REST Web Services API Vulnerability Testing

What is a Web service API?

An API (Application Programming Interface) is an interface that lets you build on the data and functionality of another application. It gives developers the tools, routines and protocols for building software applications and lets users extract and share data in an accessible manner. The API provides the interface through which you can enhance the functionality of another application, but it is the web service, a network-based resource, that actually fulfils the task. Hence an API can be either online or offline. APIs that use web services as the resource to fulfil a specific task are termed Web service APIs.

A web service is a software system designed to support interoperable machine-to-machine interaction over a network. It provides an interface described in a machine-processable format such as WSDL (Web Services Description Language), so that other systems interact with the web service in the manner prescribed by its description, using SOAP messages typically conveyed over HTTP with an XML serialization in conjunction with other web-related standards. Put simply, Web APIs send data back and forth using HTTP requests, and the responses usually carry textual data in the form of JSON or XML. Since web service APIs expose the application’s data and functionality over the internet, it is essential to review their security.


SOAP (Simple Object Access Protocol) and REST (Representational State Transfer) are two popular approaches for implementing APIs.

SOAP has the built-in WS-Security standard, which uses XML Encryption, XML Signature and SAML tokens to deal with transactional messaging security considerations. SOAP also supports OASIS and W3C recommendations. Its built-in standards and envelope style of payload transport require more overhead than other API implementations, such as REST. However, organizations requiring more comprehensive security and compliance may benefit from using SOAP.

REST uses HTTP to obtain data and perform operations on remote computer systems. It supports SSL authentication and HTTPS to achieve secure communication. REST uses the JSON standard for consuming payloads, thus simplifying data transfer over browsers. REST is stateless: each HTTP request contains all necessary information, meaning that neither the client nor the server is required to retain any data to satisfy the request. Unlike SOAP, which requires parsing and routing for each request to function on a local web service, REST leverages standard HTTP requests and does not require the repackaging of data.

JSON (JavaScript Object Notation) is a lightweight, easy and popular way to exchange data. JSON-WSP (JavaScript Object Notation Web-Service Protocol) is a web-service protocol that uses JSON for service description, requests and responses. In spite of its name, JSON is completely language-agnostic, so it can be used with any programming language, not just JavaScript.


Security Threats for Web Service APIs:

APIs often self-document information regarding their implementation and internal structure, which is widely used as intelligence for cyber-attacks. Additionally, vulnerabilities such as weak authentication, lack of encryption, flaws in the business logic and insecure endpoints make APIs vulnerable to the attacks mentioned below.

  • Injection Attacks

    In an injection attack, malicious code is embedded into an unsecured software program to stage an attack. In particular, SQL injection and cross-site scripting are widely used to manipulate data or to pass untrusted data into the API as part of a query or command. As a result, the attacker gains unauthorized access to information and may cause further damage.
  • DoS Attack

    In a Denial of Service (DoS) attack, the attacker in most cases floods the web service with ICMP or SYN packets. When the system gets overwhelmed by the large amount of traffic which the server is unable to handle, the system eventually stops or crashes.
  • Broken Authentication

    Broken authentication or weak authentication empowers the attacker to either bypass or take control of the authentication methods that are being used by the web service. This may lead to an attack whereby JSON web tokens, API keys, passwords, etc. can be compromised. The aim of such attacks is usually to take charge of several accounts, while also getting the same privileges as the attacked user.
  • Sensitive Data Exposure

    Sensitive Data Exposure happens whenever an application is unable to properly secure sensitive data, possibly due to lack of encryption in transit or at rest. Information ranging from private health information to credit card information, session tokens, passwords, keys and a lot more tends to be vulnerable to this attack.
  • Broken Access Control:

    The functions and contents of a web service are accessible to only certain users. Access control is used to grant access to those specific users while denying access to the others. Missing, broken or inadequate access control can permit the attacker to gain control of other users’ accounts, alter access privileges and modify data.
  • Parameter Tampering:

    This attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Generally, such information is stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control.
  • Man-In-The-Middle Attack (MITM):

    In this attack, the attacker is secretly listening to the data transfer taking place between two systems. Confidential and important data that is being transferred may be modified or intercepted without the knowledge of either system.
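
The parameter-tampering case above (a price carried in a hidden form field), as an added example that is not code from the original page: the server signs the fields the client must not change and verifies them on return. The key, field names and quantity limit are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real service would load this from a secret store.
SERVER_KEY = b"constructed-demo-key"
PROTECTED = ("item_id", "unit_price_cents")  # fields the client must not change


def _sign(form: dict) -> str:
    """HMAC-SHA256 over the server-controlled values, in a fixed order."""
    msg = json.dumps([form[name] for name in PROTECTED]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_order_form(item_id: str, unit_price_cents: int) -> dict:
    """Build the form sent to the client, with a signature over PROTECTED."""
    form = {"item_id": item_id, "unit_price_cents": unit_price_cents}
    form["sig"] = _sign(form)
    return form


def total_vulnerable(form: dict) -> int:
    # Trusts the price exactly as it came back from the client.
    return form["unit_price_cents"] * form["quantity"]


def total_hardened(form: dict) -> int:
    """Reject the order if a protected field no longer matches its signature."""
    try:
        expected = _sign(form)
    except KeyError as exc:
        raise ValueError(f"missing field {exc}") from exc
    supplied = str(form.get("sig", ""))
    # Constant-time comparison avoids leaking how much of the tag matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise ValueError("protected field was modified in transit")
    qty = form.get("quantity")
    if type(qty) is not int or not 1 <= qty <= 100:  # assumed business limit
        raise ValueError("quantity out of range")
    return form["unit_price_cents"] * qty
```

Where the server can look the price up itself from `item_id`, doing so is simpler than signing; the signature is for values that have to round-trip through the client.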

Web Services API – VAPT

  • Fuzz Testing:

    Weaknesses in a web service can be tested using a simple test such as fuzz testing, a black-box software testing technique that finds bugs by injecting malformed data.
  • Command Injection

    In web services and APIs, an injection flaw occurs when the web application passes information from an HTTP request through to another command, such as a database command, a system call, or a request to an external service.
  • SQL Injection

    SQL injections are attacks in which a malicious user injects code to break the defined SQL query and fetch data from the database. In REST services, SQL injection is one of the most important test cases, and it is performed on the user-controlled variables or entry points. Blind SQL Injection confirms this type of vulnerability.
  • Cross-Site Scripting (XSS):

    Cross Site Scripting vulnerability arises when an attacker injects and runs a malicious script into a legitimate web page and its rendering is seen in the immediate response. Using this vulnerability an attacker can do virtual defacement or cookie stealing on the application which can further lead to session hijacking.
  • Cross-Site Request Forgery (CSRF):

    Cross-site request forgery is an attack where the attacker sends a request to the server pretending to be a user, to perform operations in the application. This attack occurs when the application depends solely on cookies to validate the user on the server side. In JSON services we can perform this attack by using the request.
  • Username Enumeration:

    In a REST service-based application, an attacker may have an opportunity to enumerate usernames. Forgot Password and User Login functionalities are the usual entry points for this type of attack, since most applications use default usernames such as Admin, Customer care, etc. for these operations.
  • XML External Entity Injection:

    An XML External Entity Injection attack arises when an application processes user-entered XML data in the request without disabling references to external resources. Applications rarely require references to external resources, yet by default the XML parser is enabled to support external references in the application. These entities can refer to the file system or other sensitive information in the application.
  • Brute Force:

    Brute force is another attack type that can be executed against a vulnerable API. Many times, the login page of the application is vulnerable to this type of attack, which involves guessing usernames and passwords using wordlists.
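
For the XML External Entity item above, one way to refuse external references before a request body reaches the application's parser, as an added example that is not code from the original page. The function name, error class and sample documents are constructed for the illustration; the policy assumed is that the API never needs a DTD, so any DOCTYPE is rejected.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class RejectedXML(ValueError):
    """Raised when a request body is malformed or declares a DTD."""


def parse_request_xml(body: bytes) -> ET.Element:
    """Parse untrusted XML only after confirming it carries no DOCTYPE.

    Entities (internal or external) can only be declared inside a DTD, so
    refusing the DOCTYPE means no entity is ever defined or resolved.
    """
    checker = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Called by expat as soon as "<!DOCTYPE" is seen, before its contents.
        raise RejectedXML(f"DOCTYPE '{name}' rejected: DTDs are not accepted")

    checker.StartDoctypeDeclHandler = on_doctype
    try:
        checker.Parse(body, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return ET.fromstring(body)


# Constructed sample request bodies.
SAFE_BODY = b"<order><item>widget</item></order>"
EXTERNAL_ENTITY_BODY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ref SYSTEM "file:///constructed/placeholder">]>'
    b"<order><item>&ref;</item></order>"
)
INTERNAL_ENTITY_BODY = (
    b'<!DOCTYPE order [<!ENTITY a "aaaa">]><order><item>&a;</item></order>'
)
```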

Why Valency Networks?

  • Our testing methodology starts with understanding the flow of the application, its functionalities, critical components and then mapping what an attacker in the application can exploit.
  • We carry out the testing manually using some of our custom developed scripts.
  • We perform in-depth analysis of ‘data at rest’ as well as ‘data in transit’.
  • Each application is vetted by our senior resource before we share it with our client.
  • Once our testing is completed, we provide a report, which indicates vulnerabilities and associated risk rating, a solution to fix the vulnerability along with the evidence.
  • We share the report only after testing the entire application, as the vulnerabilities are interdependent.
  • We avoid using tools because we think a tool is a machine and a hacker is a human brain.

App security isn’t a feature or a benefit – it is a bare necessity. One breach could cost your company not just millions of dollars but a lifetime of trust. That is why security should be a priority from the moment you start writing the first line of code.
