Despite the numerous cyber attacks taking place across the world, Application Programming Interface (API) security testing is still not a priority for many businesses that run publicly accessible web services. Web services are designed to withstand many threats, but proper API security testing helps mitigate the security risks that could otherwise leave your company’s data exposed to cybercriminals and attackers.
What is API Security Testing?
API security testing helps safeguard the integrity of APIs, both the ones you use and the ones you own. It helps ensure that the APIs in place are secure, without errors or weaknesses that could lead to security breaches.
It involves assessing the web service methods, checking authentication, authorization, validation, backend calls, and endpoints (along with many other tests) to ensure they are functioning as intended and giving the appropriate error codes in case of incorrect or unauthorized activity.
Most Commonly Executed Cyber-Attacks
Here are some of the most commonly executed cyber-attacks:
Attacks on Authentication
Attacks on poorly implemented authentication can allow attackers to take control of accounts or, in the worst case, to reach every API endpoint.
The goal of such attacks is usually to take over several accounts, or an administrator account, to gain unauthorized access with the same privileges as the victim user. Authentication attacks also include password cracking.
A common attack on authentication is password spraying where the attacker attempts to access a large number of accounts by using a few commonly used passwords. During this attack, the attacker attempts a single commonly used password such as “Password123” against many different accounts before moving on to the next commonly used password.
Another popular password cracking method is a dictionary attack, where the attacker attempts to log in using every word in a dictionary as the password. This method is more efficient than a brute-force attack because it removes some of the randomness, thereby reducing the time needed to obtain the password.
The best way to prevent attacks on authentication is to establish strong password policies, implement least-privilege access so that only authorized personnel can reach the APIs they require, and never send credentials over unencrypted networks or expose the session ID in the web URL.
Attacks on Authorization
Security breaches related to authorization usually entail unauthorized user access control attacks such as:
Vertical authorization attack: If a user attempts to access functionality, a system or a network they are not authorized to use, such as an ordinary user invoking admin functions, it is a vertical authorization attack.
Horizontal authorization attack: A horizontal authorization attack occurs when a user tries to access another user’s information. For instance, an employee should only be able to access their own personal and payroll data; if they are able to access another user’s sensitive information, it is a horizontal authorization attack.
To mitigate the risk of authorization attacks, applications should perform server-side checks to ensure that the user has appropriate access to the method (vertical) and the data (horizontal) prior to granting access or performing an action.
In addition to this, implement strong audit logging and monitor for any suspicious or unusual activity indicating an authorization attack.
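The server-side check described above, written out as an added example that is not part of the original article: the vertical check asks whether the caller's role grants the method at all, the horizontal check asks whether the record belongs to the caller, and every denial is appended to an audit log for monitoring. The roles, users and payroll records are constructed sample data.

```python
# Added example (not from the original article): a server-side authorization
# check that performs the vertical (role/method) and horizontal (data ownership)
# checks before any action, and records every denial for audit logging.
# Roles, users and payroll records are constructed sample data.
from dataclasses import dataclass

ROLE_PERMISSIONS = {
    "admin": {"payroll:read", "payroll:update"},
    "employee": {"payroll:read"},
}

# Constructed payroll records keyed by record id; owner_id is the employee they belong to.
PAYROLL = {
    101: {"owner_id": 1, "salary": 50000},
    102: {"owner_id": 2, "salary": 62000},
}

AUDIT_LOG = []  # denied attempts: the raw material for monitoring unusual activity


@dataclass(frozen=True)
class User:
    user_id: int
    role: str


class Forbidden(Exception):
    pass


def authorize(user: User, permission: str, record_id: int) -> dict:
    """Return the record only if both checks pass; raise Forbidden otherwise."""
    # Vertical check: does the caller's role grant this method at all?
    if permission not in ROLE_PERMISSIONS.get(user.role, set()):
        AUDIT_LOG.append((user.user_id, permission, record_id, "role denied"))
        raise Forbidden("role lacks permission")
    record = PAYROLL.get(record_id)
    # Horizontal check: a non-admin may only touch records they own. A missing
    # record is reported the same way, so callers cannot enumerate ids.
    if record is None or (user.role != "admin" and record["owner_id"] != user.user_id):
        AUDIT_LOG.append((user.user_id, permission, record_id, "ownership denied"))
        raise Forbidden("record not accessible")
    return record


def get_payroll(user: User, record_id: int) -> tuple:
    """API handler: returns (http_status, body) like a web framework would."""
    try:
        return 200, authorize(user, "payroll:read", record_id)
    except Forbidden:
        return 403, {"error": "forbidden"}


def update_salary(user: User, record_id: int, salary: int) -> tuple:
    """Destructive handler: the authorization check runs before the write."""
    try:
        record = authorize(user, "payroll:update", record_id)
    except Forbidden:
        return 403, {"error": "forbidden"}
    record["salary"] = salary
    return 200, record
```

Both handlers call `authorize` before touching data, so a client that guesses another user's record id or calls an update method it was never granted gets the same generic 403 and leaves an audit entry behind.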
Session hijacking and Man-in-the-middle Attack
Session hijacking is a cyber attack that exploits the web session control mechanism, which is usually managed through a session token. Such attacks compromise the session by predicting or stealing a valid session token and using it to gain unauthorized access to the web server.
One of the most common forms of session hijacking is the man-in-the-middle attack, in which an intruder positions themselves between the user and an application to eavesdrop on, or impersonate, either party and gain access to the information they are exchanging.
The goal of such an attack is to take over the user’s session so that the attacker can impersonate them and perform any action the user could normally perform. In a banking application, for instance, a session hijacking attack could include transferring money, paying bills, and so on.
To prevent such attacks, ensure that you only use the HTTPS protocol, with SSL/TLS certificates. This provides a secure, encrypted connection between your clients’ computers and your server, protecting all information from middlemen.
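An added example, not from the original article, of the server side of this defense: session tokens drawn from the operating system's random number generator so they cannot be predicted, delivered in a cookie marked so the browser only sends it over HTTPS, and rotated so a token captured earlier stops working. The in-memory session store and the cookie name are constructed for the example.

```python
# Added example (not from the original article): issuing session tokens that
# cannot be predicted and delivering them only over HTTPS with cookie attributes
# that make theft harder. The session store is an in-memory dict; names are constructed.
import hashlib
import secrets
from typing import Optional

SESSIONS = {}  # sha256(token) -> user_id; the raw token is never stored server-side


def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id: int) -> str:
    # 32 random bytes from the OS CSPRNG: not guessable, unlike counters or timestamps.
    token = secrets.token_urlsafe(32)
    SESSIONS[_fingerprint(token)] = user_id
    return token


def session_cookie_header(token: str) -> str:
    # The token travels in a cookie, never in the URL (URLs end up in logs and referrers).
    # Secure: only sent over HTTPS, so a passive eavesdropper never sees it.
    # HttpOnly: page scripts cannot read it. SameSite=Strict: not attached to cross-site requests.
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


def lookup_session(token: str) -> Optional[int]:
    return SESSIONS.get(_fingerprint(token))


def rotate_session(old_token: str) -> Optional[str]:
    """Invalidate the presented token and issue a fresh one (do this at login and
    on privilege changes) so a token captured earlier stops working."""
    user_id = lookup_session(old_token)
    if user_id is None:
        return None
    del SESSIONS[_fingerprint(old_token)]
    return create_session(user_id)
```

Storing only a hash of the token means a leaked copy of the session table does not hand out usable sessions, and rotating at login closes the window in which a token stolen from an earlier, possibly unauthenticated, session remains valid.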
SQL Injection
SQL injection is a common attack that uses malicious SQL code to manipulate the backend database and access sensitive or restricted information. This information may include personal details, bank account information, sensitive company data, private customer details or user lists.
The impact of an SQL injection on a business can be far-reaching. A successful SQL injection may result in the deletion of entire tables, unauthorized viewing of user lists, and in some cases, the attacker might gain administrative rights to modify the database, all of which can lead to severe damage to a business.
To protect your application from SQL injection, use parameterized queries. These treat all input coming from the client side as untrusted data, so it cannot alter the query sent to the backend database.
Additionally, use web application firewalls (WAF) that filter out SQL Injection as well as other cybersecurity threats.
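The difference between the two approaches, as an added example that is not part of the original article: the same user lookup written with string formatting and with a parameterized query, run against a constructed in-memory SQLite table so the effect of an untrusted value can be observed directly.

```python
# Added example (not from the original article): the same lookup written with
# string formatting and with a parameterized query, run against a constructed
# in-memory SQLite table so the difference can be observed directly.
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],  # constructed rows
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Do not do this: the client-supplied string becomes part of the SQL text,
    # so quotes and keywords inside it change the meaning of the statement.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized: the value is bound by the driver and is only ever data;
    # it cannot alter the structure of the statement.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username: str) -> tuple:
    """Row counts returned by the two versions for the same input."""
    conn = setup_db()
    return len(find_user_vulnerable(conn, username)), len(find_user_safe(conn, username))
```

For an ordinary username both functions return the same single row; for an input containing a quote, the formatted version either changes the condition or fails with a syntax error, while the parameterized version simply finds no user with that literal name. That is what "treating client input as untrusted" means in practice: the driver, not the application, decides where the value ends.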
XML Injection
XML injection is a type of attack used to compromise or manipulate the logic of a service or an application. During an XML injection attack, an attacker tries to inject XML values and/or content into an XML message to alter the intended logic of the application.
Depending on the injected XML content, various security policies and objectives might be violated. For instance, an XML injection attack that modifies payment data could have a severe impact on your company’s integrity and damage your customer relationships.
Another frequent goal of XML injection attacks is denial of service. In such cases, the attacker inserts malicious content that makes the application unresponsive to all valid users.
The best defense against XML Injection is encoding all untrusted input going into the XML. Further, adding input validation also helps protect the application against potential XML Injection attacks.
Here are some useful guidelines that will help you create an effective input validation policy:
- Validate input: length/format/type and range
- Constrain string inputs with regex
- Achieve an implicit input parameters validation by using strong types such as dates, times, numbers, booleans or fixed data ranges in API parameters
- Define a request size limit and reject requests that exceed it
- XML encode all untrusted input
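The guidelines above applied to one message, as an added example that is not from the original article: a payment record whose fields are validated with a regex, a decimal range, a date type and a length limit, and whose values are XML-encoded before they enter the document, so a value can never close one element and open another. The field names, limits and sample values are constructed.

```python
# Added example (not from the original article): validating the fields of a
# payment message with strong types, regex and range checks, then XML-encoding
# every value before it enters the document. Field names and limits are constructed.
import re
from datetime import date
from decimal import Decimal, InvalidOperation
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

ACCOUNT_RE = re.compile(r"[A-Z0-9]{8,20}")  # constrain string input with a regex
AMOUNT_MIN, AMOUNT_MAX = Decimal("0.01"), Decimal("100000.00")  # fixed data range
MAX_NOTE_LEN = 140  # length limit on free text


class ValidationError(ValueError):
    pass


def validate_payment(fields: dict) -> dict:
    """Reject anything outside the expected length/format/type/range."""
    account = str(fields.get("account", ""))
    if not ACCOUNT_RE.fullmatch(account):
        raise ValidationError("account must be 8-20 uppercase letters or digits")
    try:
        amount = Decimal(str(fields.get("amount", "")))
    except InvalidOperation:
        raise ValidationError("amount must be a decimal number")
    # Decimal() accepts NaN and Infinity; they are parseable but never valid amounts.
    if not amount.is_finite() or not AMOUNT_MIN <= amount <= AMOUNT_MAX:
        raise ValidationError("amount out of range")
    try:
        when = date.fromisoformat(str(fields.get("date", "")))
    except ValueError:
        raise ValidationError("date must be YYYY-MM-DD")
    note = str(fields.get("note", ""))
    if len(note) > MAX_NOTE_LEN:
        raise ValidationError("note too long")
    return {"account": account, "amount": amount, "date": when, "note": note}


def build_payment_xml(fields: dict) -> str:
    v = validate_payment(fields)
    # quoteattr() wraps and escapes attribute values; escape() encodes <, > and &
    # in text, so a note can never close <note> and open a second <amount>.
    return (
        "<payment account=%s date=%s>" % (quoteattr(v["account"]), quoteattr(v["date"].isoformat()))
        + "<amount>%s</amount>" % v["amount"]
        + "<note>%s</note>" % escape(v["note"])
        + "</payment>"
    )


def parse_payment(xml_text: str) -> dict:
    """How the backend reads the message back; used to confirm only one amount survives."""
    root = ET.fromstring(xml_text)
    return {
        "account": root.get("account"),
        "amounts": [a.text for a in root.findall("amount")],
        "note": root.find("note").text,
    }
```

The two layers are deliberately independent: validation rejects values that are wrong for the business field, and encoding neutralises markup characters in values that passed validation (the free-text note here). Either layer alone leaves a gap; the guideline list above asks for both.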
Replay Attack
During a replay attack, a cybercriminal eavesdrops on secure network communication, intercepts it, and then delays or redirects it to make the recipient do what the attacker wants. These attacks are especially dangerous because the attacker doesn’t need the decryption keys: they can target an encrypted communication channel without ever decrypting it.
All they have to do is eavesdrop on a network and understand what functions are being performed by a specific set of network packets. Once they have a basic idea, they can resend those network packets or requests, and cause damaging effects.
For instance, consider an employee requesting a financial transfer by sending an encrypted message to the organization’s financial administrator. An attacker eavesdrops on the message, intercepts it, and can now resend it. Since it is an authentic message that has simply been resent, it looks legitimate and is correctly encrypted. In such a scenario, the financial administrator may go ahead and make the transaction unless he or she notices something suspicious.
One way of preventing a replay attack is to use the right method of encryption. Both the sender and the receiver should establish a random session key, a one-time code that is valid for only one transaction and can’t be used again.
Another way to prevent replay attacks is to use a password for each transaction that is valid only once and then discarded. This ensures that even if the attacker resends the message, the code it carries has expired and is no longer valid.
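An added example, not from the original article, of the one-time-code idea applied to an API request: the sender wraps the message in an envelope with a fresh random nonce and a timestamp and signs the whole envelope with an HMAC; the receiver verifies the signature first, rejects messages outside a freshness window, and rejects any nonce it has already accepted, so the transfer request from the story above cannot be resent. The shared key and message fields are constructed for the example.

```python
# Added example (not from the original article): a request envelope that carries a
# fresh random nonce, a timestamp and an HMAC over the whole message, and a receiver
# that rejects replays, stale messages and tampered copies. The shared key is a
# constructed demo value.
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE_SECONDS = 30  # window after which a message is stale even if never seen before


def _canonical(envelope: dict) -> bytes:
    # Deterministic serialization so sender and receiver MAC identical bytes.
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign_request(body: dict, key: bytes = SHARED_KEY, now: float = None) -> dict:
    """Sender side: wrap the body with a one-time nonce and timestamp, then MAC it."""
    ts = int(time.time() if now is None else now)
    envelope = {"ts": ts, "nonce": secrets.token_hex(16), "body": body}
    envelope["mac"] = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class Receiver:
    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen = {}  # nonce -> ts of accepted messages inside the freshness window

    def accept(self, msg: dict, now: float = None) -> tuple:
        """Return (accepted, reason). Order matters: authenticate before trusting any field."""
        now = time.time() if now is None else now
        msg = dict(msg)
        mac = msg.pop("mac", "")
        expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"
        if abs(now - msg["ts"]) > MAX_AGE_SECONDS:
            return False, "stale"
        # Forget nonces older than the window; a replay of those is caught as stale anyway,
        # so the seen-set stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE_SECONDS}
        if msg["nonce"] in self.seen:
            return False, "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"
```

The timestamp bounds how long the receiver must remember nonces, and the MAC covers the nonce and timestamp as well as the body, so an intercepted message cannot be re-dated or re-numbered without the key.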
Importance of API Security Testing
An exploit of a web service can be detrimental to a small project owner or a business that is releasing their work into the public. More and more APIs are being targeted by hackers to access sensitive data. Here are a few popular examples of API cyber attacks:
- Instagram’s use of HTTP instead of HTTPS
It is widely known today that HTTPS helps prevent attackers from tampering with the communication between your users’ browsers and your websites. Instagram did not follow this rule of thumb and was vulnerable to account takeover by interception of unencrypted HTTP traffic.
- TalkTalk’s customer data was stolen
Back in October 2015, TalkTalk announced that customers’ personal information, such as names, addresses, and other details, had been stolen in a data breach. The breach was caused by SQL injection against the TalkTalk website.
An organization’s data is undoubtedly its most valuable asset and threats to that data have to be detected, and hopefully, eliminated before they put the organization at risk. Targeting APIs is one of the easiest ways for attackers to perform malicious activities or gain access to data.
This is why conducting API security testing is critical to ensure that the API is secure and performing as expected. If an API’s security is compromised, it affects every application that relies on that API. In a nutshell, a single error in an API can lead to significant problems across your organization, as well as in any external organizations that use your API.
Methods Of API Security Testing
Secure Code Review
One of the best methods of API security testing is a secure code review. It aims at identifying security vulnerabilities in the application related to its authorization, authentication, error handling, data validation, encryption, session management, security configuration, and logging along with many other issues.
A secure code review is basically the process of auditing the source code of an application to ensure that the proper security and business controls are in place, that they work as intended, and have been invoked in the right places.
A secure code review should be performed in both manual and automated ways to ensure comprehensive and thorough security testing. Before you begin with choosing the tools and checklist to conduct a secure code review, you might want to consider these questions:
- Which tools are best suited for your application?
- Which method is better for your application – manual, automated, or both?
- Ultimately, which method and tools will generate the best results?
Potential vulnerabilities arising due to insecure code often have catastrophic repercussions and this has proven to be a challenge to cybersecurity professionals. By conducting secure code reviews, you can detect security weaknesses in your application and take necessary actions to mitigate these risks.
Fuzz Testing
Fuzz testing is one of the most common and simplest ways to detect vulnerabilities in web services. It is a black-box software testing technique that detects implementation issues by injecting malformed data in an automated manner. Fuzz testing is a simple yet efficient method of API security testing that can easily be conducted with command-line tools such as curl.
In a nutshell, all you have to do in fuzz testing is send malformed or unexpected input data and check if the API breaks. For instance, if an API requires numbers as input parameters, try sending negative values, large numbers or values like 0. A poorly coded application might allow such numbers and help you in detecting errors.
Parameter Tampering
Another method of API security testing is parameter tampering. It attempts to exploit backend validation errors by manipulating the parameters sent in an API request.
Here’s how you can check for parameter tampering:
Modify input fields in a web form: Many web apps use input fields that are marked hidden and are only meant to be read by the backend. Test whether your backend correctly validates the data in these “hidden” input fields. This is usually done by opening the browser’s developer tools, finding the input elements, changing their values, and then submitting the form. Not only hidden fields should be checked; all fields should be.
Modify query parameters in API requests: Test various combinations of incorrect or invalid query parameters and check if the API returns the proper error code. This test is especially important for destructive endpoints such as DELETE.
(Un)authorized Methods and Endpoints
One of the most effective ways to ensure that your APIs are secure is by setting up automated security tests for a few scenarios:
Test user privileges: Most web services have different levels of users, like admins, members and customers. Set up security tests to ensure that users with lower privileges are not able to access higher privileges.
Test with unauthorized/invalid authentication: Try to access protected endpoints with incorrect credentials or tokens. This helps you ensure that the web service responds with the proper status code and message.
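The three testing methods above (fuzzing a numeric parameter, tampering with query parameters on a destructive endpoint, and calling endpoints with missing, invalid and under-privileged tokens) combined into one automated run, as an added example that is not part of the original article. The handler under test, its bearer tokens and its item table are constructed stand-ins for a real API; the two check functions return what they found so the run can be asserted on rather than read by eye.

```python
# Added example (not from the original article): a small automated test run that
# exercises fuzzing, parameter tampering and privilege checks against a toy handler.
# The handler, tokens and items are constructed stand-ins for a real API.
import re

TOKENS = {"tok-admin": "admin", "tok-member": "member"}  # constructed bearer tokens
ITEMS = {1: "widget", 2: "gadget"}
ID_RE = re.compile(r"[0-9]{1,9}")  # strict: int() alone would accept " 1" or non-ASCII digits


def handle(method: str, path: str, params: dict, token) -> tuple:
    """Toy API handler returning (status, body); this is the system under test."""
    role = TOKENS.get(token)
    if role is None:
        return 401, {"error": "authentication required"}
    if path != "/items":
        return 404, {"error": "not found"}
    raw = params.get("id")
    if not isinstance(raw, str) or not ID_RE.fullmatch(raw):
        return 400, {"error": "id must be 1-9 digits"}
    item_id = int(raw)
    if item_id == 0:
        return 400, {"error": "id out of range"}
    if method == "GET":
        if item_id not in ITEMS:
            return 404, {"error": "no such item"}
        return 200, {"id": item_id, "name": ITEMS[item_id]}
    if method == "DELETE":
        if role != "admin":
            return 403, {"error": "admin only"}
        return (204, {}) if ITEMS.pop(item_id, None) else (404, {"error": "no such item"})
    return 405, {"error": "method not allowed"}


# Constructed fuzz inputs for a numeric parameter: negative, zero, huge, wrong type,
# empty, leading whitespace, float, non-ASCII digit (int("\u0661") == 1), and a bare int.
FUZZ_IDS = ["-1", "0", "99999999999999999999", "abc", "", None, " 1", "1.5", "\u0661", 7]


def fuzz_ids(handler) -> list:
    """Return inputs that did not get a clean 4xx (a 5xx, a crash, or an unexpected 2xx)."""
    failures = []
    for value in FUZZ_IDS:
        try:
            status, _ = handler("GET", "/items", {"id": value}, "tok-member")
        except Exception as exc:  # a crash is a finding, so record it rather than stop
            failures.append((value, "crash: %r" % (exc,)))
            continue
        if not 400 <= status < 500:
            failures.append((value, status))
    return failures


def endpoint_checks(handler) -> dict:
    """Tampering and privilege cases, each mapped to the status code actually returned."""
    return {
        "member_delete": handler("DELETE", "/items", {"id": "1"}, "tok-member")[0],
        "delete_missing_id": handler("DELETE", "/items", {"id": "999"}, "tok-admin")[0],
        "delete_tampered_id": handler("DELETE", "/items", {"id": "1,2"}, "tok-admin")[0],
        "invalid_token": handler("GET", "/items", {"id": "1"}, "tok-forged")[0],
        "no_token": handler("GET", "/items", {"id": "1"}, None)[0],
        "unknown_path": handler("GET", "/admin", {"id": "1"}, "tok-member")[0],
        "admin_delete": handler("DELETE", "/items", {"id": "2"}, "tok-admin")[0],
    }
```

An empty list from `fuzz_ids` and the expected 401/403/404/400 codes from `endpoint_checks` are the pass condition; any 500, exception or 2xx on a malformed or under-privileged request is a finding to fix in the backend before an attacker finds it. Against a real service the `handler` argument would be replaced by a small function that issues the HTTP request (with curl or an HTTP client) and returns the status code.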
These are just a few ways you can prevent cyber attacks through API security testing. Whether it is checking authorization or conducting tests to ensure all endpoints are secure, API security testing can help you mitigate various security risks that could impact your business. After all, it’s better to discover and fix an issue before the attacker gets to it.