REST API penetration testing

The goal of the project was to find security vulnerabilities in the REST API of a web application. The customer’s RESTful web service served a Single Page Application (SPA) front-end and iOS/Android mobile applications. Traffic from the SPA and mobile front-ends was captured to recover the API endpoints and their parameters. A Swagger API document was created and confirmed with the customer’s developers to ensure its completeness. The API document was then fed to web application scanners to automatically check every parameter, and the automated scanning was followed by manual testing.
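The traffic-to-Swagger step described above, as an added example that is not part of the original write-up: it merges a constructed set of captured requests into an OpenAPI 3 skeleton, collapsing numeric path segments into an `{id}` path parameter and recording query parameters and request-body shapes so the inventory can be reviewed for completeness and handed to a scanner. The hostnames, paths and bodies in `CAPTURED` are constructed sample data.

```python
# Added example: rebuild an OpenAPI skeleton from captured API requests; the input records are constructed.
import json
import re
from urllib.parse import parse_qs, urlsplit

CAPTURED = [  # (method, URL, raw body or None): constructed sample traffic, not real captures
    ("GET", "https://api.example.test/v1/users/42?fields=name,email", None),
    ("GET", "https://api.example.test/v1/users/77?fields=name&page=2", None),
    ("POST", "https://api.example.test/v1/users/42/avatar", '{"url": "x", "size": 3}'),
    ("POST", "https://api.example.test/v1/import", '<?xml version="1.0"?><r/>'),
]

def normalize_path(path):
    """Collapse numeric segments to {id} so /users/42 and /users/77 merge into one path."""
    return "/".join("{id}" if re.fullmatch(r"\d+", s) else s for s in path.split("/"))

def schema_for(value):
    """Minimal OpenAPI schema for a decoded JSON value (objects recurse; bool before int)."""
    if isinstance(value, bool):
        return {"type": "boolean"}
    if isinstance(value, int):
        return {"type": "integer"}
    if isinstance(value, dict):
        return {"type": "object", "properties": {k: schema_for(v) for k, v in value.items()}}
    return {"type": "string"}

def build_openapi(captured):
    """Merge captured requests into one OpenAPI 3 document: paths, parameters, request bodies."""
    paths = {}
    for method, url, body in captured:
        parts = urlsplit(url)
        path = normalize_path(parts.path)
        op = paths.setdefault(path, {}).setdefault(method.lower(), {"parameters": []})
        seen = {p["name"] for p in op["parameters"]}
        if "{id}" in path and "id" not in seen:
            op["parameters"].append({"name": "id", "in": "path", "required": True})
        for name in parse_qs(parts.query):  # union of query parameters seen across requests
            if name not in seen:
                op["parameters"].append({"name": name, "in": "query"})
                seen.add(name)
        if body is not None:
            try:  # JSON body -> typed schema; any non-JSON body (e.g. XML) is recorded as a raw string
                media, schema = "application/json", schema_for(json.loads(body))
            except ValueError:
                media, schema = "application/xml", {"type": "string"}
            op["requestBody"] = {"content": {media: {"schema": schema}}}
    return {"openapi": "3.0.3", "info": {"title": "Recovered API", "version": "draft"}, "paths": paths}

if __name__ == "__main__":
    print(json.dumps(build_openapi(CAPTURED), indent=2))
```

The resulting document is the draft to confirm with the developers: endpoints that appear in their code but not here reveal gaps in the captured traffic, and the recorded XML request body marks the operation worth an XXE review.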


As a result, the customer received a detailed report with recommendations on how to mitigate the vulnerabilities found. Some of them include:

  • Cross-site scripting (XSS) in the API error message
  • Unsafe deserialization
  • XML external entity (XXE) injection, SSRF and arbitrary file read
  • SQL injection