What is API Penetration Testing?

by Sarah Harvey / September 5th, 2019

APIs have led to digital transformation within the cloud, IoT, and mobile and web applications. Without knowing it, the average person engages with multiple APIs every day, especially on mobile. APIs are the connective tissue responsible for transferring information between systems, both internally and externally. All too often, though, deployed APIs do not go through comprehensive security testing, if tested for security at all. Whether SOAP or REST, a poorly secured API can open security gaps for anything that it is associated with. The security of the API is just as important as the applications that it provides functions for. What ways could an attacker abuse the APIs that your organization has built?

Why Test the Security of APIs?

According to Gartner, by 2022, exploiting APIs will be the most common attack vector for data breaches within enterprise web applications. In the last few years, we’ve already seen plenty of security incidents with unprotected APIs at the center: Venmo, celebrity websites and mobile apps, Salesforce’s Marketing Cloud, and Panera to name a few.

When there is no emphasis on API security, we see negative impacts such as customer accounts being taken over, exposed application logic, fraud, data breaches, performance issues, control systems being taken over, and compromised internal infrastructure.

Because of the prevalence of unprotected SOAP and REST APIs, OWASP is extending its popular “Top 10” to API security in 2019. Version one is set to release later this year, and in the meantime, we’re able to see the current draft, which lists:

  1. Missing Object Level Access Control
  2. Broken Authentication
  3. Excessive Data Exposure
  4. Lack of Resources and Rate Limiting
  5. Missing Function/Resource Level Access Control
  6. Mass Assignment
  7. Security Misconfiguration
  8. Injection
  9. Improper Assets Management
  10. Insufficient Logging and Monitoring

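Two of the risks on this list, Missing Object Level Access Control (1) and Mass Assignment (6), show up in ordinary request handlers, so the following added example (not code from the original post or from any vendor) puts a vulnerable handler next to its hardened counterpart. The order store, user records, field names and the `Forbidden` exception are all constructed for the demonstration; the hardened order view also trims the response, which is the fix for Excessive Data Exposure (3).

```python
"""Added example: vulnerable vs. hardened API handlers for two OWASP API risks.
Everything here (ORDERS, ALICE, field names, Forbidden) is constructed sample data."""
from __future__ import annotations

from typing import Any

# Constructed in-memory store standing in for the API's backend database.
ORDERS: dict[int, dict[str, Any]] = {
    101: {"id": 101, "owner": "alice", "total": 42.0, "card_last4": "1234"},
    102: {"id": 102, "owner": "bob", "total": 9.5, "card_last4": "9876"},
}
# Constructed user record; "is_admin" is a server-controlled field.
ALICE: dict[str, Any] = {"username": "alice", "email": "alice@example.com", "is_admin": False}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


# --- Risk 1: Missing Object Level Access Control -----------------------------

def get_order_vulnerable(caller: str, order_id: int) -> dict[str, Any]:
    # The handler trusts the id supplied in the URL and never checks ownership,
    # so any authenticated caller can read any order (and its card digits).
    return ORDERS[order_id]


def get_order_hardened(caller: str, order_id: int) -> dict[str, Any]:
    order = ORDERS.get(order_id)
    # Authorize against the object itself, not just against "is logged in".
    # Treating "missing" and "not yours" identically avoids revealing which ids exist.
    if order is None or order["owner"] != caller:
        raise Forbidden(f"order {order_id} is not accessible to {caller}")
    # Risk 3 (Excessive Data Exposure): return an explicit view, never the raw record.
    return {k: order[k] for k in ("id", "total")}


def hardened_denies(caller: str, order_id: int) -> bool:
    """True if the hardened handler refuses the request (used by the demo/test)."""
    try:
        get_order_hardened(caller, order_id)
    except Forbidden:
        return True
    return False


# --- Risk 6: Mass Assignment --------------------------------------------------

def update_profile_vulnerable(user: dict[str, Any], payload: dict[str, Any]) -> dict[str, Any]:
    # Binding the whole JSON body onto the model lets the client set any field,
    # including ones it should never control, such as is_admin.
    return {**user, **payload}


# Allowlist of fields a client is permitted to change through this endpoint.
PROFILE_WRITABLE = frozenset({"email"})


def update_profile_hardened(user: dict[str, Any], payload: dict[str, Any]) -> dict[str, Any]:
    # Copy only allowlisted keys; unexpected keys are dropped rather than applied.
    accepted = {k: v for k, v in payload.items() if k in PROFILE_WRITABLE}
    return {**user, **accepted}


if __name__ == "__main__":
    # bob reading alice's order: succeeds on the vulnerable handler, refused on the hardened one
    print("vulnerable:", get_order_vulnerable("bob", 101))
    print("hardened denies bob:", hardened_denies("bob", 101))
    print("alice sees:", get_order_hardened("alice", 101))
    body = {"email": "new@example.com", "is_admin": True}
    print("vulnerable profile:", update_profile_vulnerable(ALICE, body))
    print("hardened profile:", update_profile_hardened(ALICE, body))
```

The pattern generalizes: every handler that takes an object identifier from the client needs an ownership or permission check against that object, and every handler that writes client-supplied fields needs an allowlist rather than a blanket merge.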
These risks could come from man-in-the-middle, CSRF, XSS, SQL injection, or DDoS attacks. How are you preparing your APIs to defend against internal and external attackers?

How is Penetration Testing Performed on APIs?

Primarily, during API penetration testing, we are testing an API’s functions/methods, how they could be abused, and how authorization and authentication could be bypassed. We also test to see if we can cause any form of command injection, or even XSS, if the function’s response renders data on the page. We put APIs through these types of tests in hopes of revealing any security vulnerabilities that might exist.

Many security analysts who aren’t experienced in API penetration testing will try to attack the API with a vulnerability scan, but we know it doesn’t work that way. Even with the proper tools, penetration testers who don’t have the appropriate API knowledge won’t know what to do because they can’t interpret the data they receive. Our penetration testers have the background in programming and development that’s needed to provide a thorough, proper assessment of a SOAP or REST API. Our team will go through the API, function by function, to think of ways that an attacker could leverage your vulnerabilities. Every API is different, and we’re prepared to perform diligent, advanced API penetration testing to protect your organization.

We want to find the gaps in your API security before an internal or external attacker does. We offer advanced, web API security testing for both SOAP and REST APIs. If you want to avoid the consequences of a compromised API and work with an expert ethical hacker, contact us today.

More Penetration Testing Resources

OWASP’s REST Security Cheat Sheet

What are the Stages of Penetration Testing?

3 Hacks to Get the Most Out of Your Penetration Test