API Pentest Methodologies

Our pentesters start by collecting the information that they need about your API. This information includes:

• API URLs
• API documentation
• The target environment
• Your business logic
• Critical workflows
• Roles and permissions available within your app

Our pentesters also confirm that they can access and run documented commands on your API. If you require access tokens or API keys to use your API, our pentesters may need accounts on your system, with instructions, to set that up.

Our pentesters may use scanning tools, including:

• Burp Suite Community/Professional Edition
• testssl.sh
• Dirble
• OWASP Zed Attack Proxy (ZAP)

Our pentesters manually examine the target application to map its:

• Business functions
• Workflows
• The underlying processes

Our pentesters also build a matrix of access controls within the app based on:

• A list of available roles
• The actions supported for each role

Our pentesters use this matrix to create additional security tests to:

• Determine how well these controls are enforced
• Identify if someone can bypass these controls

Our pentesters may use scanning tools, including:

• Burp Suite Community/Professional Edition
• OWASP Zed Attack Proxy (ZAP)

Our pentesters may use commercial and open source security tools to assess your API. They ensure that appropriate tools cover the whole scope of the app. They also make sure to cover every segment for security issues.

They may have to manually tweak their tools to ensure optimized performance.

In addition, our pentesters perform automated crawls to identify:

• Pages available to unauthenticated users
• The directory tree of your website

Our pentesters may use scanning tools, including:

• Burp Suite Community/Professional Edition
• testssl.sh
• Dirble
• OWASP Zed Attack Proxy (ZAP)

Our pentesters run several tests in this area, including:

• Automated crawling tests, followed by manual verification
• Additional manual crawling tests for better coverage:
  • Includes application areas protected by authentication
  • Where applicable, our pentesters run automated scans with the authenticated session

Our pentesters use extreme caution to minimize impact on the targeted system.

Our pentesters may use scanning tools, including:

• Burp Suite Community/Professional Edition

• OWASP Zed Attack Proxy (ZAP)

• Nikto

• Nessus

Cobalt pentesters use manual testing tools to identify and analyze the following aspects of the API asset:

• Functionality
• Workflows
• Business logic
• Vulnerabilities in deployment and implementation

The assessment identifies known vulnerabilities, including those listed in the:

• OWASP API Top 10
• CVE

Our pentesters also:

• Run injection attacks that probe the robustness of server-validation routines
• Look for session management flaws that may allow user impersonation
• Investigate flaws in access control that expose data or enable users to gain elevated privileges

Beyond these tests, our pentesters also:

• Test how well the design and implementation protects data against unauthorized access or disclosure
• Review how the endpoints validate input
• Review how the API handles access tokens
• Review how the API responds to error conditions or invalid states
• Consider how resistant the API is to accidental misuse or unintended mistakes by a user that would lead to security issues

For microservices, our pentesters focus on the interactions between different systems. Specifically, we examine:

• Access control management
• Cross-Origin Resource Sharing (CORS) implementation
• Vulnerabilities outlined in the OWASP API Security Project

Our pentesters identify the risk associated with each finding, based on:

• A demonstration of the exploit
• An evaluation of the impact on the asset, with respect to:
  • Business functionality
  • Data
  • Users

When our pentesters “exploit” a finding, they demonstrate the presence of the vulnerability while minimizing potential adverse impact to the application, its data, and underlying systems.

Our pentesters may use scanning tools, including:

• Burp Suite Community/Professional Edition

• OWASP Zed Attack Proxy (ZAP)

• sqlmap

• Postman

Our pentesters report their findings, in real time, through the Cobalt platform. They also:

• Assess all risks
• Recommend steps for remediation

You’re welcome to communicate with our pentesters for each of their findings.

Cobalt pentesters report and triage all vulnerabilities during the assessment. You can review details of all findings, in real time, through the Cobalt platform. In these findings, as well as in any report, our pentesters include detailed information on how you can:

• Remediate each finding
• Improve your overall security posture

You can remediate findings during and after the pentest. Then you can submit findings for retest. Our pentesters test the updated components and retest issues to ensure that there are no security-related residual risks.