Client Overview
Our client is a fast-emerging IT services and consultancy company specializing in bundled software solutions for industries such as Banking, Financial Services, and Insurance (BFSI), Manufacturing, Retail & Consumer Packaged Goods (CPG), Life Sciences, and Logistics. With expertise spanning Microsoft technologies (.NET, SQL Server, SharePoint), Oracle, Java Enterprise Applications, Big Data & Analytics, and open-source stacks, the client develops innovative products to meet diverse customer needs. One of their key products integrates APIs to facilitate critical functionalities, making API security a top priority to protect their reputation and client trust.
Objective
The client engaged us to perform a Vulnerability Assessment and Penetration Test (VAPT) on the APIs integrated into one of their flagship products. The goal was to identify and mitigate vulnerabilities that could expose the product to external threats, ensuring a secure and reliable experience for their end users.
Scope
The VAPT targeted a set of APIs embedded within the client’s product, specifically administrative and test endpoints accessible via HTTP GET requests. The assessment covered a limited number of API functionalities critical to the product’s operation; these GET endpoints formed the core scope of our testing efforts.
Challenges
The primary challenge was the limited scope of the assessment. Since the endpoints utilized simple GET requests, the attack surface was relatively small, restricting the depth of testing we could perform. This constraint required us to maximize our efforts within a narrow window, focusing on header analysis and basic security controls rather than complex input validation or authentication workflows.
Key Findings
During the penetration testing phase, we identified the following vulnerability across both endpoints:
- Missing Security Headers: Neither endpoint implemented critical security headers such as Content-Security-Policy (CSP), X-Content-Type-Options, or X-Frame-Options. This omission left the APIs vulnerable to attacks like clickjacking, MIME-type sniffing, and content injection, potentially compromising the product’s integrity.
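As an added illustration (not the assessor's or the client's own script), the following Python check audits a captured HTTP response for the three headers the engagement flagged, distinguishing headers that are absent from headers that are present but weakly configured. The accepted values in REQUIRED are common hardened settings assumed here, not the exact configurations from the report, and the two sample responses are constructed.

```python
# Added example: audit a raw HTTP response for the security headers this
# engagement found missing (CSP, X-Content-Type-Options, X-Frame-Options).
# Accepted values below are assumed hardened baselines, not the report's own.

REQUIRED = {
    # A CSP on a JSON API mainly needs to forbid framing/embedding; accept any
    # policy that at least sets a default-src or frame-ancestors directive.
    "content-security-policy": lambda v: ("default-src" in v.lower()
                                          or "frame-ancestors" in v.lower()),
    # Only 'nosniff' is meaningful for MIME-type sniffing protection.
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    # DENY or SAMEORIGIN defend against clickjacking; anything else is weak.
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}


def parse_raw_response(raw: str) -> dict:
    """Turn a raw HTTP/1.1 response (as seen in a proxy or `curl -i`)
    into a dict of lower-cased header name -> value."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body
    headers = {}
    for line in head.split("\r\n")[1:]:         # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers: dict) -> dict:
    """Return {'missing': [...], 'weak': [...]} for the headers under review."""
    missing, weak = [], []
    for name, accepted in REQUIRED.items():
        if name not in headers:
            missing.append(name)
        elif not accepted(headers[name]):
            weak.append(name)
    return {"missing": missing, "weak": weak}


# Constructed sample responses: the pre-fix state and a remediated state.
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
          "Server: nginx\r\n\r\n{\"status\":\"ok\"}")
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
         "Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n"
         "X-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n\r\n"
         "{\"status\":\"ok\"}")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_security_headers(parse_raw_response(raw)))
```

The same function can be run over responses exported from a proxy or Postman collection to confirm a remediation across every in-scope endpoint.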
Tools and Methodology
We employed a combination of industry-standard tools to conduct the VAPT:
- Burp Suite: For intercepting and analysing API traffic to identify header deficiencies.
- Postman: To simulate API requests and verify responses.
- FFUF: For fuzzing and enumerating potential hidden endpoints or parameters (though limited by the GET-only scope).
- cURL: To manually test endpoint behaviour and confirm findings.
Our methodology aligned with best practices, focusing on OWASP API Security guidelines, particularly around header security and basic endpoint hardening.
Collaboration and Reporting
The engagement began with an initial walkthrough meeting where the client provided a detailed overview of the API workflow and shared the target documentation. Post-testing, we delivered a comprehensive VAPT report containing:
- Detailed descriptions of the vulnerability found.
- Proof-of-Concept (PoC) exploits with screenshots and a short video demonstrating potential risks.
- Mitigation recommendations, including specific headers to implement and their configurations.
The client promptly applied fixes based on our report and requested the Postman scripts we used for testing to validate their remediation. We conducted a reaudit, confirmed that the security headers were correctly implemented, and shared an updated reaudit report affirming the resolution of the identified vulnerability.
Deliverables
- VAPT Report: Included vulnerability details, impact analysis, PoCs (with images and video), affected URLs, and mitigation steps.
- Reaudit Report: Confirmed the successful remediation of the missing headers issue.
- Postman Scripts: Shared with the client to support their internal validation process.
Impact and Benefits
By addressing the missing security headers, the client achieved:
- Enhanced API Security: The addition of critical headers reduced the risk of common web attacks, strengthening the product’s defences.
- Client Confidence: The swift identification and resolution of vulnerabilities reinforced the client’s trust in their product’s reliability.
- Proactive Improvement: The detailed report and scripts empowered the client to maintain and monitor API security moving forward.
Timeline
The entire project spanned 5 days, including the initial walkthrough, testing, reporting, client remediation, and reaudit phases.
The concise timeline reflects the limited scope and the client’s rapid response to our findings.
Conclusion
This API VAPT engagement enabled the software development company to secure a critical component of their product, mitigating risks associated with missing security headers. Our focused testing and collaborative approach ensured a swift and effective resolution, bolstering the product’s security posture and supporting the client’s commitment to delivering reliable IT solutions across their diverse industry verticals.