Penetration Test.

Authenticated assessment of a REST or GraphQL API against the OWASP API Security Top 10, driven by the documentation you provide. Every documented role is covered, and object-level access is checked across roles.

§ 01 — Scope

What it covers.

  01. Authentication and session handling across every documented role.

  02. Object-level and function-level authorization, including IDOR and broken role boundaries.

  03. Input validation, mass assignment, and injection paths.

  04. Rate-limiting, throttling, and abuse resistance on enumerated endpoints.

  05. Webhook authenticity, signature verification, and replay protection where webhooks are in scope.

  06. Misconfiguration of the gateway, transport, and CORS where applicable.
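The webhook item above is the one scope area with a single, well-defined correct implementation, so here is what the assessor probes and what passes. This is an added illustration, not Veyra's tooling or a client's code. It assumes a sender and receiver sharing a static secret and two headers, a Unix-seconds timestamp and a hex HMAC-SHA256 signature; the secret, header names and payload are constructed for the example. The weak receiver signs only the body, so a captured delivery replays indefinitely; the hardened receiver binds the timestamp into the MAC, compares in constant time, enforces a freshness window and remembers signatures seen inside that window.

```python
import hashlib
import hmac

# Assumed for this example (not part of the page): the sender shares a static
# secret with the receiver and sends an X-Timestamp header (Unix seconds) and an
# X-Signature header (hex HMAC-SHA256). The secret and payload are constructed.
SECRET = b"constructed-shared-secret"
TOLERANCE_SECONDS = 300  # freshness window; set it from the provider's documented clock skew


def sign(body: bytes, timestamp: int, secret: bytes = SECRET) -> str:
    """Signature a well-designed sender emits: HMAC-SHA256 over '<timestamp>.<body>',
    so neither the body nor the timestamp can change without breaking the MAC."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def weak_sign(body: bytes, secret: bytes = SECRET) -> str:
    """Sender that MACs only the body (the pattern the assessment reports)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def weak_verify(body: bytes, signature: str, secret: bytes = SECRET) -> bool:
    """Receiver that checks only body authenticity: a captured delivery replays
    forever, and the '==' comparison is not constant time."""
    return weak_sign(body, secret) == signature


class ReplayProtectedVerifier:
    """Receiver-side check: freshness window, constant-time comparison, and a
    seen-signature cache so an identical delivery is accepted exactly once."""

    def __init__(self, secret: bytes = SECRET, tolerance: int = TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        self.seen: dict = {}  # signature -> timestamp; pruned to the freshness window

    def verify(self, body: bytes, timestamp: int, signature: str, now: int):
        """Return (accepted, reason). `now` is injected so the checks are deterministic."""
        # 1. Freshness: outside the window the delivery is rejected before any MAC work.
        if abs(now - timestamp) > self.tolerance:
            return False, "stale timestamp"
        # 2. Authenticity, compared in constant time.
        expected = sign(body, timestamp, self.secret)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # 3. Replay: the cache only needs signatures still inside the window,
        #    because anything older already fails step 1.
        cutoff = now - self.tolerance
        self.seen = {s: t for s, t in self.seen.items() if t >= cutoff}
        if signature in self.seen:
            return False, "replay"
        self.seen[signature] = timestamp
        return True, "ok"


def demonstrate() -> dict:
    """Exercise both receivers with the deliveries an assessor would send."""
    body = b'{"event":"payment.settled","id":"evt_0001","amount":1000}'  # constructed payload
    t0 = 1_700_000_000
    sig = sign(body, t0)
    v = ReplayProtectedVerifier()
    weak_sig = weak_sign(body)
    return {
        "first_delivery": v.verify(body, t0, sig, now=t0 + 5)[1],
        "replayed_delivery": v.verify(body, t0, sig, now=t0 + 60)[1],
        "tampered_body": v.verify(body.replace(b"1000", b"9999"), t0, sig, now=t0 + 5)[1],
        "stale_delivery": v.verify(body, t0, sig, now=t0 + TOLERANCE_SECONDS + 1)[1],
        # The weak receiver accepts the same capture on every replay, at any time.
        "weak_accepts_replay": weak_verify(body, weak_sig) and weak_verify(body, weak_sig),
    }


if __name__ == "__main__":
    for check, outcome in demonstrate().items():
        print(f"{check:22} {outcome}")
```

Each key in `demonstrate()` maps to a test the assessor runs: deliver once, replay the capture, tamper with the body under the original signature, and deliver after the window. A receiver that answers anything other than ok, replay, bad signature, stale timestamp in that order, or that accepts the capture on the second delivery as the weak receiver does, is the finding.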

§ 02 — Inputs

What we need from you.

  01. Per-role test credentials covering each authorization tier in the API.

  02. OpenAPI / GraphQL schema, Postman collection, or equivalent endpoint inventory.

  03. Architecture context: hosting, gateway, authentication provider, and any shared services.

  04. A signed Authorization to Test, in place before any traffic is sent.

  05. Stakeholder contact for emergency-stop and credential rotation.

§ 03 — Operating method

How it runs.

  01. Pre-engagement intake captures scope, environments, and emergency-stop rules.

  02. Mutual non-disclosure agreement is signed before any sensitive scope detail is exchanged.

  03. Statement of Work, Authorization to Test, and Rules of Engagement are countersigned.

  04. Active testing runs against the environment named in the agreed scope, non-production or production.

  05. Findings are validated manually before any severity is assigned.

  06. Report is reviewed against a defensibility checklist before delivery.

  07. Remediation verification (retest) is offered as a separate engagement.

§ 04 — Deliverable

What the deliverable is.

  01. Executive summary describing scope, methodology, and the disposition of findings.

  02. Per-finding write-up with reproduction steps, evidence, severity, and specific remediation guidance.

  03. Manifest of tools, queries, and scripts used during testing, with version stamps.

  04. Evidence pack suitable for marketplace and vendor-questionnaire review when applicable.

  05. Retest letter format provided in advance so remediation work can target it.

§ 05 — Defensibility

What Veyra will not claim.

  01. We will not say the API is secure. We will say what was tested, what was found, and what was verified after remediation.

  02. We will not claim accreditation we do not hold. Reviewer independence is described accurately when an independent reviewer is engaged.

  03. We will not include findings without reproducible evidence.

Next step

Read a redacted sample report, or describe the system you want assessed.

Engagement requests receive a reply from a named assessor within one business day.