Real API Testing, Smart Scanning and 24x7 Monitoring
Broken Object Level Authorization
| Webtica Multi-step Testing & Scanning | Automated Code Review | Single-step Web App Scanner | |
|---|---|---|---|
| ID is unique and not used repeatedly in callback API | |||
| Verification of access token validity against expiry and potentially misused | |||
| Establish another session for maintaining the login status of the application which is different from the setup session | |||
| Invalidate the session used for Login process and to ensure this session and corresponding session data shall never be reused for subsequent business flow | |||
| Timeout a session that is left idle over a period of time | |||
| Invalidate session if API return any error in authorization code or access token | |||
| Unauthorized Read/Change resources | |||
| Cross-site scripting and injection attacks |
What is Webtica?
APITest
Positive test - validates multi-step API responses on your development machine or during continuous integration and deployment (CI/CD).
APIScan
Negative test - APIScan is tightly integrated with APITest, with security testings including parameter tampering, fuzzing, injections, etc.
WebWatch
Continuous Testing - to identify injections (scripts, URLs, images, etc), availability & performance of web sites & DNS.
We’re Better. Here’s Why …
API should be Tested, Scanned & Monitored ProperlyTest your APIs from top to bottom by setting up multiple HTTP requests. Retrieve data from each request and use it to perform tasks in other steps.
With first multi-step test case built and executed, Retrievers fetch the most relevant context given a user query for subsequent steps automatically.
Evolving your API product without affecting current users is essential, Breaking changes need to be identified during the development phase, and if they happen.
Complex data flow paths reduce the accuracy of a SAST analysis, DAST Lacks Context of APIs unless it has an awareness of the parameter value used to identify the object.
API testing is important for ensuring that your API performs as expected when faced with a wide variety of expected and unexpected requests.
With a list of different roles for your API users, after the first role of a test-case is tested of first role, tests for all other roles for this test case would be generated automatically.
Automation is Critical to Superior User Experiences
Continuous automated testing as a catalyst for innovation
Functionality Testing
Execute tests swiftly and repeatedly, without requiring manual intervention, even across multiple versions of your application.
Performance Testing
A repeatable and consistent process with minimum effort and quick turn-around time to identify and eliminate these bottlenecks.
Security Testing
Remarkably fast and scalable, scan the entire application much faster with broader coverage than a manual pen tester.
The cloud runs on APIs
APIs are in the blind spot of the regular application security testing methods-
Support HTML scanning only, do not understand RESTAPI.
-
Cannot test multi-step workflow.
-
Unable to validate Access Control Matrix.
Why Webtica?
-
On-prem - dockerized application, support offline testing.
-
SaaS - testing and monitoring internet visible APIs.
-
Multi-step - finds errors and vulnerabilities in workflow.
-
Low-code - testing team and security team friendly.
-
Automation - monitoring changes, availability and performance, 24x7.
Integrated Security Scanning, Every Step
API testing should entail scanning for API vulnerabilities. API security testing should be conducted early in development—detecting and remediating problems before they go into production.
Multi-step API Testing, Support Assertions
Various scenarios, such as complex order combinations, to detect any inconsistencies in the API responses, to promptly identify and rectify any issues, ensuring a seamless customer experience.
Continuous API Testing & Scanning
Continually Testing your API is critical to quality & secure software building. Every time there is a change, the testers run the tests automatically and report the results.
Team Work, Access Control per Test Case
QA team has to get access to the testing system, get security approvals. Also to ensure that any change in the program that creates an additional parameter for API calls reflects in the schema configuration.
How does it work
Validate API Responses & Identify Security Vulnerabilities
APITest
-
Build Test case: Import the steps by Jmeter configuration, OpenAPI Doc, or manual input, with assertions.
-
Run tests: Manual run, or tests scheduled by a powerful scheduler.
APIScan
-
Build Test Case: Integrated from APITest steps, or import OpenAPI document.
-
Run tests: Manual run, or tests scheduled by a powerful scheduler.
Serious API Security Scanning
Integrated Smart Fuzzing
Use mutation of collected data, naughty strings, detection of sensitive data, valid enough to pass program parser checks.
Deserialize Data from Data Stream
Check encoded data if use of unknown or untrusted data that may result in abuses of application logic.
Check API Security Baseline
Always use TLS encryption, don’t include sensitive information in URLs, rate limiting and safe error responses, etc.
Smart vs Dumb Fuzzing
More accurate results
-
Smart fuzzers generate randomized data valid enough to pass program parser checks, get deep into the program logic, and potentially trigger edge cases and find bugs.
-
A mutation-based fuzzer takes valid inputs and generates a collection of inputs by changing (mutating) the valid inputs.
-
A generation-based fuzzer analyses the provided valid input structure and generates entirely new data that matches the valid one from the structure perspective.
Results of little use
-
Dumb fuzzers produce completely random input without matching the shape of the expected input or generated to match a valid input.
-
Dumb fuzzers, sometimes, tests a parser than your program.
-
Dumb fuzzers won’t be able to begin the execution of the application logic and identify potential bugs in that area of the code due to the wholly randomized input that does not match the valid input.
WebWatch
ScriptWatch
-
Collects and saves known good scripts, images as baseline.
-
Check if new scripts, images, HREFs regularly.
-
If new scripts, images are good, collects and saves for next check.
Pricing - On-Prem
Dockerised Application, Simple Pricing, No Hidden Cost
Free
Personal Use
No Credit Card
APITest: Yes
APIScan: Yes
Max# User: 1
Max# API Test Cases: 5
Task Scheduler: No
Email Notification: No
Team
Most Popular
Billed as US$480 per user per year
APITest: Yes
APIScan: Yes
Min# User: 2
Max# API Test Cases: 50 * #Users
Task Scheduler: No
Email Notification: No
Enterprise | Consultant
Flexible Pricing
APITest: Yes
APIScan: Yes
Min# User: 2
Max# API Test Cases: 50 * #Users
Task Scheduler: Yes
Email Notification: Yes
Pricing - SaaS (Cloud Based)
Simple & Easy, No Installation, No Hidden Cost
Free
US$ -For personal use
APITest
APIScan
Max# user: 1
Max# API Test Cases: 5
Task Scheduler: No
Email Notification: No
WebWatch: No
Most Popular
Team
$ 48 /user /monthBilled as US$480 per user per year
APITest
APIScan
Min# User: 2
Max# API Test Cases: 50 * #Users
Task Scheduler: No
Email Notification: No
WebWatch: No
Enterprise | Consultant
CustomizableFlexible Pricing
APITest
APIScan
Min# User: 2
Max# API Test Cases: 50 * #Users
Task Scheduler: Yes
Email Notification: Yes
WebWatch: Yes
Accepted Payment Methods
Money Back Guarantee
If it’s not a perfect fit, receive a refund for un-used number of days.
SSL Encrypted Payment
Your information is protected by 256-bit SSL encryption.
The above prices do not include applicable taxes based on your billing address. The final price will be displayed on the checkout page, before the payment is completed
Got Questions? Look Here
Is usage limited by time, frequency of test?
Usage is limited by number of users, number of test cases; Features of email notification and task schedulers are enabled for enterprise version only.
What is the difference between on-prem & SaaS?
Webitca On-prem a) requires installation of dockerized application; b) able to run without connecting to internet; c) WebWatch is not enabled; d) Do not require Multi-factor authentication after 30 days upon first login.
How to install Webtica On-prem?
a) Install Docker on your system; b) download & initialize the docker (internet connection required); c) sign-up (internet connection required) and sign-in; d) create and run test cases.
Can I run Webtica (On-prem) without connecting not internet?
Webtica (On-prem) requires internet connection only for initialization of license, user account sign up, check and download update dockerized applciation, if any. You don't need internet connection for sign-in, creating & running test cases.
We are using Webtica On-prem, any of my test data would be sent to Internet?
No. You are in total control. Webtica On-prem would not send any of your test data to Internet, including our SaaS platform.
Under what situations I cannot use the UI for creating test cases?
For test cases with cross-tab workflow, application logic involving if-the-else, etc., should be created based on OpenAPI Document, or configuration files created by JMeter.
Can I change plans or cancel at any time?
Yep. When you upgrade or downgrade your account, all charges are automatically pro-rated. That means if you need to, you can cancel any time.
Can I sign in without Multi-Factor Authentication?
For SaaS version, no. All user accounts are protected by Multi-Factor Authentication (Smartphone based Authenticator) after 30 days upon first successful sign-in.
What is the difference between API Testing and UI Testing?
Unlike UI testing, which tests the look and feel of the application, API testing focuses on the business logic of the application. Also, this testing requires software to send calls to the API. The software will send requests to API, receive output, and compare the actual responses with the expected responses.