Service #5


API Security Testing

API security testing is the process of checking your APIs for vulnerabilities, ultimately surfacing any security gaps for the engineering team to fix. It entails testing the endpoints of an application programming interface (API) for security, correctness and reliability, to ensure they comply with security best practices. In short, API security testing is an essential part of the application development process today. Given the number and type of recent security breaches, you can expect the public to take a dim view of anything less than your best.




Who is it for?

Our API security service is offered to any organisation running REST, GraphQL or SOAP APIs. We offer API security assessments both to companies whose API is integrated into their own web application and to companies that provide a separate API as a service to their customers.




Our Methodology?

There are various forms of API security testing. Static and dynamic analysis search for patterns and libraries used in your code base that represent potential vulnerabilities, surfacing the vulnerable endpoints and their data-entry points (parameters).

The majority of the time is spent on dynamic API security testing, in which a tester sends live requests to the application and surfaces potential vulnerabilities based on the responses received from the API.

As an example, a dynamic testing tool may send a request to a REST API endpoint that contains a SQL injection payload. If the response from the API indicates that the database is vulnerable to such an attack, this is surfaced in the testing tool.




What we test?



Input Fuzzing: Fuzzing simply means providing random data to the API until it spills something out: some information, an error message or anything else that implies the random data has been processed by the API. The error messages are later analysed by a security team member to check whether they can be escalated to a valid security issue.

OWASP TOP 10: OWASP API Security Top 10 Vulnerabilities 2019


  • API1:2019 — Broken object level authorization
  • API2:2019 — Broken authentication
  • API3:2019 — Excessive data exposure
  • API4:2019 — Lack of resources and rate limiting
  • API5:2019 — Broken function level authorization
  • API6:2019 — Mass assignment
  • API7:2019 — Security misconfiguration
  • API8:2019 — Injection
  • API9:2019 — Improper assets management
  • API10:2019 — Insufficient logging and monitoring


API Logic Testing: Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behaviour. They enable attackers to manipulate legitimate functionality to achieve a malicious goal. Our team members spend a large amount of time understanding and attacking the logical aspects of your API and the information served over it.

Excessive Role Based Testing: We at snapsec have accepted the challenge and have come up with a proper methodology for testing access control models in a modern way. Our methodology covers all scenarios that can lead to privilege escalation within the target system and gives us full coverage of the target model. To do that, we designed different techniques for each kind of privilege escalation scenario that can arise within the system.
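One way to express the access-control coverage described above as a repeatable check is an expected-access matrix: every caller is tried against every object, and any 200 response that the ownership rules do not allow is a finding (OWASP API1:2019, broken object level authorization). The following is an added, self-contained example and not snapsec's own tooling; the handlers, users and orders are hypothetical, constructed in memory so it runs offline.

```python
"""Added example: an offline expected-access matrix check for API1:2019 (BOLA).

Two hypothetical handlers for GET /orders/{id} are modelled as plain functions
so the check runs without a network. The 'vulnerable' one checks only that the
caller is authenticated; the 'fixed' one also enforces object ownership.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample data: orders keyed by id, each owned by one user,
# plus a role per user ("admin" may read every order).
ORDERS: Dict[int, Dict[str, object]] = {
    1: {"owner": "alice", "total": 42},
    2: {"owner": "bob", "total": 7},
}
USERS: Dict[str, str] = {"alice": "user", "bob": "user", "carol": "admin"}

# A handler maps (caller, order_id) to an HTTP-like (status, body) pair.
Handler = Callable[[str, int], Tuple[int, object]]


def get_order_vulnerable(caller: str, order_id: int) -> Tuple[int, object]:
    """Authentication only: any logged-in user can read any order (BOLA)."""
    if caller not in USERS:
        return 401, None
    order = ORDERS.get(order_id)
    return (200, order) if order is not None else (404, None)


def get_order_fixed(caller: str, order_id: int) -> Tuple[int, object]:
    """Authenticates, then enforces object-level authorization (owner or admin)."""
    if caller not in USERS:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    if order["owner"] != caller and USERS[caller] != "admin":
        return 404, None  # 404 rather than 403 so non-owners cannot confirm the id exists
    return 200, order


def bola_findings(handler: Handler) -> List[Tuple[str, int]]:
    """Try every (caller, order) pair; report reads the ownership rules do not allow."""
    findings: List[Tuple[str, int]] = []
    for caller, role in USERS.items():
        for order_id, order in ORDERS.items():
            allowed = role == "admin" or order["owner"] == caller
            status, _ = handler(caller, order_id)
            if status == 200 and not allowed:
                findings.append((caller, order_id))
    return findings
```

Against a live API the same matrix is driven by one session per role and one request per object id; the expected-access table is what turns a pile of responses into a reviewable list of authorization findings.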




Benefits?

- Identify missing API service method configurations.
- Security compliance and reporting analytics that give real-time awareness of threats associated with your APIs.
- Proactively identify and detect software security issues in APIs before they are deployed to production environments.
- The OWASP API Top 10 covers the majority of modern web API vulnerabilities.
- Identify and fix authorization and authentication vulnerabilities.

Contact

Call:

[!] Please leave an email

Instagram:

Text us through Instagram at: snap.sec

Twitter:

Text us through Twitter at: snap_sec

LinkedIn:

Text us through LinkedIn at: Snapsec
