Securing Your API

API (Application Programming Interface) testing is a common companion to web and mobile application testing, as APIs often connect the applications to the databases and data that feed them.

APIs come in many flavors but often are plagued by similar vulnerabilities. Using blended attack techniques, Raxis scrutinizes each API endpoint and parameter for anomalies. We do this through direct interaction and by manipulating application data in flight manually with advanced testing tools. We test and verify potential insertion points with a focus on session management, data integrity, and parameter fuzzing - varying inputs to see if we get unexpected results.

How Raxis conducts API penetration testing

Like all of our assessments, API pentests can be tailored to your specific needs. Every API test performed by Raxis is a true manual breach attempt. While we use tools to help us identify key areas, the majority of testing is performed manually. Our engineers test the business logic of the API in an effort to escalate privilege, force data leaks, expose sensitive information, and in extreme cases make the leap from the application into other environments.

We approach these tests from different perspectives:

• Unauthenticated User: We hunt for flaws in the login process as well as authentication bypass techniques such as SQL injection (SQLi) and session fixation. Anything from user enumeration and brute-force attacks to insecure direct object references (IDOR) are considered in-scope.
• High-Privilege User: Once authenticated, Raxis looks for technical vulnerabilities as well as business logic gaps and flaws. Configuration issues, data sanitization flaws, and session issues are just a few of the areas our engineers will test.
• Low-Privilege User: When setting the scope, you choose how many roles Raxis will test. Testing as a user with limited permissions makes it possible for our engineers to attempt actions, such as accessing data that should only be available to higher-privileged users.
• Cross-Customer Users: Software as a Service (SaaS) customers often require testing to validate that the customers who use the API are not able to access other customers’ data. Raxis pentesters look for vulnerabilities that could allow these flaws and work to exploit them.

A Raxis API test thoroughly examines your application for flaws from without and within.

Does my company need an API penetration test?

Yes, these tests are important tools for your development team. APIs often power organizations' web and mobile applications. Many organizations also release external APIs so that their customers can access and modify the data from within their own applications. All of these APIs benefit from penetration testing, and, in many cases, our customers’ clients request proof of pentest remediations before agreeing to use an API within their own applications.

Raxis pentesters have the experience to thoroughly test your API as a malicious actor would:

• GraphQL
• REST (Representational State Transfer) infrastructure
• SOAP (Simple Object Access Protocol) infrastructure

Our engineers jump in during the testing phase of your dev team's secure software development lifecycle (SDLC). Instead of looking at your API as a credible user would, they take a hacker's point of view, attempting to exploit business logic vulnerabilities as well as code and configuration issues. Raxis gives your development team useful, actionable feedback to give them to tools they need to secure your application.

Should API testing be a part of our Software Development Lifecycle (SDLC)?

We highly recommend that it is. Raxis customers approach this with:

• Static testing for new APIs
• Ongoing testing for APIs in continuous development
• Periodic testing for APIs with scheduled updates

Does Raxis use the OWASP Top Ten as a guideline for my API test?

In 2019 OWASP created a separate Top Ten list for APIs. While it’s related to the OWASP Top Ten, the OWASP API Top Ten focuses on different areas, and Raxis uses it as a guideline for our API tests.

The 2019 OWASP API Top Ten

• API1:2019 Broken Object Level Authorization
• API2:2019 Broken User Authentication
• API3:2019 Excessive Data Exposure
• API4:2019 Lack of Resources & Rate Limiting
• API5:2019 Broken Function Level Authorization
• API6:2019 Mass Assignment
• API7:2019 Security Misconfiguration
• API8:2019 Injection
• API9:2019 Improper Assets Management
• API10:2019 Insufficient Logging & Monitoring

If I’ve already had a web app test, is an API test needed? Could the tests be performed together?

We recommend an API test in addition to a web application test, especially if your API is used by multiple applications, whether internal or external. Depending on your scope and budget, a combined test may be a good option.

APIs focus on functionality to provide data and data updates to applications, but they open organizations to a different area of attack. Raxis API pentests look at your API as a hacker would, focusing not on application needs but instead on unintentional openings within the API.