Scope of the pentest
During this assessment, our ethical hackers evaluate your API for vulnerabilities and misconfigurations.
The test can be conducted on premises or remotely.
Examples of test objects:
REST
We import your Postman collections or Swagger/OpenAPI definitions to collect the typical API requests and then test each of them for vulnerabilities.
SOAP
We import your WSDL service description and then assess each exposed operation for vulnerabilities.
The research company Gartner predicted that by 2022 API abuses would be the most frequent attack vector resulting in data breaches in enterprise web applications. ¹
The average company operates around 360 APIs; API security is therefore a significant risk factor. ²
Penetration test of API interfaces
Our approach
Modern applications are increasingly complex and rely on a wide variety of API interfaces to retrieve or generate data and content from anywhere at any time. APIs are therefore a critical component of modern mobile, SaaS and web applications and are found in areas as diverse as banking, retail and the Internet of Things (IoT). Because APIs are a frequent target of attacks, typically attempts to steal sensitive data such as passwords or personal data, providing consistent application security is becoming steadily more important.
By ordering an API penetration test, we subject the API interfaces defined with you in the project scope (e.g. SOAP or REST) to a comprehensive security analysis at network and application level. Using the
Our network-level tests include an automated vulnerability scan as well as a manual analysis of all network services exposed by the API from the perspective of an external attacker (black-box). The application-level tests follow a semi-manual approach and are performed both without credentials (black-box) and with valid user credentials (grey-box).
All in-scope API endpoints are agreed with you beforehand. During the subsequent security assessment we examine, for example, the authentication procedures, the handling of the data model, and the use of weak cryptography. If you are interested, feel free to request further details or create a non-binding offer with our configurator.
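As an added illustration of the grey-box approach described above and of testing from an imported Swagger/OpenAPI definition (this is example code written for this page, not the provider's tooling): the script enumerates every operation in an OpenAPI 3 document, replays each one once without credentials and once with a valid bearer token, and reports operations that declare a security requirement yet answer successfully when called anonymously. The OpenAPI document, the behaviour of the target API and the token are constructed for the example; the HTTP transport is passed in as a function so the check runs offline here against an in-memory fake and, via the urllib-based sender, against a real base URL.

```python
"""Grey-box authentication-enforcement check driven by an OpenAPI document.

Added example, not part of the original page. All data below is constructed.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed minimal OpenAPI 3 document (not any real product's API).
# Document-level security applies to every operation unless the operation
# overrides it with "security": [] (public endpoint).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/login":       {"post": {"security": []}},
    "/users/me":    {"get": {}},
    "/orders":      {"get": {}, "post": {}},
    "/orders/{id}": {"get": {}, "delete": {}},
    "/health":      {"get": {"security": []}}
  }
}
""")

Response = Tuple[int, str]                               # (status code, body)
Sender = Callable[[str, str, Dict[str, str]], Response]  # (method, url, headers)


def enumerate_operations(spec: dict) -> List[Tuple[str, str, bool]]:
    """Return (METHOD, path, requires_auth) for every HTTP operation in the spec."""
    ops = []
    default_secured = bool(spec.get("security"))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in ("get", "post", "put", "patch", "delete"):
                continue  # skip "parameters", "summary" and other non-operation keys
            secured = default_secured if "security" not in op else bool(op["security"])
            ops.append((method.upper(), path, secured))
    return ops


def fill_path_params(path: str, sample: str = "1") -> str:
    """Replace {param} placeholders with a sample value so the request can be sent."""
    return re.sub(r"\{[^}]+\}", sample, path)


def check_auth_enforcement(spec: dict, send: Sender, token: str) -> List[dict]:
    """Replay each operation anonymously and with credentials; flag operations
    the spec declares as secured that nevertheless return 2xx without a token."""
    findings = []
    for method, path, secured in enumerate_operations(spec):
        url = fill_path_params(path)
        anon_status, _ = send(method, url, {})
        auth_status, _ = send(method, url, {"Authorization": f"Bearer {token}"})
        if secured and 200 <= anon_status < 300:
            findings.append({"method": method, "path": path,
                             "anonymous": anon_status, "authenticated": auth_status,
                             "issue": "declared secured but reachable without credentials"})
    return findings


def urllib_sender(base_url: str) -> Sender:
    """Real transport for a live, in-scope target (assumption: bearer-token auth)."""
    def send(method: str, url: str, headers: Dict[str, str]) -> Response:
        req = urllib.request.Request(base_url + url, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:   # 4xx/5xx still carry a status code
            return err.code, err.read().decode(errors="replace")
    return send


# Constructed fake target: it deliberately forgets the auth check on DELETE /orders/{id}.
VALID_TOKEN = "example-token"   # assumption: a token issued to the grey-box test account


def fake_send(method: str, url: str, headers: Dict[str, str]) -> Response:
    authed = headers.get("Authorization") == f"Bearer {VALID_TOKEN}"
    if url in ("/login", "/health"):
        return 200, "ok"                                   # public endpoints
    if method == "DELETE" and url.startswith("/orders/"):
        return 204, ""                                     # missing auth check: the finding
    return (200, "{}") if authed else (401, "unauthorized")


if __name__ == "__main__":
    for finding in check_auth_enforcement(SAMPLE_SPEC, fake_send, VALID_TOKEN):
        print(finding)
```

Against a live system, `check_auth_enforcement(spec, urllib_sender("https://api.example.test"), token)` replays only the endpoints agreed in scope; operations such as the constructed `DELETE /orders/{id}` that answer 2xx without a token are exactly the authentication findings a grey-box test is meant to surface, and the authenticated status is recorded alongside so a public-by-design endpoint is not confused with a missing check.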
Testing types
Black-Box
Testing as an external attacker without additional information
Grey-Box
Testing with valid credentials
White-Box
Testing with credentials and access to the source code