APIs
The same applies to APIs (Application Programming Interfaces). These interfaces allow different (software) systems to communicate with each other. API tests are similar in many ways to regular application tests, but because of the different technologies involved (SOAP/REST/XML) the actual tests differ. Tests are performed both as an authenticated user and as an unauthenticated user.
The application(s) will be studied thoroughly and tested for all kinds of design, configuration and programming errors, of course with maximum attention for security weaknesses from the OWASP Top 10 (version 2013 and 2017 combined).
Translated to concrete security issues, this yields the following tests:
- Testing the registration process and login process for possibilities of taking over someone else’s account.
- Testing whether the session mechanism has been adequately and securely structured.
- Checking whether users have unauthorised access to other users’ data (horizontal authorisation checks).
- Checking whether users can request functionality and data of users with elevated privileges (vertical authorisation checks).
- Testing resistance against ‘brute-force’ cracking of the password mechanism, including possible blocking mechanisms.
- Testing to what extent the site is vulnerable to injection attacks such as ‘Cross Site Scripting’ and ‘SQL injection’.
- Bypassing and abusing the business logic within the application.
- Testing the strength of the TLS connection.
- Testing whether security mechanisms like Content Security Policy are implemented in a secure way.
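The horizontal and vertical authorisation checks in the list above are the ones API tests most often fail, so here is an added example (not code from the original page or from the testing provider) of what such a check looks like on the defending side. It models a REST-style `GET /orders/{id}` handler without a web framework: `get_order_vulnerable` authenticates the caller but never verifies ownership, `get_order_hardened` adds the object-level check, and `run_authz_checks` exercises both the way a tester would (own resource, another user’s resource, admin, unauthenticated). The users, orders and bearer tokens are constructed sample data.

```python
"""Added example (not part of the original page): horizontal and vertical
authorisation checks for a REST-style API, modelled without a web framework.

Assumptions (constructed for this example): an in-memory user and order
store, bearer-token sessions mapped to user ids, and two handlers for
GET /orders/{id}: one with the object-level check missing, one with it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


# Constructed sample data
USERS = {1: User(1, "user"), 2: User(2, "user"), 3: User(3, "admin")}
ORDERS = {
    100: {"owner": 1, "item": "router"},
    101: {"owner": 2, "item": "switch"},
}
# Constructed bearer tokens -> user ids (stand-in for a real session store)
SESSIONS = {"tok-alice": 1, "tok-bob": 2, "tok-admin": 3}


def authenticate(token):
    """Map a bearer token to a User, or None if the caller is unauthenticated."""
    uid = SESSIONS.get(token)
    return USERS.get(uid) if uid is not None else None


def get_order_vulnerable(token, order_id):
    """Authenticates the caller but never checks that the order belongs to them:
    any logged-in user can read any order by changing the id (horizontal
    authorisation failure, commonly called IDOR)."""
    user = authenticate(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_hardened(token, order_id):
    """Same endpoint with the object-level check: the caller must own the
    order or hold the admin role (vertical authorisation)."""
    user = authenticate(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    # Return the same status for "missing" and "not yours" so the id space
    # cannot be enumerated through the status code alone.
    if order is None or (order["owner"] != user.user_id and user.role != "admin"):
        return 404, None
    return 200, order


def run_authz_checks(handler):
    """Exercise a handler the way the horizontal/vertical checks in the text
    describe: own resource, another user's resource, admin, unauthenticated.
    Returns the status codes so the two handlers can be compared."""
    return {
        "own": handler("tok-alice", 100)[0],
        "other_user": handler("tok-alice", 101)[0],
        "admin": handler("tok-admin", 101)[0],
        "unauthenticated": handler("bad-token", 100)[0],
    }


if __name__ == "__main__":
    print("vulnerable:", run_authz_checks(get_order_vulnerable))
    print("hardened:  ", run_authz_checks(get_order_hardened))
```

The vulnerable handler answers 200 for another user’s order, which is exactly the finding a horizontal authorisation check reports; the hardened handler returns 404 for both a missing and a foreign order, so the status code does not reveal which ids exist. The admin case shows the vertical check: the elevated role is granted explicitly rather than being inferred from the request.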