A vulnerability in an application programming interface (API) can be just as grave as a vulnerability found in any other system and can have the same potential, depending on the circumstances, to be company-ending. In short, API testing validates the security of your methods and corresponding data. We work to ensure the functionality of the business logic remains intact and that data is safely transferred from web applications or mobile applications to other systems or databases.

Because APIs are included in almost all web and mobile applications, it is critical that API penetration testing be included in your security testing plan. From the development lifecycle to patching known API vulnerabilities, focusing your testing on both web application security and API security will reduce the likelihood that an attacker will exfiltrate data and compromise your application. Building regular web API updates and frequent testing into your workflow will help ensure dependable performance and prevent the build-up of costly remediation.

APIs often come with well-documented information about their implementation and internal structure, making them ideal targets for a would-be attacker. Regardless of the approach used to implement an API (SOAP, REST), the additional variables an API introduces make it vulnerable. Authentication, encryption, and business logic should all be tested.

The Secur API Penetration Test Solution

For each type of API endpoint, our security experts will fully review any documentation and examine all the requests, headers, and parameters. We will also consider your industry and gather additional information about infrastructure and the full software stack. While malicious actors are able to determine these details with enough time and energy, we request this level of detail about your environment and source code because the more we know about your API methods, the better value we are able to give you on your API security testing engagement. A malicious actor will dedicate time to answering questions like, “What is the tech stack in use?” before answering questions like, “How could a failure of this system serve (my) malicious ends?”

If we are performing authenticated testing, we might ask for some of the parameter values to validate that each request returns the expected status. Once each request returns the expected response, we consider loading the request set into a tool to perform limited automated tests.

As with all our penetration testing services, Secur’s approach to API pen testing consists of about 80% manual testing and about 20% automated testing. While automated testing adds efficiency, it does so only during the initial phases of a penetration test. At Secur, it is our belief that an effective and comprehensive penetration test can only be realized through rigorous manual testing techniques.

Using this approach, our comprehensive testing techniques cover the classes of vulnerabilities in the Open Web Application Security Project (OWASP) Top 10 2017 and beyond:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

In addition to the OWASP Top 10 recommendations, Secur penetration testers will attempt to bypass the authentication methods, which often rely on APIs, and will examine general API security misconfigurations and other known security vulnerabilities.

Remediation Re-testing

Secur offers free retesting of all remediated vulnerabilities for our web application testing services and API penetration testing services. Our goal is not only to identify and exploit vulnerabilities but also to help ensure they are fixed.

Deliverables

Our comprehensive API pen testing services will help you ensure that your API endpoints are designed and configured according to best practices. Our report will provide an analysis of the current functionality of your API endpoints to ensure they are safely supporting your web application or mobile application. Through this type of security testing, you will readily see how API endpoint vulnerabilities can impact your business, including specific detail on how the Confidentiality, Integrity, and Availability of your systems could be affected. The results of our security testing will help you prioritize which vulnerabilities to consider for immediate remediation and how best to use your budget to maximize strength and resilience in your cybersecurity posture.

As always, following the delivery of the report, RedTeam is available to answer any questions you may have about how findings were exploited and options for actionable remediation strategies.