Pentesting a payment API is typically assignment for our team, because the founder of binsec GmbH have a strong working background in the payment area. Checking for typical OWASP Top 10 vulnerabilities is the basis of the penetration test, but in this case, we also check for some sort of logical errors that may result in security issues. A good example is checking if it is possible to transfer negative amounts using a normal auth or settle transaction type. Issues like this one happen, because when one thinks about amount limits, sometimes it is only to limit the maximum amount.
In comparison to normal website penetration test, testing a payment API requires a higher manual effort. It involves getting familiar with the API documentation and writing tests for the specific use cases, since many available tools might not work in this case. Nevertheless, having a broad range of experience in this field allows us to still analyse APIs in an adequate time frame.back to projects