WEB SERVICE AND API PENETRATION TESTING
Web Services can provide direct access for hackers to critical business data. A Penetration Test hardens your API and prevents its use as an attack vector against your organisation.
A Web Service Penetration Test is an authorised hacking attempt aimed at identifying and exploiting vulnerabilities in the architecture and configuration of a web service. The purpose of this test is to demonstrate the ways attackers can compromise a web service and gain access to an organisation’s virtual assets.
Benefits to your Business
- Gain competitive advantage – Web Services such as APIs provide your applications with avenues for growth through integration with mainstream products. Good security measures are key in supporting such initiatives.
- Protect data transmitted between users and web services from being intercepted by a malicious attacker
- Get independent verification of the security measures around your web service
- Reduce risks, legal costs and ramifications due to a data breach
- Get actionable recommendations that developers can follow during development, or when implementing upgrades
- Ensure compliance with PCI DSS and other security standards
- Verify alignment with OWASP and ensure that the most common exploitation mechanisms are addressed
- Provide management with a proof of exploit, which outlines the assets that an attack can compromise
Reconnaissance and Analysis
Mapping the web service:
- This stage consists of manual and automated crawling of the web service to visit and analyse the functionality of all service paths within scope.
- We then test for content that may not be used by the service clients but is still reachable. We also subject the service to abnormal HTTP, SOAP and XML requests to determine the various responses returned by the server, including examining those responses for debug behaviour.
Analysis of the results:
- We then analyse the mapping results to determine the service's functionality, its potential entry points and the technologies in use, and how these could be used to compromise the application.
Testing and Exploitation
Using the information identified in the initial phase, we test the application for potential vulnerabilities. We then attempt to exploit the vulnerabilities found to demonstrate their full impact on the application. This gives your organisation the ability to produce an accurate threat and risk assessment.
On successful completion of the testing and exploitation phase, any changes made to the web service are restored to the state prior to the commencement of the penetration test. This provides a known security baseline for your organisation.
Our methodologies are planned and scheduled to be non-disruptive to business, and we work to ensure uptime throughout our testing.
After completion of the testing phase, a thorough report is written listing the vulnerabilities and exploits, categorised by risk level. Alongside this are recommendations for mitigation strategies based on Shearwater's key insights into the web application threat landscape.
Shearwater Ethical Hacking can also conduct debriefing sessions targeting two separate audiences: one aimed at developers, the other tailored for the technology management group.
The management session is intended to provide the information needed to determine the appropriate risk management strategy. The technical briefing is intended to provide an opportunity for knowledge transfer to developers of the lessons learnt during the penetration test.
Interested in our API Penetration Testing Service?