Knowledge Base

API Security Testing: Importance, Rules & Checklist

Updated on: August 28, 2020

API Security Testing: Importance, Rules & Checklist

Article Summary

API stands for – Application programming interface. It is a means for communication between your application and other applications based on a set of rules. In layman’s terms, it is a language used among various applications. For example, you are able to put a twitter handle on the sidebar of your WordPress blog because WordPress uses the Twitter API.

API stands for – Application programming interface. It is a means of communication between your application and other applications based on a set of rules.

In layman’s terms, it is a language used among various applications. For example, you are able to put a twitter handle on the sidebar of your WordPress blog because WordPress uses the Twitter API.

API security is nothing but securing the API endpoints from attackers. A vulnerable API could lead to:

  • Unauthorized Access
  • Data leakage
  • Sanctioning Fuzzy input
  • Injection Vulnerabilities
  • Parameter Tampering, etc.

Not sure if you have vulnerable API rules on your website? Just stick around till the end.

The API security testing methods depicted in this blog are all you need to know & protect your API better. All that in a minute.

But first, let’s take a quick look into – why exactly do you need to secure your API.

Security IssuesTools to test
Injection Flaw
Burp Suite, Proxy, SQLmap
Broken AuthenticationBurp Suite, Manual Testing
Data ExposureAcunetix, DirBuster
XSSBurp Suite, Manual Testing

Why Do You Need API Security Testing?

As we said, API allows data exchange between applications. If a hacker breaches API security, he/she can access sensitive data stored on your website.

Other bitter consequences of an API security breach could be:

  • Data leaks of customers. This data is then sold in the black market.
  • Defacement to your website & business. It can severely affect your & your brand’s reputation in the market.
  • Plunge in users and revenue.
  • Lawsuits (if there is negligence on your behalf).

The following API security breaches in popular companies will paint a more realistic picture before you:

  • Airtel API was found leaking the information of their customers by just using their numbers. According to an estimate, there are around 325 million active users of Airtel. Not to say, the result could have been disastrous!
  • In 2019, a bug CVE-2019-5786 was found in the File Reader API. This led to a vulnerability in almost all major browsers. Hackers exploited it wildly to target Chrome users!
  • Hostinger, a famous hosting service provider, said one of its servers was hacked; using which the attackers were able to access its internal API. Details of around 14 million clients were stolen!
  • JustDial, the largest local search engine platform in India, was accused in 2019 of leaking its entire database of customer data of over 100 million users that included information of users such as their names, emails, mobile phone numbers, date of birth, gender, occupation, photos, and more. Essentially, any piece of data provided through the use of its website, its app, its customer support system, everything, was leaked.

What is the REST API?

REST is basically an API designing style. It stands for “Representational State Transfer“. By designing style we mean – it is a set of rules that API designers follow while creating an API.

Almost all popular companies like Facebook, YouTube, etc. use REST API (internally or externally). REST API is used in almost all popular open-source CMSes like WordPress, Magento, etc.

Remember that REST API is a designing style of an API and therefore is platform-independent. This is to say, Rest API can be implemented in any language (PHP, Python, etc.). Generally, the data is exchanged in XML or JSON. Although it’s not specified.

Moving on.

REST API is not free from vulnerabilities. You need to look-out for the common vulnerabilities if you never want to become prey to these. The following API Security testing methods shall help you pin-point vulnerabilities in your API rules.

Experience Astra’s Protection Yourself With Our 7-Day Free Trial!

Astra stops 7 million+ nasty attacks every month! Secure your site with Astra before it’s too late.

API Security Testing. (Steps Included)

1. Test for API Input Fuzzing

Fuzzing simply means providing random data to the API until it spills something out. Some info, some error message or anything to imply that random data has been processed by the API.

For numerical inputs, you can try 0 or negative numbers or very large numbers. For string inputs to the API, you can try SQL queries or system commands or random characters like “, ‘, //, etc. But if you wish to automate the whole process, there is an open-source fuzzing tool called Fuzzapi.

To use Fuzzapi follow these steps:

Step 1: Download and install Fuzzapi. Read this to know how to do that.

Step 2: Now, once Fuzzapi is installed, open your browser and navigate to localhost:3000. You will see something like the image given below.

REST API security fuzzing

Step 3: In the URL field, add the URL you want to test. Select the method of your choice. In the Raw Headers and Parameters field, add the info if needed otherwise leave them blank. Finally, click the Scan button.

Step 4: Wait while the test goes on. Once finished, if the API is vulnerable final results will be shown like the image given below.

REST API security fuzzing

2. Test for API Injection Attacks

a) SQL Injection

SQLi attacks are successful when the unsanitized API input is processed by the database. Hence, it is important to test your REST API for any SQLi bugs. Try providing SQL commands in the input like:

'or 1=1--
"and 1=1--

If the API is vulnerable to SQLi (error-based and/or SQLi), these values into the parameters may help bypass some restrictions and respond with 200 OK. i.e.'or 1=1--

If the API is vulnerable to SQLi but not necessarily error-based and/or vulnerable, it may still generate a DBMS error in the message and respond with 500 Internal error. Like the one shown in the image.

API SQL injection

Moreover, if you wish to automate the process, try using Sqlmap.

b) Command Injection

The API inputs can also be injected by various OS commands. These commands then get executed on the server. However, for different Operating systems(Windows, Linux, etc), the commands would be different. For instance, for a Linux system, the command “rm /” can remove the entire root directory. When URL encoded, this command would look something like rm%20/.

So for instance, an API is being used to view the contents of a site, then malicious code can be executed in the following manner.;rm%20/

The semi-colon after the file.txt ends the input parameter and executes the OS command. However, be careful with this command as it can delete the entire directory. Try something a little less harmful like:;reboot

However, if you wish to automate the process, try using Commix.

3. Test for Parameter Tampering

Often, parameters sent through an API request may be vulnerable to tampering. By tampering them, an attacker can change the values of a product and therefore purchase it almost free.

For instance, if there is a hidden field in the form submitted by the user like this:

<input type="hidden" name="price" value="100.00" />

The attacker can change the value from 100.00 to 1 and buy the product almost free. This can be done using the element inspector in any browser. So make sure to test such hidden fields sending requests to your API endpoint.

4. Test for Unhandled HTTP Methods

Web applications communicating using API often use various HTTP methods. These HTTP methods are used for saving, removing or getting the data. So if a server does not support an HTTP method, typically it should show an error. But this is not the case always, especially for vulnerable APIs.

To test for such vulnerability, make a HEAD request to your API endpoint which requires authentication. There are several ways to send HEAD requests. To accomplish this using python, add the following code to a python script and run it:

import requests                                                                 x = requests.head('API-URL') 

Replace API-URL with the URL you wish to test.

  • If you get a 405 method not allowed or 501, everything is fine.
  • In case you get a 200 OK without authentication, it may be a vulnerability.

API Security Best Practices

  • Implement access token. Access tokens are available to users while signing up to maintain a level an authorization. Validate Access tokens every time a user requests the API. Also, add an option to revoke or reset the token.
  • Use SSL to encrypt HTTP messages to and from your API.
  • Always sanitize the input parameters sent to API. This should include the access token field.
  • Limit the number of requests to your API per minute by any user.
  • Use a security solution to scan every request being made to the API.

How the Astra Firewall Works?
How the Astra Firewall Works?
  • WordPress users can use our plugin – WP Hardening to disable WP-JSON-API with a click.

How to use the WP-Hardening plugin?
How to use the WP-Hardening plugin?

In Conclusion

The foremost important thing is to follow the API security practices mentioned above. As they can provide a sufficient layer of security to the API endpoint.

However still if your website’s API has been compromised. Get immediate professional help.

An average user may find it cumbersome to find and patch the vulnerability. In such an event, you can always go for automated security solutions such as Astra to test and secure your API.

Don’t take our words for it. See it for yourself!

Peek inside Astra

If you have any other questions about API or Astra, comment below. We promise to get back soon 🙂

Was this post helpful?

Vikas Kundu

Vikas is a computer science graduate with a keen interest in cybersecurity. Besides programming cool software, he also shares his knowledge on website security on niche blogs. He has written over 150 technical write-ups to date and is still actively writing. In his free time, he can be found playing football.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany