Sign in
Your Saved List Become a Channel Partner Sell in AWS Marketplace Amazon Web Services Home Help


API Penetration Testing for AWS Start Ups

Developer and third party APIs are the messengers responsible for transferring information between systems, both internally and externally. Poorly secured APIs allow attackers to exploit not only the API itself, but any and every application associated with it.

API penetration testing is an ethical hacking process to assess the security of the API design. Our goal is to find gaps before an internal or external hacker does in your cloud based system, and report them to strengthen the API and prevent unauthorized access or data breaches across your systems and applications.

API Penetration Testing Phases

1. Planning and Preparation: Before starting a Web API Security Assessment, a review of the API documentation is performed. The tester meets directly with the client and discusses any specific areas of concern. Rhymetec typically tests against two API keys during an assessment, this provides a balance between coverage and time required to test the API.

2. Discovery: Discovery of different parameters and options available to the API Endpoints are reviewed. Additional methods are tested to verify undocumented functions exists that could bypass access controls. Brute forcing of paths is performed to find additional undocumented routes.

3. Penetration Attempt and Exploitation: Both automated and manual testing are performed to determine weakness in the API. The OWASP API Top 10 is used as a guide for the tester to discover and exploit vulnerabilities in the system. Additionally, general system weaknesses are reviewed and best practices authentication such as tokens is performed.

4. Analysis and Reporting: The tester will input findings into the internal documentation system as the test progresses. Examples of exploits and weaknesses are presented in a standardized report that include details about findings and how to remediate them. The report is created with both an executive summary for C-Level staff and detailed findings areas where developers can take action on findings.

5.Retest: Included in your Web API Security Assessment is a retesting window that allows you to work on findings you feel should be remediated soon. The tester will work with you if any questions arise regarding the original finding and retest the original findings requested. At the end of the retesting window, a new report is created with updated progress.

With Rhymetec helping your cloud-based business with API pen testing, you will receive a report outlining overall posture, and recommendations if any deficiencies are found. The assessment results include:

  • Kick off call with team
  • Final and Executive Summary
  • Immediate notification of critical findings
  • Detailed Findings and Remediation
  • Executive Presentation of initial findings
  • Retesting of initial findings
  • A final report with updated findings
Sold by Rhymetec
Fulfillment method Professional Services

Pricing Information

This service is priced based on the scope of your request. Please contact seller for pricing details.


Ongoing communication is our top priority. We offer a helpdesk for submitting time-sensitive tasks or security questionnaires for a faster turnaround and response times.

For more information about Rhymetec's services, simply send us a message at!