A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications are based on Representational State Transfer (REST) architecture. During the scoping process, you determine that it would be helpful if you had access to the organization's internal documentation for these applications. Which of the following should you ask your client for?
A. Web Services Description Language (WSDL) documentation
B. Software Development Kit (SDK) documentation
C. Web Application Description Language (WADL) documentation
D. Application Programming Interface (API) documentation

by BorisD (7.4k points)

1 Answer

5 votes

Final answer:

For a white box penetration test of REST-based web applications, you should request access to the Application Programming Interface (API) documentation from the client, as it is most relevant to understanding and interacting with the RESTful services. Therefore, the correct answer is Option D.

Step-by-step explanation:

When running a white box penetration test for web-based applications based on Representational State Transfer (REST) architecture, having access to the organization's internal documentation is crucial. In this case, the correct documentation to ask your client for would be D. Application Programming Interface (API) documentation. This documentation will provide detailed information about the interface and how it can be used, which is essential for understanding how to interact with the REST-based application for security testing purposes. It is more specific than general software development kits and less tied to specific protocols as compared to Web Services Description Language, making it the most appropriate choice for RESTful services. The Web Application Description Language (WADL) is another possibility, as it specifically describes RESTful web services, but it is less commonly used than direct API documentation.

by Phil Swenson (7.9k points)
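As an added illustration that is not part of the answer above, the following Python script shows what API documentation gives a white-box tester during scoping. It parses a constructed OpenAPI 3 document (the server URL, paths, parameter names and security scheme are all invented for the example) and turns it into an endpoint inventory: method, URL, whether the operation requires authentication, whether it takes a body, and which inputs it accepts. That inventory is what gets agreed with the client as the test scope before any testing starts.

```python
import json

# Constructed OpenAPI 3 fragment standing in for a client's API documentation.
# Everything here (host, paths, scheme names) is invented for this illustration.
SAMPLE_API_DOC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Example Orders API", "version": "1.0"},
    "servers": [{"url": "https://api.example.test/v1"}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
    },
    # Document-wide default: every operation needs a bearer token
    # unless it overrides "security" itself.
    "security": [{"bearerAuth": []}],
    "paths": {
        "/orders": {
            "get": {"summary": "List orders",
                    "parameters": [{"name": "status", "in": "query"}]},
            "post": {"summary": "Create order", "requestBody": {"required": True}},
        },
        "/orders/{orderId}": {
            # Path-level parameters apply to every operation under this path.
            "parameters": [{"name": "orderId", "in": "path", "required": True}],
            "get": {"summary": "Fetch one order"},
            "delete": {"summary": "Cancel order"},
        },
        "/health": {
            # Explicit empty list: this endpoint is deliberately unauthenticated.
            "get": {"summary": "Liveness probe", "security": []},
        },
    },
})

# Keys of a path item that denote HTTP operations (anything else is metadata).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def inventory(doc_text):
    """Flatten an OpenAPI 3 JSON document into one row per operation."""
    spec = json.loads(doc_text)
    base = spec.get("servers", [{}])[0].get("url", "")
    global_security = spec.get("security", [])
    rows = []
    for path, item in spec.get("paths", {}).items():
        path_params = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # An operation-level "security" (even an empty one) overrides the default.
            security = op.get("security", global_security)
            params = path_params + op.get("parameters", [])
            rows.append({
                "method": method.upper(),
                "url": base + path,
                "auth_required": len(security) > 0,
                "has_body": "requestBody" in op,
                "inputs": [f"{p['in']}:{p['name']}" for p in params],
                "summary": op.get("summary", ""),
            })
    rows.sort(key=lambda r: (r["url"], r["method"]))
    return rows


def unauthenticated(rows):
    """Operations the documentation says are reachable without credentials;
    these are worth confirming with the client during scoping."""
    return [r for r in rows if not r["auth_required"]]


if __name__ == "__main__":
    rows = inventory(SAMPLE_API_DOC)
    for r in rows:
        auth = "auth" if r["auth_required"] else "OPEN"
        print(f"{r['method']:6} {r['url']:45} {auth:5} inputs={r['inputs']}")
    print(f"{len(rows)} operations, {len(unauthenticated(rows))} unauthenticated")
```

Real API documentation is often YAML rather than JSON; the same walk applies once the document is loaded. The point of the script is the shape of the output: a per-operation list with authentication expectations and inputs is exactly what a WSDL (SOAP) or a WADL would not give you for a REST service in a form the team already maintains.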