API Penetration Testing

Description

Client: Unifonic

Category: Product Security

Date: 28 June 2023

Unifonic provides companies in the Middle East with seamless, multilingual, enterprise-grade communications at reasonable prices. The business has assisted various organizations in developing efficient customer communication since its founding in 2006. Up until this point, it has served more than 160 million recipients and more than 5000 commercial accounts.

Before They Met Us

  • Unifonic uses multiple dashboards to manage all the services it offers to customers. The same entity is in charge of managing how its products and applications are used by its user base.
  • The client was facing numerous issues with the API it was using. These issues initially seemed minor, but given the prevalence of online threats, the client was fearful of major cyber incidents.
  • An insecure API was a constant threat to Unifonic’s operational continuity.

Our Objectives for the Project

  • Gather the security weaknesses in Unifonic's API.
  • Conduct a complete security audit to find what's lacking in the client's API security.
  • Identify the impacts of present vulnerabilities on mission-critical applications used by the client for day-to-day business operations.

Methodologies Used

  • API Security Assessment to identify all the vulnerabilities and security weaknesses in the API.
  • Credentialed Patch Audit.
  • Thorough Penetration Testing to determine the impact of the vulnerabilities when exploited.
  • Simulated Privilege Escalation to check the resilience of current security policies.

Tools Used

OWASP ZAP: for active and passive scanning, fuzzing, and vulnerability detection.

Burp Suite: for intercepting requests, manipulating parameters, and scanning for vulnerabilities.

Postman: to identify security weaknesses and validate the behavior of APIs.

The tested API was not secure. It was not aligned with security best practices.

We highlighted multiple security weaknesses in this API that might result in catastrophic failures if attacked.

We delivered a thorough report to the client featuring all the exploited vulnerabilities, their impacts, and how to mitigate them.

However, we advised the client that analyzing its API security posture is just one assessment, and that it should use other elements as well to get a definitive measurement of its security policies.

We recommended a complete review of internal security controls, procedures, or internal red teaming.
