Penetration testing – API / WS

Purpose

Increasingly, organisations need to expose an interface (API) providing various services to their customers or business partners. This is usually machine-to-machine communication.

The goal of the API penetration test is to check whether the API is protected against unauthorised access to sensitive data, or even a complete takeover of the target system by an attacker.

Types of interfaces

There are two main types of API interfaces:

  • Web Services based on the SOAP/HTTP protocol

  • REST APIs

SOAP (Simple Object Access Protocol) is a protocol for exchanging XML messages over the network, mainly over HTTP. The basic description of a SOAP interface is the WSDL definition (also XML), which describes all functions that are part of the interface.

REST (Representational State Transfer) is an interface architecture that defines access to data using 4 basic operations (CRUD – create, retrieve, update, delete). These operations are implemented using the corresponding HTTP methods (POST, GET, PUT, DELETE). Structured data is usually transferred in JSON format (XML, Atom, etc. are also used).

Testing

Testing of Web Services / REST APIs is usually not carried out in black-box mode (with zero or very little knowledge about the target system), otherwise the testers spend more time asking “How does it work?” than “Where is the weakness?”.

To make the testing effective, it is helpful to provide a sample client implementation, a SoapUI project or detailed documentation describing the methods and parameters used.

The key factors determining the test price are: the number of methods, parameters and test scenarios, the API authentication method and the number of user roles to be tested.

During the testing we use the relevant parts of the web application testing methodology. We also take into account the OWASP recommendations intended directly for web services and APIs, as given in their REST Security and XML Security Cheat Sheets.

Reporting

The deliverable of the penetration testing project is the final report, which contains a description of the performed tests, findings, observations and recommendations.

If required, we can present the penetration testing results at a final meeting (either a less technical presentation for managers or a technical workshop for developers and system administrators).

Other types of pentesting

In addition to the testing described above, we also provide our clients with many other types of penetration tests – see Penetration testing overview.

Sample report

A sample report to give a better idea of the quality of our work.

Demo report

Any questions?

If you are interested in more details, please contact us.

Ask by e-mail