Penetration Test Types for (REST) API Security Tests
Black Box, Grey Box, and White Box Pen Tests
In my last article, we discussed penetration tests, or pen tests, the importance of pen tests, and how they help to find REST API vulnerabilities.
This article gives a brief overview of one type of pen test, the white box pen test. There are two more types, black box and grey box testing. However, black box and grey box penetration tests assume the tester has only limited knowledge about the target system, and this article's focus is on API pen tests. It also discusses a few details on why white box testing is the preferred test type for API penetration tests, and closes with a few tools that enable pen tests for our APIs.
White Box Penetration Testing
White box testing is also known as structural, open box, clear box, and glass box testing. The white box pen test is a comprehensive testing methodology, as one gets a whole range of information about the schema, source code, models and so on before starting the testing. White box tests are intended to scrutinize the code and catch any design and development errors. It is a simulation of an internal security attack.
The API pen tests rely on white box testing because:
The tests run on all independent paths of a module.
The tests confirm and verify all logical decisions (true/false) inside the code.
The tests execute syntax checking, and so find the typographical errors, which is critical to finding code injection and SQL injection attacks.
The tests find the design errors caused by a mismatch of the logical flow of the program and the actual execution. (Design for intent)
There are plenty of tools available, in open source and commercial versions, that can scan code, check for malicious code, find security loopholes by data encryption techniques, and even find hardcoded usernames and passwords.
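As an added illustration (not from the original article or from any of the tools listed), here is a minimal white box check in Python that reads source code the way such scanners do: it flags string literals assigned to credential-like names and SQL passed to `execute()` that is built by concatenation or formatting. The sample source, the name list, and the function names are constructed for this example.

```python
import ast

# Constructed list of name fragments treated as credential-like (an assumption).
CRED_NAMES = ("password", "passwd", "secret", "api_key", "token", "username")

# Constructed sample of API back-end code to scan; not taken from any real project.
SAMPLE = '''\
DB_PASSWORD = "example-only"

def get_user(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = " + user_id)
    return cur.fetchone()

def get_user_safe(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    return cur.fetchone()
'''

def _is_dynamic_string(node):
    """True for strings built at run time: f-strings, '+' or '%', and .format()."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False

def scan_source(source):
    """Return sorted (line, finding) tuples for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Hardcoded credential: NAME = "non-empty literal" with a secret-like NAME.
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str) and node.value.value):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(k in target.id.lower() for k in CRED_NAMES)):
                    findings.append((node.lineno, "hardcoded-credential"))
        # SQL injection candidate: execute() whose first argument is built dynamically.
        # Limitation: a query assembled in a variable beforehand is not followed.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append((node.lineno, "dynamic-sql"))
    return sorted(findings)

if __name__ == "__main__":
    for line, finding in scan_source(SAMPLE):
        print(f"line {line}: {finding}")
```

The parameterized query in `get_user_safe` is not reported, which is the distinction a reviewer with source access can make and a black box tester has to infer from responses.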
A few of the tools are listed in the following table (both commercial and open source versions) so that readers are aware of various tools that give out-of-the-box pen test capabilities.
Nmap | OpenSSL | Pure Hacking
Nessus | Cain & Abel | Torrid Networks
Metasploit | THC Hydra | SecPoint
Wireshark | w3af | Veracode
It's important that one is aware of REST API vulnerabilities and the common causes of those vulnerabilities, and then aware of how we can find those vulnerabilities as part of the testing cycle.