Software security compliance, sorted.

Backed by leading investor

No-setup OWASP Top 10 Testing

No API specifications, no intrusive set-up, no code changes - just easy visibility in one click.

Squash your p0s before they impact your customers. Our tool can detect a wide variety of issues like:

Validation missing

Why should you care?

Identify broken access control, insecure design, injection attacks and authentication failures in just one click. Coverage includes input validation and access control, unrestricted resource consumption (requests that overwhelm the API) and injection.

Tests resulting in issues (12)

Tests without issues (35)

Test ID: #9374

Test summary: In a NEGATIVE test we added “transaction.amount: 0” assuming the API should fail this transaction due to no actual amount.

Method / Endpoint: POST /v1/payments_method

URL: https://staging.example.com/api/user

Result: Failed

Result reason: Unexpected behaviour: 200

Response time: 1020 ms

Data integrity

Why should you care?

Cryptographic failures, injection attacks and integrity failures can all be leveraged by attackers to compromise your system. P0 identifies these for you.

Test type / Scenario

Positive: Executed a POSITIVE test by setting "user.age": "17" when the minimum required age is 18, expecting a failure during registration.

Positive: Conducted a POSITIVE test by setting "cart.itemCount": "0" when trying to checkout, expecting a 'Cart Empty' error.

Negative: For a NEGATIVE test, we set "content-type": "text/plain" for a JSON API, expecting an 'Unsupported Media Type' error.

Positive: Performed a POSITIVE test by setting "order.deliveryDate": "2022-01-01", expecting the API to reject the request for a past date.

Negative: Executed a NEGATIVE test by sending a blank POST request, expecting the API to return a 'Bad Request' error.

Negative: Ran a NEGATIVE test by setting "user.id-type": "abc" instead of a numerical value, expecting an 'Invalid ID' error from the API.
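The scenario table above and the "transaction.amount: 0" test card earlier describe the same check: send a boundary or malformed value, state the status a correctly validating API should return, and flag any other status as "Unexpected behaviour". The following is an added example of that runner, not p0's own code. The service under test is a constructed in-process mock (handle_request) standing in for an HTTP API so the script runs offline; the endpoint paths, field names and the mock's validation gap (it accepts a zero amount) are assumptions chosen to reproduce the page's sample result.

```python
"""Black-box positive/negative API checks in the style of the scenario table.

Added example, not p0's own code.  The service under test is a constructed
in-process mock (handle_request); paths and field names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

JSON = {"content-type": "application/json"}


@dataclass
class Scenario:
    test_type: str                 # "Positive" or "Negative", as the page labels them
    summary: str
    path: str
    expected_status: int           # what a correctly validating API should return
    body: Optional[dict] = None    # None models a blank POST
    headers: dict = field(default_factory=lambda: dict(JSON))


def handle_request(method: str, path: str, headers: dict, body: Optional[dict]):
    """Constructed mock API (assumption).  It deliberately reproduces the page's
    finding: a payment with transaction.amount 0 is accepted with 200."""
    if headers.get("content-type") != "application/json":
        return 415, {"error": "Unsupported Media Type"}
    if body is None:
        return 400, {"error": "Bad Request"}
    if (method, path) == ("POST", "/v1/payments_method"):
        amount = body.get("transaction", {}).get("amount")
        if amount is None:
            return 400, {"error": "amount required"}
        return 200, {"status": "accepted"}      # validation gap: 0 is not rejected
    if (method, path) == ("POST", "/v1/register"):
        try:
            age = int(body.get("user", {}).get("age"))
        except (TypeError, ValueError):
            return 400, {"error": "invalid age"}
        if age < 18:
            return 400, {"error": "minimum age is 18"}
        return 201, {"status": "registered"}
    if (method, path) == ("POST", "/v1/orders"):
        try:
            when = date.fromisoformat(body.get("order", {}).get("deliveryDate", ""))
        except (TypeError, ValueError):
            return 400, {"error": "invalid deliveryDate"}
        if when < date.today():
            return 400, {"error": "deliveryDate is in the past"}
        return 201, {"status": "created"}
    return 404, {"error": "not found"}


# Constructed scenarios mirroring the page's table.
SCENARIOS = [
    Scenario("Negative", "transaction.amount: 0 (no actual amount)",
             "/v1/payments_method", 400, {"transaction": {"amount": 0}}),
    Scenario("Positive", 'user.age: "17" below the minimum of 18',
             "/v1/register", 400, {"user": {"age": "17"}}),
    Scenario("Negative", "content-type: text/plain on a JSON API",
             "/v1/payments_method", 415, {"transaction": {"amount": 10}},
             {"content-type": "text/plain"}),
    Scenario("Negative", "blank POST request",
             "/v1/payments_method", 400, None),
    Scenario("Positive", 'order.deliveryDate: "2022-01-01" (past date)',
             "/v1/orders", 400, {"order": {"deliveryDate": "2022-01-01"}}),
]


def run_scenario(s: Scenario):
    """Classify one scenario the way the page's result card does."""
    status, _ = handle_request("POST", s.path, s.headers, s.body)
    if status >= 500:
        return "Failed", f"Platform crash: {status}"
    if status == s.expected_status:
        return "Passed", f"Expected behaviour: {status}"
    return "Failed", f"Unexpected behaviour: {status}"


def run_all(scenarios=SCENARIOS):
    return [(s.test_type, s.summary) + run_scenario(s) for s in scenarios]


def summarize(results):
    """Counts matching the page's 'tests resulting in issues' / 'without issues'."""
    issues = sum(1 for r in results if r[2] == "Failed")
    return {"tests_with_issues": issues, "tests_without_issues": len(results) - issues}


if __name__ == "__main__":
    results = run_all()
    for test_type, summary, verdict, reason in results:
        print(f"{verdict:6} {test_type:8} {summary}: {reason}")
    print(summarize(results))
```

Any 5xx is reported as a failure regardless of the expected status, because a crash on malformed input is a finding in its own right (the "Platform crash" category below). Against a real service, handle_request would be replaced by an HTTP client call; the classification logic stays the same.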

Platform crash

Why should you care?

Identify potential denial-of-service attack vectors and misconfigurations rapidly at each deploy.

Request body we sent:

{
    "quantity": "3",
    "product_id": "12345",
}

Response we got:

Response code: 500

{
    "code":"INTERNAL_SERVER_ERROR",
    "message": "Failed to convert value of type 'java.lang.String' to required type 'java.time.LocalDateTime';……",
}

Noise alerts

Why should you care?

Identify early API endpoints that could be leaking sensitive information.
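The "Platform crash" sample above and the "Noise alerts" point are two sides of one defect: a framework binder fails to convert a request field, an over-broad catch-all turns that into a 500, and the exception text (with runtime type names) is echoed to the client. The following is an added example, not p0's code and not the code of the service behind the page's sample response. The page's 500 came from a Java service; this reproduces the same pattern in Python with an assumed orders endpoint (field names and messages are assumptions), shows the hardened handler beside it, and adds a small detector for response bodies that leak internals. The page's sample response is reproduced as constructed test data.

```python
"""A 500 that echoes the exception is itself a finding.

Added example, not p0's own code.  The orders endpoint, its field names and
the sample bodies are assumptions; PAGE_STYLE_RESPONSE is constructed test
data mirroring the page's sample.
"""
import json
import re
from datetime import datetime

# Constructed sample bodies (assumptions): the page's request shape plus a
# datetime field the handler expects.
BAD_BODY = {"quantity": "3", "product_id": "12345", "scheduled_at": "not-a-date"}
GOOD_BODY = {"quantity": "3", "product_id": "12345", "scheduled_at": "2024-06-01T10:00:00"}

# Constructed copy of the page's response body.
PAGE_STYLE_RESPONSE = {
    "code": "INTERNAL_SERVER_ERROR",
    "message": "Failed to convert value of type 'java.lang.String' to required "
               "type 'java.time.LocalDateTime';",
}


def parse_order(body: dict) -> dict:
    """Field conversion that raises on malformed input, like a framework binder."""
    return {
        "quantity": int(body["quantity"]),                              # ValueError on "abc"
        "product_id": str(body["product_id"]),
        "scheduled_at": datetime.fromisoformat(body["scheduled_at"]),   # ValueError on bad date
    }


def handle_unsafe(body: dict):
    """Catch-all that echoes the exception text: yields a 500 whose body names
    internal types and values, as in the page's sample."""
    try:
        return 201, {"order": parse_order(body)}
    except Exception as exc:  # over-broad catch is the point of this version
        return 500, {"code": "INTERNAL_SERVER_ERROR",
                     "message": f"{type(exc).__name__}: {exc}"}


def handle_hardened(body: dict):
    """Malformed input is a client error (400) with a fixed message; anything
    else is a 500 with no exception text in the body (log it server-side)."""
    try:
        order = parse_order(body)
    except (KeyError, TypeError, ValueError):
        return 400, {"code": "BAD_REQUEST", "message": "request body failed validation"}
    except Exception:
        return 500, {"code": "INTERNAL_SERVER_ERROR", "message": "unexpected error"}
    return 201, {"order": order}


# Markers of stack traces and runtime type names in response bodies.
LEAK = re.compile(
    r"java\.[a-z]+\.[A-Z]\w*"                  # java.lang.String, java.time.LocalDateTime
    r"|\b\w+(?:Error|Exception)\b"             # ValueError, NullPointerException
    r"|Traceback \(most recent call last\)"    # Python stack trace
    r"|\bat [\w.$]+\([\w.]+:\d+\)"             # Java stack frame
)


def leaks_internals(payload: dict) -> bool:
    """True if the serialised response body contains internal-detail markers."""
    return LEAK.search(json.dumps(payload, default=str)) is not None


if __name__ == "__main__":
    for name, handler in (("unsafe", handle_unsafe), ("hardened", handle_hardened)):
        status, payload = handler(BAD_BODY)
        print(f"{name:9} {status} leaks={leaks_internals(payload)} {payload}")
```

The detector is deliberately narrow (type names, exception names, stack-frame shapes) so it raises a noise alert on bodies like the page's sample without flagging an ordinary error code such as INTERNAL_SERVER_ERROR. The hardened handler also changes the status: a conversion failure on client input is a 400, which is what the negative tests above expect, not a 500.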

Timeout errors

Why should you care?

Identify screens that time out to find denial-of-service vulnerabilities.

Response time

Why should you care?

Identify third-party vendors who could be impacting your service.

Surface p0s whenever. Wherever.

Choose from our fully managed p0 Cloud or Self-Hosted options.

Cloud: Fully managed p0 platform – the easiest way to scan your endpoints and raise high priority issues

© 2024 p0. All rights reserved.