What is API Security Testing & How to Perform It? A Detailed Guide

Updated: November 13th, 2024
16 mins read
API Security Testing

API security testing is a process of carefully evaluating API endpoints to identify and remediate vulnerabilities such as fuzzy input, parameter tampering, or injection attacks. Acting as the first line of defense, it meticulously examines endpoints to identify and neutralize vulnerabilities before attackers can exploit them.

API security is achieved by strengthening its three pillars: Regular Testing, API Threat Protection, and API access control, each with its own vulnerabilities and testing methods. 

Regular API security testing is crucial to protecting data from leaks, maintaining data integrity, and improving overall security posture. Before we discuss the procedure, let’s examine the specific vulnerabilities it helps you pinpoint.

Common Vulnerabilities Found in Various API Types

Common Vulnerabilities Found in Various API Types

1. REST APIs

REST APIs or RESTful APIs are stateless APIs that use simple HTTP requests to access and use data. It is one of the most used types of API due to its simplicity and flexibility of implementation in any language.

Common Vulnerabilities Found in REST APIs:

  1. Injection Attacks: Attackers insert malicious code into the requests to manipulate the APIs’ intended behavior. SQL Injection, Host-Header Injection, and Command Injection are some of the most common attacks.
  1. Session Management Issues: Inadequate Session Management issues can lead to Authorization vulnerabilities. 

For example, BIG-iP was recently affected by a session management vulnerability (CVE-2024-22389) in which deleted or updated API tokens could still be used on peer devices until they expire.

2. SOAP APIs

SOAP, or Simple Object Access Protocol, uses XML-based messaging to transfer data between the client and server. It is preferred when operations require repetitive or chained tasks as it is a stateful API that stores the information on the server.

Common Vulnerabilities Found in SOAP APIs:

  1. WSDL Exposure: If the WSDL file is exposed to the attackers, they can view detailed information about the API structure and operations, allowing them to craft more targeted attacks.
  2. Cross-Site Request Forgery: Insufficient CSRF protection can make the application vulnerable to CSRF attacks, allowing attackers to manipulate users into performing malicious actions. 

For example, 2 vulnerabilities in the API of Cisco Expressway Series devices allow unauthenticated users to perform CSRF attacks through the affected components.

3. GraphQL

GraphQL is a flexible and efficient query language for APIs. It allows the client side to request the exact amount of data required to reduce data over- and underfetching.

Common Vulnerabilities Found in GraphQL APIs:

  1. Injection Attacks: Similar to REST, GraphQL APIs are also vulnerable to injection attacks, in which attackers insert malicious code into the requests to manipulate the APIs’ intended behavior.
  2. Introspection Attack: GraphQL instances generally have the introspection system enabled by default, which allows the client to query the GraphQL schema to get information about it. 

For example, in SuiteCRM, GraphQL introspection was enabled without authentication, allowing the attackers to understand the entire attack surface, including fields like UserHash.

4. JSON-RPC and XML-RPC

JSON-RPC and XML-RPC are remote call protocols that use JSON and XML, respectively, to communicate between the client and the server. They send an HTTP request to a server that implements RPC and receives an HTTP response.

Common Vulnerabilities in JSON and XML RPC:

  1. Brute Force Attacks: These attacks involve attempting various combinations of user credentials to gain unauthorized access. XML-RPC can be easily leveraged as an entry point for attacks and can execute multiple login attempts rapidly, leading to brute-force attacks.
  2. Remote Code Execution: In this attack, attackers can execute malicious code on the server from a remote connection. 

For example, in Snapcast, attackers could gain remote code execution by leveraging Snapcast’s functionality and using the JSON-RPC API to create a new stream.

shield

Why Astra is the best in pentesting?

  • We’re the only company that combines automated & manual pentest to create a one-of-a-kind pentest platform.
  • Vetted scans ensure zero false positives.
  • Our intelligent vulnerability scanner emulates hacker behavior & evolves with every pentest.
  • Astra’s scanner helps you shift left by integrating with your CI/CD.
  • Our platform helps you uncover, manage & fix vulnerabilities in one place.
  • Trusted by the brands you trust like Agora, Spicejet, Muthoot, Dream11, etc.
cto

Why Do You Need API Security Testing?

Ensuring API security is necessary to maintain the security posture of your website and, subsequently, your organization. Here are the key reasons for maintaining API security:

Protection of Sensitive Data:

API weaknesses can expose sensitive data such as customer information, financial details, or intellectual property. Regular testing helps identify and fix these flaws, preventing data breaches and leaks. 

This protects data integrity and avoids potential reputational damage and the loss of customer trust.

Ensuring Service Availability:

Malicious actors can exploit vulnerabilities to launch Denial-of-Service (DoS) attacks, overwhelming your APIs and making them unavailable to legitimate users. 

Robust API penetration testing tools help uncover these weaknesses, allowing you to implement measures that prevent such attacks and ensure reliable service for your users.

Maintaining Compliance:

Industrial regulations, such as HIPAA, GDPR, ISO, and SOX, mandate specific security controls during data handling. Failure to comply with such regulations due to API vulnerabilities can lead to hefty fines and legal liabilities. 

Regular security testing helps you identify and address these gaps, ensuring your APIs adhere to relevant regulations and protecting your business from legal trouble.

Improving Stakeholder Trust:

Customers and partners entrust you with their data when they interact with your APIs. Regular security testing demonstrates your commitment to data protection, strengthening business relationships, and fostering customer confidence in your services.

How to Perform API Security Testing?

1. Planning and Scope Definition

The first step is identifying the APIs that need to be tested for security weaknesses. This involves defining the proper scope of testing, understanding the APIs’ functionalities and data flow, and determining the tools to use.

2. Vulnerability Assessment

In this step, we use a mix of automated and manual testing methods to identify the weaknesses and misconfigurations present in the APIs we are testing. This can be done with the help of the following methods:

a. API Input Fuzzing

Fuzzing means providing the API with random or unexpected data to the API to uncover vulnerabilities, if any. This can be done in various ways. 
For numerical inputs, we can provide the API with large numbers, negative numbers, or even 0 to try to extract any information or view the error messages. Similarly, we can try adding SQL queries, system commands, or random special characters for string inputs.

We can use tools like FuzzAPI to automate this whole process.

Step 1: Download and install Fuzzapi. Read this to know how to do that.

Step 2: Once Fuzzapi is installed, open your browser and navigate to localhost:3000. You will see something like the image below.

REST API security fuzzing

Step 3: Add the URL you want to test in the URL field. Select the method of your choice. Add the info if needed in the Raw Headers and Parameters field; otherwise, leave them blank. Finally, click the Scan button.

API Input Fuzzing

Step 4: Wait while the test continues. Once finished, if the API is vulnerable, the final results will be shown in the image below.

REST API security fuzzing

Testing for API Injection Attacks

1. SQL Injection

SQLi attacks are successful when the database processes the unsanitized API input. Hence, testing your REST API for any SQLi bugs is important. Try providing SQL commands in the input like:

'or 1=1--
"and 1=1--

If the API is vulnerable to SQLi (error-based and/or SQLi), these values in the parameters may help bypass some restrictions and respond with 200 OK. i.e.

www.xyz.com/api/auth-token/user=admin'or 1=1--

If the API is vulnerable to SQLi but not necessarily error-based and/or vulnerable, it may still generate a DBMS error in the message and respond with a 500 Internal error, like the one shown in the image.

API SQL injection

2. Command Injection

Various OS commands can also inject API inputs, which are then executed on the server. However, the commands for different Operating systems(Windows, Linux, etc.) would differ. 

For instance, the command “rm /” can remove the entire root directory on a Linux system. When the URL is encoded, this command looks like rm%20/.

So, for instance, if an API is being used to view a site’s contents, malicious code can be executed in the following manner.

https://example.com/view?name=file.txt;rm%20/

The semi-colon after the file.txt ends the input parameter and executes the OS command. However, be careful with this command, as it can delete the entire directory. Try something a little less harmful, like:

https://example.com/view?name=file.txt;reboot

However, if you wish to automate the process, try using Commix.

c. Authorization and Authentication Attacks

Broken Authentication attacks occur when weaknesses in authentication mechanisms, such as ill-configurations, weak passwords, policies, or poor session management, are used to gain unauthorized access. 

For example, attackers can perform Brute Force attacks, first identifying the login endpoint.

POST /api/login

{
	"username": "admin",
	"password": "admin123"
}

Then, tools like Burp Suite or Hydra can be used to set up and perform Brute Force attacks with a wordlist of common username and password combinations.

You can use the following command in Hydra:

hydra -l admin -P /path/to/passwords.txt [example.com](<http://example.com/>) http-post-form "/api/login:username=^USER^&password=^PASS^:F=incorrect"

If the application has any default or common credentials, you can gain unauthorized access to the application.

Broken Access Control attacks occur when the application does not enforce proper access controls, allowing users to perform actions without permission. They can result in privilege escalation or unauthorized access to sensitive resources.

Broken Access Control can lead to attacks like Insecure Direct Object References(IDOR).

First, identify endpoints like the ones below

]GET /api/user/123/profile

Use any proxy tool like Burp Suite or OWASP ZAP to capture and modify these requests.

Change the user ID from “123” to any other valid user IDs.

GET /api/user/143/profile

Observe the response of the new modified API request and check for a valid response for the user data. If it returns valid data, it is vulnerable to the IDOR attack.

d. Discovering Zombie APIs

Zombie APIs are old or unused APIs that are still active but not updated or maintained. As they are not maintained, zombie APIs can lead to security risks and can be exploited for vulnerabilities.

Firstly, to identify these Zombie APIs, you can perform an extensive scan of the API inventory to look for older and unmaintained APIs.

To convert OpenAPI or Swagger to static documentation, you can use tools like Apigee, AWS API Gateway, or open-source tools like Widdershins.

Common Tests to Assess Zombie APIs:

  • Test for data accessed by zombie APIs(user data, financial data, etc.)
  • Test for Authentication and Authorization.
  • Test for weak encryption implementation.
  • Test for known vulnerabilities or CVEs.

Tools to look for vulnerabilities in zombie APIs: Astra API Pentest, Nessus, OpenVAS, and ZAP.

e. Unhandled HTTP Methods and Parameter Tampering

Web applications communicating using API often use various HTTP methods to save, remove, or retrieve data. If a server does not support an HTTP method, it should typically show an error. 

However, this is not always the case, especially for vulnerable APIs.

To test for such vulnerability, make a HEAD request to your API endpoint, which requires authentication. To accomplish this using Python, add the following code to a Python script and run it:

import requests 

x = requests.head('API-URL')

print(x.headers)

Replace API-URL with the URL you wish to test.

  • If you get a 405 method not allowed or 501, everything is fine.
  • If you get a 200 OK response ****without authentication, it may be a vulnerability.

Parameters sent through an API request may be vulnerable to tampering. By tampering with them, an attacker can change a product’s values and purchase it almost for free.

For instance, if there is a hidden field in the form submitted by the user like this:

<input type="hidden" name="price" value="100.00" />

The attacker can change the value from 100.00 to 1 and get the product almost free of cost. This can be done using the element inspector in any browser. So make sure to test such hidden fields sending requests to your API endpoint.

f. Rate Limiting Testing

Rate Limiting is a process of limiting the number of requests that can be sent to an API within a specific time. Testing for it means verifying that all the limits are properly set and enforced on all APIs.

The first step is to review the documentation of the APIs and check whether rate-limiting policies are implemented.

Then, using tools like Postman, Apache JMeter, or simply cURL, you can send multiple requests to the API to observe the response for rate-limiting policies.

You can use cURL in the following way to send multiple requests:

for i in {1..120}; do curl -X GET "<https://example.com/api/resource>"; done

If the API responds to all the requests that were sent, then no rate-limiting mechanism has been implemented on that API.

3. Exploitation

As a critical validation point, during this stage, all the findings from the vulnerability assessment phase are meticulously leveraged and exploited to assess their potential impact, exploitability, and possible attack vectors.

Important tools used during this phase:

  • Postman
  • Burp Suite
  • ZAP

4. Reporting and Remediation

After successfully exploiting all the vulnerabilities, collect all the findings and prepare a detailed report on them, including their severity, steps to reproduce them, and, most importantly, recommendations for remediation. 

Top 3 Tools for API Security Testing

1. Astra Pentest

Astra Pentest dashboard

Features:

  • Scanner Capabilities: Automated and Manual testing of Applications, Cloud Infrastructure, API, and Networks
  • Deployment: SaaS
  • Accuracy: Zero False Positives Assured (Vetted Scans)
  • Scan Behind Logins: Yes
  • Compliance: PCI-DSS, HIPAA, SOC2, and ISO 27001
  • Integrations: Slack, Jira, GitHub, GitLab, CI Circle, and more.
  • Expert Remediation: Yes
  • Pricing: Starts at $199/month

Astra’s API Pentest integrates the powerful, AI-driven Astra vulnerability scanner with expert manual penetration testing, ensuring compliance with industry benchmarks like OWASP TOP 10 and SANS 25.

With a portfolio of 9,300+ tests, vetted scans help guarantee zero false positives. In-depth pentests and custom AI test cases help identify unique attack vectors and business logic vulnerabilities like user privilege escalation.

2. ZAP

ZAP automated API pentesting solution

Features:

  • Scanner Capabilities: Automated web application scanning
  • Deployment: Local, Docker, and Cloud
  • Accuracy: Some false positives are possible
  • Scan Behind Logins: Yes
  • Compliance: No specific compliance reports
  • Integrations: Jenkins, Jira, and other CI/CD tools
  • Expert Remediation: No
  • Pricing: Open-Source

OWASP Zed Attack Proxy (ZAP) is an open-source web application security scanner designed to find vulnerabilities in web applications.

It is a widely used tool by security professionals and can perform automated scans and manual testing, making it versatile for various use cases for your web application security needs.

As a pentester, ZAP helps you easily discover misconfigurations and vulnerable endpoints, which you can leverage to create severe vulnerabilities.

3. Postman

Postman API Security testing dashboard

Features:

  • Scanner Capabilities:  Automated and manual web app and API testing
  • Deployment: Local
  • Accuracy: Some false positives are possible
  • Scan Behind Logins: Yes
  • Compliance: No specific compliance reports
  • Integrations: Github, Slack, and other CI/CD tools
  • Expert Remediation: No
  • Pricing: Starts at $14/month along with a good Free plan

Postman is a powerful tool that simplifies creating, testing, and managing APIs. It provides the developers with features like automated testing and environment management to ensure the performance and reliability of the APIs.

As a security engineer, Postman’s user-friendly interface allows you to easily navigate through the APIs and perform accurate tests according to the data flow.

Astra Pentest is built by the team of experts that helped secure Microsoft, Adobe, Facebook, and Buffer


character

API Security Checklist

API Security Checklist

Information Gathering

  • Determine the type of API being used. (REST, SOAP, GraphQL, etc.)
  • List all API endpoints
  • Identify HTTP methods used
  • Catalog-required headers and cookies
  • Review API resources and data flows.

Misconfigurations

  • Test error handling configurations.
  • Test for default configurations.
  • Test Web Application Firewall rules.
  • Test for open ports or unused services.

Session Management

  • Test session token generation and expiration.
  • Test for cookies for proper security flags.
  • Test for session hijacking vulnerabilities.
  • Test for session fixation.

Input Validation

  • Test for Injection attacks.
  • Test for file inclusion attacks.
  • Test for output encoding in responses.
  • Test for file upload vulnerabilities.

Sensitive Data Exposure

  • Test for responses with sensitive data.
  • Test for responses with excessive data.
  • Test for data encryption in transit (HTTPS).
  • Test for strong encryption protocols.

Business Logic Testing

  • Test for logic flaws in data flow and processes.
  • Test for proper validation in processes.
  • Test for unauthorized action by modifying parameters.

API Security Best Practices

  • Implement access token. Access tokens are available to users while signing up to maintain a level of authorization. Validate Access tokens every time a user requests the API. Also, add an option to revoke or reset the token.
  • Use SSL to encrypt HTTP messages to and from your API.
  • Always sanitize the input parameters sent to API, including the access token field.
  • Limit the number of requests to your API per minute to avoid DoS attacks.
  • Use a security solution to scan every request being made to the API to block malicious packages and attacks.
API Security infographic
Image: API Security Testing Infographic

Final Thoughts

In conclusion, API security is of the utmost importance in helping you protect sensitive data and the integrity of the applications. The key to a successful penetration test is a properly guided and planned test following each step to uncover critical vulnerabilities like Zombie attacks or Broken Access Control. 

Moreover, using manual and automated tools such as Astra, ZAP, and Postman to test APIs can help make the security process more effective. Regular API security testing can help you minimize the risk of API-based vulnerabilities and meet regulatory compliance requirements.

FAQs

1. What is the timeline for API Secuity testing?

The typical timeline for an API security test is 5-7 days after onboarding. This timeline covers the actual testing and reporting phase, but it may also differ slightly depending on the scope of the test.

2. How much does API security testing cost?

API security testing costs anywhere between $349 and $1499 per scan or has different packages depending on the scope, number of assets, or number of scans required. Check out Astra’s pricing.

3. Why choose Astra for Security Testing?

1250+ tests, adherence to global security standards, an intuitive dashboard with dynamic visualization of vulnerabilities and their severity, security audit with simultaneous remediation assistance, and multiple rescans are the features that give Astra an edge over all competitors.