Perform API pen test

Test your applications, methods and systems for vulnerabilities using our API pen testing. NFIR offers professional API pentesting services that can help you secure your applications from outside attacks. How secure are your APIs really? Have it tested by our certified ethical hackers.

Scope examples

During an API pen test, the API can be tested from different perspectives: unauthorized (Black Box) or authorized (Grey Box).

What can you get pentested?

What attack scenarios are possible for API pen testing?

The most common scenario for an API pen test is a combination of Black Box and Grey Box testing. An illustrative example of each scenario is given below. During an intake, the requirements are identified so that an appropriate scenario can be chosen together with the client.


Black Box of the API

Starting from minimal information, the tester builds a picture of the vulnerabilities in the API. This includes checking whether API requests can be made without sending the required authentication. Open source intelligence (OSINT) is used to gather as much information as possible about the API and to discover potential vulnerabilities from that information.


Grey Box of the API

Testing the API from an authorized perspective is at least as important as testing it from an unauthorized one. This scenario mimics the actions of a malicious hacker who has obtained a valid API token, for example through a phishing or social engineering attack. Questions it can answer include: which vulnerabilities are present, and is it possible to request more information than intended or to send API requests that fall outside the rights profile of the token?
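The two questions at the end of the Grey Box scenario (can a valid token read more than it should, and can it call operations outside its rights profile) correspond to the object-level and function-level authorization checks a tester runs with a legitimate, low-privilege token. The following Python is an added illustration written for this page, not NFIR's code or tooling: a toy order API with the vulnerable handlers beside their hardened counterparts, and a small probe that records which boundary crossings a valid token can make. All users, tokens and orders are constructed sample data; the scope names are assumptions.

```python
"""Added example (not NFIR's code): object-level and function-level
authorization on a toy API, vulnerable handler beside the hardened one,
plus a grey-box style probe using a valid low-privilege token.
All tokens, users and orders below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    subject: str        # user the token was issued to
    scopes: frozenset   # rights profile attached to the token


# Constructed sample data (assumed scope names)
ORDERS = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 75.50},
}
TOKENS = {
    "tok-alice": Token("alice", frozenset({"orders:read"})),
    "tok-admin": Token("carol", frozenset({"orders:read", "orders:admin"})),
}


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def authenticate(bearer):
    """Map a bearer token string to its Token, or reject the request."""
    if bearer is None or bearer not in TOKENS:
        raise Unauthorized("missing or invalid token")
    return TOKENS[bearer]


# --- vulnerable handlers: authenticate, but never check the rights profile ---
def get_order_vulnerable(bearer, order_id):
    authenticate(bearer)            # who you are is checked...
    if order_id not in ORDERS:
        raise NotFound
    return ORDERS[order_id]         # ...but not whether this order is yours


def list_all_orders_vulnerable(bearer):
    authenticate(bearer)            # any valid token reaches the admin function
    return dict(ORDERS)


# --- hardened handlers: enforce scope and ownership on every request ---
def require_scope(token, scope):
    if scope not in token.scopes:
        raise Forbidden("token lacks scope " + scope)


def get_order_hardened(bearer, order_id):
    token = authenticate(bearer)
    require_scope(token, "orders:read")
    order = ORDERS.get(order_id)
    # Same 404 for "not yours" as for "does not exist", so the endpoint
    # cannot be used to enumerate other users' order ids.
    if order is None or order["owner"] != token.subject:
        raise NotFound
    return order


def list_all_orders_hardened(bearer):
    token = authenticate(bearer)
    require_scope(token, "orders:admin")
    return dict(ORDERS)


def probe(get_order, list_all):
    """Grey-box style check with alice's valid token: can it read its own
    order, bob's order, the admin listing, and does the API reject no token?
    Returns a dict of which calls were allowed."""
    def allowed(fn, *args):
        try:
            fn(*args)
            return True
        except (Unauthorized, Forbidden, NotFound):
            return False

    return {
        "own_order": allowed(get_order, "tok-alice", 1001),
        "other_users_order": allowed(get_order, "tok-alice", 1002),
        "admin_listing": allowed(list_all, "tok-alice"),
        "no_token": allowed(get_order, None, 1001),
    }


if __name__ == "__main__":
    print("vulnerable:", probe(get_order_vulnerable, list_all_orders_vulnerable))
    print("hardened:  ", probe(get_order_hardened, list_all_orders_hardened))
```

Run stand-alone, the probe reports that the vulnerable handlers let alice's token read bob's order and call the admin listing, while the hardened handlers allow only her own order. The design point is that authentication alone is never sufficient: every handler must check the token's scope and, for object lookups, the ownership of the object, and should answer "not yours" and "does not exist" identically.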


White Box of the API

In this attack perspective, the pentester has not only full information about how the API works and valid login credentials, but also the source code of the API. This makes the pen test more efficient and also allows the software dependencies in use to be checked for vulnerabilities.

NFIR and International Standards

NFIR uses the OWASP Web Security Testing Guide (WSTG) and the OWASP API Security Top 10 for pen testing APIs. These standards guarantee that the pen test is carried out completely and according to recognised methodology. We consider it important to be as transparent as possible about how the pen test was executed. For this reason, we add a checklist for the applicable pen testing standards to the report, so you can see which checks were performed, which could not be performed and which, if any, were not applicable.

What clients have to say


Pen tests

Among other things, NFIR assisted VWS in pen testing the various digital assets being developed as part of the pandemic response. CoronaMelder, for example. This was carried out satisfactorily and in pleasant partnership. The results were also shared with the House of Representatives.
Ron Roozendaal, CISO, Ministry of Health, Welfare and Sport

Digital Forensics & Pentesting

When an incident occurred, we were looking for a partner who could perform digital forensics for us and advise us on how to proceed. We ended up with NFIR. The expertise and thoughtfulness made us also have our pentests performed by NFIR. We welcome the way NFIR is going about this and helping us make and keep our digital environments more secure with their advice.
André Poot, Policy advisor ICT & Education, Willem van Oranje Onderwijsgroep

Security Monitoring & Pentesting

Countering cybercrime is obviously not something you can do alone. That is why we partnered with cyber security specialist NFIR. We started with a very meaningful pentest. We now purchase almost all security services from NFIR to our great satisfaction. We recently launched Security Monitoring. It gives a sense of security because there is a structured, proactive and broad look at our systems. We cannot gather this knowledge and experience ourselves. It also keeps us on our toes, as the service provides insights we don’t think of ourselves. With NFIR as a partner, we remain at the forefront.
Rob Hordijk, Operations Manager, Royal Hordijk

Sample API Pen Testing Report


A sample report (NL/EN) of a grey box web application pen test is available. In this report, a pen test was performed on a fictitious environment, revealing vulnerabilities. Request a sample report of an API pen test here.

Pen tests

Please leave your information so a professional can call you back as soon as possible.


Which systems can you have tested by NFIR’s experts?

Among other things, our ethical hackers check the technical resilience of (web) applications, websites, IT and OT infrastructures, API links and mobile apps. If you have another area that you would like us to check, we would be happy to discuss it with you.

Pentesting & security audits to test your digital resilience

Mobile application pen testing


Operational Technology (OT) Pen Testing

SECURITY INCIDENT AT YOUR ORGANIZATION?

The next 30 minutes are crucial!

The first 30 minutes after a cyber security incident are crucial, because a quick and adequate response can limit the damage. In addition, further spread of the attack can be prevented and essential evidence can be secured for further investigation.

Our Computer Emergency Response Team (CERT) is available 24/7 to support businesses and organizations during IT security incidents.

NATO summit, NFIR incident response availability

Because of the increased risk of disruptions to mobile network traffic during the NATO summit, NFIR has an alternative telephone number for the period from 20 June up to and including 26 June in case the regular IR number is not reachable: +31 6 3928 3344. You can call this number via WhatsApp, or via Signal after you have sent a message.

Does your company need professional help with a security incident?