Web API Pen Testing

Web API Pen Testing

The security of API services is an often-ignored aspect of application security. Since they aren’t exposed in an application’s normal user interface, developers often pay less attention to their security. But often they expose sensitive information and functionality, and are deserving of the same level of security attention as user-facing applications.

TechSaints International helps teams prevent security vulnerabilities through penetration testing, hybrid security analysis, runtime error detection, and execution of complex authentication, encryption, and access control test scenarios.

Thoroughly testing the security of web services requires a substantial amount of skill combined with a rigorous methodology.


A. Preparation – TechSaints International verifies that it has received the following information from the customer in preparation for the penetration test.

Web service name
Brief description of the web service and its purpose
Documentation for how to use the web service API
Endpoint URL(s) for testing the web service
Description of each web method available, with valid sample input data for each web method
WSDL or WADL if available
Credentials for each level of access to the web service, including client SSL certificates if required
(optionally) Server-side source code for the web service
Time windows for when the automated scanning portion of the penetration test can be run without risk of disrupting other users of the web service.

B. Exploration - TechSaints International manually explores the web service to verify that all methods can be called successfully and to gain an understanding of the functionality and sensitivity of the web service. Baseline requests are created for each transaction.

C. Automated Vulnerability Scanning – High-quality commercial vulnerability scanning tools are used to thoroughly scan the web service. This scanning process includes an authenticated application-level scan as well as an infrastructure-level scan. Custom scripts are written if needed to supplement the scan (for example, to dynamically add a digital signature to each request).

D. Manual Penetration Testing – The web service is manually tested by experienced web application security professionals using CybitRock’s systematic testing process. This manual testing process covers all major aspects of web application security that would apply to a web service, including:

Session Management (if applicable)
Input Validation / Output Encoding
Sensitive Data Handing
Logical Vulnerability Checks Parameter fuzzing
SQL injections
Username harvesting
XPath injections
Cross-site scripting
XML bombs
External entities
Schema invalid XML
Large XML document
Malformed XML

E. Report Preparation – TechSaints International takes the results of all scanning, manual testing and (optionally) code review and compiles a consolidated report, detailing all vulnerabilities uncovered during the testing process along with severity levels and recommendations for how to remediate each vulnerability that was identified.

F. Debriefing – TechSaints International presents all findings to executives and key stakeholders, answers all questions, and provides remediation advice.


1. An actionable, custom-written Web Service Security Assessment Report, which describes the web service’s security posture and lists all vulnerabilities identified. For each vulnerability, we provide a custom risk rating and remediation advice that is tailored to your specific business and technical situation.

2. Expert consultation throughout the remediation phase.

3.Two rounds of remediation testing within 6 months of the initial security assessment to ensure that all issues are effectively remediated.


TechSaints International employs a wide variety of tools and techniques to carry out penetration testing. Each and every test is carried out by skilled security testers and the results are manually verified before communicating to you. The end result is you get comprehensive and accurate understanding of your security posture and can immediately take mitigating steps for closing any identified weakness.

Every man must have a philosophy of life, for everyone must have a standard by which to measure his conduct. And philosophy is nothing but a standard by which to measure.
- B. R. Ambedkar , Indian jurist
B. R. Ambedkar