Zero-setup OWASP Top 10 Testing

Test your APIs for data vulnerabilities

Backed by leading investor

As seen in

No-setup OWASP Testing

No API specifications, no intrusive set-up, no code changes - just easy visibility in one click.

Squash your p0s before they impact your customers. Our tool can detect a wide variety of issues like:

Injection

Why should you care?

Test all of your APIs for malicious inputs such as SQL injection attacks. Ensure all APIs sanitize their inputs, even hidden ones.

Test type | Scenario
Negative | Executed a SQL injection attack on "user.age" to test for sanitized input.
Positive | Executed a POSITIVE test by setting "user.age": "17" when the minimum required age is 18, expecting a failure during registration.
Positive | Conducted a POSITIVE test by setting "cart.itemCount": "0" when trying to checkout, expecting a 'Cart Empty' error.
Positive | Performed a POSITIVE test by setting "order.deliveryDate": "2022-01-01", expecting the API to reject the request for a past date.
Negative | Executed a NEGATIVE test by sending a blank POST request, expecting the API to return a 'Bad Request' error.
Negative | Ran a NEGATIVE test by setting "user.id-type": "abc" instead of a numerical value, expecting an 'Invalid ID' error from the API.

Broken Access Control

Why should you care?

Check your APIs for hidden mass assignment and excessive data exposure.

Request body we sent (attribute tested: "isAdmin"):

    {
      "isAdmin": "true",
      "product_id": "12345"
    }

Response we got (response code: 500):

    {
      "code": "SUCCESS",
      "message": "Logged in as administrator: super user privileges given"
    }

Request body we sent (attribute tested: "quantity"):

    {
      "quantity": "3",
      "product_id": "12345"
    }

Response we got (response code: 500):

    {
      "code": "INTERNAL_SERVER_ERROR",
      "message": "Failed to convert value of type 'java.lang.String' to required type 'java.time.LocalDateTi……"
    }
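The Injection scenarios and the mass-assignment requests above all come down to one server-side control: accept only the attributes an endpoint declares, with the type and range it expects. The following is an added example, not p0's code, of such an allow-list validator; the endpoint paths /api/user and /api/checkout, the field names and the error strings are assumptions modelled on the scenarios.

```python
from datetime import date

# Constructed allow-list schemas for two hypothetical endpoints: field ->
# (type, acceptance rule, error). Unlisted fields are rejected, which blocks "isAdmin".
SCHEMAS = {
    "/api/user": {
        "user.age": (int, lambda v: v >= 18, "Minimum age is 18"),
        "user.id": (int, lambda v: v > 0, "Invalid ID"),
    },
    "/api/checkout": {
        "cart.itemCount": (int, lambda v: v > 0, "Cart Empty"),
        "quantity": (int, lambda v: v > 0, "Invalid quantity"),
        "product_id": (int, lambda v: v > 0, "Invalid product"),
        "order.deliveryDate": (date, lambda v: v >= date.today(), "Date is in the past"),
    },
}

def _coerce(kind, raw):
    # Strict: only ints or digit-only strings count as int, so "abc" and "18 OR 1=1" are refused.
    if kind is int and not isinstance(raw, bool):
        if isinstance(raw, int):
            return raw
        if isinstance(raw, str) and raw.isdigit():
            return int(raw)
    if kind is date and isinstance(raw, str):
        return date.fromisoformat(raw)  # ValueError on malformed dates
    raise ValueError(f"expected {kind.__name__}")

def validate(endpoint, body):
    """Return a list of error strings; an empty list means the request is accepted."""
    if not body:  # blank POST -> 'Bad Request'
        return ["Bad Request: empty body"]
    schema = SCHEMAS[endpoint]
    errors = [f"Unknown attribute '{f}' rejected" for f in body if f not in schema]
    for field, (kind, accept, message) in schema.items():
        if field in body:
            try:
                value = _coerce(kind, body[field])
            except ValueError:
                errors.append(f"{field}: must be a valid {kind.__name__}")
                continue
            if not accept(value):
                errors.append(f"{field}: {message}")
    return errors

if __name__ == "__main__":  # constructed requests mirroring the scenarios above
    for endpoint, body in [("/api/user", {"user.age": "17"}),
                           ("/api/checkout", {"isAdmin": "true", "product_id": "12345"}),
                           ("/api/checkout", {"quantity": "3", "product_id": "12345"})]:
        print(endpoint, body, "->", validate(endpoint, body) or "accepted")
```

Rejecting unknown attributes with a 4xx also removes the 500 responses seen above, which leak framework internals such as Java type names.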

Unrestricted Resource Consumption

Why should you care?

Ensure malicious users cannot spam your third-party APIs, costing you real dollars.

Tests resulting in issues (12)
Tests without issues (35)

Test ID: #9374
Test summary: You are vulnerable to unrestricted Twilio API calls
In a NEGATIVE test we added "transaction.amount: 0" assuming the API should fail this transaction due to no actual amount.
Method / Endpoint: POST /v1/payments_method
URL: https://staging.example.com/api/user
Result: Failed
Response time: 1020 ms

DDoS Attacks

Why should you care?

Prevent your service from going down because of denial-of-service attacks.

Response time

Why should you care?

Identify screens that time out to find denial-of-service vulnerabilities.

Noise alerts

Why should you care?

Identify third-party vendors who could be impacting your service.

Built by people who have worked at:

Surface p0s today.

Raise high priority issues with our fully managed p0 Cloud platform.

Cloud

Fully managed p0 platform – the easiest way to scan your endpoints and raise high priority issues

© 2024 p0. All rights reserved.