Modern applications usually need both. Confusing the two leads to gaps in coverage that real attackers exploit. This guide explains what each test actually covers, when one is sufficient, and when you need both.
A web application penetration test focuses on what a user (authenticated or unauthenticated) can do through the browser interface. It covers the rendered application: authentication flows, session handling, business logic accessible via the UI, input handling, and client-side controls.
An API penetration test focuses on the machine-to-machine interface. It covers REST, GraphQL, or gRPC endpoints, authentication mechanisms (OAuth, JWT, API keys), authorisation logic, rate limiting, and the data transformations between the request and the underlying systems.
Most modern applications are an SPA front-end calling an API back-end. The web app and the API are different attack surfaces with different vulnerability classes. Testing one does not validate the other.
| Dimension | Web App Pentest | API Pentest |
|---|---|---|
| Primary surface | Rendered application, browser-facing | Endpoints, requests, responses |
| Methodology baseline | OWASP Top 10, OWASP ASVS, WSTG | OWASP API Security Top 10 |
| Common findings | XSS, CSRF, authentication flaws, session issues, client-side controls bypass | BOLA / IDOR, broken authentication, excessive data exposure, mass assignment, rate-limiting flaws |
| Auth model tested | User-facing login, MFA, password reset, session management | API keys, OAuth flows, JWT validation, token scopes |
| Discovery effort | Crawling, link following, form interaction | API spec review, endpoint enumeration, parameter fuzzing |
| Typical duration | 5-15 working days | 5-12 working days |
| Coverage if you only test one | Misses authorisation flaws at API layer | Misses UI-layer logic and client-side controls |
You can scope a single web application pentest only when the application is genuinely a monolith with no separable API layer worth testing independently. This is increasingly rare. Legacy server-rendered apps without exposed APIs sometimes qualify.
You can scope a single API pentest only when there is no front-end to test (a pure B2B API, developer-facing service, or microservice with no human user interface).
A modern SaaS application has a browser front-end (React, Vue, Angular) calling REST or GraphQL endpoints. The front-end is one surface, the API is another. Testing only the front-end misses authorisation flaws that the UI does not expose but an attacker can hit directly with cURL. Testing only the API misses session, CSRF, and client-side issues. Both are needed.
Run them concurrently with the same test team. The understanding of business logic carries between the two surfaces, and tester insight on one informs the other. A single combined engagement is usually 15-25% more efficient than two separate ones.
For compliance (SOC 2, ISO 27001, PCI DSS), a combined report covering both surfaces satisfies auditor requirements more cleanly than two separate reports with overlap and gaps.
For mature engineering teams, pair the pentest with a secure code review of authorisation logic. The combination catches issues that runtime testing alone misses.
We scope web and API pentests as separate but coordinated engagements. Both follow CREST-aligned methodology, tested by the same senior tester where possible to maintain context between the two surfaces.
Where the application is genuinely combined (mobile app + API + admin web), we scope a single multi-surface engagement with one report and one remediation cycle.
Yes, and ideally they should. Context carries between the two surfaces. A flaw visible at the API layer often has a UI counterpart (or vice versa) that two separate testers in two engagements would miss.
Usually yes if your application has both a web UI and an API. Auditors expect testing to cover the surfaces that actually carry risk. A single web app pentest on a modern SPA-plus-API application generally does not satisfy this.
GraphQL is a different beast from REST. Endpoint enumeration matters less, but introspection, query complexity, batching, and field-level authorisation matter much more. We scope GraphQL pentests with GraphQL-specific methodology.
Usually similar to web app pentest of equivalent complexity. APIs with extensive endpoints, complex auth, and many roles can be more time-intensive than the web UI sitting on top.
A 30-minute scoping call covers your specific context and lets us recommend the right approach. We will tell you honestly if our service is not the right fit.
Book a scoping callRelated: API Penetration Testing Services →