By Vinoth Venkatesan, Head, Cyber Engineering at State Street Corp.
What are API and API Security?
An Application Programming Interface (API) allows software applications to interact with one another. It is an essential part of modern software patterns such as microservices architectures. APIs are very widely used and expose sensitive software functions and data, which makes them a primary target for attackers. API security is the practice of protecting APIs from attacks.
API security is a critical component of modern web application security. APIs may have vulnerabilities such as broken authentication and authorization, lack of rate limiting, and code injection. OWASP maintains a Top 10 list of API security vulnerabilities to highlight these concerns. Organizations must test their APIs frequently to identify vulnerabilities and address them using security best practices. This article discusses several methods of API security testing and leading open-source tools that can help you secure your APIs.
Methods Of API Security Testing
You can use the following methods to test your APIs for security vulnerabilities manually.
1. Parameter Tampering
In most cases, parameters sent through APIs can easily be tampered with. For example, by manipulating parameters, bad actors can change which products are received versus which were ordered, or trick an API into returning sensitive data that the user's account is not authorized to see.
Parameter tampering is frequently performed through hidden form fields. The best way to test hidden fields is with a browser's element inspector. If you find a hidden field, try different values and observe how your API reacts.
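The defensive counterpart to this test is a handler that never trusts the tampered values in the first place. The following is an added example, not code from the article: it contrasts a handler that trusts a client-supplied price and account id (the kind of values a hidden form field carries) with one that authorizes the account against the session user and recomputes the price from server-side data. The catalogue, account table and field names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed server-side data: catalogue prices and which user owns each account.
CATALOGUE = {"sku-100": 25.00, "sku-200": 40.00}
ACCOUNT_OWNER = {"acct-1": "alice", "acct-2": "bob"}


@dataclass
class Result:
    status: int
    body: dict


def place_order_unsafe(session_user, params):
    """Vulnerable pattern: the handler trusts the client-supplied price and
    account id, exactly the values a hidden form field carries and a user
    can edit in the browser's element inspector."""
    total = float(params["price"]) * int(params["qty"])
    return Result(200, {"account": params["account"], "charged": total})


def place_order_safe(session_user, params):
    """Hardened pattern: the account is authorised against the session user,
    the quantity is validated, and the price is recomputed from the
    server-side catalogue; any client-supplied "price" is simply ignored."""
    account = params.get("account")
    if ACCOUNT_OWNER.get(account) != session_user:
        return Result(403, {"error": "account not owned by caller"})
    sku = params.get("sku")
    if sku not in CATALOGUE:
        return Result(400, {"error": "unknown sku"})
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        return Result(400, {"error": "qty must be an integer"})
    if not 1 <= qty <= 100:
        return Result(400, {"error": "qty out of range"})
    return Result(200, {"account": account, "charged": CATALOGUE[sku] * qty})


if __name__ == "__main__":
    # Tampered request: somebody else's account and a rewritten price.
    tampered = {"account": "acct-2", "sku": "sku-100", "qty": "2", "price": "1"}
    print(place_order_unsafe("alice", tampered))   # status 200, charged 2.0
    print(place_order_safe("alice", tampered))     # status 403
```

When you run the tampering test from the article against a handler built like `place_order_safe`, the changed hidden field has no effect on the charge and the foreign account id is refused, which is the reaction you want to see.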
2. Command Injection
To test whether an API call is prone to command injection, try supplying a few operating system commands as API inputs. Use commands appropriate to the operating system that hosts the API. It is recommended to test with harmless commands whose effect you can observe on the server.
For example, if your API serves content via a URL, you can append an OS command to the URL to check whether the command is executed on the server, something like this: https://testserver.com/view?name=userfile.txt;restart
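The reason the `;restart` suffix in the article's URL is dangerous is that a handler which splices the `name` parameter into a shell command string hands the shell two commands. This added example (not the article's code) shows that vulnerable construction next to a hardened `view` handler that validates the name against an allowlist pattern, refuses traversal, and passes an argv list rather than a shell string if an external program must be run at all. The `/srv/api/files` directory is a hypothetical assumption.

```python
import re
from pathlib import Path

# Assumption: the "view" endpoint may only serve files under this directory
# (hypothetical path, not taken from the article).
VIEW_ROOT = Path("/srv/api/files")
# Allowlist: must start with an alphanumeric or underscore, then a bounded
# set of safe characters; no '/', ';', spaces, quotes or leading dots.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def build_view_command_unsafe(name):
    """Vulnerable pattern: the request parameter is spliced into a shell
    command string. With name='userfile.txt;restart' the shell would see two
    commands. Returned as a string only to make the flaw visible; never hand
    a string built like this to a shell."""
    return f"cat {VIEW_ROOT}/{name}"


def resolve_view_path(name):
    """Hardened pattern: allowlist the file name, refuse traversal, and keep
    the shell out of the picture. Returns the resolved Path or raises
    ValueError, which the endpoint should turn into a 400."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("invalid file name")
    candidate = (VIEW_ROOT / name).resolve()
    # Defence in depth: the result must still live directly under VIEW_ROOT.
    if candidate.parent != VIEW_ROOT.resolve():
        raise ValueError("path escapes view root")
    return candidate


def view_argv(name):
    """If an external program really must be run, pass an argv list to
    subprocess.run without shell=True; the name can then never become a
    second command, whatever characters it contains."""
    return ["cat", str(resolve_view_path(name))]


def is_accepted(name):
    """True if the name passes validation, False if it is rejected."""
    try:
        resolve_view_path(name)
        return True
    except ValueError:
        return False
```

The practical check: run the article's `userfile.txt;restart` input through the validation path and confirm it is rejected with a 400 rather than reaching any process-spawning code.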
3. API Input Fuzzing
Fuzzing means sending random data to the API until a functional or security problem is discovered. While the random data is passed to API calls, look for signs of the API throwing an error message, processing inputs incorrectly, or crashing unexpectedly.
For example, if your API takes numerical inputs, you can try very large numbers, negative numbers, or zero. If it accepts strings, you can try random SQL queries, system commands, or random non-text characters.
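A minimal in-process fuzzer makes the two paragraphs above concrete. This is an added example rather than anything from the article: the target handler is constructed, with a deliberate defect (a division by the quantity) for the fuzzer to find, and the input generator combines the boundary values the article names (zero, negatives, huge numbers) with seeded random integers, printable junk and SQL-looking strings. The fuzzer records the signs the article lists: an uncaught exception (a crash) or a server-side error status.

```python
import random
import string


def quantity_handler(value):
    """Constructed target: an endpoint that takes a numeric quantity as a
    string and returns (status, body). It carries a deliberate defect for
    the fuzzer to find."""
    try:
        qty = int(value)
    except ValueError:
        return 400, "quantity must be an integer"
    if qty < 0:
        return 400, "quantity must not be negative"
    if qty > 10_000:
        return 400, "quantity too large"
    # Defect: a zero quantity reaches this division and crashes the handler.
    per_unit_discount = 100 // qty
    return 200, f"discount {per_unit_discount}"


def gen_inputs(seed, count):
    """Boundary values first, then seeded random integers, printable junk and
    SQL-looking strings. Seeding keeps a run reproducible so a finding can
    be replayed."""
    rng = random.Random(seed)
    inputs = ["0", "-1", "1", str(2**31), str(2**63), str(-(2**63)),
              "", " ", "1e3", "NaN", "0x10", "1;restart"]
    for _ in range(count):
        kind = rng.choice(("int", "text", "sqlish"))
        if kind == "int":
            inputs.append(str(rng.randint(-10**12, 10**12)))
        elif kind == "text":
            length = rng.randint(1, 12)
            inputs.append("".join(rng.choice(string.printable) for _ in range(length)))
        else:
            inputs.append(rng.choice(("' or 1=1--", "1; DROP TABLE t", "1 OR 1=1")))
    return inputs


def fuzz(handler, inputs):
    """Run every input through the handler and collect (input, symptom) pairs
    for crashes (uncaught exceptions) and 5xx statuses."""
    findings = []
    for value in inputs:
        try:
            status, _ = handler(value)
        except Exception as exc:           # anything uncaught is a crash
            findings.append((value, f"crash: {type(exc).__name__}"))
            continue
        if status >= 500:
            findings.append((value, f"server error {status}"))
    return findings


if __name__ == "__main__":
    for value, symptom in fuzz(quantity_handler, gen_inputs(seed=1, count=200)):
        print(repr(value), symptom)
```

Against a real API the handler call is replaced by an HTTP request and the crash condition by a connection failure or 5xx response, but the structure (boundary values, seeded randomness, a findings list you can replay) stays the same.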
4. Unhandled HTTP Methods
Web applications that communicate using APIs may use many HTTP methods. These methods are used for storing, deleting, or retrieving data. If a server doesn't support an HTTP method, you will typically get an error. However, that is not always the case in traditional API deployments.
It is easy to assess which HTTP methods are supported on the server side by sending a HEAD request to an API endpoint that requires authentication. Try all the standard HTTP methods (POST, GET, PUT, PATCH, DELETE, etc.) and check the results.
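What the test above should find is a dispatcher that checks authentication before any method handling and answers undeclared methods with 405 and an Allow header. The following is an added example, not code from the article: a small route table and dispatcher built that way, plus a probe helper that sends every standard method to one route and reports the status codes, so an unexpectedly accepted method stands out. The routes and their policies are constructed.

```python
# Constructed route table: the methods each endpoint declares, and whether
# it requires authentication.
ROUTES = {
    "/api/orders": {"methods": {"GET", "POST"}, "auth": True},
    "/api/health": {"methods": {"GET"}, "auth": False},
}
STANDARD_METHODS = ("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE")


def dispatch(method, path, authenticated):
    """Hardened dispatcher returning (status, headers).
    Authentication is checked before any method handling, so HEAD, OPTIONS
    or TRACE cannot reach a protected route anonymously, and a method the
    route does not declare gets 405 with an Allow header instead of silently
    falling through to the GET handler."""
    route = ROUTES.get(path)
    if route is None:
        return 404, {}
    if route["auth"] and not authenticated:
        return 401, {"WWW-Authenticate": "Bearer"}
    allowed = set(route["methods"])
    if "GET" in allowed:
        allowed.add("HEAD")  # HEAD is GET without a body, so it follows GET's rules
    if method not in allowed:
        return 405, {"Allow": ", ".join(sorted(allowed))}
    return 200, {}


def probe_methods(path, authenticated=False):
    """Testing aid: send every standard method to one route and collect the
    status codes."""
    return {m: dispatch(m, path, authenticated)[0] for m in STANDARD_METHODS}


def unexpected_methods(path, authenticated=False):
    """Methods that were accepted (2xx) but that the route does not declare;
    HEAD is tolerated on GET routes. A non-empty result is a finding."""
    route = ROUTES.get(path, {"methods": set()})
    declared = set(route["methods"])
    if "GET" in declared:
        declared.add("HEAD")
    return {m for m, code in probe_methods(path, authenticated).items()
            if code < 300 and m not in declared}


if __name__ == "__main__":
    print(probe_methods("/api/orders"))                      # all 401
    print(probe_methods("/api/orders", authenticated=True))  # GET/HEAD/POST 200, rest 405
    print(unexpected_methods("/api/orders", authenticated=True))  # set()
```

Run `probe_methods` twice per protected endpoint, once anonymously and once with a valid credential: the first pass should be uniformly 401, and the second should show 405 for everything the endpoint does not declare.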
5. SQL Injection (SQLi)
SQLi attacks succeed when the database processes unsanitized API input. Hence, it is crucial to validate your REST API for any SQLi bugs. Try running SQL fragments in the input such as:
' or 1=1--
" and 1=1--
If the API is vulnerable to SQLi, passing these values as parameters may bypass some restrictions and return 200 OK, e.g. www.testserver.com/api/auth-token/user=admin' or 1=1--
If the API is vulnerable to SQLi but the injection is not error-based (or the payload does not succeed outright), it may still produce a DBMS error in the response message and reply with a "500 Internal Server Error".
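Both symptoms described above, the 200 OK that bypasses the lookup and the 500 carrying a DBMS error, come from the same root cause: input concatenated into SQL text. This added example (not the article's code) reproduces the auth-token lookup against a constructed in-memory SQLite table, once with string concatenation and once with a bound parameter, so the two responses to the article's `admin' or 1=1--` input can be compared side by side. The table, tokens and function names are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "tok-admin"), ("alice", "tok-alice")])
    return conn


def auth_token_unsafe(conn, user):
    """Vulnerable pattern: the user parameter is concatenated into the SQL
    text, so a quote in the input closes the string literal and the rest is
    parsed as SQL. Returns (status, body)."""
    sql = f"SELECT token FROM users WHERE name = '{user}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.DatabaseError as exc:
        # A malformed injection surfaces as a DBMS error, i.e. the 500 symptom.
        return 500, f"internal error: {exc}"
    return (200, row[0]) if row else (404, "no such user")


def auth_token_safe(conn, user):
    """Hardened pattern: a bound parameter. The driver passes the input as
    data, so it can never change the statement's structure; the same input
    is simply a user name that does not exist."""
    row = conn.execute("SELECT token FROM users WHERE name = ?", (user,)).fetchone()
    return (200, row[0]) if row else (404, "no such user")


def compare(user):
    """Run both handlers on the same input and return (unsafe_status, safe_status)."""
    conn = make_db()
    return auth_token_unsafe(conn, user)[0], auth_token_safe(conn, user)[0]


if __name__ == "__main__":
    for probe in ("alice", "admin' or 1=1--", "admin'"):
        print(repr(probe), compare(probe))
    # 'alice'            (200, 200)
    # "admin' or 1=1--"  (200, 404)   the bypass the article describes
    # "admin'"           (500, 404)   the DBMS-error symptom
```

The same three probes make a useful regression test for a real endpoint: once the handler is parameterized, the `or 1=1--` input must return 404 (or 401), never 200, and an unbalanced quote must return a clean 4xx rather than a 500 with database text in the body.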
In Conclusion
Given that machine-to-machine traffic is growing exponentially, it is mandatory for all organizations to have effective API testing methods in place. The methods described above are fundamental to addressing the critical security aspects in the OWASP Top 10. The forthcoming article will explore the leading open-source tools for protecting the API ecosystem.
About the Author
Vinoth Venkatesan – Cybersecurity professional at heart with over two decades of experience in Information Technology and Cybersecurity. He is an Australian Computer Society (ACS) Senior Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials. Vinoth loves to write about the latest cyber happenings and blockchain-related topics.