Beyond Compliance: API Security Testing
According to an article written by Nordic APIs, an international community of API practitioners and enthusiasts, in 2020, 90% of developers were using APIs and 83% of all internet traffic belonged to API-based services. Application Programming Interfaces (APIs) are commonly used in web and mobile applications to enable integration with third-party services and platforms, such as social media, payment gateways, and location-based services. They are also used in enterprise systems, such as customer relationship management (CRM) and enterprise resource planning (ERP) systems, to enable data sharing and workflow automation. APIs can also be used to expose data and functionality to third-party developers, allowing them to build new applications and services on top of existing platforms.
This article is intended to help developers and security testers in small organizations apply best practices when using both internal and external Application Programming Interfaces. It covers the basics of APIs, common vulnerabilities and their remediations, and examples of real breaches. The goal is to show why APIs must be secured during development and continuously tested once they are in production, so that your data and software stay protected from today’s threat actors. Let’s start with the basics.
APIs come in several architectural styles and protocols, including REST (Representational State Transfer), SOAP (Simple Object Access Protocol), and GraphQL, and they are typically consumed through software development kits (SDKs), web frameworks, and other development tools that make it easier to integrate with external systems and services. The following list will help you identify the types of APIs you wish to use or that are already in use in your environment(s).
- REST APIs: REST is a popular architectural style for building web APIs. REST APIs use standard HTTP methods (such as GET, POST, PUT, and DELETE) to manipulate resources, which are represented in a uniform format such as JSON or XML.
- SOAP APIs: SOAP is a protocol for exchanging structured information in the implementation of web services. SOAP APIs use XML as their messaging format and typically use the HTTP protocol for transport.
- GraphQL APIs: GraphQL is a query language for APIs that lets clients ask for exactly the fields they need in a single request rather than receiving a fixed response shape. That flexibility cuts both ways: the server must bound query depth and cost, or a single crafted query can be as expensive as thousands of REST calls.
- Open APIs (also known as Public APIs): These are APIs that are publicly available and can be used by third-party developers to build applications or services. Examples of open APIs include the Twitter API and the Google Maps API.
- Internal APIs (also known as Private APIs): These are APIs that are built for internal use within an organization and are not intended for public use. They can be used to integrate different systems and services within an organization.
- Partner APIs: These are APIs designed for use by trusted partners or customers. They require authentication and access controls so that only authorized partners can reach them, usually under a contract that governs their use.
- Composite APIs: These are APIs that are built by combining data or functionality from multiple APIs. They are used to provide a unified interface to multiple services or systems.
Application Programming Interfaces are used in a multitude of environments and handle a wide range of functions in software; however, they are often forgotten when companies perform security testing. Because APIs are designed to be modular and reusable, a change to one can have far-reaching consequences for every consumer. API security testing must be done during development and repeated periodically in production to identify issues before they become major problems.
The first thing to consider is who owns the API and that owner’s security posture. Introducing a third-party API into your environment may provide a path to other assets in your infrastructure. Every API should have detailed, current documentation of its endpoints, parameters, and authentication requirements. Generally, to use an API a developer must obtain an access key (or another credential) in order to send requests. Each of these steps matters for both development and security testing. Keep access keys out of source code and out of public documentation, and keep both the documentation and the code version-controlled and up-to-date; this is easy to overlook, but multiple versions of an API are often in use at once. These may seem like small measures, yet many attacks on APIs come down to compromised keys or forgotten endpoints and versions that were never retired.
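As an added example (not code from the original article): a small Python sketch of the key hygiene described above, which also illustrates the rate-limiting and API-key recommendations later in this article. Keys are stored only as hashes, compared in constant time, can be revoked instantly, and each key gets its own token bucket. The in-memory store, the key format, and the bucket size are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory key store, for illustration only. Only a SHA-256
# hash of each key is kept, so a leaked table does not yield usable keys.
KEY_STORE = {}   # key_id -> {"hash": bytes, "owner": str, "revoked": bool}
BUCKETS = {}     # key_id -> TokenBucket


def issue_key(owner):
    """Create a key for `owner` and return the plaintext exactly once."""
    key_id = secrets.token_hex(8)            # public identifier, safe to log
    secret = secrets.token_urlsafe(32)       # 256 bits of entropy
    plaintext = f"{key_id}.{secret}"
    KEY_STORE[key_id] = {
        "hash": hashlib.sha256(plaintext.encode()).digest(),
        "owner": owner,
        "revoked": False,
    }
    return plaintext


def revoke_key(key_id):
    """Revocation is a flag flip, so a compromised key dies immediately."""
    if key_id in KEY_STORE:
        KEY_STORE[key_id]["revoked"] = True


def verify_key(presented):
    """Return the owning application for a valid, unrevoked key, else None."""
    key_id, _, _ = presented.partition(".")
    record = KEY_STORE.get(key_id)
    if record is None or record["revoked"]:
        return None
    digest = hashlib.sha256(presented.encode()).digest()
    # Constant-time comparison: cheap insurance against timing side channels.
    if not hmac.compare_digest(digest, record["hash"]):
        return None
    return record["owner"]


class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `refill_per_sec`."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now=None):
        now = time.monotonic() if now is None else now
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def handle_request(presented_key, now=None):
    """Authenticate the key, then rate-limit per key. Returns an HTTP-style
    status: 401 (bad or revoked key), 429 (over limit) or 200."""
    owner = verify_key(presented_key)
    if owner is None:
        return 401
    key_id = presented_key.partition(".")[0]
    bucket = BUCKETS.setdefault(key_id, TokenBucket(capacity=5, refill_per_sec=1.0))
    if not bucket.allow(now):
        return 429
    return 200
```

The key carries a public identifier in front of the secret so that logs and the revocation call can name a key without ever containing the secret itself. The `now` parameter exists only so the limiter can be tested deterministically; real callers omit it.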
Generally, to use an API, you send an HTTP request to an endpoint and receive a response from the server. The specifics depend on the API, but typically involve passing parameters in the URL or data in the request body. The API responds with data in a specific format, such as JSON or XML, which your application then parses to extract the information it needs. This whole exchange must be secured and tested for vulnerabilities that could harm the software or its end users. The most commonly cited API vulnerabilities are injection, broken authentication and authorization, insufficient logging and monitoring, cross-site scripting (XSS), denial of service (DoS), broken function level authorization, and improper error handling. Each is explained below.
- Injection Attacks: Injection occurs when untrusted input is concatenated into a query or command (SQL, NoSQL, OS command, LDAP) instead of being passed as data, allowing an attacker to alter what the back end executes and read or modify data they were never authorized to touch.
- Broken Authentication and Authorization: APIs that lack strong authentication and authorization mechanisms let attackers gain unauthorized access to data or resources. Broken authentication lets an attacker pose as another user (weak credentials, unverified tokens, long-lived keys); broken object-level authorization lets an authenticated user reach another user’s data simply by changing an identifier in the request, which is why it is listed first in the OWASP API Security Top 10.
- Insufficient Logging and Monitoring: APIs that do not have sufficient logging and monitoring capabilities can make it difficult to detect and respond to attacks. This can lead to extended periods of unauthorized access or data breaches.
- Cross-Site Scripting (XSS): An API rarely renders HTML itself, but the data it stores and returns is often inserted into web pages by a front-end client. If the API accepts and echoes back unvalidated input, and the client renders it without output encoding, an attacker can plant script that runs in other users’ browsers to steal session tokens or act on their behalf. Returning the correct Content-Type (application/json rather than text/html) and encoding on output in the consumer are the controls.
- Denial-of-Service (DoS) Attacks: DoS attacks overload an API with excessive traffic, or with a small number of unusually expensive requests (deep GraphQL queries, unbounded page sizes, large uploads), causing it to crash or become unavailable. This can result in extended periods of downtime and loss of business.
- Broken Function Level Authorization: APIs that expose administrative or privileged operations (deleting users, changing roles, exporting data) and check only that the caller is logged in, not that the caller’s role permits the operation, let ordinary users perform actions reserved for administrators, often just by guessing the admin endpoint’s path.
- Improper Error Handling: APIs that return detailed error messages, such as stack traces, raw database errors, or internal hostnames, hand attackers the information they need to refine an attack against the back end.
To protect against these vulnerabilities, developers should follow secure coding practices and implement current security controls for authentication, authorization, encryption, rate limiting, and input validation. Regular testing, monitoring, and updates to APIs also help prevent attacks and mitigate risk, and every change to the environment should be documented. Below are the things you must consider and test to increase the security of your environment.
- Authentication and Authorization: Authenticate every request, then authorize it against the specific resource and operation requested. Use a standard such as OAuth 2.0 with OpenID Connect rather than a home-grown scheme. If you accept JWTs, verify the signature with the algorithm you expect, reject unsigned (alg "none") tokens, check the expiry and audience claims, and only then trust the claims. Implement role-based access control for privileged functions and an ownership check for every object-level lookup.
- Rate Limiting: Limit the number of requests per unit of time, per key or per user, to prevent abuse and to keep one caller from exhausting capacity for everyone else. Set limits from observed usage patterns and return HTTP 429 so well-behaved clients can back off.
- Encryption: Protect data in transit and at rest. Require HTTPS with a current TLS version for all API traffic, internal APIs included, and encrypt sensitive fields in your database.
- Input Validation: Validate all input against an allow-list of expected types, lengths, and formats, and pass it to databases and commands as parameters, never by string concatenation. Use the validation features of your framework rather than ad hoc sanitizing.
- API Keys: Use API keys to identify calling applications and to track and monitor usage, so you can spot misuse and revoke a specific key if necessary. Treat them as secrets: store only a hash server-side and rotate them. Remember that a key identifies an application, not a user, so it is not a substitute for user authentication or authorization.
- Error Handling: Implement proper error handling and reporting to prevent sensitive information from being leaked. Return generic error messages to clients and log errors for debugging and analysis purposes.
- Monitoring and Testing: Regularly monitor and test your API to identify vulnerabilities and weaknesses in your security controls. Conduct regular penetration testing to ensure that your API remains secure over time.
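Added example, not from the original article: the injection, object-level authorization, error-handling and logging points above, shown as a deliberately vulnerable order-lookup handler beside a hardened one. It uses Python’s built-in sqlite3 with constructed sample data; the table, the callers, and the status-code conventions are assumptions for illustration.

```python
import re
import sqlite3

AUDIT_LOG = []   # constructed stand-in for a real log sink


def make_db():
    """Constructed sample data: three orders belonging to two customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "laptop"), (2, "bob", "phone"), (3, "alice", "monitor")],
    )
    conn.commit()
    return conn


def get_order_vulnerable(conn, caller, order_id):
    """Deliberately broken: three classic API defects in one handler.
    The id is concatenated into SQL (injection), the caller's ownership of
    the order is never checked (broken object-level authorization), and raw
    database errors are returned to the client (improper error handling)."""
    try:
        sql = f"SELECT id, owner, item FROM orders WHERE id = {order_id}"
        rows = conn.execute(sql).fetchall()
        return 200, [{"id": r[0], "owner": r[1], "item": r[2]} for r in rows]
    except sqlite3.Error as exc:
        return 500, {"error": f"{type(exc).__name__}: {exc}"}


ORDER_ID = re.compile(r"[1-9][0-9]{0,8}")   # allow-list: a positive integer


def get_order_hardened(conn, caller, order_id):
    """Validate, parameterize, authorize, and fail closed with generic errors."""
    if not isinstance(order_id, str) or not ORDER_ID.fullmatch(order_id):
        AUDIT_LOG.append(f"reject caller={caller} bad_id={order_id!r}")
        return 400, {"error": "invalid order id"}
    try:
        # Parameterized query: the id is data, never part of the SQL text.
        # The ownership check lives in the same query, so there is no window
        # in which the row is fetched before authorization is applied.
        row = conn.execute(
            "SELECT id, owner, item FROM orders WHERE id = ? AND owner = ?",
            (int(order_id), caller),
        ).fetchone()
    except sqlite3.Error as exc:
        AUDIT_LOG.append(f"db_error caller={caller} id={order_id} detail={exc}")
        return 500, {"error": "internal error"}      # detail goes to the log, not the client
    if row is None:
        # 404 for both "missing" and "not yours" so callers cannot enumerate
        # which ids exist; the log still records the denial.
        AUDIT_LOG.append(f"denied caller={caller} id={order_id}")
        return 404, {"error": "not found"}
    return 200, {"id": row[0], "owner": row[1], "item": row[2]}
```

Run against the constructed data, `bob` can read every order through the vulnerable handler with the id `1 OR 1=1`, and a lone quote makes it echo the database engine’s error text; the hardened handler rejects the first with 400 and returns only `alice`’s own rows to `alice`.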
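A second added example (also not part of the original article): verifying a bearer JWT and then enforcing function-level authorization, per the authentication and authorization items in the checklist above. HS256 verification is written out with the standard library so every check is visible; in production you would use a maintained JWT library configured to perform the same checks. The secret, the claims, the `orders-api` audience and the role names are constructed for the example.

```python
import base64
import binascii
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret, claims):
    """Issue an HS256 JWT (used here only to construct tokens to verify)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), "sha256").digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(secret, token, audience, now=None):
    """Return the claims only if signature, algorithm, expiry and audience all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm. Accepting whatever the token claims ("none", or an
        # asymmetric alg while we verify with an HMAC key) is how algorithm
        # confusion attacks work.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise TokenError("unsupported or missing alg")
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), "sha256").digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise TokenError("bad signature")
        claims = json.loads(b64url_decode(payload_b64))   # parsed only after the signature holds
    except (ValueError, binascii.Error) as exc:
        raise TokenError(f"undecodable token: {exc}") from exc
    if not isinstance(claims, dict):
        raise TokenError("claims are not an object")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("missing or past exp")
    if claims.get("aud") != audience:
        raise TokenError("token not issued for this API")
    return claims


def delete_user(secret, token, target, now=None):
    """Hypothetical admin-only endpoint. Returns an HTTP-style status code."""
    try:
        claims = verify_token(secret, token, audience="orders-api", now=now)
    except TokenError:
        return 401        # unauthenticated: absent, forged, expired, or wrong audience
    # Function-level authorization: being authenticated is not enough.
    # `roles` must be a list; a substring test on a string would match "admin_viewer".
    roles = claims.get("roles")
    if not isinstance(roles, list) or "admin" not in roles:
        return 403
    return 204            # the deletion of `target` would happen here
```

Note the order of operations: the algorithm is pinned and the signature checked before the payload is even parsed, then expiry and audience are enforced, and only then does the endpoint look at the caller’s role. Skipping any one of those steps reproduces a known class of API break.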
Both internal and third-party APIs are attacked more often every year, and the best-known breaches show the same root causes as the list above. In July 2020, Twitter disclosed that attackers had used a phone spear-phishing campaign against employees to obtain credentials for internal account-support tools. With that tooling they took over high-profile accounts and posted fraudulent tweets to scam users out of Bitcoin. The victims’ passwords and two-factor authentication were never broken; the attackers used an over-privileged internal capability, which is exactly the risk a forgotten or over-privileged internal API endpoint represents. In 2017, Equifax, one of the largest credit reporting agencies in the US, suffered a breach that exposed names, Social Security numbers, and birth dates of about 147 million people. The entry point was an unpatched Apache Struts vulnerability (CVE-2017-5638) in a public-facing web application, a reminder that the framework underneath an API is part of its attack surface. In 2016, attackers obtained Uber’s cloud credentials (AWS access keys) that had been committed to a private source-code repository and used them to access the names, email addresses, and phone numbers of around 57 million riders and drivers. The breach went unreported for over a year, and Uber eventually paid a $148 million settlement for violating data breach notification laws.
These examples show that a large development and security team is no guarantee that your APIs are operating safely, and that the results of a breach can be catastrophic for your customers and for your business’s finances. As a developer or security tester in a small business, you must assume you are a target, and often an easier one, because of limited resources or a lack of specialist expertise. Companies are required by various laws and compliance regimes to protect their systems and data proactively, and since APIs are an essential part of today’s software, that includes API security testing. Proper API practices make your environment more functional, reliable, secure, and user-friendly, and security testing catches issues early in the development cycle, when they are cheapest to fix.
CompliancePoint is experienced in the methods and techniques used to test API security, including vulnerability scanning, penetration testing, fuzz testing, load testing, threat modeling, and code review. Both automated and manual testing are important for an API because they complement each other and uncover different types of issues. Automated testing quickly and consistently detects common weaknesses such as input validation issues, authentication flaws, and injection, and confirms the API is functioning as intended. Manual testing allows more comprehensive, exploratory work that uncovers complex issues automated tests miss, in particular authorization logic that only makes sense once a tester understands what the API is for, along with edge cases and user experience problems. By combining these methods, we identify vulnerabilities so you can mitigate your API security risks. Our goal is to give you the tools to establish a more secure environment. If you do not have an API security expert within your organization, reach out to us at connect@compliancepoint.com.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.