
API Interfaces

APIs are frequently used to query sensitive data or start processes and need to be secured against attackers.

Scope of the pentest

During this assessment, our ethical hackers evaluate your API regarding vulnerabilities and misconfigurations.
The test can be conducted on premises or remotely.

Exemplary test objects:

REST

We use Postman collections and Swagger/OpenAPI definitions to collect the API's typical requests and then test them for vulnerabilities.

SOAP

We import your WSDL definitions and then conduct a vulnerability assessment of the described operations.

Penetration test of API Interfaces

Our approach

Modern applications are increasingly complex and rely on a wide variety of API interfaces to retrieve or generate data and content from anywhere at any time. As a result, APIs are a critical component of modern mobile, SaaS and web applications and are found in many sectors such as banking, retail and the Internet of Things (IoT). Because APIs are frequent targets of attacks, in particular attempts to steal sensitive data such as passwords or personal data, consistent application security is becoming ever more important.

When you order an API penetration test, we subject the API interfaces defined with you in the project scope (e.g. SOAP or REST) to a comprehensive security analysis at the network and application levels. Using the OWASP API Security Top 10 as a checklist, we test your API for the known vulnerability classes and help you protect it from unauthorized access.

Our network-level tests consist of an automated vulnerability scan plus a manual analysis of all network services exposed by the API, from the perspective of an external attacker without credentials (black-box). The application-level tests use a semi-manual approach and are run both without and with valid user credentials (grey-box), which allows access controls to be checked from an unauthenticated as well as an authenticated perspective.
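The two steps described above, collecting the API's requests from a Swagger/OpenAPI definition and then deciding which of them need to be exercised with and without credentials, can be started from the specification alone. The following Python script is an added example, not the vendor's tooling: it reads a small OpenAPI 3 document constructed for this illustration, resolves each operation's effective security requirement (an operation-level `security` key overrides the document-level one, and an empty list means no authentication), and sorts the operations into the two buckets a tester works through first: operations reachable without any credential, and authenticated operations keyed by a caller-supplied object ID, which are the usual candidates for broken object level authorization. Host name, paths and operation IDs in the sample are invented.

```python
"""Enumerate the operations of an OpenAPI 3 document and flag the ones a
grey-box authorization review should prioritise.

Added example, not the vendor's tooling. The spec below is constructed
for this illustration; the field names follow the OpenAPI 3.0 schema.
"""
import json
import re

# Constructed sample spec: a document-wide bearer-token requirement, two
# endpoints that opt out of it, and an object-scoped endpoint pair that
# must be tested for broken object level authorization.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "servers": [{"url": "https://api.example.test/v1"}],
  "security": [{"bearerAuth": []}],
  "paths": {
    "/login": {
      "post": {"operationId": "login", "security": []}
    },
    "/users/{userId}": {
      "get": {"operationId": "getUser"},
      "delete": {"operationId": "deleteUser"}
    },
    "/users/{userId}/export": {
      "get": {"operationId": "exportUser", "security": []}
    },
    "/health": {
      "get": {"operationId": "health", "security": []}
    }
  },
  "components": {
    "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
  }
}
""")

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
PATH_PARAM = re.compile(r"\{([^}]+)\}")


def enumerate_operations(spec):
    """Yield one dict per operation with its effective security requirement.

    OpenAPI semantics: an operation-level `security` key replaces the
    document-level one, and an empty list means "no authentication".
    """
    global_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            security = op.get("security", global_security)
            yield {
                "method": method.upper(),
                "path": path,
                "operation_id": op.get("operationId"),
                "authenticated": len(security) > 0,
                "object_params": PATH_PARAM.findall(path),
            }


def classify(spec):
    """Bucket operations the way a tester triages them before sending requests."""
    unauthenticated = []   # reachable without any credential at all
    bola_candidates = []   # authenticated, but keyed by a caller-supplied object ID
    for op in enumerate_operations(spec):
        if not op["authenticated"]:
            # Unauthenticated object-scoped endpoints (e.g. the export
            # below) land here, since that is the more severe finding.
            unauthenticated.append(f'{op["method"]} {op["path"]}')
        elif op["object_params"]:
            bola_candidates.append(f'{op["method"]} {op["path"]}')
    return {"unauthenticated": unauthenticated, "bola_candidates": bola_candidates}


if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE_SPEC), indent=2))
```

Every entry in the `unauthenticated` bucket is then called without any token to confirm the specification matches the deployment (a `/health` endpoint is expected there, a per-user export is not), and every entry in `bola_candidates` is called with user A's token but user B's object ID. The script only triages the specification; whether the server actually enforces what the document declares is exactly what the grey-box requests establish.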

API Interfaces

All in-scope API endpoints are agreed with you beforehand. In the subsequent assessment we examine, among other things, the authentication procedures, the data model and the use of weak cryptography. If you are interested, request further details or create a non-binding offer with our configurator.

Testing types

Black-Box

Testing as an external attacker without additional information

Grey-Box

Testing with valid credentials

White-Box

Testing with credentials and access to the source code

Standards and qualifications

We follow recognized international standards for our pentest procedure.

Our penetration testers are highly qualified and hold several recognized hacking certifications.