API Penetration Testing

API Penetration Testing

API Pen testing is identical to web application penetration testing methodology. Where methods of these type testing remain similar to other web applications with some small changes in the attack hence, we need to look for some standard vulnerabilities that we look for the web application such as OWASP 2017 Top 10: Injection, Access Control, information disclosure, IDOR XSS, and other.

A Web Service Penetration Test is an authorised hacking attempt aimed at identifying and exploiting vulnerabilities in the architecture and configuration of a web service. The purpose of this test is to demonstrate the ways attackers can compromise a web service and gain access to an organisation’s virtual assets.

Developers who leverage Pivot Point Security’s API Penetration Testing service can efficiently and effectively demonstrate that their APIs are secure from known/common vulnerabilities, such as Cross-Site Scripting (XSS) vulnerabilities, injection flaws, authentication weaknesses, etc. This level of testing also provides valuable guidance on how to close any security gaps.

Our Methodology


Before an application assessment can take place, Armour Infosec defines a clear scope of the client. Open communication between Armour Infosec and the client organization is encouraged at this stage to establish a comfortable foundation from which to assess.


Our engineers collect as much information as they can on the target, employing a myriad of OSINT (Open Source Intelligence) tools and techniques. The assembled information will assist us with understanding the working states of the association, which permits us to evaluate the risk precisely as the engagement progresses.


At this stage, we consolidate computerized contents and instruments, among different strategies in further developed data gathering. Our experts closely inspect any conceivable assault vectors. The accumulated data from this stage will be on the basis for exploitation in the upcoming stage.


In this step, we initiate both manual & automated security scan to find all possible attack vectors & vulnerabilities. After this, we run exploits on the application to evaluate its security. We use different methods and open-source scripts and in-house tools to gain a high degree of penetration. All these are done cautiously to secure your application and its information


This is the final stage of the whole assessment process. In this stage, the Armour's analysts aggregate all obtained information and provide the client with a thorough, comprehensive detailing of our findings. Our team will discuss the report and find the appropriate solutions for the bugs located. After that, a comprehensive discussion will be carried out to fix these vulnerabilities .

1. Planning

Initiating the project, scoping/target information will be collected from the client. This process will involve a brief meeting with the client to review and acknowledge the penetration testing rules of engagement, confirm project scope and testing timeline, identify specific testing objectives, document any testing limitations or restrictions, and answer any questions related to the project

2. Execution

The goal of this phase is to identify any sensitive information that may help during the following phases of testing, which could include email addresses, usernames, technology in use, user manuals, forum posts, etc. The threat modelling phase serves to evaluate the types of threats that may affect the target APIs that are in scope. Manual review of the exposed endpoints, determining business functionality of the endpoints, and identifying unauthenticated/authenticated endpoint attack surface. Manual identification and confirmation of vulnerabilities for each tested endpoint will be conducted, including injection-style attacks (SQL, command, XPath, LDAP, XXE, XSS), error analysis, file uploads, etc. Vulnerability identification based on identified software versions will also be attempted.

3. Post-Execution & Reporting

The output provided will generally include an executive-level report and a technical findings report. The executive-level report is written for management consumption and includes a high-level overview of assessment activities, scope, most critical/thematic issues discovered, overall risk scoring, organizational security strengths, and applicable screenshots.


Get Started with Armour


Armour Infosec provided to the point and in-depth vulnerabilities details, which was greatly beneficial to us. We are an exclusive community of testers delivers the real-time insights you need to remediate risk quickly and innovate securely.

  1. Test your web, mobile, API, network, or cloud services
  2. Launch a pentest in days, not weeks
  3. Collaborate with pentesters in real time
  4. Accelerate find-to-fix cycles with tech integrations
  5. Tailor pentest reports for all of your stakeholders
  6. Retest fixes, for free
  7. Improve your security posture over time