×

API Penetration Testing

Veracity | API Penetration Testing

When it comes to access points from a hacker’s perspective, APIs are high on the list. The API framework is such that it makes a great target for hackers who want to get at application logic or other sensitive information. With Veracity API Penetration testing services, you will essentially be testing the server-side of your application for vulnerabilities residing in backend application logic and the API source code.                            

API PENETRATION  SERVICE COVERAGE

Optimising the Potential of Continuous Penetration Testing for Every Need

At Veracity, we deliver best-in-class penetration testing by maximising coverage and ensuring each and every vulnerability is identified, checked for severity, and the risk is mitigated effectively.

APIs and Web Services

The Veracity team offers penetration testing that covers web services (REST and SOAP) and APIs.

Software Composition Analysis (SCA)

Open source security will offer improved visibility into open source inventory for tens of thousands of CVE-IDs.


Network and WiFi Security

Testing for known and unknown threats as well as attack vectors to detect security gaps and find immediate remediation.


Breach and Attack Simulation

Implement robust authentication security for all business systems and staff.


Black and White Box Testing

testing the internal design and structure of the app, including 2FA, MFA, and more, to test app functionality.


Extensive Threat Reconnaissance

Identifying threats originating from public code repositories and the Dark Web to offer comprehensive security



API VULNERABILITY  COVERAGE

We are the Answer to Securing your APIs

The Veracity API penetration testing service is configured to identify a broad range of API vulnerabilities, which are discovered with the use of both automated assessment and manual penetration testing. Our API penetration covers all vulnerabilities that are part of the OWASP's top-ten list:

✓ Broken Object-Level Authorization

✓ Broken User Authentication

✓ Excessive Data Exposure

✓ Lack of resources and rate-limiting

✓ Broken Function Level Authorization

✓ Mass Assignment

✓ Security Misconfiguration

✓ Injection

✓ Improper Asset Management

✓ Insufficient logging and monitoring

SECURITY THREATS FOR  WEB SERVICE APIS:

APIs often self-document information regarding their implementation and internal structure, which is widely used as intelligence for cyberattacks. Additionally, vulnerabilities such as weak authentication, a lack of encryption, flaws in the business logic, and insecure endpoints make APIs vulnerable to the attacks mentioned below.

  • Injection Attacks

    In an injection attack, a dangerous code is embedded into an unsecured software programme to stage an attack. Particularly, SQL injection and cross-site scripting are widely used to manipulate data or transfer untrusted data into the API as part of a query or command. As a result, the attacker gains unauthorised access to information and may cause further damage.

  • DoS Attack

    In a Denial of Service (DoS) attack, the attacker, in most cases, floods the web service with ICMP or SYN packets. When the system gets overwhelmed by the large amount of traffic that the server is unable to handle, it eventually stops or crashes.

  • Broken Authentication

    Broken authentication or weak authentication empowers the attacker to either bypass or take control of the authentication methods that are being used by the web service. This may lead to an attack whereby JSON web tokens, API keys, passwords, etc. can be compromised. The aim of such attacks is usually to take charge of several accounts while also getting the same privileges as the attacked user.

  • Sensitive Data Exposure

    Sensitive data exposure happens whenever an application is unable to properly secure sensitive data, possibly due to a lack of encryption in transit or at rest. Information ranging from private health information to credit card information, session tokens, passwords, keys, and a lot more tends to be vulnerable to this attack.

  • Broken Access Control:

    The functions and contents of a web service are accessible to only certain users. Access control is used to grant access to specific users while denying access to others. Missing, broken, or inadequate access control can permit the attacker to gain control of other users' accounts, alter access privileges, and modify data.

  • Parameter Tampering:

    This attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Generally, such information is stored in cookies, hidden form fields, or URL query strings and is used to increase application functionality and control.

  • Man-In-The-Middle Attack (MITM):

    In this attack, the attacker is secretly listening to the data transfer taking place between two systems. Confidential and important data that is being transferred may be modified or intercepted without the knowledge of either system.

WEB SERVICES API - VAPT

  • Fuzz Testing:

    Delicacies in a web service can be tested using a simple test such as fuzz testing, which is essentially a black box software testing technique primarily consisting of finding bugs using malformed data injection.


  • Command Injection

    An injection flaw occurs with respect to web services and APIs when the web application passes information from an HTTP request through other commands such as a database command, a system call, or a request to an external service.


  • SQL Injection

    SQL injections are attacks where a malicious user injects code to break the defined SQL query to fetch data from the database. In REST services, SQL injection is one of the most important test cases that is performed on user-controlled variables or entry points. Blind SQL injection confirms this type of vulnerability.


  • Cross-Site Scripting (XSS):

    A cross-site scripting vulnerability arises when an attacker injects and runs a malicious script into a legitimate web page, and its rendering is seen in the immediate response. Using this vulnerability, an attacker can do virtual defacement or cookie stealing on the application, which can further lead to session hijacking.

  • Cross-Site Request Forgery (CSRF):

    Cross-site request forgery is an attack where the attacker sends a request to the server, pretending to be a user, to perform operations in the application. This attack occurs when the application solely depends on cookies to validate the user on the server side. In JSON services, we can perform this attack by using the request.


  • Username Enumeration:

    In a REST service-based application, an attacker can have the opportunity to enumerate usernames. Forgot Password or User Login functionalities are the suitable entry points to execute this type of attack since most of the applications use default usernames for operations like admin, customer care, etc.


  • XML External Entity Injection:

    An XML External Entity Injection attack arises when an application processes user-entered XML data in the request without disabling reference to external resources. Applications rarely require references to external resources; by default, the XML parser is enabled to support external references in the application. These entities can refer to the file system or other sensitive information in the application.


  • Brute Force:

    Brute force is also one of the attack types that can be executed on vulnerable APIs. Many times, the login page in the application is vulnerable to this type of attack, and the attack involves guessing usernames and passwords using wordlists.

WHY  VERACITY SECURITY? 

  • Our testing methodology starts with understanding the flow of the application, its functionalities, and critical components, and then mapping what an attacker in the application can exploit.
  • We carry out the testing manually using some of our custom-developed scripts.
  • We perform in-depth analysis of "data at rest" as well as "data in transit". 
  • Each application is vetted by our senior resource before we share it with our client.
  • Once our testing is completed, we provide a report that indicates vulnerabilities, an associated risk rating, and a solution to fix the vulnerability along with the evidence.
  • We share the report only after testing the entire application, as the vulnerabilities are interdependent.
  • We avoid using tools because we think a tool is a machine and a hacker is a human brain.

App security isn't a feature or a benefit; it is a bare necessity. One breach could cost your company not just millions of dollars but also a lifetime of trust. That is why security should be a priority from the moment you start writing the first line of code.

Have Query ?

×

Notice!!

The cyber security attack that started last Friday has dominated the headlines around the world. This reflects the power and reach of the latest mutation of malware spread around a connected world. Unfortunately, the recent ransomware outbreak may be the first of a new strain that we will see terrorising any computer connected to the internet.