Endpoint Discovery & Functional Coverage
- Shadow and zombie API discovery beyond your documented schema
- REST, GraphQL, gRPC, SOAP and WebSockets endpoint enumeration
- OpenAPI / Swagger and Postman collection parsing for full coverage
- Deprecated and undocumented version detection
Authentication, Identity & Access Control
- JWT and OAuth 2.0 validation: token forgery and replay testing
- Session invalidation, refresh-token and logout flow testing
- BOLA (Broken Object Level Authorization) and BFLA exploitation
- Rechteausweitung und Umgehung horizontaler/vertikaler Zugriffskontrollen
Data Security & Business Logic Integrity
- Mass assignment and excessive data exposure testing
- Eingabevalidierung, Injektion und Parametermanipulation
- Business-logic abuse, workflow bypass and race conditions
- Leckage sensibler Daten in Antworten, Fehlermeldungen und Protokollen
Infrastructure, Gateways & Standards Alignment
- Rate-limiting, throttling and resource-exhaustion testing
- Analysen von CORS- und CSP-Fehlkonfigurationen
- Überprüfung der API-Gateway-, WAF- und TLS-Konfiguration
- Alignment with OWASP API Security Top 10 and SANS Top 25