What is a Web Service and API Penetration Testing?
A Web Service & API Penetration Test is an authorized hacking attempt aimed at identifying and exploiting vulnerabilities in the architecture and configuration of a web service. The purpose of this test is to demonstrate the ways attackers can compromise a web service and gain access to an organization's digital assets.
Applicability
The purpose of Web Service Testing is to verify that all of the Application Programming Interfaces (APIs) exposed by your application operate as expected. In some ways they are similar to unit tests in that they test specific pieces of code rather than user interface objects.
Unlike simple unit tests however, web services tests will normally need to be developed for each of the supported versions of the API so that when a new version of a product comes out, you can test the latest version of the API and all previous versions. This ensures that legacy clients using the older version of the API don’t need to make any changes.
Also, unlike unit tests, web services are being called across a network using the HTTP/HTTPS protocol rather than simply calling code that is resident on the same system as the test script. In that sense, they are similar to testing web sites.
Finally, where you have an AJAX web application, the front-end user interface is tested with the appropriate UI library while CyberSRC® Web Service & API testing covers, at the same time, the web service that supplies data to that user interface. In these situations you have a hybrid test of both the web user interface and the web service.
Objective
- Gain competitive advantage – Web Services such as APIs provide your applications with avenues for growth through integration with mainstream products, and good security measures are key in supporting such initiatives
- Protect data transmitted between users and web services from being intercepted by a malicious attacker
- Get independent verification of the security measures around your web service
- Reduce risks, legal costs and ramifications due to a data breach
- Get actionable recommendations that developers can follow during development, or when implementing upgrades
- Ensure compliance with PCI DSS and other security standards
- Verify alignment with OWASP and ensure that the most common exploitation mechanisms are addressed
- Provide management with a proof of exploit, which outlines the assets that an attack can compromise
APIs often self-document their implementation and internal structure, and this information is widely used as reconnaissance for cyber-attacks. Additionally, weaknesses such as weak authentication, lack of encryption, flaws in the business logic and insecure endpoints leave APIs exposed to the attacks described below.
Injection Attacks
In an injection attack, malicious input is passed into an unsecured program to stage an attack. In particular, SQL injection and cross-site scripting are widely used to manipulate data by transferring untrusted data into the API as part of a query or command. As a result, the attacker gains unauthorized access to information and may cause further damage.
DoS Attack
In a Denial of Service (DoS) attack, the attacker in most cases floods the web service with ICMP or SYN packets. When the system is overwhelmed by a volume of traffic the server is unable to handle, it eventually stops responding or crashes.
Broken Authentication
Broken or weak authentication allows the attacker to bypass or take control of the authentication methods used by the web service. This may lead to an attack in which JSON web tokens, API keys, passwords and similar credentials are compromised. The aim of such attacks is usually to take over several accounts while obtaining the same privileges as the attacked user.
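As an added illustration of the JSON web token weakness above (example code written for this page, not CyberSRC® tooling), the verifier below fixes the accepted algorithm on the server side, checks the HMAC signature with a constant-time compare, and requires an unexpired `exp` claim; the signing key and tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue an HS256 token; used here only to build sample tokens offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the payload only if the token is well-formed, signed with `key`
    using HS256 and unexpired. The algorithm is fixed by the verifier: the
    header's `alg` is compared against it, never used to choose a method."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        payload = json.loads(b64url_decode(body))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # rejects 'none' and algorithm swaps
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("missing or expired exp")
    return payload

def is_rejected(token: str, key: bytes, now=None) -> bool:
    """Convenience wrapper: True when the verifier refuses the token."""
    try:
        verify_hs256(token, key, now)
        return False
    except ValueError:
        return True
```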
Sensitive Data Exposure
Sensitive Data Exposure happens whenever an application fails to properly protect sensitive data, often because of missing encryption in transit or at rest. Information ranging from private health records and credit card details to session tokens, passwords and keys is exposed by this weakness.
Man-In-The-Middle Attack (MITM)
In this attack, the attacker secretly eavesdrops on the data transfer taking place between two systems. Confidential and important data in transit may be intercepted or modified without the knowledge of either system.
And many more.
Approach
Reconnaissance and Analysis
Mapping the web service:
This stage consists of manual and automated crawling of the web service to visit and analyze the functionality of all service paths within scope.
We then test for content that may not be used by the service clients but is still reachable. We also subject the service to abnormal HTTP, SOAP and XML requests to observe the different responses the server returns, including examining responses for debug behaviour.
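The "examining responses for debug behaviour" step above can be turned into a repeatable check. The following is an added example written for this page (not CyberSRC® tooling): the responses are constructed samples standing in for what your own staging service returns to malformed JSON and SOAP requests, and the checker flags stack traces, server file paths, database error text and framework HTML error pages so that such leaks can be fixed before release.

```python
import re

# Constructed sample responses (status, content type, body); not real traffic.
# In practice these come back from sending abnormal JSON/SOAP/XML requests to
# your own staging service; here they are embedded so the check runs offline.
SAMPLE_RESPONSES = {
    "malformed_json": (500, "text/html",
        "<html><body><h1>Internal Server Error</h1><pre>"
        "Traceback (most recent call last):\n"
        '  File "/srv/app/api.py", line 42, in create_order\n'
        "json.decoder.JSONDecodeError: Expecting value</pre></body></html>"),
    "malformed_soap": (500, "text/xml",
        "<soap:Fault><faultstring>org.xml.sax.SAXParseException: unexpected end "
        "at com.example.OrderService.parse(OrderService.java:118)"
        "</faultstring></soap:Fault>"),
    "valid": (200, "application/json", '{"status":"ok"}'),
}

# Patterns indicating that a framework or database is echoing internals to the client.
DEBUG_MARKERS = [
    re.compile(r"Traceback \(most recent call last\)"),          # Python stack trace
    re.compile(r'File "[^"]+", line \d+'),                       # Python frame with server path
    re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)"),                # Java stack frame
    re.compile(r"(ORA-\d{5}|SQLSTATE\[|MySQL server version)"),  # database error text
]
API_TYPES = ("application/json", "text/xml", "application/xml", "application/soap+xml")

def find_debug_leaks(status, content_type, body):
    """Return a list of findings for one response; an empty list means nothing leaked."""
    findings = [m.pattern for m in DEBUG_MARKERS if m.search(body)]
    # A 5xx served as HTML is usually a framework error page rather than an API error.
    if status >= 500 and not content_type.startswith(API_TYPES):
        findings.append("5xx with non-API content type: " + content_type)
    return findings

def audit(responses):
    """Map each request label to its findings, keeping only responses that leaked."""
    report = {}
    for label, (status, ctype, body) in responses.items():
        findings = find_debug_leaks(status, ctype, body)
        if findings:
            report[label] = findings
    return report

if __name__ == "__main__":
    for label, findings in audit(SAMPLE_RESPONSES).items():
        print(label, "->", findings)
```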
Analysis of the results:
We then analyze the mapping results to determine the functionality, potential entry points and technology in use, and how they could be used to compromise the application.
Testing and Exploitation
Using the information gathered in the initial phase, we test the application for potential vulnerabilities. We then attempt to exploit the vulnerabilities found to establish the full impact on the application. This gives your organization the basis for an accurate threat and risk assessment.
Post Exploitation
On completion of the testing and exploitation phase, any changes made to the web service are restored to the state prior to the commencement of the penetration test. This provides a known security baseline for your organisation.
Our methodologies are planned and scheduled to be non-disruptive to business and we work around ensuring uptime throughout our testing.
Reporting
After completion of the testing phase, a thorough report is written listing the vulnerabilities and exploits categorized by risk level, alongside recommended mitigation strategies based on Shearwater's key insights into the web application threat landscape.
Why CyberSRC®?
Established in January 2018, CyberSRC® Consultancy offers the full range of cyber security services, from threat intelligence and VMS to general advisory services in areas pertaining to cyber security such as vulnerability attacks, compliance, and cyber security regulations and laws. We perform system audits such as ISNP Audits, NBFC Audits, UCB Audits, PPI Audits and SEBI Audits. We provide our solutions with better accountability. We are a certified assurance firm and an ISO 27001 certified organization, backed by a very diverse and dynamic team with combined experience.