API Security Testing: Importance, Rules & Checklist
API stands for – Application programming interface. It is a means of communication between your application and other applications based on a set of rules.
In layman’s terms, it is a language used among various applications. For example, you are able to put a twitter handle on the sidebar of your WordPress blog because WordPress uses the Twitter API.
API security is nothing but securing the API endpoints from attackers. A vulnerable API could lead to:
- Unauthorized Access
- Data leakage
- Sanctioning Fuzzy input
- Injection Vulnerabilities
- Parameter Tampering, etc.
Not sure if you have vulnerable API rules on your website? Just stick around till the end.
The API security testing methods depicted in this blog are all you need to know & protect your API better. All that in a minute.
But first, let’s take a quick look into – why exactly do you need to secure your API.
Why Do You Need API Security Testing?
As we said, API allows data exchange between applications. If a hacker breaches API security, he/she can access sensitive data stored on your website.
Other bitter consequences of an API security breach could be:
- Data leaks of customers. This data is then sold in the black market.
- Defacement to your website & business. It can severely affect your & your brand’s reputation in the market.
- Plunge in users and revenue.
- Lawsuits (if there is negligence on your behalf).
The following API security breaches in popular companies will paint a more realistic picture before you:
- Airtel API was found leaking the information of their customers by just using their numbers. According to an estimate, there are around 325 million active users of Airtel. Not to say, the result could have been disastrous!
- In 2019, a bug CVE-2019-5786 was found in the File Reader API. This led to a vulnerability in almost all major browsers. Hackers exploited it wildly to target Chrome users!
- Hostinger, a famous hosting service provider, said one of its servers was hacked; using which the attackers were able to access its internal API. Details of around 14 million clients were stolen!
What is the REST API?
REST is basically an API designing style. It stands for “Representational State Transfer“. By designing style we mean – it is a set of rules that API designers follow while creating an API.
Remember that REST API is a designing style of an API and therefore is platform-independent. This is to say, Rest API can be implemented in any language (PHP, Python, etc.). Generally, the data is exchanged in XML or JSON. Although it’s not specified.
REST API is not free from vulnerabilities. You need to look-out for the common vulnerabilities if you never want to become prey to these. The following API Security testing methods shall help you pin-point vulnerabilities in your API rules.
API Security Testing. (Steps Included)
1. Test for API Input Fuzzing
Fuzzing simply means providing random data to the API until it spills something out. Some info, some error message or anything to imply that random data has been processed by the API.
For numerical inputs, you can try 0 or negative numbers or very large numbers. For string inputs to the API, you can try SQL queries or system commands or random characters like “, ‘, //, etc. But if you wish to automate the whole process, there is an open-source fuzzing tool called Fuzzapi.
To use Fuzzapi follow these steps:
Step 1: Download and install Fuzzapi. Read this to know how to do that.
Step 2: Now, once Fuzzapi is installed, open your browser and navigate to localhost:3000. You will see something like the image given below.
Step 3: In the URL field, add the URL you want to test. Select the method of your choice. In the Raw Headers and Parameters field, add the info if needed otherwise leave them blank. Finally, click the Scan button.
Step 4: Wait while the test goes on. Once finished, if the API is vulnerable final results will be shown like the image given below.
2. Test for API Injection Attacks
a) SQL Injection
SQLi attacks are successful when the unsanitized API input is processed by the database. Hence, it is important to test your REST API for any SQLi bugs. Try providing SQL commands in the input like:
If the API is vulnerable to SQLi (error-based and/or SQLi), these values into the parameters may help bypass some restrictions and respond with 200 OK. i.e.
If the API is vulnerable to SQLi but not necessarily error-based and/or vulnerable, it may still generate a DBMS error in the message and respond with 500 Internal error. Like the one shown in the image.
Moreover, if you wish to automate the process, try using Sqlmap.
b) Command Injection
The API inputs can also be injected by various OS commands. These commands then get executed on the server. However, for different Operating systems(Windows, Linux, etc), the commands would be different. For instance, for a Linux system, the command “rm /” can remove the entire root directory. When URL encoded, this command would look something like rm%20/.
So for instance, an API is being used to view the contents of a site, then malicious code can be executed in the following manner.
The semi-colon after the file.txt ends the input parameter and executes the OS command. However, be careful with this command as it can delete the entire directory. Try something a little less harmful like:
However, if you wish to automate the process, try using Commix.
3. Test for Parameter Tampering
Often, parameters sent through an API request may be vulnerable to tampering. By tampering them, an attacker can change the values of a product and therefore purchase it almost free.
For instance, if there is a hidden field in the form submitted by the user like this:
<input type="hidden" name="price" value="100.00" />
The attacker can change the value from 100.00 to 1 and buy the product almost free. This can be done using the element inspector in any browser. So make sure to test such hidden fields sending requests to your API endpoint.
4. Test for Unhandled HTTP Methods
Web applications communicating using API often use various HTTP methods. These HTTP methods are used for saving, removing or getting the data. So if a server does not support an HTTP method, typically it should show an error. But this is not the case always, especially for vulnerable APIs.
To test for such vulnerability, make a HEAD request to your API endpoint which requires authentication. There are several ways to send HEAD requests. To accomplish this using python, add the following code to a python script and run it:
import requests x = requests.head('API-URL') print(x.headers)
Replace API-URL with the URL you wish to test.
- If you get a 405 method not allowed or 501, everything is fine.
- In case you get a 200 OK without authentication, it may be a vulnerability.
API Security Best Practices
- Implement access token. Access tokens are available to users while signing up to maintain a level an authorization. Validate Access tokens every time a user requests the API. Also, add an option to revoke or reset the token.
- Use SSL to encrypt HTTP messages to and from your API.
- Always sanitize the input parameters sent to API. This should include the access token field.
- Limit the number of requests to your API per minute by any user.
- Use a security solution to scan every request being made to the API.
- WordPress users can use our plugin – WP Hardening to disable WP-JSON-API with a click.
The foremost important thing is to follow the API security practices mentioned above. As they can provide a sufficient layer of security to the API endpoint.
However still if your website’s API has been compromised. Get immediate professional help.
An average user may find it cumbersome to find and patch the vulnerability. In such an event, you can always go for automated security solutions such as Astra to test and secure your API.
Get an Astra demo from here.
If you have any other questions about API or Astra, comment below. We promise to get back soon 🙂