Penetration Testing

APIs have driven digital transformation across cloud, IoT, mobile and web applications, which also makes them a primary attack surface. Our penetration testing methodology is based on the OWASP and OSSTMM standards. Testing follows a checklist-based approach and is performed in a controlled manner that does not impact the availability of the API endpoints.

Security Simplified consultants start the assessment by understanding the API's functionality and workflows. We have extensive experience testing both REST and SOAP APIs. Authentication and authorization mechanisms are closely reviewed and probed to identify implementation and logic flaws. Each API function is then exercised by intercepting and manipulating requests and parameters to identify and exploit weaknesses such as insecure direct object references (IDOR), excessive data exposure and leakage, privilege escalation and security misconfigurations.

Our methodology is derived from the following standards:

  • Open Web Application Security Project (OWASP)
  • OWASP API Security
  • Open Source Security Testing Methodology Manual (OSSTMM)

Our Methodology

  • API Documentation Review
  • API Walkthrough & Identification of Endpoints
  • Analyse & Test-Run the API
  • API Authentication & Misconfigurations
  • Object-Level & Function-Level Authorization
  • Data Exposure & Rate Limiting
  • OWASP Top 10 & Advanced API Testing
  • Checklist-Based Approach
  • Evidence Collection
  • Executive Summary
  • Findings, Risk Rating & Recommendations
  • Ongoing Support to Developers

Sample List of Checks

  • Authentication & Authorization Checks
  • Excessive Data Exposure & Rate Limiting
  • Mass Assignment
  • Access Control & IDOR Testing
  • Error Handling & Logging
  • Security Misconfiguration

Reporting

  • Executive summary for management
  • Vulnerability dashboard for the project team
  • Technical report for the development team
  • Vulnerability description, root cause, impact and remediation steps for each finding
  • Report and risk rating matrix based on OWASP standards

Want to work with us?

Do you need help finding information or want to know more about what Security Simplified services can do for you?


Copyright © 2022 Security Simplified Limited