API & GraphQL Application Pentest

Phases of API & GraphQL Penetration Testing

The approach to testing APIs is based primarily on the OWASP Application Security Verification Standard (ASVS), which outlines important technical controls related to securing APIs. 

Pentesters evaluate the target app against these controls to identify gaps and vulnerabilities, such as those cataloged in the OWASP Top 10 and OWASP API Security Project.

Our methodology involves the following 7 key penetration testing stages:

Based on the Pentest Brief prepared by the client, pen-testers search for necessary information about the targets and investigate the scope.

Information gathered during this stage includes API Endpoints, GraphQL queries & mutations, understanding of application logic, and assigned business criticalities.

Pentesters then confirm that the targets can be reached and scanned and that they function properly.

During this phase, pen-testers manually examine the target applications to map business functions, workflows, and underlying processes.
 
They also build a matrix of the access controls within the app based on the types of roles and actions the apps support for each.
 
Testers then use this matrix to plan further security testing that determines how well these controls are enforced, or in what ways testers can bypass them.

BitCore’s pen-testers use both commercial and freeware security tools to assess the targeted application.

During this phase, we ensure that scanning covers the whole scope of the application and that every segment is assessed for security issues.

This means that testers will make manual changes as necessary to ensure optimized scanner performance.
 
Additionally, testers perform automated crawls to determine which pages are available to unauthenticated users, and to determine the full site tree.

Pentesters perform automated web application crawling and then manually verify the results.

Testers also conduct additional manual crawling to ensure better coverage, including authentication to protected application areas.

Using automated scanning, testers assess the application using the authenticated sessions where applicable.

Pentesters perform this testing with extreme caution to ensure minimum impact on the targeted system.

BitCore pen-testers then use tool-assisted manual testing to identify and analyze the target’s functionality, business logic, and deployment for vulnerabilities.

The assessment identifies published vulnerabilities, such as those cataloged in the OWASP Top 10 or tracked by CVE entries. These tests also take the target’s workflows and business logic into consideration to identify vulnerabilities within the implementation.

This approach to security testing includes injection attacks that probe the robustness of server-validation routines, session management flaws that may allow user impersonation, and flaws in access control that expose data or enable users to gain elevated privileges.

In addition to specific flaws in technical controls, pen-testers test how well the design and implementation protect data against unauthorized access or disclosure. For APIs, this includes reviewing areas such as how well the endpoints validate input, how they handle access tokens, and how they respond to error conditions or invalid states. The review also considers how resistant the API is to accidental misuse or unintended mistakes by a user that would lead to security exposures.

If microservices are in use, testers place a specific focus on the interactions between the different systems. We thoroughly examine the access control management and the Cross-Origin Resource Sharing (CORS) implementation, in addition to the vulnerabilities outlined in the OWASP API Security Project.

For each finding, pen-testers determine the issue’s risk based on demonstrating how it would be exploited and evaluating its impact within the context of the target’s business function, data, and users. Exploitation is done in a manner that demonstrates the presence of the vulnerability while minimizing potential adverse impacts on the application, its data, and underlying systems.

Pentesters can report all findings in real time through preferred communication channels such as Slack, assess their risks accordingly, and recommend remediation steps. Each pentester assists and elaborates where necessary regarding their findings.

Pentesters report and triage all vulnerabilities during the assessment itself. We provide details on all of the findings discovered by our pen-testers through the preferred communication channel. Clients have full visibility over discoveries in real time.

In the findings and final report, pen-testers provide detailed remediation steps and advice on further improvements of the security posture.

The client can perform remediation efforts on critical discoveries during and after the testing timeframe, and pen-testers can test the updated components and re-test the discovered issues to confirm that no residual risk remains for the client from a security perspective.

Schedule your API & GraphQL penetration testing now