The primary goal of this testing APIs is to evaluate the ability for an attacker on the Internet to gain access to sensitive data or attack an organization via the APIs and other web services, and to understand the inputs into the API endpoint, as well as how it impacts data returned in subsequent calls.  Secure Ideas evaluates the security aspects of the target APIs based on various industry standards as discussed with the client during detailed scoping discussions.  

We then attempt to identify vulnerabilities in the API infrastructure, and to ascertain the capabilities of an attacker in obtaining unauthorized access to confidential information or sensitive systems.  From here, we exploit any weakness in the API infrastructure, and provide detailed remediation recommendations and security controls which will improve the security of the APIs and the associated infrastructure.

Categories and Testing Techniques

Authentication, Authorization, and Session Management Testing

Most of this category must be tested manually, as automated scanners have difficulty understanding context within the application.

  • Testing of all authentication features such as login, registration, and forgot password
  • Testing of authorization across sensitive functionality and data
  • Seek out horizontal and vertical privilege escalation opportunities
  • Validate security of session management
Encrypted Communication and Server Configuration

Scan the application for flaws related to encryption and configuration.

  • The use of components with known vulnerabilities
  • Use and configuration of SSL
  • Exploring web services for other vulnerable points such as an XML parser
Service API Input Testing

Using a combination of automated and manual techniques, test API call inputs.

  • Where appropriate, test inputs for injection flaws such as SQLi, LDAP injection, Command Injection, etc…
  • Fuzz inputs to determine if API responses can be influenced