In today’s global scenario, the most important asset every company owns is data, its availability, and being entrusted with it to provide personalized services. Therefore, data should be rightfully given its place of importance in terms of protection and security testing.
Especially when it comes to applications, the application programming interfaces (APIs) provides multiple vulnerable points of access to sensitive data. Our goal should be ensuring the protection of APIs during all stages of production.
What is an API?
APIs are usually used to transfer information between two systems and it functions at either the code or network level. This depends on if both the systems are working on the same machine. An important detail to note is that modern APIs take the form of representational State Transfer (REST). It provides an easy function of designing a specific API call for calling all the information required for changing or accessing a web service. Another interesting benefit is that it provides a clear layer of separation between front-end (presentation details) and back-end (data accessing mechanism).
Principles of Successful API Security Testing
There are majorly 2 Principles of Successful API Security Testing
The API should reject any input of incorrect types (such as null or empty) or incorrect sizes. The latter has some difficulty in defining a range of inputs that are acceptable, since the REST API should predict the customer’s approach.
Every input has an expected output – and nothing else should be accepted. For a defined input and output range, this is an easy task, unlike a situation where the user submits their own content (like chat platforms).
Those inputs outside expected domains shouldn’t be accepted.
Provide data on a need-to-know basis
Once permissions are defined, users should be provided access to data only as per their requirements. Even though it seems simple once the permissions and the associated access to resources is implemented, there are too many variables that can change.
These are a couple of parameters that every API should be tested for to avoid data breaches and other compromising situations. A properly designed and tested API should be able to set up an initial layer of defense, which is what should be approved by security testing protocol.
Different types of API Security Testing
- Security auditing process – An ideal security auditing process takes into account the following factors as basic security barriers:
- The conditions and permissions users require to access to specific levels of data
- Authentication levels required by the user to use the API and manner of identification
- Encryption rules for stored data and instances of decryption
- Penetration testing – This stage involves simulating attacks to test the API for vulnerabilities, faulty coding, or other security risks. It helps in external security hardening and resolving development errors from the initial phases. With a mix of automated (Metasploit, Acunetix, etc) and manual tools, API testing can be done in a controlled environment.
- Proceed with a list of known vulnerabilities within the API
- Set a ranking according to the risk each issues presents (the OWASP website provides a good understanding of the risk factors associated)
- Send requests and design attacks keeping these security risks in mind, from both inside and outside the network
- Keep your eyes open for other issues that may pop up during the testing process
- Note down all vulnerabilities, discuss remediation measures, implement them, and retest.
- Fuzz Testing – After designing a basic security checklist and designing hacking attempts, it’s time to push the API to the extreme and evaluate the results. This could be done through a large volume of requests sent at the same time (DDoS attacks), quick changes in the type of data received, etc. This will showcase a different set of vulnerabilities when the system’s under pressure and is equally important to resolve.
Basic steps to performing API security testing
API security testing usually involves sending requests via client software (like Insomnia) to the application endpoint, which is then evaluated. Remember to use automated software for a portion of the testing as it speeds up the purpose (security auditing or fuzz test could be done).
- What are your system’s security requirements?
- Need for a TLS/SSL certificate and accessible over HTTPS
- Number of permission levels for accessing different resources
- Flow of authentication and the requirement for an external provider
- API aspects that could be attacked and points of weakness
- Setting the testing environment and checking if everything’s good to go
Depending on small or large applications, a staging environment for testing should be designed. The larger ones function better in a separate environment with a mock-up of the resources. Check if the API is functioning properly with a few test requests.
- Provide an input domain
Before stepping into individualized testing, you’ll need to define what each parameter signifies and its different combinations allowed. This will ensure that you properly define those values that aren’t allowed and those that are vulnerable to attacks like SQL injection or brute force.
- Develop and execute
All that’s left is to conduct the tests and check if the received output is the same as expected. Check in with a couple of questions such as;
- If there’s an option for file upload, what to do if a malicious file is brought up?
- In the space that asks for information from the user, what happens if a HTML/JS input is given?
- Accessing resources beyond your permission level (and if they can be accessed via HTTP and HTTPS)
There are other parameters in the API security testing that you might need to be aware about with your specific application. With Astra Security, there’s no need to worry about missing the little things anymore!