API Penetration Testing
The security of API services is an often-ignored aspect of application security. Since they aren’t exposed in an application’s normal user interface, developers often pay less attention to their security and very often unknowingly expose sensitive information and functionality. The backend deserves the same amount of security attention as frontend applications. Thoroughly testing the security of web services requires a substantial amount of skill combined with a rigorous methodology.
Mudbrix Consultancy helps businesses prevent security vulnerabilities through penetration testing, hybrid security analysis, runtime error detection, and execution of complex authentication, encryption, and access control test scenarios.
Our Approach
Preparation – We verify that we have received the following information from the customer in preparation for the penetration test.
- Web service name
- Brief description of the web service and its purpose
- Documentation for how to use the web service API
- Endpoint URL(s) for testing the web service
- Description of each web method available, with valid sample input data for each web method
- WSDL or WADL if available
- Credentials for each level of access to the web service, including client SSL certificates if required
- (optionally) Server-side source code for the web service
- Time windows for when the automated scanning portion of the penetration test can be run without risk of disrupting other users of the web service.
Exploration – Our pen testers manually explore the web service to verify that all methods can be labelled successfully. This gives us a better understanding of the functionality and sensitivity of the web service. Baseline requests are created for each transaction.
Automated Vulnerability Scanning – Top-quality commercial vulnerability scanning tools are used to thoroughly scan the web service. This scanning process includes an authenticated application-level scan as well as an infrastructure-level scan. Custom scripts are written if needed to supplement the scan (for example, to dynamically add a digital signature to each request).
Manual Penetration Testing – The web service is manually tested by experienced web application security professionals using our systematic testing process. This manual testing process covers all major aspects of web application security that would apply to a web service, including:
- Authentication
- Authorization
- Session Management (if applicable)
- Input Validation / Output Encoding
- Configuration
- Sensitive Data Handling
- Logical Vulnerability Checks
- Parameter fuzzing
- SQL injections
- Username harvesting
- XPath injections
- Cross-site scripting
- XML bombs
- External entities
- Schema invalid XML
- Large XML document
- Malformed XML
Report Preparation – Our experts document the results of all scanning, manual testing and (optionally) code review in a consolidated report, detailing every vulnerability uncovered during the testing process along with its severity level and recommendations on how to remediate it.
Debriefing – We present all findings to executives and key stakeholders, and provide remediation advice.
What you get
- An actionable, custom-written Web Service Security Assessment Report, which describes the web service’s security posture and lists all vulnerabilities identified. For each vulnerability, we provide a custom risk rating and remediation advice that is tailored to your specific business and technical situation.
- Expert consultation throughout the remediation phase.
- We often conduct two rounds of remediation testing within 6 months of the initial security assessment. This ensures that all issues are effectively remediated.