API Security Testing for a European Bank
Customer
The Customer is a European bank with $400+ million in assets. The company positions itself as a universal bank and provides financial services online and in more than 100 physical branches across the country.
Challenge
Realizing the key role of technological advances in maintaining a competitive edge, the Customer decided to launch an API. Through this platform, the bank’s clients would have access to web applications, including mobile banking, card-to-card transfer and a range of business applications.
Using the new API may present security problems for the bank, as the platform is a potential loophole for cyber criminals to access clients’ sensitive data and finances. So, the Customer needed to perform penetration testing of the new system to understand what API vulnerabilities need patching.
Earlier, ScienceSoft’s penetration testing team had conducted a series of penetration testing checks on the bank’s network. With this positive experience in mind, the Customer has chosen ScienceSoft again.
Solution
The project had two stages: black box and white box penetration testing. ScienceSoft’s security engineers performed both stages of the API security testing remotely, as it was assumed that attackers would be able to reach the API only via the internet.
Stage 1: Black box penetration testing
Following the black box model, our pentesters attempted to gain unauthorized access to the Customer’s API platform without any details on the security policies applied. This method ensures that a pentester has the same entry points as an actual intruder.
The open API penetration testing was based on the OWASP Top 10 methodology, which features an up-to-date list of the most critical types of web application vulnerabilities, as well as effective methods to eliminate these risks. Each vulnerability found within the OWASP Top 10 vulnerability types was tagged with an appropriate risk level (low/medium/high).
ScienceSoft’s certified penetration testers manually conducted 10 types of security vulnerability assessments for SQL injections, flaws in authentication, access control and session management, as well as sensitive data exposure.
Major attention was paid to security misconfiguration and cross-site scripting (XSS) flaws, as these are the most common security issues. Our penetration testers aimed at detecting the following vulnerabilities:
- User session hijacking by XSS or cookie decoding
- Redirection to other sites
- Injection of malicious JavaScript code
- User’s query forgery for authentication
- Sensitive data transfer via unprotected HTTP channel
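The classes listed above can be screened for on the defensive side by auditing each captured API response. The following is an added example, not ScienceSoft's or the bank's code; the allow-listed host, the field layout of the captured response and the sample response itself are constructed for illustration.

```python
# Added example (not code from the page): audit one captured API response for
# the response-level weaknesses named above. Host names are assumed.
from urllib.parse import urlparse
import html

TRUSTED_HOSTS = {"api.bank.example"}  # assumed allow-list for redirects

def audit_response(resp, reflected_input=None):
    """Return (finding, risk) tuples for one captured API response."""
    findings = []
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    # Sensitive data over an unprotected HTTP channel
    if urlparse(resp["url"]).scheme != "https":
        findings.append(("plaintext HTTP channel", "high"))
    elif "strict-transport-security" not in headers:
        findings.append(("missing HSTS header", "medium"))
    # Session cookie readable by script, sent in clear, or usable in request forgery
    for cookie in resp.get("set_cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=")[0]
        if "httponly" not in attrs:
            findings.append((f"cookie {name} readable by JavaScript", "high"))
        if "secure" not in attrs:
            findings.append((f"cookie {name} not marked Secure", "high"))
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append((f"cookie {name} lacks SameSite", "medium"))
    # Redirection to other sites
    if 300 <= resp["status"] < 400 and "location" in headers:
        host = urlparse(headers["location"]).netloc
        if host and host not in TRUSTED_HOSTS:
            findings.append((f"redirect to untrusted host {host}", "high"))
    # Caller input echoed into HTML without escaping (XSS / script injection)
    if reflected_input and "text/html" in headers.get("content-type", ""):
        escaped = html.escape(reflected_input)
        if escaped != reflected_input and reflected_input in resp.get("body", ""):
            findings.append(("input reflected without HTML escaping", "high"))
    return findings

# Constructed sample: an insecure login response that trips every check
SAMPLE = {
    "url": "https://api.bank.example/login?next=https://evil.example/",
    "status": 302,
    "headers": {"Content-Type": "text/html", "Location": "https://evil.example/"},
    "set_cookie": ["SESSIONID=abc123; Path=/"],
    "body": "<p>Hello <b>x</b></p>",
}

if __name__ == "__main__":
    for finding, risk in audit_response(SAMPLE, reflected_input="<b>x</b>"):
        print(f"[{risk}] {finding}")
```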
Stage 2: White box penetration testing
To verify that no vulnerabilities were left unattended during manual penetration testing, ScienceSoft’s security engineers conducted a source code review of the Customer’s API with IBM Application Security on Cloud, an automated application scanner.
Results
As a result of the two-week project on the open API security testing, ScienceSoft’s security engineers conducted a comprehensive check of the Customer’s API according to OWASP standards. ScienceSoft’s specialists provided a detailed report on how to improve the current API security. Our best practices in vulnerability patching will prevent severe security breaches of the Customer’s API and, ultimately, the loss of reputation and client churn.
Technologies and Tools
Nessus, IBM AppScan, IBM Application Security on Cloud, Acunetix, Burp Suite Pro, Sqlmap.