Edgescan enumerates all the endpoints that are in scope and tests against all of the available functions in an API.
Version Number: v1.0.1
Published Date: 16 May 2024
____________________________________________________________________________
CTEM Phase 4: Validation
During the validation stage (Phase 4) of CTEM, the organization tests the effectiveness of its existing security controls against identified threats. API Security Testing as a Service is an integral part of the CTEM process, as it is designed to validate the effectiveness of the security measures in place.
Edgescan performs API testing that aligns with the OWASP API testing methodologies. We include API-specific testing, normal application security testing and normal infrastructure testing.
Because traditional crawling is harder with an API, which has fewer linked pages, Edgescan places a heavy focus on supplementing the crawl with API manifest data such as Postman collections, Swagger files or Insomnia collections.
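As an added example (not Edgescan's own tooling), the following Python shows how manifest data seeds endpoint enumeration: it reads an OpenAPI (Swagger) document and a Postman collection, lists every (host, method, path) operation, keeps the ones on in-scope hosts, and then compares that list with operations seen in an access log so that undocumented or old-version endpoints (the OWASP API9:2019 Improper Assets Management pattern) stand out. All hostnames, paths, manifest contents and log lines are constructed for the example; the log format is an assumed simplified one.

```python
"""Added example: enumerate API operations from manifests and flag shadow ones.
Not Edgescan code. Manifests, hosts, paths and log lines are constructed."""
import json
import re
from urllib.parse import urlparse

# Constructed OpenAPI 3 document (not a real API).
OPENAPI_DOC = json.dumps({
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.test/v2"}],
    "paths": {
        "/users/{id}": {"get": {"summary": "Fetch a user"},
                        "delete": {"summary": "Remove a user"}},
        "/users/{id}/orders": {"get": {"summary": "List a user's orders"}},
        "/health": {"get": {"summary": "Liveness probe"}},
    },
})

# Constructed Postman v2.1 collection; folders nest via "item".
POSTMAN_COLLECTION = json.dumps({
    "info": {"name": "Example API"},
    "item": [
        {"name": "Login", "request": {"method": "POST",
         "url": {"raw": "https://api.example.test/v2/auth/login"}}},
        {"name": "Admin", "item": [
            {"name": "Export users", "request": {"method": "GET",
             "url": {"raw": "https://admin.example.test/export"}}},
        ]},
    ],
})

# Constructed access-log lines in an assumed format: host "METHOD path HTTP/x" status.
OBSERVED_LOG = """\
api.example.test "GET /v2/users/42 HTTP/1.1" 200
api.example.test "GET /v2/users/42/orders?page=2 HTTP/1.1" 200
api.example.test "GET /v1/users/42 HTTP/1.1" 200
api.example.test "POST /v2/internal/debug HTTP/1.1" 403
"""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
LOG_RE = re.compile(r'^(\S+) "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})$')
UUID_RE = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"


def normalise_path(path):
    """Collapse path parameters so manifest templates and live URLs compare
    equal: {id}, :id, numeric and UUID segments all become '{}'."""
    path = path.split("?", 1)[0]                      # drop the query string
    path = re.sub(r"\{[^}]+\}", "{}", path)           # OpenAPI style {id}
    path = re.sub(r":[A-Za-z_]\w*", "{}", path)       # Postman style :id
    path = re.sub(r"/(?:\d+|" + UUID_RE + r")(?=/|$)", "/{}", path)  # live ids
    return path.rstrip("/") or "/"


def endpoints_from_openapi(text):
    """Return the set of (host, METHOD, path) operations in an OpenAPI document."""
    doc = json.loads(text)
    servers = [s["url"] for s in doc.get("servers", [])] or ["/"]
    found = set()
    for base in servers:
        parsed = urlparse(base)
        prefix = parsed.path.rstrip("/")              # server URL may carry a base path
        for path, ops in doc.get("paths", {}).items():
            for method in ops:
                if method.lower() in HTTP_METHODS:    # skip "parameters", "summary", ...
                    found.add((parsed.netloc, method.upper(), normalise_path(prefix + path)))
    return found


def endpoints_from_postman(text):
    """Return the set of (host, METHOD, path) requests in a Postman collection."""
    found = set()

    def walk(items):
        for item in items:
            if "item" in item:                        # folder: recurse into it
                walk(item["item"])
                continue
            req = item.get("request", {})
            url = req.get("url", "")
            raw = url if isinstance(url, str) else url.get("raw", "")
            parsed = urlparse(raw)
            found.add((parsed.netloc, req.get("method", "GET").upper(),
                       normalise_path(parsed.path)))

    walk(json.loads(text).get("item", []))
    return found


def endpoints_from_log(text):
    """Return the set of operations actually observed in access-log lines."""
    found = set()
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            host, method, path, _status = m.groups()
            found.add((host, method, normalise_path(path)))
    return found


def in_scope(endpoints, scope_hosts):
    """Keep only operations whose host is within the agreed scope."""
    return {e for e in endpoints if e[0] in scope_hosts}


def undocumented(observed, manifest):
    """Operations seen in traffic that no manifest describes (API9:2019 candidates)."""
    return observed - manifest


if __name__ == "__main__":
    scope = {"api.example.test"}
    manifest = in_scope(endpoints_from_openapi(OPENAPI_DOC)
                        | endpoints_from_postman(POSTMAN_COLLECTION), scope)
    for host, method, path in sorted(manifest):
        print(f"test   {method:6} https://{host}{path}")
    for host, method, path in sorted(undocumented(endpoints_from_log(OBSERVED_LOG), manifest)):
        print(f"shadow {method:6} https://{host}{path}")
```

Run as written, it lists the five in-scope operations from both manifests as the test set and reports the `/v1/users/{}` and `/v2/internal/debug` operations as shadow endpoints, since they appear in traffic but in neither manifest. The normalisation step is what makes the comparison meaningful: a manifest describes `/users/{id}` while a log records `/users/42`, and without collapsing both to the same template every live request would look undocumented.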
Further information is available here.
Vulnerability Name | Details | OWASP 2019 |
--- | --- | --- |
Broken Object Level Authorization | How does Edgescan perform Broken object level authorization? | API1:2019 |
Broken Authentication | | API2:2019 |
Excessive Data Exposure | How does Edgescan perform testing for excessive data exposure? | API3:2019 |
Lack of Resources & Rate Limiting | How does Edgescan perform testing for lack of resources and rate limiting? | API4:2019 |
Broken Function Level Authorization | How does Edgescan perform Broken function level authorization? | API5:2019 |
Mass Assignment | | API6:2019 |
Security Misconfiguration | How does Edgescan test APIs for a Security misconfiguration? | API7:2019 |
Injection | | API8:2019 |
Improper Assets Management | How does Edgescan test for improper assets management on an API? | API9:2019 |
Insufficient Logging & Monitoring | How does Edgescan test for insufficient logging and monitoring on an API? | API10:2019 |