Web Services/API security testing
Our Web Services/API Security Testing service provides comprehensive protection for web systems and APIs, using advanced pentesting methods in accordance with OWASP recommendations.
Service Description:
The service includes detailed security analysis, identification of vulnerabilities, testing of data validation effectiveness, analysis of session management and authentication mechanisms, as well as verification of access control mechanisms. The testing methods used are based on OWASP recommendations and the SIFT Web Services Security Testing Framework.
The following tasks will be performed in terms of conducting Web Services/API security testing:
Stage 1 – Gathering information
- Identify the type and version of the software and libraries in use,
- Review vulnerability databases to identify known vulnerabilities affecting the software versions in use,
- Review captured server requests and responses to identify potential vulnerabilities,
- Gather information using Google hacking techniques,
- Identify the type of Web service (SOAP/RESTful) and the encoding methods used for the transmitted data,
- Identify Web service definition files, e.g. WSDL, WADL, Swagger, etc.,
- Identify the Web service methods used and their parameters.
Stage 2 – Security testing of the Web Service/API
Depending on the type of service, testing may include performing the following tests:
- Analysis of the logic for handling Web service methods and the order in which actions are performed (for stateful WS),
- Testing the effectiveness of input validation and output encoding (including “SQL Injection”, “LDAP Injection”, “XML Injection”, “XPATH Injection” attacks, “directory traversal” attempts, system command invocation attempts, memory buffer overflows),
- Analysis of user session management mechanisms (including identification of the session management scheme, verification of how session IDs are transferred, manipulation, protection and duration of sessions and session IDs, verification of additional protection mechanisms defending against attacks such as “Cross-site Request Forgery”),
- Verification of authentication mechanisms (including the use of default or easy-to-guess passwords, brute-force/dictionary password-cracking attempts, attempts to circumvent the authentication scheme),
- Analysis of access control mechanisms (including identification of the access control model, analysis of the effectiveness of access control through vertical and horizontal privilege escalation attempts, i.e. direct access to WS methods and objects, attempts to list directory contents, verification that server responses do not contain redundant data),
- Verification of data processing and storage mechanisms (in the case of the use of a web browser, among other things, analysis of the operation of browser cache mechanisms and intermediary servers, verification of mechanisms for protecting locally stored data, analysis of methods of transferring data between the application and the server),
- Analysis of the correctness of cryptographic solutions,
- Denial of service attacks (including analysis of the possibility of blocking other users’ accounts, attempts to overflow the memory buffer, attempts to exceed the limits of resources available to WS users),
- Analysis of error handling mechanisms (including verification that error messages do not reveal redundant information, verification that the occurrence of an error does not allow escalation of privileges, attempts to manipulate error messages),
- Verification of the configuration of the HTTP protocol (including the use of HTTP methods, analysis of the presence of headers that regulate the operation of security-related mechanisms, such as prevention of automatic content detection, and in the case of browser applications, additionally analysis of the implementation of HSTS, CSP, CORS),
- Analysis of the implementation of SSL/TLS protocols (evaluation of the cipher suites used, analysis of the configuration of SSL/TLS connection parameters, verification of the certificates used),
- Examples of attacks carried out during the work: “Oversized XML Attack”, “Reference Redirect”, “XML Complexity Attack”, “SOAP Parameter Tampering”, “Web Service Addressing Spoofing”, “XML Encryption DOS”, “XML External Entity”, “XML Entity Expansion”, “XML Entity Reference Attack”, “XML Flooding”, “XML Signature DOS”, “Web Service Man in the Middle”, “Schema Poisoning”, “XML Rewriting”, “XML Signature Exclusion”, “WSDL Disclosure”, “Chosen-Ciphertext Attacks”, “Replay Attack”.
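The HTTP configuration item above (security-related headers, HSTS, CSP, CORS, content-type sniffing prevention) is the kind of check that is easy to automate over captured responses. The following is an added example written for this page, not the service provider's own tooling: it evaluates a dictionary of response headers against a small checklist and returns the findings. The two header sets are constructed samples, and the thresholds (a one-year HSTS max-age, `no-store` on API responses) are this example's assumptions rather than a rule stated on the page.

```python
"""Checklist-style review of security-related HTTP response headers."""
from typing import Dict, List, Optional

# Constructed sample: headers as a tester might capture them from a proxy.
SAMPLE_WEAK_HEADERS = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Server": "ExampleServer/1.2",  # constructed banner, not a real product
}

# Constructed sample: the same response after hardening.
SAMPLE_HARDENED_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "https://app.example",
    "Cache-Control": "no-store",
}

ONE_YEAR_SECONDS = 31536000  # assumed minimum HSTS max-age for this check


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip())
            except ValueError:
                return None
    return None


def check_security_headers(headers: Dict[str, str], browser_client: bool = True) -> List[str]:
    """Return a list of findings; an empty list means every check passed.

    Header names are matched case-insensitively, as HTTP requires.
    browser_client=False skips the CSP check for APIs that are never rendered
    by a browser.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR_SECONDS:
            findings.append("HSTS max-age missing or shorter than one year")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if browser_client and "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")

    origin = h.get("access-control-allow-origin", "").strip()
    credentials = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if origin == "*" and credentials:
        findings.append("CORS: wildcard origin combined with credentials")
    elif origin == "*":
        findings.append("CORS: wildcard origin")

    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control does not include no-store")

    if "server" in h:
        findings.append("Server header discloses a software banner")

    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK_HEADERS), ("hardened", SAMPLE_HARDENED_HEADERS)):
        print(label, check_security_headers(sample) or "no findings")
```

Running the block prints six findings for the weak sample and none for the hardened one; the checklist is deliberately small so that it can be extended with an organization's own baseline.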
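Several of the listed attack classes (“XML External Entity”, “XML Entity Expansion”, “XML Complexity Attack”, “Oversized XML Attack”) share one root cause: the service's XML parser accepts a DTD and unbounded input from the client. The following added example, written for this page and not taken from the provider, shows the defensive side a tester checks for: a parser wrapper that rejects any DOCTYPE before parsing, caps the payload size, and bounds element nesting depth using only the Python standard library. The sample documents are constructed; the size and depth limits are assumptions to be tuned per service.

```python
"""Defensive parsing of untrusted XML (SOAP bodies, XML-encoded API input)."""
import io
import re
import xml.etree.ElementTree as ET

# Any DTD (<!DOCTYPE ...>) is refused outright: external entities and entity
# expansion both require one. The check is on raw bytes, so it assumes a
# UTF-8/ASCII-compatible document; transcode UTF-16 input before calling.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

# Constructed sample: a benign SOAP-style request.
BENIGN_SOAP = (
    b'<?xml version="1.0"?><Envelope><Body><GetUser><id>42</id></GetUser></Body></Envelope>'
)
# Constructed sample: a document carrying a DTD with a harmless internal entity.
# It is rejected for having a DOCTYPE at all, not for what the entity contains.
DTD_SAMPLE = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "test">]><x>&a;</x>'
# Constructed sample: well-formed but excessively nested.
DEEP_SAMPLE = b"<a>" * 40 + b"</a>" * 40


class UnsafeXML(ValueError):
    """Raised when the input is refused before or during parsing."""


def parse_untrusted_xml(data: bytes, max_bytes: int = 1_000_000, max_depth: int = 32) -> ET.Element:
    """Parse client-supplied XML with size, DTD and nesting limits; return the root."""
    if len(data) > max_bytes:
        raise UnsafeXML("oversized document")
    if DOCTYPE_RE.search(data):
        raise UnsafeXML("DOCTYPE not allowed")

    depth = 0
    root = None
    # iterparse lets us abort as soon as nesting exceeds the limit instead of
    # building the whole tree first.
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > max_depth:
                raise UnsafeXML("nesting too deep")
            if root is None:
                root = elem
        else:
            depth -= 1
    if root is None:
        raise UnsafeXML("empty document")
    return root


def classify(data: bytes) -> str:
    """Return 'ok' if the document is accepted, otherwise the rejection reason."""
    try:
        parse_untrusted_xml(data)
        return "ok"
    except UnsafeXML as exc:
        return str(exc)
    except ET.ParseError:
        return "malformed"


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SOAP), ("dtd", DTD_SAMPLE), ("deep", DEEP_SAMPLE)):
        print(name, classify(doc))
```

Rejecting the DTD wholesale is simpler and safer than trying to filter individual entity declarations; services that genuinely need DTDs should instead parse with a library that disables entity resolution explicitly.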
Customer benefits:
Customers using the Web Services/API Security Testing service gain confidence that their systems are protected from advanced digital threats, resulting in enhanced data and system security.
Features and Specifications:
The service is distinguished by an individual approach to each client, the use of up-to-date testing methods and advanced security tools.
Web Services security testing methodology is based on the recommendations of the OWASP organization and other studies in this area, in particular:
- OWASP Testing Guide v4,
- OWASP Web Service Security Testing Cheat Sheet,
- OWASP REST Assessment Cheat Sheet,
- OWASP ASVS,
- SIFT Web Services Security Testing Framework.
For whom it is intended:
The service is aimed at enterprises and organizations that need to ensure the highest level of security for their web systems and APIs.
Application examples:
Organizations using the service to secure their web applications, web services and APIs from hacking attacks and other cyber threats.
Contact:
Contact us to discover how our end-to-end IT solutions can revolutionize your business, increasing security and efficiency in every situation.