Since our first webinar on API security, ‘All You Need To Know About API Security Testing’, was an instant hit, we decided to follow it up with something even more interesting. So last week we hosted another webinar, titled ‘API Security Reloaded’, and continued our journey through API security testing.
The webinar was hosted by Mr. Harshit Agarwal (CEO, Appknox) and Mr. Subho Halder (CISO, Appknox) whose extraordinary mobile application security expertise is well-known across the security industry.
Attended by security professionals and enthusiasts from several industry verticals, the webinar focused on server-side API testing vulnerabilities, along with a detailed demo on detecting critical security loopholes in an insecure API using the best open-source tools available in the industry.
Key Takeaways from the API Security Webinar
Our ‘API Security Reloaded’ webinar extended the knowledge of our audience in terms of API security and further covered the intricate details about API vulnerabilities and their potential mitigation techniques. This was followed by a Q&A session where the doubts of the attendees were also addressed. The key points of discussion during the webinar included:
● Importance of API Security
● OWASP API Security Top 10 (2019)
● Demo on how to detect critical security loopholes in an insecure API using tools like Burp Suite and Fiddler.
You can access the speaker’s deck of the webinar here.
Importance of API Security in Today's Landscape
Without a doubt, APIs are the critical backbone of client-server interaction in most software and apps today. They simplify and accelerate the design, development, and deployment of any application, and as a result API development has soared in the past few years.
This tremendous growth, together with the exposure of these APIs over public networks, makes APIs an attractive target for threat actors, who constantly probe for entry points and try to infiltrate or reverse-engineer vulnerable APIs. That is why API security has become so important.
In a report on API security, Gartner has predicted that by 2022, API vulnerabilities will be the most frequent attack vector for web applications and will result in most of the major data breaches.
The importance of API security needs to be understood and a comprehensive approach of designing security into the APIs needs to be adopted.
Now that we understand why API security is so important, let’s move on to see how APIs have evolved over the years and what are some of the commonly used APIs.
Evolution of Web-Based APIs
The beginning of SaaS can be traced back to 1999, when Salesforce launched a web-based sales automation tool, and the history of web-based APIs runs alongside it. After the advent of first-generation computers, APIs made a progressive entry into the world of computing and kept being refined as coding moved to high-level languages.
To reach a working level of proficiency, programmers have to learn the interfaces through which programs expose their functionality, which are what we call APIs. Since APIs have reached a high level of sophistication, a refined understanding of them is needed. Let’s scan through the categories into which web-based APIs are classified.
1. REST-Based APIs: Representational State Transfer, or REST, is a more data-driven architectural style of API development. REST APIs are based on URIs (Uniform Resource Identifiers) and the HTTP protocol, usually with browser-friendly JSON as their data format. Compared to other types of APIs, REST APIs are simple to build and scale, and they make client-server communication straightforward.
2. SOAP-Based APIs: Simple Object Access Protocol, or SOAP, based APIs are considered quite complex compared to their peers. They use their own messaging protocol (SOAP itself), which gives them more rigorously specified security and message handling than REST-based APIs.
3. GraphQL-Based APIs: GraphQL is an open-source data query and manipulation language for APIs, together with a runtime for fulfilling those queries with the existing data. Although GraphQL and REST APIs can sit in front of the same backend, the difference is that GraphQL exposes a single interface and organises the data as a graph.
4. XML-RPC: Extensible Markup Language Remote Procedure Call (XML-RPC) is another API protocol, defined by the specific XML format it uses to transfer data. XML-RPC uses minimal bandwidth and is both simpler and older than SOAP-based APIs.
5. WebSockets: WebSockets are a set of APIs through which a two-way interactive communication session can be established between a server and the user’s browser. With these APIs you can send messages to a server and receive event-driven responses from it without having to poll the server for a reply.
OWASP API Security Top 10
The broadening threat landscape and the expanding usage of APIs led the security community to initiate what we know today as the OWASP API Security Top 10. This project has always assisted businesses, developers and security enthusiasts in becoming more agile when it comes to API security issues.
Our webinar focused on all the API security risks mentioned in the OWASP security document ranging from broken object-level authorization and injection attacks to mass assignment and excessive data exposure. With the help of trusted API security tools, we showcased how these risks can be identified and mitigated with ease.
API Servers We Used During the Webinar
An API server is generally used to expose an API on top of an existing data store, such as a SQL or NoSQL database or a GraphQL source. During the webinar, we used the following API servers:
1. GraphQL Server: The GraphQL server used during our webinar exposes data as a GraphQL API that clients can query. It serves a single endpoint over HTTP.
2. DVWS: DVWS, or Damn Vulnerable Web Services, is an open-source insecure web app with several vulnerable web service components, such as a REST API that is open to SQL injection. Many consider it one of the best platforms and API servers for learning API testing.
Understanding JWT Tokens
JWTs, or JSON Web Tokens, are JSON-based data structures. A JWT defines a specific, standard way of transferring information between two parties as a JSON object. Because the information is digitally signed, it can be verified and trusted. From an API point of view, JWTs matter because they carry both the session and the access-control elements of the API. A JWT consists of 3 parts:
1. Header Section: The JWT header consists of the metadata information about the token itself and is transmitted along with the JWT payload as a separate JSON object. It contains information like the type of token used and the algorithms used to sign it.
2. Payload Section: The JWT payload is simply a JSON object containing claims relevant to the context. There are generally no restrictions on what can go into the payload, but sensitive data should not be put there because the payload is only Base64Url-encoded, not encrypted, and anyone holding the token can read it. In the API context, the payload is where the session data is stored.
3. Signature Section: The JWT signature authenticates the token. With the HMAC-based algorithms (such as HS256) it is a Message Authentication Code, or MAC; with asymmetric algorithms (such as RS256) it is a digital signature. To create the signature, you need the Base64Url-encoded header and payload, the specified algorithm, and the secret (or private) key; the verifier must pin the expected algorithm rather than trust the one named in the header.
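To make the three sections concrete, here is an added example (not code shown in the webinar or from Appknox) that builds an HS256 JWT from scratch with only the Python standard library and then verifies it the way an API server should: pinning the algorithm, comparing the MAC in constant time, and checking `exp`. The secret, the claims and the `run_checks` helper are constructed for the demo; `run_checks` shows the verifier rejecting a token whose payload was edited, a token whose header names `alg: none`, and an expired token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment loads the key from a secrets store.
SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """Base64Url without padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    # Compact separators keep the segment short and deterministic.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Header.Payload.Signature, signed with HS256 (HMAC-SHA256 over the two encoded segments)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_json_segment(header)}.{_json_segment(payload)}"
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def decode_claims_unverified(token: str) -> dict:
    """The payload is only encoded, not encrypted: anyone holding the token can read it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims only if the token is well-formed, HS256-signed under `secret`, and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never trust the token's own "alg" field.
    # This is what rejects "none" and algorithm-confusion tokens.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def run_checks(now: float = 1_700_000_000) -> dict:
    """Exercise the verifier against one valid token and three variants it must reject."""
    claims = {"sub": "user-42", "role": "user", "iat": now, "exp": now + 600}
    token = sign_jwt(claims, SECRET)
    header_b64, _, sig_b64 = token.split(".")
    results = {"valid": verify_jwt(token, SECRET, now)["sub"]}

    # 1. Payload edited but the original signature kept: the MAC no longer matches.
    tampered = f"{header_b64}.{_json_segment(dict(claims, role='admin'))}.{sig_b64}"
    # 2. Header naming alg "none" with an empty signature: rejected by the alg pin.
    unsigned = f"{_json_segment({'alg': 'none', 'typ': 'JWT'})}.{_json_segment(claims)}."
    # 3. The valid token presented after its exp claim.
    cases = (("tampered", tampered, now), ("alg_none", unsigned, now), ("expired", token, now + 601))
    for name, tok, when in cases:
        try:
            verify_jwt(tok, SECRET, when)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc).split(":")[0]
    return results


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

The two design choices worth copying into any hand-rolled verifier are the hard-coded `alg` check and `hmac.compare_digest`: the first makes the token's header irrelevant to which algorithm and key are used, and the second stops a byte-by-byte comparison from leaking how much of a forged signature was correct. In production, prefer a maintained JWT library and pass it the single expected algorithm explicitly.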
What Tools Were Used During the Webinar?
Here are some of the tools we used during the webinar to showcase the importance of API security and how the safety of APIs can be ensured:
1. GraphQL Visualizer: A visualization tool developed by Nathan R Smith for gaining a detailed understanding of the data in your API and deriving useful insights. Once a user pastes in the result of the introspection query, this web app generates an ERD-like (Entity Relationship Diagram) view of any GraphQL API endpoint.
2. Burp Suite: The go-to tool used by many experts for pen-testing web apps. But did you know that PortSwigger’s Burp can also be used to test REST API endpoints? For this, the user proxies the client’s traffic through Burp and then runs the tests against the captured requests.
3. Fiddler: This free debugging proxy tool can be used to configure and send HTTP requests to web-based APIs and check the HTTP response. Available for Windows, macOS, and Linux, this tool can be used to diagnose most of the APIs exposed over HTTP(S). Fiddler also has features to automate the entire API testing process.
Final Thoughts
APIs have always been an attractive target for threat actors, and given the current scenario they are soon going to become the most sought-after attack vector. Their critical role in digital transformation is undeniable: they have access to some of the most critical databases and systems imaginable, which is why they require a continuous approach to security.
Through our ‘API Security Reloaded’ webinar, we have tried to continue our journey on spreading awareness about API security. Undoubtedly, our dialogue on the importance of API security and the detailed threat mitigation demo can help businesses and security personnel to counter some of the most vicious security threats.