Web Interfaces (Web APIs)

Web interfaces (Web APIs) play a central role in almost all modern IT systems. Since backend systems usually communicate with a large number of different clients, Web APIs serve as the interface between the backend and those clients. Because these interfaces are often exposed on the Internet and must be compatible with a wide variety of technologies, they are popular targets for attackers and usually present a broad attack surface. Web APIs are used, for example, by web applications such as single-page applications, by mobile applications, or by IoT devices, and they sit at the boundary to cloud-based backend systems or even internal company networks. If an attacker succeeds in compromising a web API, they are therefore very likely to gain access to other important systems. To prevent such attack paths into your company, security should play a central role in the operation of web interfaces. To keep your security at a high level, we recommend subjecting web APIs to regular penetration tests. We are happy to support you in this process. To examine your interfaces for security vulnerabilities efficiently and effectively, we have developed our own test catalog based on the OWASP API Top 10.

Web API Interfaces

We cover the following test contents:

  • Verification of authentication/authorization (e.g., unauthorized access to blocked functionality)
  • Code injection attacks on database or web server (SQL injection, remote code execution etc.)
  • Unauthorized access to sensitive data
  • Attacks using manipulated input data (e.g., by adding certain JSON key-value pairs)
  • Checking the web server for configuration errors and compliance with best practices
  • Typical vulnerabilities of the respective technology (e.g., SOAP API or REST API)
  • Additional tests such as the testing of rate limiting, access to debug functionality, or logging/monitoring issues

We rely on a combination of automated and manual tests. This approach has proven successful because some vulnerability types can only be identified effectively by manual testing (e.g., vulnerabilities in authentication or authorization), while others can only be found through automated or semi-automated testing with full test coverage. Our analysts have years of experience with a wide range of web API technologies, both on the side of the corresponding backend systems and on the side of client architectures such as web applications, mobile apps, and IoT devices. All tests are performed according to your requirements. For example, on a production system we take the utmost care in testing so that you do not have to deal with production downtime. Depending on your requirements, we conduct white-box, grey-box or black-box tests, i.e., you decide how much information to provide (e.g., user accounts for your API, documentation or source code) or whether we perform the test without any prior knowledge of your system. In any case, we guarantee you meaningful and well-founded test results.

As a result of our security audits, we provide a comprehensive report that includes a list of all identified vulnerabilities as well as specific, prioritized recommendations on how to improve security. This also includes a comprehensive log of our testing activities so you can understand individual results in detail, as well as a brief management-level summary.

We recommend that you have all of your company’s web APIs tested on a regular basis (or at least after major new developments) in order to monitor the security status systematically and actively counter attacks. In addition to testing the APIs, the security of the corresponding clients should also be checked regularly. We’re also happy to test your mobile applications or your IoT devices.

OFFENSIVE CYBER SECURITY

Contact us to uncover and close your security gaps.