API Penetration Testing for AWS Start Ups

Developer and third party APIs are the messengers responsible for transferring information between systems, both internally and externally. Poorly secured APIs allow attackers to exploit not only the API itself, but any and every application associated with it.

API penetration testing is an ethical hacking process to assess the security of the API design. Our goal is to find gaps before an internal or external hacker does in your cloud based system, and report them to strengthen the API and prevent unauthorized access or data breaches across your systems and applications.

API Penetration Testing Phases

1. Planning and Preparation: Before starting a Web API Security Assessment, a review of the API documentation is performed. The tester meets directly with the client and discusses any specific areas of concern. Rhymetec typically tests against two API keys during an assessment, this provides a balance between coverage and time required to test the API.

2. Discovery: Discovery of different parameters and options available to the API Endpoints are reviewed. Additional methods are tested to verify undocumented functions exists that could bypass access controls. Brute forcing of paths is performed to find additional undocumented routes.

3. Penetration Attempt and Exploitation: Both automated and manual testing are performed to determine weakness in the API. The OWASP API Top 10 is used as a guide for the tester to discover and exploit vulnerabilities in the system. Additionally, general system weaknesses are reviewed and best practices authentication such as tokens is performed.

4. Analysis and Reporting: The tester will input findings into the internal documentation system as the test progresses. Examples of exploits and weaknesses are presented in a standardized report that include details about findings and how to remediate them. The report is created with both an executive summary for C-Level staff and detailed findings areas where developers can take action on findings.

5.Retest: Included in your Web API Security Assessment is a retesting window that allows you to work on findings you feel should be remediated soon. The tester will work with you if any questions arise regarding the original finding and retest the original findings requested. At the end of the retesting window, a new report is created with updated progress.

With Rhymetec helping your cloud-based business with API pen testing, you will receive a report outlining overall posture, and recommendations if any deficiencies are found. The assessment results include:

• Kick off call with team
• Final and Executive Summary
• Immediate notification of critical findings
• Detailed Findings and Remediation
• Executive Presentation of initial findings
• Retesting of initial findings
• A final report with updated findings