Skip to content

Case Study / API security assessment

300+ APIs, one structured assessment

An enterprise survey platform runs its core services across more than 300 APIs spanning multiple microservices. The API estate had grown without a formal security review — sensitive data volume had not. We were engaged to assess the full surface.

Enterprise SaaS platform · 300+ APIs

What we found

Missing role-based access controls

Key endpoints lacked privilege checks, allowing operations that should have been restricted to elevated roles.

Weak input validation

Parameter validation was thin across endpoint groups, creating injection and data-manipulation risk.

Internal API exposure

Frontend JavaScript unintentionally disclosed private endpoints — expanding the reachable attack surface beyond anything documented.

Ungoverned API sprawl

With 300+ endpoints across microservices and no security testing history, no one could say with confidence what was exposed.

How we worked

Complete endpoint discovery

Systematic mapping of all 300+ APIs — documented and undocumented — including relationships and access patterns between services.

OWASP API Security Top 10

Assessment structured against the OWASP API Top 10, covering authorization, authentication, injection, and resource-abuse classes.

Hybrid testing

Manual testing, open-source tooling, and custom scripts — the combination needed to find both misconfigurations and deep logic flaws.

Chained exploit demonstration

Real attack paths shown end to end — e.g., a public API leak escalating into broken authorization — so priorities set themselves.

What changed

  • The client received a prioritized, developer-ready remediation guide with code-level examples.
  • Knowledge-transfer workshops raised the engineering team's API-security baseline.
  • The platform gained its first complete, security-reviewed API inventory.

Client identity is confidential by agreement. Findings are published with the client’s engagement anonymized; we never publish metrics we didn’t measure.

Ready to scope the work?

A 30-minute call with the engineers who will do the testing — not a sales gate.

Book a scoping call