Briskinfosec - Global Cybersecurity Service Providers

Corporate Approach to Penetration Testing on Web Services and API End-Points


  • Introduction to Web Services
  • What is an Application Program Interface (API)?
  • API Vs Web Services
  • Common Vulnerabilities of API and Web services
  • API Assessment Approach and Best Practices
  • Conclusion
  • How Briskinfosec can help you?
  • Curious to read our case studies?
  • Last but not the least
  • You may be interested in

Introduction to Web Services:

A web service is a software service that lets two devices connected over a network, such as the internet, communicate with each other. In terms of applications, web services let a technology like PHP communicate with another technology like Java or .NET in order to accomplish a user action such as retrieving data from the server.

Web services are built from several major components:

  • SOAP (Simple Object Access Protocol) is a messaging protocol for exchanging structured information in web service implementations. SOAP generally uses XML to exchange data.
  • WSDL (Web Services Description Language) is an XML-based interface description language used to define the actual functionality of a web service, such as one built on the SOAP protocol.
  • UDDI (Universal Description, Discovery and Integration) is a specification for a distributed registry of web services. It uses WSDL to describe the interfaces exposed by the registered web services and communicates over the SOAP protocol.
  • REST (Representational State Transfer) is a style in which every unique URL represents some object (resource) that supports the common HTTP methods such as GET, PUT, POST, etc. REST services typically use JSON (JavaScript Object Notation) to exchange data.

Application Program Interface (API):

An API allows web and mobile applications to communicate with one another using widely adopted web service protocols such as REST or SOAP.

APIs are used in many ways: exchanging data, fetching information from third-party websites for display in our own application, and so on. For example, consider VirusTotal, a popular online virus scanner that uses around 60 to 70 different anti-virus programs to scan a file. VirusTotal uses APIs in the backend to communicate with all of these anti-virus services, scan the uploaded file, and display the results on screen.

In addition, VirusTotal provides its own API so that end users can scan files directly using tools such as curl on Linux or a Python script.

The VirusTotal API documentation shown in the image above lists the API URL endpoints used to scan, report on and rescan a file, together with the curl, PHP and Python commands for calling those endpoints from a local computer.

API vs Web Services:

APIs and web services both serve as a means of communication. The major difference between them is that a web service allows interaction between two machines over a network in order to achieve platform independence, whereas an API serves as an interface between two different applications so that they can communicate with each other.

Common Vulnerabilities of API and Web Services:

APIs and web services are vulnerable to the usual application attacks such as SQL injection, XML injection and command injection. Apart from these typical web/mobile application vulnerabilities, APIs have some specific weaknesses of their own:

  • JSON or XML based vulnerabilities
  • Vulnerabilities in API key or tokens
  • Business logic issues.

To demonstrate these vulnerabilities, a deliberately vulnerable test application called DVWS (Damn Vulnerable Web Services) is used.

SQL Injection on API Endpoint URL:

In DVWS, one API endpoint returns user information based on a user ID value. This makes it a natural place for a pentester to test for SQL injection or Insecure Direct Object Reference (IDOR) issues.

In the URL endpoint shown above, with user ID 2, I tried appending a single quote to test for SQL injection and found the endpoint to be vulnerable.

Then I extracted the database name and version using typical SQL injection methods.
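The two lookup styles that sit behind such an endpoint, as an added illustration that is not DVWS's code: the vulnerable version splices the ID into the SQL text, so the single-quote probe above turns into a database error, while the hardened version validates the format and binds the value as a parameter. The users table and its rows are constructed sample data.

```python
import sqlite3

def make_db():
    """In-memory SQLite database with a constructed users table (sample data, not DVWS's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")])
    return conn

def lookup_user_vulnerable(conn, user_id: str):
    # Vulnerable: the raw query-string value is spliced into the SQL text, so a single
    # quote in the input changes the statement's structure instead of being treated as data.
    sql = "SELECT username, email FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchone()

def lookup_user_safe(conn, user_id: str):
    # Hardened: validate the format first (a user ID is a short positive integer) ...
    if not user_id.isdigit() or len(user_id) > 10:
        raise ValueError("user_id must be a positive integer")
    # ... then bind it as a parameter so the driver never interprets it as SQL.
    sql = "SELECT username, email FROM users WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchone()

def probe(conn, user_id: str) -> tuple:
    """Run both lookups on the same input and summarise how each behaved."""
    try:
        vuln = "row" if lookup_user_vulnerable(conn, user_id) else "no row"
    except sqlite3.Error as exc:
        vuln = "SQL error: " + type(exc).__name__   # this is what leaks to the tester
    try:
        safe = "row" if lookup_user_safe(conn, user_id) else "no row"
    except ValueError:
        safe = "rejected"                            # endpoint answers 400 Bad Request
    return vuln, safe

if __name__ == "__main__":
    db = make_db()
    print(probe(db, "2"))     # ('row', 'row')
    print(probe(db, "2'"))    # ('SQL error: OperationalError', 'rejected')
```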

XML External Entity Injection (XXE) in API services:

In DVWS, the backend server uses an XML parser to process the data sent and received through API requests and responses. By capturing a request in Burp Proxy, we can see that the user input is embedded in the XML body. A pentester can therefore test the API endpoint for XML injection or XML External Entity (XXE) attacks.

If the XML parser is vulnerable, a pentester can use an injected external entity to retrieve internal configuration files from the DVWS server.
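An added example of the defensive side (not DVWS's code): an API handler that refuses any XML body carrying a DTD or entity declaration before the parser sees it, and that answers parse failures with a generic error rather than the parser's own message. The request bodies and the file path in the sample are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is where ENTITY declarations (internal and external) live. API payloads do not
# need a DTD, so the request is refused before any parser code runs on it.
DTD_MARKER = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)

def parse_api_xml(body: bytes) -> dict:
    """Parse a request body into {child tag: text}, refusing anything that carries a DTD."""
    if DTD_MARKER.search(body):
        raise ValueError("DTD and entity declarations are not accepted")
    root = ET.fromstring(body)
    return {child.tag: (child.text or "") for child in root}

def handle(body: bytes) -> tuple:
    """Endpoint wrapper: parse failures become a generic 400, never a raw parser message."""
    try:
        return 200, parse_api_xml(body)
    except (ValueError, ET.ParseError):
        return 400, {"error": "malformed request"}

# Constructed sample bodies (not captured from DVWS)
BENIGN = b"<user><id>2</id><name>bob</name></user>"
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE user [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
            b"<user><id>&ext;</id></user>")
TRUNCATED = b"<user><id>2</id"

if __name__ == "__main__":
    for body in (BENIGN, WITH_DTD, TRUNCATED):
        print(handle(body))
```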

In the same way, API endpoints can be tested for other input validation flaws, for weaknesses in API tokens, and for business logic vulnerabilities.

API Assessment Approach and Best Practices:

The following are some of the best practices that should be followed in a corporate environment when developing an application with APIs or web services:

Access Control:

As with any other application or network, access control is one of the key security mechanisms, and it should be enforced properly on every API endpoint URL as well as in the backend server.

API endpoints may be exposed to the public or only to the internal network, so access control mechanisms should be configured according to the business logic and the intended usage level.

For example, user authentication to the application should be centralized. Further, account takeover attacks such as Insecure Direct Object Reference (IDOR) should be prevented by using random JSON Web Tokens (JWT).

JWT (JSON Web Token):

JWTs are JSON data structures. They contain session information as well as the information related to access control in APIs. A JWT usually carries a cryptographic signature (random value) to protect the integrity of the data it carries.

In general, a JWT consists of three base64url-encoded parts: the first is the header naming the signing algorithm, the second is the actual session data, and the third is the cryptographic signature used for access control purposes.

The “alg” value in the JWT header should never be “none”, since that means the token is unsigned and insecure. JWTs should not contain sensitive information such as user IDs and passwords.
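An added verification routine, not code from the page, that applies these rules: the header's alg must be on a server-side allow-list (so “none” is refused), the HS256 signature must verify in constant time, and an expired exp claim is rejected. The signing helper, the key and the claims are demo assumptions only.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}   # explicit allow-list: "none" (or any unexpected alg) is rejected

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a compact JWT (header.payload.signature). The alg parameter exists only so the
    demo can build an unsigned 'none' token and show the verifier refusing it."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = b""
    if alg == "HS256":
        sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the payload only if the token parses, its alg is allowed, its HMAC verifies
    and it has not expired; otherwise raise ValueError with the reason."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:          # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token")
    # The alg claim is attacker-controlled input: check it against the server's list.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):   # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))
    if "exp" in payload and payload["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return payload

def check(token: str, key: bytes, now=None) -> str:
    """Classify a token for the demo: 'ok' or the rejection reason."""
    try:
        verify_jwt(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```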

API Keys:

API keys help prevent attacks such as Denial of Service (DoS) by making per-client rate limiting possible. API keys should be properly encrypted and stored on the server, so that a data breach does not leak them. In particular:

  • Require an API key for every request to protect the endpoint.
  • Return “429 Too Many Requests” when a client sends requests in large numbers.

HTTP Methods and HTTPS:

API endpoints should use Transport Layer Security (TLS). This prevents network layer attacks such as sniffing and Man-in-the-Middle (MITM) attacks. In addition to HTTPS, the application should implement HTTP Strict Transport Security (HSTS) to prevent TLS/SSL downgrade attacks.

Further, API endpoints should allow only whitelisted HTTP methods such as GET, POST and PUT. Methods that are not whitelisted must be rejected with “405 Method Not Allowed”.
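A minimal request gate, added here and not taken from the page, that enforces the API key and 429 rules from the API Keys section together with the method whitelist and 405 response described just above. The X-API-Key header name, the key values and the limit of 5 requests per 60 seconds per key are assumptions chosen for the demo.

```python
import time
from collections import defaultdict, deque

ALLOWED_METHODS = {"GET", "POST", "PUT"}   # the page's whitelist; anything else gets 405
RATE_LIMIT = 5                             # requests per window, per API key (demo value)
WINDOW_SECONDS = 60

# Constructed set of issued keys; a real deployment would look these up in encrypted storage.
VALID_KEYS = {"demo-key-alpha", "demo-key-beta"}

class ApiGateway:
    """Front door that applies method whitelist, API key requirement and rate limiting."""

    def __init__(self, valid_keys=VALID_KEYS, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.valid_keys = valid_keys
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # api_key -> timestamps of recent requests

    def handle(self, method: str, headers: dict, now: float = None) -> tuple:
        """Return (status, response_headers); 200 means the request may proceed."""
        now = time.time() if now is None else now
        # 1. Method whitelist first: unexpected verbs never reach business logic.
        if method.upper() not in ALLOWED_METHODS:
            return 405, {"Allow": ", ".join(sorted(ALLOWED_METHODS))}
        # 2. Every request must present a known API key.
        key = headers.get("X-API-Key")
        if key not in self.valid_keys:
            return 401, {}
        # 3. Sliding-window rate limit per key: drop timestamps older than the window,
        #    then refuse with 429 (and a Retry-After hint) once the limit is reached.
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            retry_after = int(hits[0] + self.window - now) + 1
            return 429, {"Retry-After": str(retry_after)}
        hits.append(now)
        return 200, {}
```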

Input Validation:

API/web service applications should enforce strict input validation to keep users and data secure. Input validation attacks are among the most critical and can cause reputational and financial loss to organizations. To thwart them, the following practices must be followed:

  • Do not blindly trust incoming input parameters without validation.
  • Validate the length and format of user inputs.
  • Use regular expressions properly to sanitize inputs.
  • Regular expressions should not consume excessive CPU time; otherwise they may be exploited for Regular Expression Denial of Service (ReDoS) attacks.
  • When a user supplies malformed input, the application should not expose backend errors such as SQL or XML errors to the user’s browser.
  • Follow secure coding standards when developing API endpoint functions.
  • Use of sanitization or input validation libraries or frameworks specific to the API’s implementation language should be mandatory.

These are some of the approaches that pentesters and API/web service developers can use to keep an application secure from API-related threats.


Conclusion:

Web services and APIs have become a vital part of every application developed today because of their fast and secure communication features. Even though APIs have built-in security, they are still vulnerable to many threats that hackers can use to break an application’s security.

Every company that develops API-based applications, whether web, mobile or desktop (thick-client), should carry out a proper API penetration testing assessment of its applications on a regular basis.

How Briskinfosec can help you?

Briskinfosec has a capable team of security professionals with vast experience in API security assessment. In addition, intense research is underway in both the BINT (Brisk Intelligence Laboratory) lab and the NCDRC (National Cyber Defence Research Centre) lab on how to secure API applications more efficiently, thereby safeguarding them from all possible threat actors. Further, we also provide a clear practical demonstration of all possible attacks that you may encounter, so that you can stay resilient against them.

Curious to read our case studies?

One of the prime reasons we were honoured as “One among the top 20 most promising cybersecurity providers” is our rigorous assessment strategies for eliminating vulnerabilities. To know more about them, just check out our case studies now.

Last but not the least:

For many requirements, there is surely more than one way to meet them. When it comes to cyberattacks, one way to learn what has happened globally, the impact on individuals and organizations, the losses suffered, and much more is through Google and other websites and search engines. But in this case, the massive time and effort needed to find the right, eye-opening material would leave you exhausted.

Another way to see all of this is through our Threatsploit Adversary Report. It is a single report that covers the month’s worldwide cyberattacks and much more, along with the best mitigation measures for staying secure against them. We have prepared it because we truly care about digital safety. A single click on it is enough, and you will surely be satisfied with what you get!

Dawood Ansar

Security Engineer

He is a skilled and fully independent information security engineer with an established record of competence. He holds certifications such as Certified Ethical Hacker (CEH) and EC-Council Certified Security Analyst (ECSA). He has been listed in the Hall of Fame of several major companies and of the Dutch government.
