Overview: REST or SOAP API Penetration Testing
Raxis penetration testers are also code developers who have a strong understanding of Application Programming Interface (API) calls. REST, or Representational State Transfer, is an architectural style used in web-based APIs. We've worked extensively with REST and SOAP calls for both mobile and traditional web applications. Raxis has been successful in performing privilege escalation, information disclosure, and database compromise on multiple past projects.
Our testing will help you understand the security risks you may be exposing your system to. We prefer to have documentation for your API so that we can properly test your entire environment; however, we are able to discover the calls with a man-in-the-middle (intercepting proxy) tool if necessary. Externally facing API calls are tested over the internet. Internal API calls can be reached remotely using the Raxis Transporter solution, or we can travel to your site as needed.
Raxis API Penetration Testing exposes security risks in your code to keep your REST and SOAP calls secure. We'll find your flaws before someone else does.
Raxis API Testing will:
- Fuzz every input variable to test for proper input sanitization
- Test each method in detail to ensure proper handling
- Check for token validation and enforcement
- Ensure session management is properly handled
- Attempt to brute-force any applicable user credentials
- Attempt to access data outside the permissions of the intended user role
- Where applicable, monitor live API transactions to discover potential risks
- Perform brute-force attacks against API paths to discover undocumented calls
- Attempt to exfiltrate confidential data from the server or database
- Crack any password hashes obtained and leverage them for additional access
Download our Penetration Testing Service Brief (PDF) for more information.
Transporter Remote Access
Raxis Transporter provides an easy-to-deploy "virtual wire" network connection for our manual penetration testers, vulnerability assessors, and R3 incident response team.
Onsite Penetration Testing
Sometimes it's necessary to be onsite to get access to internal networks or to examine a breach firsthand. No problem: our consultants will fly to you.