In today's interconnected world, application programming interfaces (APIs) have rapidly become the predominant tools for sharing data and providing multiple services within a single application. APIs link ecosystems of technology and are an engine of business growth. APIs rule the world of eCommerce.
Pen Testing
Too often we see that, while the API landscape is in reality a high-priority threat vector, it is left until last when pen testing priorities are set.
Organizations must extend risk and operational controls to APIs. Most businesses must comply with security and regulatory controls, and API services must meet the same requirements by conforming to the existing confidentiality, integrity, and availability models.
By nature, APIs are a gateway to application logic and sensitive data such as Personally Identifiable Information (PII), and because of this, APIs have increasingly become a target for attackers. As attackers move their focus to the APIs themselves, we must also evolve our testing. API risk is so significant that OWASP has a Top 10 flaws list specific to APIs.
What is an API?
Humans generally do not interact with APIs directly; APIs share data between networked computing systems. A typical example is a web application, such as your favorite hotel reservation site, whose background services call APIs to receive and transmit data.
APIs facilitate data sharing between the software components that build the customer experience. Nearly all modern web-based products offer APIs so their services can be integrated directly into any project.
Common types of web service APIs:
- SOAP
- XML-RPC
- JSON-RPC
- REST
- WebSockets
APIs are a critical part of modern web applications, from banks, retail and transportation to IoT, autonomous vehicles, and smart cities. Without secure APIs, rapid market innovation would be impossible. Experts have estimated that up to 80% of internet traffic flows through APIs.
API Security focuses on strategies and solutions to understand and mitigate their unique vulnerabilities and security risks.
Infamous API Exploits
In 2020, Google paid a $7.5M anti-trust fine over two Google+ API issues. In December 2018, Google announced a Google+ API issue that gave developers access to private profile information on 52.5 million users.
The Russian APT group Sandworm's Cyclops Blink malware exploits a Linux API function to download malicious files, execute attacks, and maintain persistence on victim networks.
In 2017 attackers exploited a vulnerability in a WordPress REST API to modify content on WordPress sites. It was estimated that over 40,000 websites were defaced through this exploit.
In 2016, a vulnerability was discovered in the API behind the Nissan mobile app that allowed attackers to send commands to any vehicle whose VIN they knew. The Nissan API vulnerability exposed climate control, battery management, and the entire history of a car's trips, including routes, times, and exact GPS coordinates.
On December 24, 2019, Twitter announced that someone was using an extensive network of fake accounts to exploit their API and match usernames to phone numbers. They discovered accounts controlling this API endpoint from various countries, including Iran, Israel, and Malaysia. Some of these accounts may have ties to state-sponsored actors.
API Penetration Testing
As with all pen testing, you should look at your API architecture the way your adversaries do. A competent API penetration test will involve a skilled attacker using specialist tools to explore and exploit the API.
We want to find the gaps in your APIs' security before an attacker does. Our API penetration testing begins with an assessment, where our expert penetration testers utilize multiple tools and manual testing to gain knowledge of the API attack surface and search for vulnerabilities.
After analyzing data, our experts use manual techniques, tools and intuition to attack those vulnerabilities. After completing the API penetration testing, you will receive a comprehensive report with step-by-step explanatory narratives.
An API vulnerability scan is an excellent first step, but it is not pen testing. Our penetration testers have the necessary background to provide a thorough, proper API assessment. Our team will go through the API, function by function, to discover ways that an attacker could leverage your vulnerabilities. Every API is different and requires a somewhat customized attack plan.
Things we have found in past API penetration tests include:
Scenario #1
Old API versions are usually unpatched and provide an easy attack vector. It is common to find unnecessarily exposed API hosts. Attackers may gain access to sensitive data or even take over servers through old, exposed API versions.
After updating its systems, a services vendor left an old API version (api.unamedservice.com/v1) running unprotected and with access to the user database. While targeting one of the latest released applications, our tester found the API address (api.unamedservice.com/v2). Replacing v2 with v1 in the URL gave the tester access to the old, unprotected API, exposing users' personally identifiable information (PII).
We recommended mitigation of the vulnerability by updating the asset management processes to include all API endpoint servers. The team removed older APIs from all production environments.
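Two defensive controls follow from this scenario: the API gateway itself should refuse retired versions (and log the attempt, so probing of old versions is visible), and the asset inventory should be reconciled against what is actually exposed. The following is an added example of both checks and is not the vendor's code or Truvantis' tooling; the path format (`/vN/...`), the hostnames, the version policy, and the `gate` and `reconcile` function names are all constructed for illustration.

```python
"""Version gate and inventory reconciliation for a versioned REST API.

Added example, not the vendor's code. Assumes request paths of the form
/vN/<resource>. Retired versions get 410 Gone, unknown versions 404, and
every rejected request is logged so the SIEM can see probing of old versions.
Hostnames, version numbers and the policy below are constructed.
"""
import logging
import re
from typing import Dict, Iterable, List, Tuple

log = logging.getLogger("api.version_gate")

VERSION_RE = re.compile(r"^/(v\d+)(/.*)?$")

# Constructed policy: v2 is the only supported version; v1 has been retired.
SUPPORTED = {"v2"}
RETIRED = {"v1"}


def gate(path: str, client_ip: str = "0.0.0.0") -> Tuple[int, str]:
    """Decide (status, reason) for a request path before it reaches app logic.

    200 means the request may continue to the current API; anything else is
    a rejection the gateway should return as-is.
    """
    match = VERSION_RE.match(path)
    if not match:
        return 404, "unversioned path"
    version = match.group(1)
    if version in SUPPORTED:
        return 200, "pass"
    if version in RETIRED:
        # Retired versions are deliberately not proxied anywhere, and the
        # attempt is logged: repeated hits here are a useful detection signal.
        log.warning("retired API version %s requested from %s path=%s",
                    version, client_ip, path)
        return 410, f"{version} retired"
    log.warning("unknown API version %s requested from %s path=%s",
                version, client_ip, path)
    return 404, "unknown version"


def reconcile(inventory: Dict[str, Iterable[str]],
              observed: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Compare the asset inventory (host -> approved versions) with the
    (host, version) pairs actually exposed, e.g. taken from load balancer
    or DNS configuration. Returns pairs that are exposed but not approved,
    which is exactly the drift that left /v1 running in the scenario."""
    drift = []
    for host, version in observed:
        if version not in set(inventory.get(host, ())):
            drift.append((host, version))
    return sorted(drift)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for p in ("/v2/users/42", "/v1/users/42", "/v9/users", "/health"):
        print(p, gate(p, "198.51.100.7"))
    # Constructed inventory and observation: only v2 is approved on the API host.
    inv = {"api.example.test": ["v2"]}
    seen = [("api.example.test", "v2"), ("api.example.test", "v1"),
            ("old.example.test", "v1")]
    print("drift:", reconcile(inv, seen))
```

Running the module prints a 410 for the `/v1/` path and lists the two `v1` exposures as drift; in practice `reconcile` would be fed from the same source of truth the asset management process maintains, so that a host serving a version nobody approved fails the check before it reaches production.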
Scenario #2
Attackers take advantage of insufficient logging and monitoring to probe systems without being detected. Without logging and monitoring, it is almost impossible to track suspicious activity, and attackers have plenty of time to compromise systems fully.
A content-sharing platform was vulnerable to a "large-scale" credential stuffing attack. Despite unusually high numbers of failed logins, no alerts were triggered.
We recommended mitigating the vulnerability by updating the log management system. The SIEM was updated to continuously monitor infrastructure logs and produce priority alerts on custom dashboards. The testers worked with the security team to tune thresholds to detect low-and-slow reconnaissance attacks.
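The alerting gap in this scenario is concrete enough to show as detection logic. The block below is an added example, not the platform's or any SIEM product's rule: it parses a constructed authentication log format (`<ISO timestamp> auth result=<ok|fail> user=<name> ip=<addr>`), and raises three kinds of alert: a burst of failures from one source, the low-and-slow pattern (few failures per hour but many distinct usernames from one source over a long window), and a global spray across many accounts. The thresholds are illustrative placeholders that a real deployment would tune against its own baseline, which is the tuning work the scenario describes.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not the content platform's or any SIEM vendor's rule.
Log format is constructed: "<ISO timestamp> auth result=<ok|fail> user=<name> ip=<addr>".
Thresholds are illustrative and must be tuned against the real baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

BURST_WINDOW = timedelta(minutes=5)
BURST_FAILS = 20            # >= this many failures from one IP inside BURST_WINDOW
SLOW_WINDOW = timedelta(hours=6)
SLOW_DISTINCT_USERS = 15    # >= this many distinct usernames from one IP inside SLOW_WINDOW
SPRAY_WINDOW = timedelta(minutes=30)
SPRAY_MIN_USERS = 50        # failed logins across this many accounts, any source


def parse(line: str) -> Tuple[datetime, str, str, str]:
    """Return (timestamp, result, user, ip) from one constructed log line."""
    ts, _component, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["result"], fields["user"], fields["ip"]


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Stream lines in time order and return sorted (rule, subject) alerts.

    Each rule keeps a sliding window per subject; an alert fires once per
    (rule, subject) no matter how many times the threshold is exceeded.
    """
    alerts = set()
    burst: Dict[str, Deque[datetime]] = defaultdict(deque)             # ip -> failure times
    slow: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)  # ip -> (time, user)
    spray: Deque[Tuple[datetime, str]] = deque()                       # (time, user), all ips

    for line in lines:
        ts, result, user, ip = parse(line)
        if result != "fail":
            continue   # successful logins do not feed these rules

        window = burst[ip]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_FAILS:
            alerts.add(("burst", ip))

        history = slow[ip]
        history.append((ts, user))
        while ts - history[0][0] > SLOW_WINDOW:
            history.popleft()
        # Low and slow: rate stays under any burst threshold, but the set of
        # usernames tried from one source keeps growing.
        if len({u for _, u in history}) >= SLOW_DISTINCT_USERS:
            alerts.add(("low_and_slow", ip))

        spray.append((ts, user))
        while ts - spray[0][0] > SPRAY_WINDOW:
            spray.popleft()
        if len({u for _, u in spray}) >= SPRAY_MIN_USERS:
            alerts.add(("spray_global", "*"))

    return sorted(alerts)


def sample_log() -> List[str]:
    """Constructed log: one bursty source, one low-and-slow source, and
    a few legitimate successful logins as background noise."""
    base = datetime(2024, 1, 1, 0, 0, 0)
    lines = []
    for i in range(25):    # 25 failures in two minutes against one account
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} auth result=fail user=alice ip=198.51.100.7")
    for i in range(20):    # one failure every 12 minutes, each a different user
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t.isoformat()} auth result=fail user=user{i:03d} ip=203.0.113.9")
    for i in range(5):     # legitimate successes
        t = base + timedelta(minutes=7 * i)
        lines.append(f"{t.isoformat()} auth result=ok user=bob ip=192.0.2.{i + 1}")
    lines.sort()           # fixed-width ISO timestamps sort chronologically
    return lines


if __name__ == "__main__":
    for rule, subject in detect(sample_log()):
        print(f"ALERT {rule}: {subject}")
```

On the constructed log the burst rule fires for `198.51.100.7` and the low-and-slow rule for `203.0.113.9`, while the spray rule stays quiet because only 21 accounts are involved. The low-and-slow source never exceeds one failure per five minutes, so a burst-only rule, which is what many default dashboards amount to, would have missed it entirely; that is the point of tuning a second, longer window on distinct usernames rather than on raw failure counts.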
General Suggestions
API pen testing should be distinct from, and in addition to, your network, operating system, and application testing. If you can only test one thing, test the APIs. Also, test in development before the APIs go live, ideally with automated vulnerability testing in the build process and penetration testing in the release process.
Truvantis is a cybersecurity and privacy consulting organization with comprehensive expertise in implementing, testing, auditing, and operating information security programs. We specialize in helping our clients improve their cybersecurity and privacy posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk tolerance.
At Truvantis, we help organizations understand their API attack surface and weaknesses. Our API Pen Testing process replicates the techniques of a real-world attacker in searching for unexpected API vulnerabilities. Contact us to get started today.
Reference – OWASP API Top Ten - OWASP API Security Project