What this is
A manual penetration test of your API layer: REST, GraphQL, and the backends behind your mobile apps, USSD gateways, and partner integrations. The attack surface is the API contract, not the user interface, so we test the full endpoint inventory with multiple roles rather than clicking through screens. API testing is also available as one track inside a wider engagement: see our penetration testing service for the full web, network, mobile, and cloud scope.
Methodology
Testing follows the OWASP API Security Top 10 (2023), executed by hand and anchored in how payment APIs actually fail:
- Inventory and recon: undocumented, versioned, and forgotten endpoints; the improper-inventory problem (API9:2023) that keeps deprecated API versions exploitable long after the current one is fixed
- Authorization matrix: every endpoint crossed with every role and with foreign object IDs to surface broken object-level authorization (BOLA, API1), broken function-level authorization (API5), and mass assignment of object properties (API3)
- Authentication and session handling (API2): JWT signature and claim validation, token replay and revocation, refresh-flow weaknesses, and OTP and PIN verification logic
- Rate limiting and abuse (API4, API6): brute-force resistance where it matters (login, OTP, PIN), user and account enumeration, and abuse of sensitive business flows such as transfers and onboarding
- Business logic: transaction tampering, negative and boundary amounts, race conditions on balance-changing operations, and signature and callback validation in open-banking integrations
Every finding is demonstrated with reproducible proof-of-concept requests, not flagged from a scanner signature. For the vulnerability classes we encounter most in this region, read our field notes on API vulnerabilities in banking systems and mobile money security testing.
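As an added illustration of the authorization-matrix step above (example code written for this page, not tooling from the engagement), the harness below crosses every caller with every object ID and flags each response that disagrees with the intended access policy. It runs offline against two constructed in-memory handlers, one with the classic BOLA defect and one fixed; the account IDs, bearer tokens, roles and handler names are all hypothetical. Against a real target the handler would be a function that issues the HTTP request and returns the status code.

```python
"""Authorization-matrix harness for BOLA (hypothetical fixture, runs offline)."""
import itertools
from dataclasses import dataclass

# Constructed fixture: two accounts owned by two different customers.
ACCOUNTS = {
    "acc-1001": {"owner": "alice", "balance": 25000},
    "acc-1002": {"owner": "bob", "balance": 9000},
}

# Constructed bearer tokens -> (principal, role). "support" may read any account.
TOKENS = {
    "tok-alice": ("alice", "customer"),
    "tok-bob": ("bob", "customer"),
    "tok-ops": ("ops1", "support"),
}


def vulnerable_get_account(token, account_id):
    """Authenticates the caller but never checks ownership: BOLA (API1)."""
    if token not in TOKENS:
        return 401, None
    acc = ACCOUNTS.get(account_id)
    if acc is None:
        return 404, None
    return 200, acc


def fixed_get_account(token, account_id):
    """Same endpoint with the object-level check the vulnerable version lacks."""
    principal, role = TOKENS.get(token, (None, None))
    if principal is None:
        return 401, None
    acc = ACCOUNTS.get(account_id)
    # Missing and foreign objects both get 404 so the endpoint does not
    # double as an account-ID enumeration oracle.
    if acc is None or (role != "support" and acc["owner"] != principal):
        return 404, None
    return 200, acc


@dataclass(frozen=True)
class Finding:
    token: str
    account_id: str
    status: int
    expected_allowed: bool


def expected_access(token, account_id):
    """Intended policy: owners and support staff may read an account."""
    principal, role = TOKENS[token]
    return role == "support" or ACCOUNTS[account_id]["owner"] == principal


def run_matrix(handler):
    """Cross every token with every object ID; keep cells where observed
    access disagrees with the intended policy, in either direction."""
    findings = []
    for token, account_id in itertools.product(TOKENS, ACCOUNTS):
        status, _ = handler(token, account_id)
        allowed = status == 200
        want = expected_access(token, account_id)
        if allowed != want:
            findings.append(Finding(token, account_id, status, want))
    return findings


def bola_findings(handler):
    """Only the unauthorized successes: each one is a reproducible PoC request."""
    return [f for f in run_matrix(handler) if not f.expected_allowed]


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_account),
                          ("fixed", fixed_get_account)):
        for f in bola_findings(handler):
            print(f"{name}: {f.token} read {f.account_id} -> {f.status} (BOLA)")
```

The matrix also reports the opposite mismatch (an owner who is wrongly denied), which is how a remediation that over-corrects gets caught on retest. Returning 404 rather than 403 for foreign objects is a design choice: it closes the enumeration side channel at the cost of a less informative error for legitimate integrators.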
Who this is for
- Fintechs and payment service providers: wallet platforms, payment switches, and the merchant and aggregator APIs partners build on
- Mobile-money operators: USSD gateway backends, agent-network endpoints, and the PIN-gated transaction flows that carry the float
- Banks and lenders exposing APIs: open-banking interfaces, third-party integrations, and mobile-banking backends
The engagement also supplies the technical evidence regulatory frameworks require. For BNR-supervised institutions in Rwanda, see our BNR-compliant penetration testing service. Testing is led by an OSCP-credentialled practitioner whose engagement history spans a Tier-1 Nordic bank red team, a pan-African banking group, and a top-5 South African bank.
Deliverables
- Evidence-led report: executive summary, technical findings mapped to OWASP API Security Top 10 categories, proof-of-concept requests and responses, and CVSS v3.1 ratings
- Prioritised remediation guidance: concrete fixes at the code, gateway, and configuration level, ordered by exploitability and business impact
- Live debrief: a walkthrough with your engineering team so findings are understood, not just received
- Free retest: verification of remediated findings with a clean retest report for your auditor, partner bank, or regulator
Frequently asked questions
What does an API penetration test cover?
How is API testing different from a web application test?
Do you test mobile-money and USSD platform APIs?
What access do you need to test our API?
Will testing disrupt our production API?
How much does an API penetration test cost?
For the full scope of our manual testing across web, network, mobile, API, and cloud, see our penetration testing service. For what we find in the field, read the API vulnerabilities we find in banking systems and mobile money security testing: MoMo, M-Pesa and USSD.
Shipping or integrating a payment API?
Tell us your endpoint count, roles, and timeline. We reply within 24 hours, and a scoped proposal follows within 48 hours of the scoping call.