Security Test Report

API spec assessment for risks and compliance

22 Jan 2022

Prepared for: Name of the company

Prepared by: ImpACT

Uploaded file name: {{ spec_filename }}

Creation Time: Jan 22, 2022, 14:56

Table of Contents

Fuzz Tests Summary
Overall Test Issues
File Summary
FAQ

Summary of Generated Tests

Information about data found inside the zip file

What did we find inside the uploaded zip file?

APISpec Files

{{ num_spec_files }}

APIs

{{ num_total_apis }}

Impacted APIs

{{ total_vul_apis }}

Destination Hosts

{{ num_dst_hosts }}

Attack Categories

{{ num_attack_categ }}

Total Attack Vectors Generated

{{ total_attack_vectors }}

Attack Vectors distribution by severity

Critical

{{ total_critical_av_count + total_high_av_count }}

Major

{{ total_medium_av_count }}

Minor

{{ total_low_av_count }}

Failed Tests by Severity

{{ failed_count }}

Issues distribution by severity

Critical

{{ failed_critical_count + failed_high_count }}

Major

{{ failed_medium_count }}

Minor

{{ failed_low_count }}

Most frequently occurring violation

{{ frequent_attack.get('attack') }} - across {{ frequent_attack.get('num_of_apis') }} APIs

{{ frequent_attack.get('failed_test') }} failed tests

Overall Fuzz Test Issues

Information about design issues found in the uploaded file

What are the issue categories?

API Security Test Summary

File Name    APIs    APIs Impacted
{% for spec, spec_info in spec_details.items() %}
{{ spec }}    {{ spec_info.get('all_apis_count', 0) }}    {{ spec_info.get('failed_apis_count', 0) }}
{% endfor %}

What are the issue categories?

API Severity Per Attack Category

Attack Category    APIs Impacted    Highest Severity
{% for category, info in attack_category.items() %}
{{ category }}    {{ info.get('all_apis_count', 0) }}    {% if info.get('priority', '') == 'Critical' or info.get('priority', '') == 'High' %}{{ info.get('pri_count', 0) }} Critical{% elif info.get('priority', '') == 'Medium' %}{{ info.get('pri_count', 0) }} Major{% elif info.get('priority', '') == 'Low' %}{{ info.get('pri_count', 0) }} Minor{% endif %}
{% endfor %}

Critical

Major

Minor

{% for spec, info in spec_details.items() %}

{{ spec }} summary

Information about design issues found in the uploaded file

What did we find inside the uploaded zip file?

Spec Files

1

APIs

{{ info.get('all_apis_count', 0) }}

Endpoints

1

Total Tests

{{ info.get('total_tests_count', 0) }}

Failed Tests

{{ info.get('total_failed_count', 0) }}

Critical

{{ info.get('priority_count', {}).get('p1_count', 0) + info.get('priority_count', {}).get('p2_count', 0) }}

Major

{{ info.get('priority_count', {}).get('p3_count', 0) }}

Minor

{{ info.get('priority_count', {}).get('p4_count', 0) }}

Want to know more about the severities? Check our FAQ.

APIs with failed tests

API    Attack Category    Issue Severity    Failed Test    Test Request/Response
{% for api, api_info in info.get('api_details', {}).items() %}
{% for each_record in api_info %}

{{ api }}

Affected Classification

{% for category in each_record.get('classification', '-').split() %}

{{ category.strip() }}

{% endfor %}
{{ each_record.get('attack', '-') }}

{% if each_record.get('pri', '-') == 1 or each_record.get('pri', '-') == 2 %}
Critical
{% elif each_record.get('pri', '-') == 3 %}
Major
{% elif each_record.get('pri', '-') == 4 %}
Minor
{% else %}
-
{% endif %}

{{ each_record.get('count', '-') }}

{{ each_record.get('testinput', '-') }}
{% endfor %}
{% endfor %}
{% endfor %}

FAQ

Here you can find answers to the most frequently asked questions.

What does each severity mean?

Critical

When an API is called with a parameter value set to patterns associated with attacks that can cause critical/high-severity damage, the API returns 200 OK with data. The application appears not only to process the fuzzed parameter, but also to be at risk of leaking data.

Major

When an API is called with a parameter value set to patterns associated with known attacks that can cause critical/high-severity damage, the API returns 200 OK with no data. Although the application does not appear to be at risk of leaking data, it might have processed the fuzzed input, which can cause subsequent security issues.

Minor

When an API is called with a parameter value set to patterns associated with known attacks that can cause medium/low-severity damage, the API returns 200 OK with no data. Although the application does not appear to be at risk of leaking data, it might have processed the fuzzed input, which can cause subsequent security issues.