SERVICES WebService/API Penetration Testing
The use of web services and APIs has increased drastically due to increased usage of mobile applications. Web services are a prominent attack vector since the data which flows through them is of sensitive nature. Web services are also majorly used by enterprise level applications and software, and they carry large portions of sensitive data. Due to the lack of security and available resources in this area, web services are an extremely lucrative target for attackers.
Check Also: What is API Penetration Testing?
Our Web service and API Pentest Methodology
1. Scope Definition:
On project initiation, we collect the scoping/target information from your organisation. This information includes the IP addresses, URLs, definition file or documentation for all endpoint definitions, authentication credentials, and API tokens related to the target.
2. Intelligence gathering:
In this phase, we gather as much information as possible about the target using publicly available resources. We then proceed with crawling of the web service using a combination of manual and automated tools and analyse the service paths within the scope. The goal of this phase is to identify any sensitive information that can be leveraged in later phases to compromise the web service/API.
3. Vulnerability Analysis:
This phase encompasses the enumeration of the target web service and/or API on both application and network layers. We then perform active scanning and manual review of the exposed endpoints for determining their business functionality and identifying unauthenticated/authenticated endpoint attack surface. An application proxy is used to intercept normal webservice/API interactions for all in-scope endpoints. Packet-level traffic and response headers are also analysed.
4. Exploitation:
In this phase, we attempt to exploit the vulnerabilities identified in previous phases of the assessment. This step helps to determine the realistic risk level associated with the successful exploitation of the vulnerability and to validate if any mitigating controls are already in place.
5. Reporting:
After completing the assessment, SecureTriad provides an assessment report which includes executive summary and technical findings. The executive summary is written for management consumption and is a high-level overview of assessment activities, scope, most critical issues discovered, and overall risk scoring. We also include strategic recommendations to assist business leaders in making informed decisions regarding the application. The technical findings include all vulnerabilities listed individually, with details for recreating the issue with necessary screenshots, understanding of the potential risk, recommended remediation actions, and helpful reference links.
