As we move towards more Agile shift-left software development processes like continuous integration and delivery, the need to quickly give test feedback to our developers is increasing. Web Services are an implementation of web technology used for machine to machine communication. As such they are used for Inter application communication. In practice RESTful web services utilizes HTTP requests that are similar to regular HTTP calls in contrast with other Web Services technologies such as SOAP which utilizes a complex protocol.
As Web Services are incorporated into application environments, having a good checklist while performing security assessments can help a penetration tester better identify web service related vulnerabilities and associated risk. Since, many companies still operating with their legacy systems often suffer from internal operational inefficiencies such as poor organization infrastructure, dysfunctional communication, limited reusability and complex integrations of technologies.
Our comprehensive approach of testing Web services and API undergoes following stages -
- We focus on each and every layer of the suite and based on the architecture
- Determine the attack surface
- Collecting and analzing full requests using a web proxy
- Look for abnormal HTTP headers
- Look for structured parameter values - those may be JSON, XML or a non-standard structure.
- Analyzing collected requests to optimize fuzzing
- execute authentication, encryption, and access control test scenarios
- Token validation and negative testing to ensure proper enforcement of message integrity and authentication.
- Simulated attacks based on this functionality.
- Manual security review for (but not limited to following):
- Business Logic Issues
- Insecure Fields
- HTTP Verb Tamper
- Insecure Class Modifiers
- Unused External Reference etc.
- Server Authentication
- User Authentication
- Transport Encoding
- Message Integrity
- Message Confidentiality
- Parameter fuzzing
- SQL injections
- XPath injections
- Cross-site scripting
- Malformed XML
- Output Encoding
- Identification of false positives and creating Proof-of-concept (PoC) for reporting
- False positive removal, manually verify all the dectected vulnerabilities and their impact
- Re-testing the application for confirmation of fixes, if required
Our custom developed reports provide application specific details along with step-by-step fix information.
Some unique aspects of our reports are:
- Detailed fix information and configuration details for your development language and platform
- Multiple fixes and workarounds to help you find the best possible solution
- Coordinating with developers to fix the reported findings, if required