Case study
Securing APIs for a Software Provider

Client Overview

Our client is a niche software provider that develops tools for cutting optimization—specifically for rectangular and linear materials like panels, pipes, and rods. Their platform is widely used to help users minimize material waste and enhance operational efficiency. Given that the software is freely available for download and testing, securing the underlying APIs was crucial to maintain user trust and protect the integrity of the platform.

Objective

The client engaged us for an API Vulnerability Assessment and Penetration Test (VAPT) to identify security gaps and strengthen their web API before scaling further. We had previously tested the API in staging; this second assessment was run against the production deployment to confirm that the controls held up where they matter.

Scope

We assessed the client’s web APIs, focusing on:

  • Authentication & Access Controls: OAuth-based authentication using JWT bearer tokens, including token validation and per-endpoint authorization checks.
  • Security Best Practices: proper implementation of rate limiting, CORS policy, and security headers.
  • Resource Consumption Protections: limits that stop excessive request volumes from disrupting the service.

Challenges

  • Limited Scope: certain API endpoints were excluded from testing, so the findings below cover only the in-scope surface.
  • API Maintenance: the API was under maintenance during the project, requiring adjustments to the testing timeline.

Key Findings

We discovered several security risks, including:

  • No Rate Limiting: endpoints accepted an unlimited number of requests per client, leaving authentication open to credential brute-force and the API as a whole open to request flooding.
  • CORS Misconfigurations: overly permissive origin handling could let a script on an untrusted domain make credentialed cross-origin requests and read the responses.
  • Missing Security Headers: responses lacked headers such as Content-Security-Policy and X-Frame-Options (X-XSS-Protection was also absent, though current browsers ignore it and CSP is the control that matters).
  • Unrestricted Resource Consumption: endpoints had no caps on request size, result volume or concurrency, so a single client could consume disproportionate server resources.
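The following Python is an added example, not code from this engagement or from the client's platform. It shows two things a practitioner would want alongside the findings above: an offline check that flags the missing headers and the reflected-origin CORS weakness in a captured API response, and a per-client token-bucket rate limiter of the kind the remediation calls for. The header set, the probe origin and the sample responses are constructed for illustration.

```python
"""Added example (not code from the engagement or the client's platform).

(1) audit_response(): flag missing hardening headers and credentialed CORS
    reflection in a captured response.
(2) TokenBucket: per-client rate limiter with an injectable clock so it can
    be exercised without sleeping.
Header values, the probe origin and the sample responses are constructed.
"""
import time

# Headers a browser-reachable JSON API should send. The CSP here suits an API
# that returns no HTML; endpoints that render pages need a richer policy.
REQUIRED_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
# X-XSS-Protection is deliberately not required: current browsers ignore it.


def audit_response(headers, probe_origin):
    """Return a list of findings for one response.

    `headers` is the response header map as captured (Burp, cURL, Postman);
    `probe_origin` is the attacker-style Origin the tester sent. An API that
    reflects that origin while allowing credentials lets a page hosted there
    read authenticated responses.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name in REQUIRED_HEADERS:
        if name.lower() not in h:
            findings.append("missing header: " + name)
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and credentials:
        findings.append("CORS: wildcard origin combined with credentials")
    elif acao == probe_origin and credentials:
        findings.append("CORS: untrusted origin reflected with credentials: " + probe_origin)
    elif acao == "null":
        findings.append("CORS: 'null' origin allowed (sandboxed iframes can send it)")
    return findings


class TokenBucket:
    """Per-client token bucket: up to `capacity` requests in a burst, refilled
    at `rate` tokens per second. Key by API key, user id or client IP."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self._buckets = {}  # client_id -> (tokens, last_seen_timestamp)

    def allow(self, client_id, now=None):
        """Consume one token for `client_id`; False means reject (HTTP 429)."""
        if now is None:
            now = time.monotonic()
        tokens, last = self._buckets.get(client_id, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self._buckets[client_id] = (tokens, now)
        return allowed


def simulate_burst(limiter, client_id, count, now):
    """Send `count` requests at one instant; return how many were allowed."""
    return sum(1 for _ in range(count) if limiter.allow(client_id, now))


# Constructed sample data (hypothetical origins and responses).
PROBE_ORIGIN = "https://attacker.example"

WEAK_RESPONSE = {  # reflects any Origin with credentials, no hardening headers
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": PROBE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
}

HARDENED_RESPONSE = {  # fixed allowlisted origin plus the required headers
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
    **REQUIRED_HEADERS,
}


if __name__ == "__main__":
    print("weak:", audit_response(WEAK_RESPONSE, PROBE_ORIGIN))
    print("hardened:", audit_response(HARDENED_RESPONSE, PROBE_ORIGIN))
    tb = TokenBucket(capacity=20, rate=2.0)
    print("allowed from a burst of 50:", simulate_burst(tb, "10.0.0.5", 50, now=0.0))
```

When running the audit against a live API, send the probe `Origin` on a request that carries a valid session cookie or bearer token, since reflection is only a finding when credentials are accepted. The limiter keys on a client identifier; behind a load balancer, take the client IP from a trusted forwarding header only, otherwise the attacker picks the key.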

Tools Used

  • Burp Suite – Intercepted and analysed API requests.
  • Postman – Sent crafted requests to test authentication and security controls.
  • OWASP ZAP – Conducted automated vulnerability scans.
  • Custom Scripts – Simulated unrestricted resource consumption attacks.
  • cURL – Tested API endpoints for security misconfigurations and access control flaws.

Collaboration & Reporting

We worked closely with the client’s development team, providing a detailed VAPT report with:

  • Proof of Concept (PoC): demonstrating how each vulnerability could be exploited.
  • Remediation Steps: clear guidance on implementing rate limiting, restricting CORS to an allowlist of trusted origins, and adding the missing security headers.

The client fixed all reported issues and scheduled a follow-up meeting to verify the rate limiting implementation.

Final Outcome & Benefits

  • Stronger API Security: all reported vulnerabilities were addressed, closing the brute-force, cross-origin and resource-abuse paths identified in testing.
  • Improved Stability: rate limiting and resource consumption controls protect API performance for legitimate users under abusive load.
  • Ongoing Security Assurance: because testing covered both the staging and production phases, the client benefited from continuous security improvements rather than a one-off check.

Conclusion

This engagement showed the value of continuous API security testing across development phases. By identifying vulnerabilities in both staging and production, we helped the client establish a resilient, secure platform that supports their operational needs without compromising user safety. Their APIs are now better equipped to handle real-world threats, giving them confidence as they scale to wider adoption.

Challenge:

The software provider's production web APIs lacked protections against brute-force attacks and resource abuse, and carried CORS and security header misconfigurations.

Solution:

Performed API VAPT focusing on authentication, rate limiting, CORS, and resource controls, collaborating closely with the client to deliver actionable remediation steps.

Outcome:
  • Resolved all vulnerabilities, strengthened API security and stability, and ensured continuous security improvements across staging and production environments.