Web Service / API Test

Service Overview ⫘

Secureworks will conduct a Web Service / API Test to analyze the state of your web application programming interface(s) (APIs) and/or web service(s) to identify vulnerabilities. To conduct the test, Secureworks will use its methodology that is based on industry frameworks for application tests, which includes the Open Web Application Security Project (OWASP) Testing Guide, Open Source Security Testing Methodology Manual (OSSTMM), vendor-specific security documents, and the experience of Secureworks team members.

Service Methodology ⫘

We will help identify, discuss, and review your requirements to determine potentially exposed and at-risk web services and APIs. Examples include business-to-business communication components and back-end mobile app messaging.

Secureworks will review any findings and perform manual tests as needed. Manual tests reduce the occurrence of 'false positives' as much as possible, improving the accuracy of the overall test results.

The Web Service or API Test focuses on the following areas:

• Simple Object Access Protocol (SOAP) / Extensible Markup Language (XML) structure tests
• Representational State Transfer (REST) / JavaScript Object Notation (JSON) parameter manipulation
• Input validation attacks
• Cross-site scripting attacks
• Cookie theft
• Web server insecurity
• Authentication method attacks
• Horizontal and vertical privilege escalation
• Third-party software vulnerabilities
• Database vulnerabilities

The subsections below explain the stages within the process that Secureworks will use to test Customer's web APIs and/or web services.

Dynamic Application Security Testing

Secureworks will use Dynamic Application Security Testing ("DAST"), which helps detect security vulnerabilities in an application in Customer's operational environment. DAST is generally used to refer to the testing of web applications, but the concept applies to the security testing of software in general.

DAST involves a comprehensive review of the target application's functionality, followed by probing of specific features using carefully manipulated input to identify security vulnerabilities. The security logic of the application is tested for insecure conditions and assumptions that have been built into the application that lead to vulnerabilities.

Reconnaissance

Reconnaissance allows the tester to understand the application and its normal use. This stage does not actively exploit any issues that may be apparent in the target application. Tasks and activities can include the following:

• Spidering
• Site mapping
• API documentation review
• Web Services Description Language ("WSDL") analysis
• Swagger file analysis
• REST JavaScript API review

Automated Testing

Secureworks will use automated testing to execute multiple tests in a minimal amount of time. Automated web application scanners are limited in their scope, but are effective for identifying the most common issues while saving a significant amount of time during testing. Scanners can be configured to execute with or without valid credentials on the target API, and that choice has a major effect on the depth of testing. During automated testing, a network-level vulnerability scan of the web server will also be executed that aims to find exploitable weaknesses in the operating system of the server. Tasks and activities may include the following:

• Unauthenticated scan
• Authenticated scan
• Server vulnerability scan
• Content discovery scan

Results may include the following:

• Common vulnerabilities
• Injection points
• Misconfigurations
• Unlinked content

Manual Testing:

Secureworks will review any findings and perform manual testing as needed. Manual testing reduces the occurrence of 'false positives', improving the accuracy of testing results. Listed in the table below are tasks and activities that will be conducted as applicable.

• Verification and Automated Results: All automated scan results are manually verified to improve the accuracy of the findings.

• Server Assessment: Application security is heavily dependent on the server itself. A weakness in the web or application server hosting the web service or API can compromise an otherwise secure application. This phase performs automated and manual attempts to discover known weaknesses or configuration issues in the web or application server software.

• Injection Attacks: Injection attacks are generally regarded as the most critical of issues that web applications face and yet are very common. They include attack groups such as database ("SQL") injection, Cross-Site Scripting ("XSS"), and command injection attacks. Should any of these flaws be discovered, a process of evaluating the real technical risk that they pose to the application, data, and users will be conducted.

• Multi-stage Process Testing: Automated scanners are unsuitable for testing multi-stage processes such as account registration and payment processing. This check focuses the tester on the multi-stage processes, and aims to identify persistent XSS flaws, downstream database injection flaws, etc.

• Authentication Testing: Web APIs generally require an authentication process to separate authorized users from others. This testing process includes logon routine weaknesses, authentication token manipulation, and password attacks.

• Privilege Escalation: User separation is critical for securing the potentially sensitive data that a user can access. Escalation attacks attempt to break from one user to another of the same peer level and is referred to as horizontal escalation. Escalation also attempts to elevate privileges by breaking from a user to a higher-level account, such as an administrator account. This is referred to as vertical escalation.

• Web Services Information Gathering: This phase of testing is focused on identifying in-scope services through various methods of gathering the web service entry points and communication schemas. Web Service Discovery (DISCO) and UDDI are used to discover the WSDL descriptors and other XML documents.

• XML Structure Testing: Secureworks validates that the XML structure is well-formed to ensure proper function. Structure is tested for entity injection, XML embedded tag injection, SQL injection, cross-site scripting, and XPATH injection attacks.

• XML Content Testing: Secureworks performs testing for XML content by executing web services functions, validating web services using higher privilege (if authenticated), and executing commands on the database. Parameters are checked for invalid content including SQL constructs, XML tags, etc.

• RESTful Web Services Testing: Secureworks performs testing for RESTful web services by validating the maximum and minimum string lengths, by ensuring proper validation including payload, and by validating parameter names.

Results may include the following:

• Multi-stage vulnerabilities
• Injectable inputs
• XML parser configuration issues
• Persistent injection vulnerabilities
• Cross-Site scripting flaws

Remediation Validation:

Secureworks will conduct one remediation validation (RV) for only the high- and critical-severity findings listed in the final report. After the final report is delivered, you have 90 days in which to remediate issues, schedule the RV, and have Secureworks perform the RV. You must submit the RV request through email to the Secureworks point of contact for the Web Service Test within thirty (30) days of delivery of the final report or the RV is forfeited. Secureworks will issue a brief report summarizing the results of the RV, which will include information about whether you successfully remediated the issues.

Note: Secureworks only conducts RVs remotely, regardless of whether the Web Service Test was conducted on-site.

Outcome ⫘

Secureworks will issue a report to your organization after completing the test. The report may include the following:

• Executive summary
• Methods, detailed findings, narratives, and recommendations if any
• Attachments as needed for relevant details and supporting data

Customer shall have one (1) week from delivery of the report to provide comments to be included in the final report. If there are no comments received from Customer before expiration of the review period, the report will be deemed final.

Upon completion of the Service, the Customer-designated contact will receive a secure/encrypted email confirmation from Secureworks. Unless otherwise notified in writing to the contrary by Customer-designated contact, within five (5) business days of such email confirmation, the Service shall be deemed complete.

Scoping Information ⫘

Scope	Description
Web Service/ API Test - Small	For SOAP, up to 10 methods For REST, up to 15 methods
Web Service/ API Test - Medium	For SOAP, up to 20 methods For REST, up to 40 methods
Web Service/ API Test - Large	For SOAP, up to 30 methods For REST, up to 60 methods

Work is conducted during business hours of the Secureworks consultant. After-hours feature is available for an additional cost.

API Tests can be purchased in multiple units to accommodate higher increments of total methods.

Scoping Tips: Total number of methods must be provider for each individual API to be assessed. The total number of methods can be calculated by first calculating the total number of endpoints (ex: /accounts/{accountId}) and then totalling the number of actions (i.e. HTTP Verbs) allowed on each endpoint (ex: GET, POST, PUT, DELETE). When providing the total number of methods, additionally providing the inclusive number of GET (i.e. read-only) methods may allow Secureworks to increase the number of methods tested per Web API test since these methods typically require less effort in testing.

The complete Service Description for this service can be found here: Web API Testing