REST APIs have allowed us to create modern web and mobile applications; By using the power of an API, we can open up the world of services – pulling in data and sharing information and oiling the wheels of the internet.
But building an API-enabled service also means that you potentially open up your web or mobile application to cybercriminals.
In the first nine months of 2019, 7.9 billion data records were breached; many of these breaches originated at the API layer.
API-enabled systems and services come with an Achilles heel in the form of security vulnerabilities. As APIs have blossomed, data breaches have followed. Here, we take a deep dive into API attack vectors and how using API fuzz testing can help find them.
Top ways API breaches happen
Before you do anything, you need to know what you are dealing with; this is also true for API security. Because web applications use APIs that share data across a very wide surface, if you don’t find a vulnerability first, someone else will.
Fortunately, there is an industry group, the Open Web Application Security Project (OWASP) that researches where APIs are most at risk. The OWASP API Security Project, outlines the ‘top ten’ list of the most at risk areas for an API. Included in this list are vulnerabilities such as:
Security misconfiguration. One of the main ways that APIs can be attacked is if they are insecurely configured. Attackers can easily look for insecure instances of API-based services – such as your API-enabled web application – using the search engine, Shodan. Attackers used Shodan to detect an instance of Elasticsearch which was insecure and open for the world to see; this resulted in personal data of over 56 million US citizens being exposed.
HTTP instead of HTTPS. HTTPS is the secure version of the internet protocol that allows data (such as HTML documents) to be transferred between web servers and clients. If an API-enabled web service uses HTTP instead of HTTPS it will be vulnerable to a cyber-attack where sensitive and personal data can be intercepted and stolen.
Injection attacks. Attackers can use vulnerabilities in an API to introduce (inject) malicious code. This code can make the service act according to an attacker’s wishes, e.g., send the attacker the personal data of users. A cyber-attack at Heartland Payment Systems exposed 134 million credit cards when cybercriminals exploited an injection vulnerability.
Other things to consider:
APIs, by design, often connect across many third-party services. This places API-enabled web services at a high risk of containing vulnerabilities. However, a Deloitte survey found:
“62 percent of CEOs fail to hold their extended enterprise to the same risk standards as their own”.
Because vulnerabilities come in all forms and across the entire extended API surface, API-enabled web applications must be tested in a holistic and dynamic manner.
Hunting for API vulnerabilities
The REST API attack surface is large and complex, often containing many third-party integrations. The very interoperability that REST APIs are designed for, makes them vulnerable. Making headway in locating vulnerabilities in APIs requires a systematic plan of action and smart tools for the job. The following steps are a guide for any API vulnerability hunter when testing their service:
Know what you are looking at. Have a blueprint of your expanded API services and all components. Plan out your approach. Make sure it covers everything. You may also need to look at specific compliance areas that impact data security in your industry.
Know your data. What data flows through which web applications? Categorize the data into different levels of priority in-line with your business.
Know your vulnerabilities. Determine which vulnerabilities are a priority. For example, Sucuri’s “Website Threat Report 2019” found that “Primary infection vectors include vulnerable third-party components and software defects.” Prioritization helps when you later detect vulnerabilities.
Black box and fuzz testing for vulnerability detection. To find vulnerabilities in extended cloud services you need to be able to use a tool that can look deeply into the underlying REST APIs.
- API test tools are used to automate and standardize tests across your entire product line.
- Black Box testing is a way to dig deep into the potential attack surface of an API-enabled web application.
- Multi-protocol Fuzz testing works systematically across the entire API surface; the ‘fuzz’ is in the form of random or invalid data.
Apply your vulnerability knowledge. The output from a black box and fuzz testing process is used as part of a risk detection and management process. This builds the information needed by your security team to make sure that no malicious entity exploits an API vulnerability.
Your web service is a valuable commodity, one which a cybercriminal will exploit if they find a way in. Attackers are always on the lookout for API vulnerabilities – so you have to do the same. Using automated tools, such as Fuzz testing, you can beat the hackers at their own game.
Knowing what vulnerabilities exist in your web service is an essential step in the fight against API-based cybercrime.
Concerned you might have an API vulnerability, or just want to be a step ahead of threats? Contact us to schedule a free demo of our network and application vulnerability assessment products.