API penetration testing

API penetration test is simulated attack against your API which aims to uncover weak points in its cyber security. Outcome of such penetration test is a comprehensive report and presentation that summarizes all security vulnerabilities found in API and outlines optimal strategy to mitigate them.

Auxilium Cyber Security has experience testing broad range of API types ranging from REST through SOAP to GraphQL API.

Objective

Main goal of penetration test is to address vulnerabilities of your API and propose adequate steps to mitigate them.

Methodology of API penetration tests

Methodology of API penetration tests

1. API1:2019 Broken Object Level Authorization
2. API2:2019 Broken User Authentication
3. API3:2019 Excessive Data Exposure
4. API4:2019 Lack of Resources & Rate Limiting
5. API5:2019 Broken Function Level Authorization
6. API6:2019 Mass Assignment
7. API7:2019 Security Misconfiguration
8. API8:2019 Injection
9. API9:2019 Improper Assets Management
10. API10:2019 Insufficient Logging & Monitoring

Our approach to API penetration testing

When testing the API, we use the revision of the standard from 2019. More information is available here: https://owasp.org/www-project-api-security/

1. Understanding our client

We start by gaining close understanding of our client’s business and technical needs as well as gathering information about API itself, mainly number of endpoints and its architecture.

2. Agreement on commercial offer

Detailed commercial offer is prepared based on our understanding of your needs and requirements. Such offer includes penetration test methodology, testing scenarios, way of reporting results and the scope of the penetration tests. Outcome of this phase formally agreed penetration testing offer.

3. Penetration testing

Penetration test itself is carried out strictly in accordance with our common agreement. During the actual penetration testing our team reveals vulnerabilities in your API and demonstrate you how they can be misused by a hacker.

4. Reporting

We deliver detailed penetration testing report to your team. Such report includes all vulnerabilities together with suggestions on how to mitigate them. If required, we can also prepare executive summary presentation for your management to help you efficiently communicate such results to company decision-makers

5. Assistance with vulnerability mitigation

If your company has limited internal capacity, we can provide a support with mitigation of identified vulnerabilities.

6. Educating your dev team

We can also prepare tailor-made secure coding guidelines and training for your dev team which would reflect results of performed penetration test. This would help your team to avoid making same security mistakes again.