Web Services & API Security

Web Services can provide direct access for hackers to critical business data. A Penetration Test hardens your API and prevents its use as an attack vector against your organisation.

Pentstage’s Approach:

1. Preparation – Pentstage verifies that it has received the following information from the customer in preparation for the penetration test.
• Web service name
• Brief description of the web service and its purpose
• Documentation for how to use the web service API
• Endpoint URL(s) for testing the web service
• Description of each web method available, with valid sample input data for each web method
• WSDL or WADL if available
• Credentials for each level of access to the web service, including client SSL certificates if required
• (optionally) Server-side source code for the web service
• Time windows for when the automated scanning portion of the penetration test can be run without risk of disrupting other users of the web service.

2. Exploration – Pentstage manually explores the web service to verify that all methods can be called successfully and to gain an understanding of the functionality and sensitivity of the web service. Baseline requests are created for each transaction.

3. Automated Vulnerability Scanning – High-quality commercial vulnerability scanning tools are used to thoroughly scan the web service. This scanning process includes an authenticated application-level scan as well as an infrastructure-level scan.

4. Manual Penetration Testing – The web service is manually tested by experienced web application security professionals. This manual testing process covers all major aspects of web application security that would apply to a web service, including:
• Authentication
• Authorization
• Session Management (if applicable)
• Input Validation / Output Encoding
• Configuration
• Sensitive Data Handling
• Logical Vulnerability Checks

5. Report Preparation – Pentstage takes the results of all scanning, manual testing and (optionally) code review and compiles a consolidated report, detailing all vulnerabilities uncovered during the testing process along with severity levels and recommendations for how to remediate each vulnerability that was identified.

6. Debriefing – Pentstage presents all findings to executives and key stakeholders, answers all questions, and provides remediation advice.

Copyright © 2019 Pentstage. All Rights Reserved.