Overview
What is API penetration testing?
API penetration testing is a type of test designed to challenge an API's security controls, helping organizations discover, identify and mitigate risks in their APIs.
It predominantly includes testing the API's input validation, error handling, encryption capabilities, injection attacks, authentication and access control bypassing, rate limit testing, mass assignment issues, and other controls. The main objective is to identify vulnerabilities and recommend improvements to the security of the API, ensuring at minimum it is protected against common attack vectors listed on OWASP API Top 10.
API penetration testing services
Penetration testing for REST APIs, GraphQL, SOAP and other stacks. Evaluate the security readiness of your AWS-hosted APIs and microservices.
Blaze's API application penetration testing assessments are suitable for microservices and API backends hosted in AWS and beyond. The service is performed by our penetration testers in a manual fashion, augmented by automated scanners and custom tools. We go beyond common issues listed in OWASP API Top 10, and cover business logic issues tailored to your system. Our team follow industry standards such as PTES, OSSTMM and OWASP ASVS practices to ensure ample coverage in the assessments we perform.
The API penetration test assessment enables you to identify security vulnerabilities in your APIs and their associated web applications, with the necessary recommendations to remediate and fix the issues to improve your overall resilience against cyberattacks.
Our pen test offer include the following services, which can be hired individually or separately:
- REST API penetration testing
- GraphQL penetration testing
- SOAP and webservices penetration testing
- Microservices penetration testing
- Pentest for open banking and PSD2 APIs
The average duration for this service is between 5 to 15 person-days, depending on the complexity of the scope of work.
The API penetration testing service has the following minimum coverage, based on OWASP Top 10:
- Broken Object Level Authorization (IDORs and access control issues)
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources & Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Injection (SQL injection, HTML injection, template injection, and more)
- Improper Assets Management
- Insufficient Logging & Monitoring
- Business logic issues
Deliverables
Blaze will provide your organization with a detailed report listing all the vulnerabilities and weaknesses in your application, from the perspective of a motivated and capable adversary.
The report includes the following:
- Executive summary where the issues, attack scenarios and business impact are explained in a non-technical language
- A detailed description of the vulnerabilities, demonstration of attack scenarios and suggestions for fixing the issues
- A remediation prioritization matrix, helping your team to prioritize fixes and decrease risks to the environment
Reports are delivered within 5 business days from the completion of the security assessment. Fix validation is free if performed within 90 days from the delivery of the final report.
The reports can be used for vendor risk assessments and compliance audits that frequently require penetration testing, such as SOC 2, CCPA, GDPR, PCI DSS, HIPAA, ISO 27001 and others.
Contact us
Contact us for a standard quote for your API security requirements. Prices starting at $6,000. We offer special discounts for early-stage startups and small businesses.
Request a pentest today: https://www.blazeinfosec.com/lp/penetration-test-quote-form/
Email: sales@blazeinfosec.com
Phone: +1 347 892 4783 (US/Canada)
Phone: +351 222 081 647 (Europe/international)
Our services are insured worldwide by Hiscox with a professional liability (E&O) cover of 5,000,000 USD. Blaze is a CREST-accredited, ISO 27001 and ISO 9001 certified company.
Sold by | Blaze Information Security |
Categories | |
Fulfillment method | Professional Services |
Pricing Information
This service is priced based on the scope of your request. Please contact seller for pricing details.
Support
Contact us: https://www.blazeinfosec.com/contact-us
Email: sales@blazeinfosec.com
Website: https://www.blazeinfosec.com
Phone: +1 347 892 4783 (US/Canada)
Phone: +351 222 081 647 (Europe/international)
Services insured worldwide with a professional liability (E&O) cover of 5,000,000 USD. Blaze is a CREST-accredited, ISO 27001 and ISO 9001 certified company.
Support and project management are provided based on the statement of work agreed.