API Penetration Testing

APIs Hold the Keys to Your Most Valuable Information

Hackers Often Find APIs Easy Targets

How Raxis Conducts API Penetration Tests

Unauthenticated User

We hunt for flaws in the login process as well as authentication bypass techniques such as SQL injection (SQLi) and session fixation. Anything from user enumeration and brute-force attacks to insecure direct object references (IDOR) is considered in scope.

High-Privilege User

Once authenticated, Raxis looks for technical vulnerabilities as well as business logic gaps and flaws. Configuration issues, data sanitization flaws, and session issues are just a few of the areas our engineers will test.

Cross-Customer Users

Software as a Service (SaaS) customers often require testing to validate that the customers who use the API are not able to access other customers’ data. Raxis pentesters look for vulnerabilities that could allow such cross-customer access and work to exploit them.

Low-Privilege User

When setting the scope, you choose how many roles Raxis will test. Testing as a user with limited permissions makes it possible for our engineers to attempt actions such as accessing data that should only be available to higher-privileged users.
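The cross-customer and low-privilege checks above both come down to the same question: does the API enforce authorization on every object it returns, or only on the route? The following is an added example, not Raxis code or any client's API: a minimal in-memory "orders" endpoint written two ways, a weak handler that looks records up by id alone, and a hardened one that scopes the lookup to the caller's tenant and filters privileged fields by role. The session model, the tenant names, the order records and the `probe` helper are all constructed for illustration.

```python
"""Added example (not Raxis code): object-level authorization on a toy API.

Shows the two gaps the cross-customer and low-privilege roles probe for:
a caller reading another tenant's record (IDOR / cross-tenant leak), and a
low-privilege caller receiving fields meant for higher-privileged users.
All data and names here are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Constructed stand-in for an authenticated API session."""
    user: str
    tenant: str   # the customer the caller belongs to
    role: str     # "viewer" or "admin"


# Constructed sample data: order id -> record. Two tenants, one record each.
ORDERS = {
    101: {"tenant": "acme", "amount": 250, "notes": "credit hold lifted"},
    102: {"tenant": "globex", "amount": 900, "notes": "vip account"},
}


class NotFound(Exception):
    """Raised for both missing and foreign-tenant records (see below)."""


def get_order_vulnerable(session, order_id):
    """Weak handler: the route is authenticated, but the record is fetched
    by id alone, so any logged-in caller can read any tenant's order, and
    the admin-only 'notes' field is returned to every role."""
    return ORDERS[order_id]


def get_order_hardened(session, order_id):
    """Hardened handler: the lookup is scoped to the caller's tenant, and
    privileged fields are only included for the admin role. A missing
    record and another tenant's record produce the same response, so the
    endpoint does not reveal which ids exist outside the caller's tenant."""
    order = ORDERS.get(order_id)
    if order is None or order["tenant"] != session.tenant:
        raise NotFound("order not found")
    view = {"tenant": order["tenant"], "amount": order["amount"]}
    if session.role == "admin":
        view["notes"] = order["notes"]
    return view


def probe(handler, session, order_id):
    """Call a handler and return its response, or 'denied' when it refuses.
    This is the shape of one test-matrix cell: one role, one object id."""
    try:
        return handler(session, order_id)
    except (NotFound, KeyError):
        return "denied"


def authorization_matrix(handler):
    """Run every constructed session against every order id and return the
    results keyed by (user, order_id), the way a role-based test is scoped."""
    sessions = [
        Session("alice", "acme", "viewer"),
        Session("bob", "acme", "admin"),
        Session("carol", "globex", "viewer"),
    ]
    return {
        (s.user, oid): probe(handler, s, oid)
        for s in sessions
        for oid in sorted(ORDERS)
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable),
                          ("hardened", get_order_hardened)):
        print(f"== {name} ==")
        for key, result in authorization_matrix(handler).items():
            print(key, "->", result)
```

Running the module prints the full role-by-object matrix for both handlers. In the weak version every cell returns a record, including the `notes` field for viewers and the other tenant's order for everyone; in the hardened version only same-tenant cells return data, and `notes` appears only for the admin session.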

We Speak All API

GraphQL

Originally developed by Facebook, GraphQL began development in 2012 and was released as open source in 2015. Many public APIs now use GraphQL, and it is becoming more popular each day.

REST

Representational State Transfer, or REST, has been in use since around 2000 and is one of the most widely used API styles among developers. REST is estimated to comprise about 90% of the APIs in use today.

SOAP

Simple Object Access Protocol, known as SOAP, is a highly structured method of implementing application communication endpoints using XML. SOAP was originally made available for use in 1999.

Learn More About API Penetration Testing

Request a demo to witness Raxis One’s effective penetration testing and internet asset management capabilities.