After the success of the first webinar on ‘How to Perform Manual Pentest on Mobile Apps’, Appknox hosted yet another exciting webinar session titled ‘All You Need To Know About API Security Testing’.
Focused on the discovery of critical API security loopholes, the webinar showed how API security testing uncovers server-side vulnerabilities before attackers do, raising the overall security of the application behind the API.
The webinar was hosted by our experienced in-house security masterminds and renowned industry experts Subho Halder (CISO, Appknox) and Nishaanth Guna.
Subho’s expertise in cybersecurity is well known across the industry: he has found critical bugs in the infrastructure of tech giants such as Google and Microsoft. Nishaanth is similarly known for reporting security issues to major brands including Apple, LinkedIn and HP.
Key Takeaways of the API Security Testing Webinar
Appknox’s webinar on API security testing mainly revolved around discussions on:
1) Basics of API testing.
2) Tools that support API security testing, and how to perform the tests with them.
3) How to drastically reduce security testing effort by building security measures into the development process.
So, let’s move ahead and start by discussing the basics of API security testing.
Basics of API Testing
APIs have become the heart and soul of software development in the recent past.
According to research, the global cloud-based API market garnered $417.3 million in 2018 and is estimated to generate $1.78 billion by 2026, witnessing a CAGR of 20.3% from 2019 to 2026.
Looking at the above statistic, it is evident that the stakes are higher than ever.
Since APIs sit directly in front of an organization’s most sensitive data, testing their functionality and security is a critical step in any security assessment.
There are several aspects to API testing, but the bottom line is sending inputs, in the form of requests, to one or more API endpoints and validating the response: status code, body, headers and timing.
There are some basic rules which lay the foundation of API testing as well:
- Given any input, the API must return an expected output.
- Incorrect input types must be discarded.
- In cases when null values are unacceptable, null inputs must be rejected.
- Inputs of suspicious sizes must be rejected.
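The four rules above, turned into code. This is an added example and not material from the webinar: a small request validator for a hypothetical POST /users endpoint (the schema, field names and the 256-character bound are assumptions) together with the negative test cases a tester would send against each endpoint, one per rule, plus the “unknown field” case that the first rule implies.

```python
"""Added example (not from the webinar): a request validator enforcing the four
ground rules of API testing, plus negative test cases. Schema, field names and
size limits are assumptions made for the example."""

MAX_FIELD_LEN = 256  # assumed upper bound; tune per field in a real API

# Assumed schema for a hypothetical POST /users endpoint
USER_SCHEMA = {
    "username": {"type": str, "nullable": False, "max_len": 32},
    "age":      {"type": int, "nullable": False},
    "bio":      {"type": str, "nullable": True,  "max_len": MAX_FIELD_LEN},
}


def validate(payload: dict, schema: dict) -> list[str]:
    """Return rejection reasons; an empty list means the input is accepted.

    Rules implemented:
      * unknown fields are rejected (unexpected input is never accepted silently)
      * wrong types are rejected without coercion ("12" is not 12)
      * null is rejected unless the field is declared nullable
      * strings longer than their bound are rejected (size is a signal of abuse)
    """
    errors = []
    for name in payload:
        if name not in schema:
            errors.append(f"{name}: unexpected field")
    for name, rule in schema.items():
        if name not in payload:
            errors.append(f"{name}: missing")
            continue
        value = payload[name]
        if value is None:
            if not rule["nullable"]:
                errors.append(f"{name}: null not allowed")
            continue
        # bool is a subclass of int in Python; treat it as a mismatch for int fields
        wrong_type = not isinstance(value, rule["type"]) or (
            rule["type"] is int and isinstance(value, bool)
        )
        if wrong_type:
            errors.append(
                f"{name}: expected {rule['type'].__name__}, got {type(value).__name__}"
            )
            continue
        limit = rule.get("max_len")
        if limit is not None and len(value) > limit:
            errors.append(f"{name}: length {len(value)} exceeds {limit}")
    return errors


# Constructed test cases: (payload, should the API accept it?)
CASES = {
    "valid":         ({"username": "alice", "age": 30, "bio": None}, True),
    "wrong_type":    ({"username": "alice", "age": "30", "bio": None}, False),
    "null_rejected": ({"username": None, "age": 30, "bio": None}, False),
    "oversized":     ({"username": "a" * 33, "age": 30, "bio": None}, False),
    "unknown_field": ({"username": "alice", "age": 30, "bio": None, "role": "admin"}, False),
}


def run_cases() -> dict[str, bool]:
    """Map each case name to whether the validator's verdict matched expectation."""
    results = {}
    for name, (payload, should_pass) in CASES.items():
        accepted = not validate(payload, USER_SCHEMA)
        results[name] = accepted == should_pass
    return results


if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name:14s} {'PASS' if ok else 'FAIL'}")
```

In an automated API test suite each entry of CASES becomes one request; a test fails when the endpoint accepts an input the schema says it must reject. Note the explicit bool check: a lenient type system will happily treat `true` as the integer 1 unless you tell it not to.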
Following these basics lets you design and run automated API security tests without sacrificing functionality or speed. To do that, you need an appropriate tool-set.
Let’s move ahead and take a quick glance at the tools which were discussed during the Appknox webinar.
API Security Testing Tools Featured in the Webinar
SQLMap:
SQLMap is the standard open-source tool for automating the detection and exploitation of SQL injection flaws, from fingerprinting the database to extracting its contents. It runs from the command line on Windows, macOS and Linux.
Burp Suite:
Burp Suite is the most widely used intercepting proxy and is valued for features such as replaying requests (Repeater) and brute-forcing parameters (Intruder). Its tools work together and support the whole security testing process.
In API testing, Burp’s tools play an important role too. Burp Extender loads extensions that add functionality, for example modifying requests and responses on the fly or post-processing the proxy history. Burp Comparer diffs two responses, two site-map entries or two proxy-history items, which is handy for spotting the subtle response differences that indicate blind SQL injection.
Charles Proxy:
Charles Web Debugging Proxy, or Charles Proxy, is a popular HTTP debugging proxy. It lets you view requests and responses over HTTP and HTTPS (and raw TCP) with little setup. With features such as AJAX debugging and SSL proxying, Charles records and displays all the traffic between the client and the server, which is useful when a mobile or desktop client talks to the API under test.
Dirsearch:
As the name suggests, Dirsearch is a command-line tool for brute-forcing files and directories on a web server, and it is generally much faster than the traditional DIRB. Dirsearch takes a target URL and a wordlist and sends concurrent requests for each candidate path. Available for macOS, Linux and Windows, it also supports HTTP proxies and batch processing of multiple targets.
Shhgit & Gitrob:
Gitrob is a commonly used tool for detecting sensitive files pushed to GitHub. It clones the repositories belonging to a user or organization, walks their commit history and flags files that look like credentials, keys or configuration that should never have been committed.
Shhgit, on the other hand, finds the same kind of sensitive files across GitHub in near real time by consuming the public GitHub events API, so stakeholders can be alerted and act promptly.
While talking about these tools, it becomes necessary to list some deployment mistakes which are generally made.
A common deployment mistake is deploying by running git clone or git pull directly in the webroot. The .git directory is then served along with the site, and anyone who can fetch .git/HEAD, .git/config and the object files can reconstruct the full source tree, including hard-coded credentials and the commit history. Using tools such as git-tools and dirsearch, an attacker can find such hidden files and directories and dump the repository.
To prevent this, run Shhgit and Gitrob (or similar secret scanners) in the SDLC pipeline so leaked secrets and sensitive files are caught before release, and make sure the web server denies requests under /.git/ or, better, that the deploy step never places repository metadata in a served directory.
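The check a tester (or a post-deploy smoke test) would run for the exposed-.git mistake described above, as an added example that is not part of the webinar. The fetch function is injected so the code runs offline here against constructed responses; in practice you would pass a real HTTP client. The host names are made up.

```python
"""Added example (not from the webinar): detect a .git directory exposed under a
webroot. fetch(url) -> (status, body) or None is injected so this runs offline
against constructed responses; hostnames are made up for the example."""
import re
from typing import Callable, Optional

Fetch = Callable[[str], Optional[tuple[int, bytes]]]

SHA1_RE = re.compile(rb"^[0-9a-f]{40}\s*$")
REF_RE = re.compile(rb"^ref: refs/\S+\s*$")


def looks_like_git_head(body: bytes) -> bool:
    """.git/HEAD is either a symbolic ref ('ref: refs/heads/main') or, when the
    checkout is detached, a bare 40-hex SHA-1."""
    stripped = body.strip()
    first = stripped.splitlines()[0] if stripped else b""
    return bool(REF_RE.match(first) or SHA1_RE.match(first))


def git_exposed(base_url: str, fetch: Fetch) -> dict:
    """Probe the three cheapest indicators and report what was found.

    A 200 on /.git/HEAD alone can be a catch-all page (single-page apps often
    answer 200 for any path), so the body format is validated rather than
    trusting the status code; /.git/config and the index magic confirm further.
    """
    base = base_url.rstrip("/")
    findings = {"head": False, "config": False, "index": False}

    resp = fetch(f"{base}/.git/HEAD")
    if resp and resp[0] == 200 and looks_like_git_head(resp[1]):
        findings["head"] = True

    resp = fetch(f"{base}/.git/config")
    if resp and resp[0] == 200 and b"[core]" in resp[1]:
        findings["config"] = True

    resp = fetch(f"{base}/.git/index")
    if resp and resp[0] == 200 and resp[1][:4] == b"DIRC":  # git index file magic
        findings["index"] = True

    findings["exposed"] = findings["head"] or findings["config"] or findings["index"]
    return findings


# Constructed responses: one host serves its repository, one is a catch-all SPA
# that returns 200 for everything, one denies /.git/ as a web server rule should.
EXPOSED = {
    "https://shop.example/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "https://shop.example/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n"),
    "https://shop.example/.git/index": (200, b"DIRC\x00\x00\x00\x02"),
}
CATCHALL = {
    "https://spa.example/.git/HEAD": (200, b"<!doctype html><title>App</title>"),
    "https://spa.example/.git/config": (200, b"<!doctype html><title>App</title>"),
    "https://spa.example/.git/index": (200, b"<!doctype html><title>App</title>"),
}
DENIED = {k.replace("shop.example", "hardened.example"): (403, b"Forbidden") for k in EXPOSED}


def fake_fetch(table: dict) -> Fetch:
    """Offline stand-in for an HTTP client: answers from a constructed table."""
    return lambda url: table.get(url)


if __name__ == "__main__":
    for host, table in (("shop.example", EXPOSED), ("spa.example", CATCHALL),
                        ("hardened.example", DENIED)):
        print(host, git_exposed(f"https://{host}", fake_fetch(table)))
```

Once `exposed` is true, a dumper such as the GitTools scripts can pull the object store and rebuild the working tree; the check stops at detection because that is all a post-deploy test needs.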
Aquatone:
For web services spread over a large number of hosts, Aquatone is a well-suited visual reconnaissance tool: it takes a list of domain names or hosts, screenshots their HTTP services and groups them for triage, which makes it the preferred choice when mapping the HTTP attack surface of a large estate.
One deployment issue raised in the webinar motivates the Aquatone toolset: a subdomain whose CNAME points at a resource that no longer exists (a deleted cloud bucket, hosted app or CDN endpoint) can be claimed by an attacker, who then serves malicious content under your domain. This is known as subdomain takeover. Aquatone’s discover and takeover modules help find such dangling records so they can be removed before anyone claims them.
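An added example, not taken from the webinar, of the check behind the subdomain-takeover tooling described above: walk your subdomains, and flag any whose CNAME target either no longer resolves or answers with a third-party service’s “unclaimed resource” page. The DNS lookup and HTTP fetch are injected so the code runs offline on constructed records; the three fingerprints are illustrative, not a complete list, and the domain names are made up.

```python
"""Added example (not from the webinar): dangling-CNAME / subdomain takeover
check. lookup(name) -> {"cname": str | None, "resolves": bool} and
fetch(url) -> (status, body) or None are injected so this runs offline.
Fingerprints are illustrative; domains are constructed for the example."""
from typing import Callable, Optional

Lookup = Callable[[str], dict]
Fetch = Callable[[str], Optional[tuple[int, str]]]

# Illustrative fingerprints: suffix of the CNAME target -> text the service returns
# when nobody owns the resource the record points at.
FINGERPRINTS = {
    "s3.amazonaws.com": "NoSuchBucket",
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
}


def check_subdomain(name: str, lookup: Lookup, fetch: Fetch) -> dict:
    """Classify one subdomain as ok, dangling-nxdomain, or unclaimed-<service>."""
    rec = lookup(name)
    cname = rec.get("cname")
    result = {"name": name, "cname": cname, "status": "ok"}
    if not cname:
        return result                      # A/AAAA record: not a CNAME takeover candidate
    if not rec.get("resolves", True):
        result["status"] = "dangling-nxdomain"   # target is gone; claimable if the service allows
        return result
    for suffix, marker in FINGERPRINTS.items():
        if cname.endswith(suffix):
            resp = fetch(f"http://{name}/")
            if resp and marker in resp[1]:
                result["status"] = f"unclaimed-{suffix}"
            break
    return result


def audit(names: list[str], lookup: Lookup, fetch: Fetch) -> dict[str, str]:
    """Run check_subdomain over a list and return name -> status."""
    return {n: check_subdomain(n, lookup, fetch)["status"] for n in names}


# Constructed DNS and HTTP data: one healthy host, one bucket that was deleted but
# still has a CNAME, one live GitHub Pages site, one CNAME whose target no longer exists.
DNS = {
    "www.example.com":    {"cname": None, "resolves": True},
    "assets.example.com": {"cname": "assets-example.s3.amazonaws.com", "resolves": True},
    "docs.example.com":   {"cname": "example.github.io", "resolves": True},
    "old.example.com":    {"cname": "old-app.herokuapp.com", "resolves": False},
}
HTTP = {
    "http://assets.example.com/": (404, "<Error><Code>NoSuchBucket</Code></Error>"),
    "http://docs.example.com/":   (200, "<html>Docs</html>"),
}


def fake_lookup(name: str) -> dict:
    return DNS[name]


def fake_fetch(url: str) -> Optional[tuple[int, str]]:
    return HTTP.get(url)


if __name__ == "__main__":
    for name, status in audit(list(DNS), fake_lookup, fake_fetch).items():
        print(f"{name:22s} {status}")
```

The two findings differ in urgency: `unclaimed-s3.amazonaws.com` means anyone can create the bucket and start serving under your name today, while `dangling-nxdomain` depends on whether the provider lets a new customer register that hostname. Both are fixed the same way, by deleting or repointing the CNAME.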
WPScan:
WPScan is a popular vulnerability scanner for black-box testing of WordPress sites. Typically run remotely and without authentication, its tests simulate what a real attacker would try and expose vulnerabilities effectively.
WPScan first connects to the target site and runs a series of checks to enumerate installed plugins, themes and user accounts. It then analyzes HTTP headers and the HTML source to gather the version information needed for the assessment, scans for known vulnerabilities in what it found, and reports the results.
S3 Bucket Finder:
S3 Bucket Finder is a PHP tool for finding and brute-forcing Amazon S3 bucket names. Given a wordlist, it generates candidate bucket names and reports which exist and which are publicly readable. Misconfigured, publicly readable buckets have been behind many data exposures, and tools like this let a tester find them before an attacker does.
POSTMan:
Postman is widely recognized as one of the best tools for API testing. It lets you compose HTTP requests with the exact headers, cookies and body you want, send them to the server and inspect the responses, all from a clean interface, and it saves testers from writing throwaway client code for every endpoint.
Patator:
Patator is a multi-threaded, multi-purpose brute-forcing tool written in Python, used during assessments to test how well login endpoints and APIs withstand password-guessing attacks. Considered more reliable than older brute-forcers, it has a modular design (separate modules for HTTP, SSH, FTP, databases and many other protocols), an interactive runtime and flexible user input, among other features.
How to Drastically Reduce Security Testing Effort by Incorporating Simple Security Measures
During the webinar, our experts walked through several API-level loopholes and the measures that remediate them. Adopting these measures early can cut your organization’s security testing effort substantially. The measures discussed include:
1) Detecting and Exploiting Injection Attacks: Our experts showed how SQLMap is used to detect and exploit SQL injection in API parameters. Related injection classes, SSTI (Server-Side Template Injection) and XSS (Cross-Site Scripting), were demonstrated as well.
They showed how, when an application renders user input into a template without filtering special characters, template injection can be escalated to command execution on the server, and how to find blind XSS (where the payload fires in a back-office page the tester never sees) using XSSHunter.
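The SQL injection case above, as an added example that is not from the webinar: a hypothetical GET /api/users?id= handler that pastes the parameter into the query, its parameterized fix, and the boolean probe a scanner such as SQLMap performs to tell the two apart. It runs against an in-memory SQLite database with constructed rows; the table and handler names are assumptions.

```python
"""Added example (not from the webinar): SQL injection in an API parameter,
vulnerable handler beside its parameterized fix, plus the boolean-based probe
a scanner uses to detect it. Uses an in-memory SQLite DB with constructed rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "admin"),
        (2, "bob@example.com", "user"),
        (3, "carol@example.com", "user"),
    ])
    return con


def get_user_vulnerable(con: sqlite3.Connection, user_id: str) -> list[tuple]:
    """GET /api/users?id=<user_id> with the raw parameter spliced into the SQL text."""
    query = f"SELECT id, email FROM users WHERE id = {user_id}"   # injection point
    return con.execute(query).fetchall()


def get_user_fixed(con: sqlite3.Connection, user_id: str) -> list[tuple]:
    """Same endpoint: validate the type at the edge, then bind the value so the
    database never parses user-controlled text as SQL."""
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    return con.execute("SELECT id, email FROM users WHERE id = ?", (int(user_id),)).fetchall()


def boolean_probe(handler, con: sqlite3.Connection) -> bool:
    """What a scanner does: send an always-true and an always-false suffix and see
    whether the response tracks the boolean. A difference means the parameter is
    being evaluated as SQL. Returns True when the handler looks injectable."""
    try:
        true_rows = handler(con, "1 AND 1=1")
        false_rows = handler(con, "1 AND 1=2")
    except (ValueError, sqlite3.Error):
        return False     # rejected or errored uniformly: no boolean oracle
    return true_rows != false_rows


def rejects(handler, con: sqlite3.Connection, payload: str) -> bool:
    """True if the handler refuses the payload instead of executing it."""
    try:
        handler(con, payload)
    except (ValueError, sqlite3.Error):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=0 OR 1=1      ->", get_user_vulnerable(db, "0 OR 1=1"))
    print("vulnerable, UNION roles      ->",
          get_user_vulnerable(db, "0 UNION SELECT id, role FROM users"))
    print("probe(vulnerable)            ->", boolean_probe(get_user_vulnerable, db))
    print("probe(fixed)                 ->", boolean_probe(get_user_fixed, db))
    print("fixed rejects 0 OR 1=1       ->", rejects(get_user_fixed, db, "0 OR 1=1"))
```

The fix does two things on purpose: the `isdigit()` check is the “incorrect input types must be discarded” rule from the basics section, and the bound parameter removes the injection point entirely. Either alone is weaker; escaping instead of binding is how most partial fixes go wrong.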
2) Using Burp to Test and Mitigate IDOR (Insecure Direct Object References): Attackers commonly manipulate an object identifier in a request (an order number, a user id, a file name) to read or modify data belonging to someone else. The fix is an access control check on every object access, not only authentication. Our experts demonstrated how to use Burp Suite’s tools to find these flaws by replaying one user’s requests with another user’s session.
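The IDOR pattern above in code, as an added example not taken from the webinar: a hypothetical GET /orders/<id> handler that authenticates but never checks ownership, its fixed version, and the two-session differential test that Burp Repeater (or an authorization-testing extension) automates: request every object with every session and flag any 200 for an object the session does not own. Tokens, users and orders are constructed.

```python
"""Added example (not from the webinar): IDOR in a hypothetical GET /orders/<id>
handler beside its fixed version, and a two-session differential test that
finds it. Sessions, users and orders are constructed for the example."""
from typing import Callable, Optional

# Constructed data: who each bearer token belongs to, and who owns which order
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {
    1001: {"owner": "alice", "total": 49.00},
    1002: {"owner": "bob",   "total": 12.50},
}

Handler = Callable[[int, dict], tuple[int, dict]]


def authenticate(headers: dict) -> Optional[str]:
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    return SESSIONS.get(token)


def get_order_vulnerable(order_id: int, headers: dict) -> tuple[int, dict]:
    """Authenticates the caller, then returns whatever object id was asked for."""
    user = authenticate(headers)
    if user is None:
        return 401, {}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {}
    return 200, order            # never checks that the order belongs to `user`


def get_order_fixed(order_id: int, headers: dict) -> tuple[int, dict]:
    """Same endpoint with the access control check the object reference needs."""
    user = authenticate(headers)
    if user is None:
        return 401, {}
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, {}           # same status for "missing" and "not yours": don't leak existence
    return 200, order


def idor_test(handler: Handler) -> list[str]:
    """Differential test: every object with every session. Any 200 for an object
    the session does not own is a finding. Empty list means the handler passes."""
    findings = []
    for token, user in SESSIONS.items():
        for oid, order in ORDERS.items():
            status, _ = handler(oid, {"Authorization": f"Bearer {token}"})
            if order["owner"] != user and status == 200:
                findings.append(f"{user} read order {oid} owned by {order['owner']}")
    return findings


if __name__ == "__main__":
    print("vulnerable:", idor_test(get_order_vulnerable))
    print("fixed:     ", idor_test(get_order_fixed))
```

Returning 404 rather than 403 for another user’s object is a deliberate choice in the fix: a 403 confirms that the identifier exists, which is exactly the information an attacker enumerating sequential ids wants.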
3) Combining Burp and Postman: Using Burp and Postman together pays off in API security testing. Our experts showed how to take a request from Burp with its “Copy as curl command” feature and import the curl command into Postman, which gives you a saved, rerunnable request that is easy to share with clients as a proof of concept.
4) Performing Business Logic Test Cases: What if an attacker reaches your checkout endpoint, edits the price of an item in the request body to a lower value, and completes the transaction? Business logic tests cover such out-of-the-ordinary scenarios, and in the webinar we walked through exactly this kind of test with Burp Repeater: capture the legitimate checkout request, change the price, replay it and check what the server charged.
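The price-tampering scenario above, as an added example that is not from the webinar: a hypothetical checkout handler that trusts the price field sent by the client, one that re-prices every line from the server-side catalog and rejects bad quantities, and the Repeater-style test that replays the captured request with the numbers changed. Catalog, cart format and handler names are constructed.

```python
"""Added example (not from the webinar): business logic test for price tampering.
A checkout that trusts the client's price, its server-side-repricing fix, and a
replay test that modifies the captured request. Catalog and cart are constructed."""
from decimal import Decimal

# Server-side source of truth for prices (constructed)
CATALOG = {"sku-100": Decimal("49.00"), "sku-200": Decimal("12.50")}


def checkout_vulnerable(cart: list[dict]) -> dict:
    """Computes the charge from the price field supplied in the request body."""
    total = sum(Decimal(str(item["price"])) * item["qty"] for item in cart)
    return {"status": 200, "charged": total}


def checkout_fixed(cart: list[dict]) -> dict:
    """Ignores any client-supplied price: re-prices each line from the catalog and
    rejects unknown SKUs and non-positive or non-integer quantities."""
    total = Decimal("0")
    for item in cart:
        price = CATALOG.get(item.get("sku"))
        qty = item.get("qty")
        if price is None or not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            return {"status": 400, "error": f"invalid line item {item!r}"}
        total += price * qty
    return {"status": 200, "charged": total}


# The request as the browser sent it (as captured in the proxy), then tampered replays
ORIGINAL_CART = [{"sku": "sku-100", "qty": 1, "price": "49.00"}]
TAMPERED_CARTS = {
    "lowered_price": [{"sku": "sku-100", "qty": 1, "price": "0.01"}],
    "negative_qty":  [{"sku": "sku-100", "qty": 1, "price": "49.00"},
                      {"sku": "sku-200", "qty": -3, "price": "12.50"}],   # "refund" trick
}


def catalog_total(cart: list[dict]) -> Decimal:
    """What the order should cost according to the server, ignoring client prices."""
    return sum(CATALOG[item["sku"]] * item["qty"] for item in cart)


def tamper_test(handler) -> dict[str, bool]:
    """Replay each tampered cart. True means the handler behaved safely (refused the
    order, or charged the catalog price for a structurally valid cart); False means
    the attacker's numbers went through."""
    results = {}
    for name, cart in TAMPERED_CARTS.items():
        resp = handler(cart)
        structurally_valid = all(i["qty"] > 0 and i["sku"] in CATALOG for i in cart)
        if resp["status"] != 200:
            results[name] = True
        else:
            results[name] = structurally_valid and resp["charged"] == catalog_total(cart)
    return results


if __name__ == "__main__":
    print("vulnerable:", tamper_test(checkout_vulnerable))
    print("fixed:     ", tamper_test(checkout_fixed))
```

The negative-quantity cart is included because it is the variant testers most often miss: the total is still positive and the request looks well formed, yet the server has just issued a discount it never offered. Prices and quantities are amounts, so the fix uses Decimal rather than float to avoid rounding surprises in the comparison.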
Summary
API-driven architecture is steadily taking over the software industry, and the associated security risks are surfacing with it. Organizations such as Equifax, Amazon and T-Mobile have suffered breaches in the past that were attributed to insecure APIs.
A strategic approach to API security testing can change the picture for your business. Following the methods and using the tools demonstrated in our webinar will take you a long way.