We are often asked to test clients' APIs, and the demand doesn't seem to be slowing. As more and more applications need to “talk” to other applications, APIs have become a major attack vector for shady characters, and the need for extensive testing is paramount. Whether you're looking at how to pentest an API, how to discover Node.js API structures, or how to pentest REST APIs, we hope that you find this information helpful.
Why Get an API Penetration Test?
You should use an expert application programming interface (API) penetration tester to help your application security professionals identify and prioritize cyber security threats. You can do this without stressing your budget or having to become a specialized security expert yourself.
These testers can supplement your existing security efforts, so you can determine and safely identify a quantifiable level of threat. They can help you navigate and resolve vulnerabilities and gaps, and comply with local, state, and federal regulatory requirements.
Enhanced Clarity & Significantly Improved Security
All of this comes at a reasonable price that allows you to leverage our best practices, technical expertise, and scalable infrastructure.
API Pentest Service Levels
APIs are generally tested in conjunction with networks, applications, IoT devices, ICS/SCADA, databases, mobile, Wi-Fi, web services, and almost anything else you may need tested. Additionally, you can test as heavy or as light as you prefer. Typical testing levels include:
Level 0: Vulnerability Scan
Level 1: Vulnerability Assessment
Level 2: Penetration Test (default)
Level 3: Expanded Pentest
API Pentest Phases
API Reconnaissance Phase
Represents the information gathering and enumeration phase of an attack
Data is collected passively from applications through automated and manual means
Application functionality is determined and documented through a combination of call submissions, sample project package (Postman, SOAP, etc.) analysis, and WS/API documentation reviews
Key parameters are documented and noted for exposure / further follow-on
Web service application traffic is passed through a proxy and interrogated for further detail
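The sample-package analysis described above (Postman collections and the like) is largely a matter of pulling every request, path and parameter name out of a JSON file so they can be documented and tracked. The following is an added example, not code from the original page or from Emagined's own toolset, of such an inventory pass over a constructed collection in the Postman v2.1 shape (folders nest under "item", each request carries "method", "url" and optionally "body"); the collection contents, host name and endpoint names are all invented for the example.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed Postman collection (v2.1 layout) standing in for a client's
# sample package. Hostname and endpoints are invented for this example.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "notes-api",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "item": [
        {"name": "List notes", "request": {
            "method": "GET",
            "url": {"raw": "https://api.example.test/v1/notes?page=1&limit=20",
                    "query": [{"key": "page", "value": "1"},
                              {"key": "limit", "value": "20"}]}}},
        {"name": "Notes", "item": [  # a folder: requests nest one level down
            {"name": "Create note", "request": {
                "method": "POST",
                "header": [{"key": "Content-Type", "value": "application/json"}],
                "url": {"raw": "https://api.example.test/v1/notes"},
                "body": {"mode": "raw",
                         "raw": "{\"title\": \"t\", \"body\": \"b\", \"owner_id\": 7}"}}},
            # Postman also allows the request to be a bare URL string
            {"name": "Get note", "request": "https://api.example.test/v1/notes/101"},
        ]},
    ],
})


def _walk(items):
    """Yield every request-bearing item, descending into folders."""
    for item in items:
        if "item" in item:
            yield from _walk(item["item"])
        elif "request" in item:
            yield item


def _normalize_request(request):
    """A request may be a plain URL string; turn it into the object form."""
    if isinstance(request, str):
        return {"method": "GET", "url": request}
    return request


def _raw_url(request):
    url = request.get("url", "")
    return url if isinstance(url, str) else url.get("raw", "")


def _body_keys(request):
    """Top-level JSON keys of a raw body, or [] when the body is not a JSON object."""
    body = request.get("body") or {}
    if body.get("mode") != "raw":
        return []
    try:
        parsed = json.loads(body.get("raw", ""))
    except json.JSONDecodeError:
        return []
    return sorted(parsed) if isinstance(parsed, dict) else []


def enumerate_endpoints(collection_json: str):
    """Return one row per request: method, path, query parameter names, body keys.

    This is the inventory a tester (or the API owner) documents before deciding
    which parameters need authorization, validation and rate-limit review.
    """
    collection = json.loads(collection_json)
    rows = []
    for item in _walk(collection.get("item", [])):
        req = _normalize_request(item["request"])
        parts = urlsplit(_raw_url(req))
        query_keys = sorted({key for key, _ in parse_qsl(parts.query)})
        rows.append({
            "method": req.get("method", "GET").upper(),
            "path": parts.path,
            "query": query_keys,
            "body": _body_keys(req),
        })
    return rows


if __name__ == "__main__":
    for row in enumerate_endpoints(SAMPLE_COLLECTION):
        print(f"{row['method']:<6} {row['path']:<20} query={row['query']} body={row['body']}")
```

The output is a flat list of method, path and parameter names, which is exactly the artefact the reconnaissance phase produces for the later phases: every body key and query key here is a candidate for the input-validation, tampering and authorization checks listed further down.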
API Verification Phase
Represents the vulnerability identification and validation phase of an attack
Key components of the web services application are tested (including active fuzzing) for vulnerabilities and exposures. These include:
Authentication, Authorization & Roles (Privileges and Permissions)
Data Input Validation, Handling & Processing
Encryption & Sequencing
Business Logic, Source Code & Parameter Manipulation
Includes automated and manual identification
Culminates with validation of vulnerabilities that can or may be exploited
API Exploitation Phase
Represents the exploitation and compromising phase of an attack
Leverages vulnerabilities identified in the earlier phase(s) to successfully penetrate security controls
Includes mostly manual attacks with semi-automated support
Concludes with tester gaining access to web services application data and/or permissions (access) not previously available to the tester
In some cases, exploitation of web services may not be possible given the security controls present, the complexity of the attack (undocumented, or not enough documentation/context), and the time allotment for testing
Comprehensive API Penetration Testing (Sample)
Fuzzing
Identification, Authentication & Authorization
Encryption / SSL and data security (in-flight, at-rest)
Other communication protection mechanisms (freshness)
Web service chains
Parameter tampering
Schema validation
Content validation
Output encoding
Malicious code / Virus protection
Command / Client-side injection (XSS, CSRF, HTML, XPath, XXE, etc.) – particularly for upstream or downstream consumers
Message size
DoS protection and availability
Business logic errors
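Several items in the list above (identification, authentication and authorization; parameter tampering; schema validation; content validation; output encoding; message size) have a direct counterpart in the request-handling code a tester is probing. The following is an added example of what a handler that passes those checks looks like, written for this page rather than taken from it or from any client's API: a hypothetical "create note" and "read note" endpoint with a constructed schema, a constructed size limit and an in-memory owner table standing in for a database. Each check maps to one of the bullets so the reader can see what a tester is looking for when it is absent.

```python
import html
import json

# Constructed limits and schema for a hypothetical "notes" API (assumptions).
MAX_BODY_BYTES = 4096            # message size: reject oversized bodies before parsing
NOTE_SCHEMA = {                  # schema validation: type, length and required-ness per field
    "title": {"type": str, "max_len": 120, "required": True},
    "body": {"type": str, "max_len": 2000, "required": True},
    "owner_id": {"type": int, "required": True},
}
NOTES = {101: 7, 102: 9}         # constructed store: note id -> owner id


class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def check_message_size(raw_body: bytes) -> None:
    if len(raw_body) > MAX_BODY_BYTES:
        raise ApiError(413, "request body too large")


def check_content_type(headers: dict) -> None:
    # Content validation: only accept the media type the endpoint is written for.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        raise ApiError(415, "expected application/json")


def validate_schema(payload, schema: dict) -> dict:
    if not isinstance(payload, dict):
        raise ApiError(400, "JSON object expected")
    unknown = set(payload) - set(schema)
    if unknown:  # mass-assignment / parameter tampering: unknown fields are rejected, not ignored
        raise ApiError(400, f"unexpected fields: {sorted(unknown)}")
    for name, rule in schema.items():
        if name not in payload:
            if rule.get("required"):
                raise ApiError(400, f"missing field: {name}")
            continue
        value = payload[name]
        # bool is a subclass of int in Python, so it is excluded explicitly
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            raise ApiError(400, f"wrong type for {name}")
        if isinstance(value, str) and len(value) > rule["max_len"]:
            raise ApiError(400, f"{name} exceeds {rule['max_len']} characters")
    return payload


def check_object_authorization(authenticated_user: int, note_id: int) -> None:
    # Authorization: the caller may only read objects they own.
    owner = NOTES.get(note_id)
    if owner is None:
        raise ApiError(404, "not found")
    if owner != authenticated_user:
        raise ApiError(403, "forbidden")


def handle_create_note(headers: dict, raw_body: bytes, authenticated_user: int) -> dict:
    check_message_size(raw_body)
    check_content_type(headers)
    try:
        payload = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        raise ApiError(400, "malformed JSON") from None
    note = validate_schema(payload, NOTE_SCHEMA)
    # Parameter tampering: the owner named in the body must be the authenticated caller.
    if note["owner_id"] != authenticated_user:
        raise ApiError(403, "owner_id does not match the authenticated user")
    # Output encoding: escape before a downstream consumer renders the title as HTML.
    return {"status": 201, "title_html": html.escape(note["title"])}


def handle(headers: dict, raw_body: bytes, authenticated_user: int) -> dict:
    """Wrap the create handler so every outcome is a status-bearing dict."""
    try:
        return handle_create_note(headers, raw_body, authenticated_user)
    except ApiError as err:
        return {"status": err.status, "error": str(err)}


def handle_read_note(note_id: int, authenticated_user: int) -> dict:
    try:
        check_object_authorization(authenticated_user, note_id)
        return {"status": 200, "note_id": note_id}
    except ApiError as err:
        return {"status": err.status, "error": str(err)}


if __name__ == "__main__":
    ok = handle({"content-type": "application/json"},
                b'{"title": "<b>hi</b>", "body": "x", "owner_id": 7}', 7)
    print(ok)                                    # status 201, title escaped
    print(handle_read_note(102, 7))              # status 403: note 102 belongs to user 9
```

The ordering of the checks matters as much as their presence: the size limit runs before the body is parsed, the media type before the JSON decoder, and the schema before any business logic touches the values, so a malformed or oversized message is rejected as cheaply as possible. A tester working through the list above sends requests that violate each check in turn and records which ones the service fails to reject.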
SUMMARY
It's important that you find a tester who doesn't just use a tool. It's easy to think that running Burp Suite or some other tool is “good enough”, but if you're looking for real security you need somebody who is certified in many areas and can test your solutions to the appropriate depth. Not all testers are created equal. For a free service consultation, contact us at www.emagined.com or give us a call!