API stands for Application Programming Interface. An API is a software intermediary that allows two applications to talk to each other. In other words, an API is the messenger that delivers your request to the provider that you’re requesting it from and then delivers the response back to you. A set of functions and procedures allowing the creation of applications that access the features or data of an operating system, application, or other service.

API testing can be an unnerving task if you aren’t quite sure where to start.

API Security

Identify API Vulnerabilities and Exposures

There are a number of things to consider when it comes to API security testing.

We perform API security testing by analyzing both request and response. To clarify, this is done in order to discover and fix security vulnerabilities earlier in the software development cycle.

For instance, whether you’re using REST, SOAP, or a mix of both, we’ve got your APIs covered.

Further, a detailed analysis of JSON and XML are performed as part of our API security testing process.

A Hybrid Approach

All of our API Penetration Tests go beyond national standards – such as OWASP – and your test will come with a detailed final report.

Your detailed final report will include an executive summary, a listing of findings, risk ratings and remediation recommendations.  In addition, a letter of accreditation can be provided upon your request.

During the API penetration testing process, automated, as well as comprehensive manual testing, will be used to identify existing vulnerabilities at the API/message layer of  your applications.

Systematic Protection
Our Process

Here at EHS, our API security testing process involves a comprehensive, risk-based approach to manually identify critical API vulnerabilities.

Throughout the API security process, a number of professional tools will be utilized to perform an in-depth test. Example tools may include: BurpSuite, RestClient, SOAPUIPro, and more.

Following the conclusion of the API penetration test, EHS will provide a comprehensive final report that details all findings associated with the test.

Understanding the Application

The first phase of the API penetration test is critical to the success of the test. It is very important that the team understands all of the features and functions of the application.

The team does this by browsing through the application, going through the user manuals or, if required, a walk through of the application along with the application owner or developers. We work with you to ensure we are fully aware of its aims, functions, etc

Creating the Threat Profile (Test Plan)

The threat profile comprises a list of potential threats against the application that we have identified. The threat profile is the starting point for all subsequent tests.

We map each threat in the threat profile to specific pages on your site. The test plan then identifies all the attacks we need to carry out on those pages to assess that specific threat.

Manual and Automated Testing

Once the test plan and test cases are prepared and approved by a senior member of the team, the API penetration testing begins. This will comprise a combination of manual and automated checks that adhere to the test plan.

During the course of testing the tester may identify additional tests or attacks to perform, in which case the test case will be updated and subsequent tests performed. The team takes up the threats one by one and starts performing the tests.

If a test case is successful, then it is marked as unsafe in the test plan.


At EHS, we consider the final phase of the API penetration testing process, reporting, to be the most crucial and instrumental step. Once the team is through with the API testing, the reporting process begins.

The detailed report delineates each vulnerability discovered as well as the method of discovery. Potential solutions to each finding are also included.

The report is made available, securely, to the client after it has been reviewed internally.

Ready to start talking with a professional?