Skip to main content
QMSQMS
QMS
  • Welcome to your QMS
  • Quality Manual
  • Procedures
  • Records
  • TF_Legit.Health_Plus
    • Legit.Health Plus TF index
    • Legit.Health Plus STED
    • Legit.Health Plus description and specifications
    • R-TF-001-007 Declaration of conformity
    • GSPR
    • Clinical
    • Design and development
    • Design History File (DHF)
      • Version 1.0.0.0
        • Requirements
        • Test plans
          • PLAN-001 Users submit their credentials to receive an access token
          • PLAN_002 Token expiration in user authentication process
          • PLAN_003 Account lockout for user authentication
          • PLAN_004 Enforcing HTTPS protocol for API communications
          • PLAN_005 Valid SSL/TLS certificates
          • PLAN_006 Rate limiting for anonymous users
          • PLAN_007 Rate limiting for authenticated users
          • PLAN_008 Logging and monitoring of rate limit violations
          • PLAN_009 Validation of request and response data against FHIR schemas
          • PLAN_010 Base64 encoded images are accepted
          • PLAN_011 Non-Base64 encoded images are rejected
          • PLAN_012 Diagnosis support endpoint accepts multiple images
          • PLAN_013 Improved accuracy with multiple images
          • PLAN_014: Password hashing during user registration
          • PLAN_015: Password hash comparison during login
          • PLAN_016: Registration of a new user by authorized individuals
          • PLAN_017 Specification of body zone for scoring systems requiring zone factor
          • PLAN_018 The device's API maintains an uptime of at least 99% over a one-month period
          • PLAN_019 API penetration testing with Intruder.io
        • Test runs
        • πŸ₯£ SOUPs
    • IFU and label
    • Post-Market Surveillance
    • Quality control
    • Risk Management
  • Licenses and accreditations
  • External documentation
  • Procedures
  • Records
  • TF_Legit.Health_Plus
  • Design History File (DHF)
  • Version 1.0.0.0
  • Test plans
  • PLAN_019 API penetration testing with Intruder.io

PLAN_019 API penetration testing with Intruder.io

Description​

The objective of this test is to evaluate the cybersecurity of the medical device's REST API by performing a comprehensive penetration test using the Intruder.io online tool. Our goal is to identify and analyze potential security vulnerabilities that could be exploited by malicious actors.

The penetration test will simulate real-world attack scenarios, including but not limited to:

  • SQL Injection: Checking if malicious SQL statements can be executed via the API endpoints.
  • Cross-Site Scripting (XSS): Verifying if the API is vulnerable to injection of malicious scripts.
  • Insecure Authentication: Assessing the robustness of authentication mechanisms to prevent unauthorized access.
  • Unauthorized Data Access: Ensuring that data access controls are correctly enforced and no sensitive data can be retrieved without previous authorization.
  • Port Scanning: Identifying open ports on the server hosting the API to determine potential entry points for attacks.

System requirements​

This test can be executed with standard hardware, and it is not necessary to use any specific software.

Preconditions​

  • The entire system (including the reverse proxy, REST API, and all upstream services) is deployed, operational, and accessible online.

Setup​

No setup is required for this test.

Input data​

No test data is required for any of the steps.

Steps​

  1. Log in to your Intruder.io account. If you do not have an account, create one and log in.
  2. Navigate to the "Targets" section in Intruder.io. Then, click on "Add Target" and enter the base URL of the medical device’s REST API.
  3. In Intruder.io, go to the "Launch" tab and select "Penetration Test". Under "Authentication", enter the API credentials for the /login endpoint.
  4. Review the configured settings and confirm the test scope.
  5. Click on "Start Scan" to begin the penetration test.
  6. Periodically monitor the test progress through the Intruder.io dashboard to ensure that there are no disruptions or errors during the test.
  7. Once the test is complete, navigate to the "Results" tab.
  8. Review the identified vulnerabilities, which will be categorized based on their severity (Critical, High, Medium, Low). For each identified vulnerability, review the detailed findings and recommendations provided by Intruder.io.
  9. Optionally, you can download the report generated by Intruder.io showing the results of the penetration test.

Expected outcome​

  • No high or critical severity vulnerabilities have been found that compromise the security of the REST API.
  • No medium or low severity vulnerabilities have been identified. Although these do not pose a significant security risk to the API, they could potentially lead to a security breach if they are left unresolved.

Verifies software requirements​

  • REQ_005

Risk control for​

    1. Interruption of service
    1. An organisation that is not a licensed care provider gets access to the device
    1. Users outside the inteded user definition use the medical device
    1. Data breach or unauthorized access

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Tester: JD-017, JD-009, JD-004
  • Approver: JD-005
Previous
PLAN_018 The device's API maintains an uptime of at least 99% over a one-month period
Next
Test runs
  • Description
  • System requirements
  • Preconditions
  • Setup
  • Input data
  • Steps
  • Expected outcome
  • Verifies software requirements
  • Risk control for
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI LABS GROUP S.L.)