API Security · DeepScan Research
API pentest checklist for BOLA, GraphQL, and SaaS authorization
The API testing areas that matter most for multi-tenant SaaS teams preparing for security reviews.
Most serious SaaS API issues are authorization issues. Broken object-level authorization, tenant boundary confusion, weak token scopes, and field-level access failures create attack paths that a generic scanner cannot recognize, because every request is well-formed and the fault lies in who is allowed to make it.
Start with coverage. Pull OpenAPI specs, GraphQL schemas, mobile traffic, frontend calls, background jobs, and admin-only workflows into one endpoint inventory. If a route exists but nobody tests it with multiple roles and tenants, it is a risk.
For REST APIs, test object IDs across accounts, role transitions, deleted users, suspended accounts, invite flows, billing state, and organization switching. For GraphQL, add introspection, batching, depth, query cost, field authorization, and mutation chains.
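To make the GraphQL items concrete, here is an added example (not DeepScan's code) of a request gate a team could run in front of a GraphQL endpoint: it measures selection-set depth, counts root fields so that alias batching and array batching are limited by the same number, and refuses introspection unless explicitly allowed. The brace-scanning parser, the limits, and the sample queries are assumptions constructed for this example; per-field query cost is not modelled.

```python
import re

# Tokens at root level: inline fragment, fragment spread, directive, alias label, name.
_TOKEN = re.compile(r"\.\.\.\s*on\s+\w+|\.\.\.\w+|@\w+|\w+\s*:|\w+")


def _scan(query):
    """Walk the query once: return (max selection-set nesting, root-level text).

    Root-level text is everything inside the operation's own braces but outside
    nested selection sets, argument lists and string literals; the field counter
    tokenises only that text.
    """
    depth = max_depth = paren = 0
    in_string = False
    root_chars = []
    i = 0
    while i < len(query):
        c = query[i]
        if in_string:
            if c == "\\":
                i += 1                       # skip the escaped character
            elif c == '"':
                in_string = False
        elif query.startswith('"""', i):     # block string: jump past it
            end = query.find('"""', i + 3)
            i = len(query) if end < 0 else end + 3
            continue
        elif c == '"':
            in_string = True
        elif c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
        elif c == "(":
            paren += 1
        elif c == ")":
            paren -= 1
        elif depth == 1 and paren == 0:
            root_chars.append(c)
        i += 1
    return max_depth, "".join(root_chars)


def selection_depth(query):
    """Nesting of selection sets beneath the operation root: `{ me { id } }` is 1."""
    max_depth, _ = _scan(query)
    return max(max_depth - 1, 0)


def root_fields(query):
    """Names of the root selection set's fields; alias batching shows up as repeats."""
    _, text = _scan(query)
    names = []
    for tok in _TOKEN.findall(text):
        if tok.startswith("@") or tok.endswith(":"):
            continue                          # directive, or alias label before a field
        names.append(tok.lstrip(". "))        # a fragment spread counts as one field
    return names


def check_request(body, max_depth=5, max_batch=3, allow_introspection=False):
    """Gate one HTTP body: a single operation dict or a JSON array of them.

    Returns (True, "ok") or (False, reason). Array batching and alias batching
    are measured the same way: total root fields across the whole request.
    """
    ops = body if isinstance(body, list) else [body]
    total_fields = 0
    for op in ops:
        query = op.get("query", "")
        d = selection_depth(query)
        if d > max_depth:
            return False, f"selection depth {d} exceeds limit {max_depth}"
        fields = root_fields(query)
        if not allow_introspection and any(f.startswith("__") for f in fields):
            return False, "introspection is disabled"
        total_fields += len(fields)
    if total_fields > max_batch:
        return False, f"{total_fields} root fields exceed batch limit {max_batch}"
    return True, "ok"


# Constructed sample queries (assumptions for the example, not captured traffic).
SIMPLE = "{ me { id name } }"
DEEP = "query { viewer { repositories { nodes { issues { comments { author { login } } } } } } }"
ALIASED = """{
  a: user(id: "1") { email }
  b: user(id: "2") { email }
  c: user(id: "3") { email }
  d: user(id: "4") { email }
}"""
INTROSPECT = "{ __schema { types { name } } }"

if __name__ == "__main__":
    for label, body in [("simple", {"query": SIMPLE}), ("deep", {"query": DEEP}),
                        ("aliased", {"query": ALIASED}), ("introspection", {"query": INTROSPECT}),
                        ("array batch x4", [{"query": SIMPLE}] * 4)]:
        print(f"{label:15} -> {check_request(body)}")
```

Counting root fields rather than HTTP requests is the point of the design: a client that is limited to three operations per request but may alias thirty fields under one operation is not rate-limited at all.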
Evidence matters. A useful API finding should include request and response pairs, the role or token used, the object touched, the business impact, and the expected authorization behavior. Without that, engineering has to rediscover the bug before fixing it.
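The REST checks listed above and the evidence format described here fit naturally into one regression test. The following is an added example, not DeepScan's tooling: an in-memory document API with a vulnerable handler beside a hardened one, a matrix of sessions spanning two tenants, two roles and a suspended account, and an evidence record (request, token, response, object, expected behaviour, impact) for every response that disagrees with the policy oracle. The route, tenants, users and documents are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data for the example (not from any real tenant): two
# organisations, three documents, deliberately guessable integer ids.
DOCUMENTS = {
    101: {"tenant": "acme", "owner": "alice", "title": "Q3 roadmap"},
    102: {"tenant": "acme", "owner": "bob", "title": "Payroll export"},
    201: {"tenant": "globex", "owner": "carol", "title": "Vendor list"},
}


@dataclass(frozen=True)
class Session:
    user: str
    tenant: str
    role: str            # "admin" or "member"
    active: bool = True  # False models a suspended or deleted account


def is_allowed(session, doc):
    """Policy oracle: active session, same tenant, then admin or owner."""
    return (
        session.active
        and doc["tenant"] == session.tenant
        and (session.role == "admin" or doc["owner"] == session.user)
    )


def get_document_vulnerable(session, doc_id):
    """BOLA: the object is looked up by id alone; the session is never consulted."""
    doc = DOCUMENTS.get(doc_id)
    return (200, doc) if doc else (404, None)


def get_document_hardened(session, doc_id):
    """Same route with the policy applied. Cross-tenant misses return 404 rather
    than 403 so the response does not confirm that the id exists elsewhere."""
    if not session.active:
        return (401, None)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["tenant"] != session.tenant:
        return (404, None)
    if not is_allowed(session, doc):
        return (403, None)
    return (200, doc)


def classify(session, doc):
    """Business-impact label for an unexpected 200."""
    if not session.active:
        return "suspended or deleted account retains access"
    if doc["tenant"] != session.tenant:
        return "cross-tenant read (tenant boundary bypass)"
    return "horizontal access to another user's object in the same tenant"


def run_matrix(handler, sessions, doc_ids):
    """Exercise every (session, object) pair and return one evidence record for
    each response that disagrees with the policy oracle."""
    findings = []
    for s in sessions:
        for doc_id in doc_ids:
            doc = DOCUMENTS.get(doc_id)
            allowed = doc is not None and is_allowed(s, doc)
            status, body = handler(s, doc_id)
            if allowed == (status == 200):
                continue                     # behaviour matches policy
            findings.append({
                "request": f"GET /api/v1/documents/{doc_id}",   # hypothetical route
                "token": f"user={s.user} tenant={s.tenant} role={s.role} active={s.active}",
                "response": {"status": status, "body": body},
                "object": None if doc is None else {"id": doc_id, **doc},
                "expected": "200" if allowed else "deny (401/403/404)",
                "impact": classify(s, doc) if status == 200 else "legitimate access denied",
            })
    return findings


SESSIONS = [
    Session("alice", "acme", "member"),
    Session("bob", "acme", "admin"),
    Session("carol", "globex", "member"),
    Session("dave", "acme", "member", active=False),
]
DOC_IDS = [101, 102, 201, 999]   # 999 does not exist

if __name__ == "__main__":
    for name, handler in [("vulnerable", get_document_vulnerable),
                          ("hardened", get_document_hardened)]:
        found = run_matrix(handler, SESSIONS, DOC_IDS)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  ", f["request"], "|", f["token"], "|", f["impact"])
```

The oracle is kept separate from the handler on purpose: the test states what the product rules say should happen, and the handler is judged against that, so a regression in either direction (an unexpected 200 or a legitimate user being denied) produces a record that engineering can reproduce without rediscovering the case.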
DeepScan API agents are designed around these workflows. They map API surfaces, attempt controlled authorization variations, validate exploitability, and package reproducible evidence for remediation and audit review.