API stands for – Application programming interface. It is a means for communication between your application and other applications based on a set of rules. In layman’s terms, it is a language used among various applications. For example, you are able to put a twitter handle on the sidebar of your WordPress blog because WordPress uses the Twitter API.
API stands for – Application programming interface. It is a means of communication between your application and other applications based on a set of rules.
In layman’s terms, it is a language used among various applications. For example, you are able to put a twitter handle on the sidebar of your WordPress blog because WordPress uses the Twitter API. APIs have been in use by developers, programmers, and their clients for a few decades now and are set to stay.
API security is nothing but securing the API endpoints from attackers. A vulnerable API could lead to:
- Unauthorized Access
- Data leakage
- Sanctioning Fuzzy input
- Injection Vulnerabilities
- Parameter Tampering, etc.
Not sure if you have vulnerable API rules on your website? Just stick around till the end. The API security testing methods depicted in this blog are all you need to know & protect your API better. All that in a minute.
But first, let’s take a quick look into – why exactly do you need to secure your API.
|Security Issues||Tools to test|
(SQLi, LDAP, CRLF)
|Burp Suite, Proxy, SQLmap|
|Broken Authentication||Burp Suite, Manual Testing|
|Data Exposure||Acunetix, DirBuster|
|XSS||Burp Suite, Manual Testing|
Why Do You Need API Security Testing?
As we said, API allows data exchange between applications. If a hacker breaches API security, he/she can access sensitive data stored on your website.
Other bitter consequences of an API security breach could be:
- Data leaks of customers. This data is then sold in the black market.
- Defacement to your website & business. It can severely affect your & your brand’s reputation in the market.
- Plunge in users and revenue.
- Lawsuits (if there is negligence on your behalf).
The following API security breaches in popular companies will paint a more realistic picture before you:
- Airtel API was found leaking the information of their customers by just using their numbers. According to an estimate, there are around 325 million active users of Airtel. Not to say, the result could have been disastrous!
- In 2019, a bug CVE-2019-5786 was found in the File Reader API. This led to a vulnerability in almost all major browsers. Hackers exploited it wildly to target Chrome users!
- Hostinger, a famous hosting service provider, said one of its servers was hacked; using which the attackers were able to access its internal API. Details of around 14 million clients were stolen!
- JustDial, the largest local search engine platform in India, was accused in 2019 of leaking its entire database of customer data of over 100 million users that included information of users such as their names, emails, mobile phone numbers, date of birth, gender, occupation, photos, and more. Essentially, any piece of data provided through the use of its website, its app, its customer support system, everything, was leaked.
What is the REST API?
REST is basically an API designing style. It stands for “Representational State Transfer“. By designing style we mean – it is a set of rules that API designers follow while creating an API.
Remember that REST API is a designing style of an API and therefore is platform-independent. This is to say, Rest API can be implemented in any language (PHP, Python, etc.). Generally, the data is exchanged in XML or JSON. Although it’s not specified.
REST API is not free from vulnerabilities. You need to look-out for the common vulnerabilities if you never want to become prey to these. The following API Security testing methods shall help you pin-point vulnerabilities in your API rules.
Common Myths About API Security
1. API security is integral to API
Quite often consumers view API security as a feature of API. It’s not a feature. It’s a different technology. Understand that securing your API requires looking elsewhere, beyond your API itself. API security is a mindset and not a feature.
2. Using software to secure your API is enough
Software-based API security is an option available to you as you look to manage your API. It’s pretty convenient and if you don’t have a ton of understanding about how it all works anyway, you might think that it’s all fine. Unfortunately, you’d be wrong, and there’s history to show why. All the infamous API security breaches have been connected to software: running alien code on your site is going to leave a whole host of vulnerabilities. So, go for a more concrete option such as API security testing.
3. It’s simple
As a concept API itself can be summed up with a good degree of simplicity, yes: two programs being connected through an API, and that’s it. However, API security is not that simple. And this might be one reason for you to think about investing in some outside advice from an expert in the area. The ironic part is that the simpler your actual API connection is, the less simple securing it is going to be. In the modern era, sharing data but at the same time securing it is what makes API security a necessarily complicated task.
4. API gateway is the same as API security gateway
API security gateways ought to be used all the time as a solution to the ongoing API security problems. Security gateways are able to limit the flow of data to precisely what it is that you need transferred and to stop you from hemorrhaging data that doesn’t necessarily need to be out there. A normal API gateway might be useful for your connection but it will never compare to a secure API gateway.
5. APIs automatically means better security
Many companies talk about their products being safe because they have features of API security, and they believe that API security ultimately means the best security. However, this is not true. Just having features from API security doesn’t mean that your product is secure or more secure than others.
While APIs can enhance your security and protection, and they can amp up the protection that your security system gives, they will not keep you safe enough on their own. This is what you need to know because it’s very common for people to believe that API identity security can keep you safe enough.
API Security Testing (Steps Included)
1. Test for API Input Fuzzing
Fuzzing simply means providing random data to the API until it spills something out. Some info, some error message or anything to imply that random data has been processed by the API.
For numerical inputs, you can try 0 or negative numbers or very large numbers. For string inputs to the API, you can try SQL queries or system commands or random characters like “, ‘, //, etc. But if you wish to automate the whole process, there is an open-source fuzzing tool called Fuzzapi.
To use Fuzzapi follow these steps:
Step 1: Download and install Fuzzapi. Read this to know how to do that.
Step 2: Now, once Fuzzapi is installed, open your browser and navigate to localhost:3000. You will see something like the image given below.
Step 3: In the URL field, add the URL you want to test. Select the method of your choice. In the Raw Headers and Parameters field, add the info if needed otherwise leave them blank. Finally, click the Scan button.
Step 4: Wait while the test goes on. Once finished, if the API is vulnerable final results will be shown like the image given below.
2. Test for API Injection Attacks
a) SQL Injection
SQLi attacks are successful when the unsanitized API input is processed by the database. Hence, it is important to test your REST API for any SQLi bugs. Try providing SQL commands in the input like:
If the API is vulnerable to SQLi (error-based and/or SQLi), these values into the parameters may help bypass some restrictions and respond with 200 OK. i.e.
If the API is vulnerable to SQLi but not necessarily error-based and/or vulnerable, it may still generate a DBMS error in the message and respond with 500 Internal error. Like the one shown in the image.
Moreover, if you wish to automate the process, try using Sqlmap.
b) Command Injection
The API inputs can also be injected by various OS commands. These commands then get executed on the server. However, for different Operating systems(Windows, Linux, etc), the commands would be different. For instance, for a Linux system, the command “rm /” can remove the entire root directory. When URL encoded, this command would look something like rm%20/.
So for instance, an API is being used to view the contents of a site, then malicious code can be executed in the following manner.
The semi-colon after the file.txt ends the input parameter and executes the OS command. However, be careful with this command as it can delete the entire directory. Try something a little less harmful like:
However, if you wish to automate the process, try using Commix.
3. Test for Parameter Tampering
Often, parameters sent through an API request may be vulnerable to tampering. By tampering them, an attacker can change the values of a product and therefore purchase it almost free.
For instance, if there is a hidden field in the form submitted by the user like this:
<input type="hidden" name="price" value="100.00" />
The attacker can change the value from 100.00 to 1 and buy the product almost free. This can be done using the element inspector in any browser. So make sure to test such hidden fields sending requests to your API endpoint.
4. Test for Unhandled HTTP Methods
Web applications communicating using API often use various HTTP methods. These HTTP methods are used for saving, removing or getting the data. So if a server does not support an HTTP method, typically it should show an error. But this is not the case always, especially for vulnerable APIs.
To test for such vulnerability, make a HEAD request to your API endpoint which requires authentication. There are several ways to send HEAD requests. To accomplish this using python, add the following code to a python script and run it:
import requests x = requests.head('API-URL') print(x.headers)
Replace API-URL with the URL you wish to test.
- If you get a 405 method not allowed or 501, everything is fine.
- In case you get a 200 OK without authentication, it may be a vulnerability.
API Security Best Practices
- Implement access token. Access tokens are available to users while signing up to maintain a level an authorization. Validate Access tokens every time a user requests the API. Also, add an option to revoke or reset the token.
- Use SSL to encrypt HTTP messages to and from your API.
- Always sanitize the input parameters sent to API. This should include the access token field.
- Limit the number of requests to your API per minute by any user.
- Use a security solution to scan every request being made to the API.
- WordPress users can use our plugin – WP Hardening to disable WP-JSON-API with a click.
The foremost important thing is to follow the API security practices mentioned above. As they can provide a sufficient layer of security to the API endpoint.
However still if your website’s API has been compromised. Get immediate professional help.
An average user may find it cumbersome to find and patch the vulnerability. In such an event, you can always go for automated security solutions such as Astra to test and secure your API.
If you have any other questions about API or Astra, comment below. We promise to get back soon 🙂