
HOW TO DO API PENETRATION TESTING

Chris Odom

We are often asked to test clients' APIs, and the demand doesn't seem to be slowing. As more and more applications need to "talk" with other applications, APIs have become a major attack vector for shady characters, and the need for extensive testing is paramount. Whether you're looking at how to pentest an API, how to discover nodejs API structures, or how to pentest REST APIs, we hope that you find this information helpful.

Why Get an API Penetration Test?

You should use an expert application programming interface (API) penetration tester to help your application security professionals identify and prioritize cyber security threats. You can do this without stressing your budget or having to become a specialized security expert yourself.

These testers can supplement your existing security efforts so you can safely determine a quantifiable level of threat. They can help you navigate and resolve vulnerabilities and gaps, and comply with local, state, and federal regulatory requirements.

Enhanced Clarity & Significantly Improved Security

All of this comes at a reasonable price that allows you to leverage our best practices, technical expertise, and scalable infrastructure.

API Pentest Service Levels

APIs are generally tested in conjunction with networks, applications, IoT devices, ICS/SCADA, databases, mobile, Wi-Fi, web services, and almost anything else you may need tested. Additionally, you can test as heavily or as lightly as you prefer. Typical testing levels include:

  • Level 0: Vulnerability Scan

  • Level 1: Vulnerability Assessment

  • Level 2: Penetration Test (default)

  • Level 3: Expanded Pentest

API Pentest Phases

API Reconnaissance Phase

  • Represents the information gathering and enumeration phase of an attack

  • Data is collected passively from applications through automated and manual means

  • Application functionality is determined and documented through a combination of call submissions, analysis of sample project packages (Postman, SOAP, etc.), and WS/API documentation reviews

  • Key parameters are documented and noted for exposure and further follow-up

  • Web service application traffic is passed through a proxy and interrogated for further detail

API Verification Phase

  • Represents the vulnerability identification and validation phase of an attack

  • Key components of the web services application are tested (including active fuzzing) for vulnerabilities and exposures. These include:

      • Authentication, Authorization & Roles (Privileges and Permissions)

      • Data Input Validation, Handling & Processing

      • Encryption & Sequencing

      • Business Logic, Source Code & Parameter Manipulation

  • Includes automated and manual identification

  • Culminates with validation of vulnerabilities that can or may be exploited

API Exploitation Phase

  • Represents the exploitation and compromising phase of an attack

  • Leverages vulnerabilities identified in the earlier phase(s) to successfully penetrate security controls

  • Includes mostly manual attacks with semi-automated support

  • Concludes with tester gaining access to web services application data and/or permissions (access) not previously available to the tester

  • In some cases, exploitation of web services may not be possible given the security controls present, the complexity of the attack (undocumented functionality, or not enough documentation/context), and the time allotted for testing

Comprehensive API Penetration Testing (Sample)

  • Fuzzing

  • Identification, Authentication & Authorization

  • Encryption / SSL and data security (in-flight, at-rest)

  • Other communication protection mechanisms (freshness)

  • Web service chains

  • Parameter tampering

  • Schema validation

  • Content validation

  • Output encoding

  • Malicious code / Virus protection

  • Command / Client-side injection (XSS, CSRF, HTML, XPath, XXE, etc.) – particularly for upstream or downstream consumers

  • Message size

  • DoS protection and availability

  • Business logic errors
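Several items in the checklist above (message size, schema validation, content validation, parameter tampering, output encoding) come down to checks an API gateway or request handler can enforce before a request reaches business logic. The following is an added example, not code from the original post or from Emagined: a request validator for a hypothetical JSON "create order" endpoint, where the schema, the field bounds and the 4096-byte size cap are assumptions made for the example.

```python
import html
import json

# Constructed policy for a hypothetical "create order" endpoint (assumed for this example).
ORDER_SCHEMA = {
    "item_id": {"type": int, "min": 1, "max": 10**9},
    "quantity": {"type": int, "min": 1, "max": 1000},
    "note": {"type": str, "max_len": 200},
}
MAX_BODY_BYTES = 4096  # message-size cap, enforced before any parsing

def validate_request(raw: bytes, schema=ORDER_SCHEMA, max_bytes=MAX_BODY_BYTES):
    """Return (accepted, errors, clean_body) for one JSON request body.
    Checks run in gateway order: message size, well-formed JSON, schema
    (required keys, no unexpected keys), content bounds, output encoding."""
    errors = []
    if len(raw) > max_bytes:
        return False, [f"body exceeds {max_bytes} bytes"], {}
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, ["body is not valid UTF-8 JSON"], {}
    if not isinstance(body, dict):
        return False, ["body must be a JSON object"], {}
    # Unexpected keys are rejected, not silently dropped: this is what stops a
    # tampered request from smuggling in parameters the endpoint never defined.
    for key in sorted(body.keys() - schema.keys()):
        errors.append(f"unexpected field: {key}")
    for key, rule in schema.items():
        if key not in body:
            errors.append(f"missing field: {key}")
            continue
        value = body[key]
        # bool is a subclass of int in Python, so reject it for int fields
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{key}: wrong type")
            continue
        if "min" in rule and value < rule["min"]:
            errors.append(f"{key}: below minimum")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{key}: above maximum")
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{key}: too long")
    if errors:
        return False, errors, {}
    # Output encoding: HTML-escape free text before it reaches downstream consumers.
    clean = {k: html.escape(v, quote=True) if isinstance(v, str) else v
             for k, v in body.items()}
    return True, [], clean
```

A tester will probe each of these checks in turn (oversized bodies, extra fields, wrong types, out-of-range values), so the errors list doubles as the evidence of which control rejected a given request.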

Summary

It's important that you find a tester who doesn't just use a tool. It's easy to think that running Burp Suite or some other tool is "good enough", but if you're looking for real security you need someone who is certified in many areas and can test your solutions to the appropriate depth. Not all testers are created equal. For a free service consultation, contact us at www.emagined.com or give us a call!
