Web Service and API Penetration Testing

Web Services can provide direct access for hackers to critical business data.
A Penetration Test hardens your API, and prevents its use
as an attack vector against your organisation.

FREE CONSULTATION & QUOTE

What is a Web Service Penetration Test?

A Web Service Penetration Test is an authorised hacking attempt aimed at identifying and exploiting vulnerabilities in the architecture and configuration of a web service. The purpose of this test is to demonstrate the ways attackers can compromise a web service and gain access to an organisation’s virtual assets.

Benefits to your business

Gain competitive advantage – Web Services such as APIs provide your applications with avenues for growth through integration with mainstream products.
Good security measures are key in supporting such initiatives
Protect data transmitted between users and web services from being intercepted by a malicious attacker
Get independent verification of the security measures around your web service
Reduce risks, legal costs and ramifications due to a data breach
Get actionable recommendations that developers can follow during development, or when implementing upgrades
Ensure compliance with PCI DSS and other security standards
Verify alignment with OWASP and ensure that the most common exploitation mechanisms are addressed
Provide management with a proof of exploit, which outlines the assets that an attack can compromise

Shearwater’s Web Service Penetration Testing Methodology

Reconnaissance and Analysis

This stage includes:

1- Mapping the web service:

This stage consist of manual and automatic crawling of a web service to visit and analyse the functionality of all service paths within scope.

We then test to identify content that may not be used by the service clients but might still be available. We also subject the site to abnormal HTTP, SOAP, and XML requests to determine the various different responses provided by the server, including examining responses for debug behaviour.

2- Analysis of the results:

We then analyse mapping results to determine: functionality, potential entry points and technology used and how they can be used to compromise the application.

Testing and Exploitation

Using the information identified in the initial phase we test the application for potential vulnerabilities. We then attempt to exploit found vulnerabilities to take maximum advantage of the application. This will provide your organisation with the ability to produce an accurate threat and risk assessment.

Post Exploitation

On successful completion of the testing and exploitation phase, any changes to the wireless service will be restored to the state prior to the commencement of the penetration test. This will provide a known security baseline for your organisation.

Our methodologies are planned and scheduled to be non-disruptive to business and we work around ensuring uptime throughout our testing.

Reporting

After completion of the testing phase, a thorough report will be written which will list the vulnerabilities and exploits categorised according to risk level. Alongside this will be recommendations for mitigation strategies based on Shearwater’s key insights into web applications threat landscape.

Shearwater Ethical Hacking can also conduct debriefing sessions targeting two separate audiences; One aimed at developers, while the other is tailored for the technology management group.

The management session is intended to provide the information needed to determine the appropriate risk management strategy. The technical briefing is intended to provide an opportunity for knowledge transfer of lessons learnt during the penetration test, to developers.

Shearwater: The Gold Standard in Penetration Testing

Here is how we raise the bar:

Penetration_Testing_Comprehensive_Reporting

Comprehensive Reporting
Shearwater offers in-depth executive level reporting which serves as a risk minimisation tool for management, and a technical document – listing vulnerabilities prioritised according to risk level – for the internal security team. The report also provides access to mitigation strategies based on Shearwater’s key insights into the cyber-threat landscape.

Penetration_Testing_Post_Engagement_Followup

Post Engagement Follow Up
Our post engagement follow-up is an additional benefit that allows clients to engage us with questions, or seek guidance on issues referred to in our report.

Testing Standards
The Open Web Application Security Project (OWASP)
The National Institute of Standards and Technology (NIST)
Source Security Testing Methodology Manual (OSSTMM)
Penetration Testing and Execution Standard (PTES)
Penetration Testing Framework
Australian Government Security Policies and Guidelines

Customer Centricity
We listen to our clients to understand their goals. Our team also alerts security staff – in real time – to critical vulnerabilities and threats discovered.

Our Certifications

Request a FREE Consultation

Call us on 1300 228 872 or submit the form below

[Webinar]

[i]

[Webinar]

[i]

[Webinar]

Web Service and API Penetration Testing

What is a Web Service Penetration Test?

Benefits to your business

Here is how we raise the bar:

Our Certifications

Consulting & Compliance

Penetration Testing

Managed Services

Training & Education

Subscribe to Our Security Updates