When you start shopping for a penetration test, you will encounter two distinct service offerings: web application pentesting and API pentesting. Some providers treat them as the same thing. They are not. Understanding the difference determines whether your security investment covers the right attack surface or leaves critical gaps.
This guide explains what each type of test covers, where they overlap, where they differ, and how to determine which one, or which combination, your organization actually needs.
What a web application pentest covers
A web application penetration test evaluates the security of a user-facing web application in its entirety. The tester interacts with the application the way a user would, through a browser, and tests everything from the login page to the deepest functionality available to each user role.
The scope of a web app pentest includes:
- Frontend security: Cross-site scripting (XSS), DOM manipulation, client-side storage, content security policy, and clickjacking.
- Authentication flows: Login, registration, password reset, account lockout, session management, and multi-factor authentication.
- Authorization and access control: Role-based access testing, privilege escalation, and horizontal access control (accessing other users' data).
- Server-side vulnerabilities: SQL injection, server-side request forgery, file upload flaws, and command injection.
- Business logic: Workflow bypass, price manipulation, feature abuse, and race conditions.
- Configuration: Security headers, error handling, information disclosure, and transport security.
A web app pentest typically follows the OWASP Testing Guide methodology and covers the OWASP Top 10 vulnerability categories. The tester uses both automated scanning tools and manual techniques, with the manual work focused on the logic and authorization flaws that tools cannot find.
What an API pentest covers
An API penetration test evaluates the security of your API endpoints directly, without going through a frontend interface. The tester sends requests to your API using tools like Burp Suite, Postman, or custom scripts, testing each endpoint for the full range of API-specific vulnerabilities.
The scope of an API pentest includes:
- OWASP API Top 10 coverage: BOLA, broken authentication, broken object property level authorization, unrestricted resource consumption, broken function level authorization, SSRF, security misconfiguration, improper inventory management, and unsafe API consumption.
- Endpoint-level authorization: Testing every endpoint against every user role, including endpoints the frontend never calls.
- Rate limiting and resource controls: Verifying that the API enforces limits on request frequency, response size, and query complexity.
- Input validation: Testing all parameters for injection flaws, type confusion, boundary conditions, and unexpected input handling.
- API versioning: Checking for old API versions that remain accessible and may have weaker security controls.
- GraphQL-specific testing: Introspection, query depth attacks, batching abuse, and resolver authorization (if applicable).
- Documentation and schema exposure: Checking for exposed Swagger/OpenAPI specs, debug endpoints, and verbose error responses.
Where they overlap and where they diverge
| Testing Area | Web App Pentest | API Pentest |
|---|---|---|
| Frontend security (XSS, CSRF) | Full coverage | Not applicable |
| Authentication testing | Via browser flows | Direct token/key testing |
| Authorization testing | Through UI actions | Endpoint-level, every role |
| Business logic | User workflow focused | API operation focused |
| Rate limiting | Basic checks | Comprehensive per-endpoint |
| Hidden endpoints | Limited to browser traffic | Full endpoint discovery |
| GraphQL testing | Surface level | Deep query-level testing |
| Injection testing | Through form inputs | Through all parameter types |
The key difference is depth versus breadth. A web app pentest covers the full application experience but tests the API only as far as the frontend exercises it. An API pentest goes deeper into the API layer but does not test frontend-specific vulnerabilities. A web app pentest might test 60% of your API endpoints because those are the ones the frontend calls. An API pentest tests 100% of your endpoints, including the ones nobody is supposed to know about.
The hidden endpoint problem: In most SaaS applications we test, 15-30% of API endpoints are not called by the current frontend. These include legacy endpoints, admin functions, internal tools, and endpoints from previous versions. They are still accessible and often less secured than the endpoints the frontend uses. Only an API-focused pentest finds these.
Which one do you need?
The answer depends on your architecture and your risk profile. Here is a decision framework.
You need a web app pentest if:
- Your application is primarily server-rendered with forms and page navigation
- You have a simple API that only your own frontend consumes
- Frontend security (XSS, CSRF, clickjacking) is a significant concern
- You are early stage and need a single comprehensive assessment
You need an API pentest if:
- You offer a public API that third parties consume
- Your application is API-first with a decoupled frontend (React, Vue, Angular)
- You have a mobile app that communicates with your API
- You process sensitive data through API endpoints
- You use GraphQL
You need both if:
- You are a SaaS company with a web application and a public API
- You have multiple client applications (web, mobile, partner integrations) consuming the same API
- Your compliance framework requires testing of both the application and the API
- You are preparing for enterprise sales where security due diligence is thorough
Most modern SaaS companies need both. The good news is that a combined engagement is more efficient than two separate ones because the testing team develops a deep understanding of the application that applies to both the web and API assessments.
How Lorikeet Security handles combined engagements
At Lorikeet Security, our standard web application penetration test includes API testing as part of the engagement scope. We do not treat the API as separate from the application because, in practice, the API is the application.
For companies with a public API or a complex API surface that warrants dedicated testing, we offer standalone API assessments that go deeper into endpoint-level security, rate limiting, and API-specific vulnerability categories.
Our combined web and API assessments start at $12,000 and include full OWASP Top 10 and API Top 10 coverage, authorization matrix testing across all roles and endpoints, retesting of critical and high findings, and remediation support.
Not Sure Which Test You Need?
Tell us about your application and we will recommend the right scope. No sales pitch, just honest guidance on what will actually protect your business.
