Penetration Test Types for (REST) API Security Tests
Penetration testing for REST API security provides a comprehensive testing method and is supported by a number of open source and proprietary tools.
Join the DZone community and get the full member experience.
Join For FreeBlack Box, Grey Box, and White Box Pen Tests
In my last article, we discussed Penetration tests, or pen tests, the importance of pen tests, and how it helps to find the REST API vulnerabilities.
This article gives a brief overview of one of the pen tests type called white box pen tests. There are two more types called black box and grey box testing. However, black box and grey box penetration tests assume the tester has only limited knowledge about the target system, and this article focus is on API pen tests also discussed a few details on why it is a preferred test type of API penetration tests and summarized with a few tools that enable the pen tests for our APIs.
White Box Penetration Testing
White box testing is also known as structure, open box, clear box, and glass box testing. The white box pen test is a comprehensive testing methodology, as one gets a whole range of information about schema, source code, models and so on before starting the testing. White box tests intended to scrutinize the code and catch any design and development errors. It is a simulation of an internal security attack.
You may also enjoy: Software Testing Tutorial: How to Perform Testing
The API pen tests rely on white box testing because
The tests run on all independent paths of a module.
The tests confirm and verify that all logical decisions (true/false) inside the code.
The tests execute syntax checking, and so fihe typographical errors which are critical to finding code injections and SQL injections attack.
The tests find the design errors caused by a mismatch of the logical flow of the program and the actual execution. (Design for intent)
There are plenty of tools available as open source and commercial versions that can scan code, check for malicious codes, finds security loopholes by data encryption techniques, even find hardcoded username and passwords.
Few of the tools are listed down in the following table (both commercial and open source versions) with the intention of readers to aware of various tools that give out-of-box pen tests capabilities.
Nmap |
OpenSSL |
Pure Hacking |
Nessus |
Cain & Abel |
Torrid Networks |
Metasploit |
THC Hydra |
SecPoint |
Wireshark |
w3af |
Veracode |
It's important that one aware of REST API vulnerabilities and common causes of those vulnerabilities then aware of how we can find those vulnerabilities as part of the testing cycle.
Opinions expressed by DZone contributors are their own.
Comments