API Penetration Testing


What is API (Application Program Interface)?

An application programming interface (API) is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build or use such a connection or interface is called an API specification. A computer system that meets this standard is said to implement or expose an API. The term API may refer either to the specification or to the implementation.
APIs are used by programmers, mobile apps, web applications, and many industries. The average person interacts with APIs every day without being aware of it. The rapid growth of APIs brings many threats with it, and that is where API security testing comes in.
What is API Penetration Testing?
API penetration testing covers the processes of checking your APIs for vulnerabilities and hardening their endpoints. One of the most common web application threats is API abuse, which can disrupt the smooth running of any digital business. Issues like data leakage, unauthorized access, and parameter tampering can arise with any deployed API if it does not undergo comprehensive security testing.
API Penetration Testing: Things To Be Noted
Before starting the test, penetration testers should build a clear understanding of the users, roles, resources and responses of each API; that knowledge is what makes the interesting vulnerabilities findable.
Tools that can be used for API security testing include:
  1. Burp Suite.
  2. Postman.
  3. ZAP Proxy.
Some Important Security Issues in API
Sensitive Data Exposure:
Web developers tend to expose whole objects without considering the sensitivity of each individual field. This results in excessive data exposure, which can lead to API abuse. Sensitive data can be exposed in several ways, for instance in the request or the response of an API call.
Security Misconfiguration:
Insecure APIs, insecure default configurations, open cloud storage, error messages that reveal sensitive information, incomplete or ad-hoc configurations, misconfigured HTTP headers, and other weaknesses all result from security misconfiguration.
Typical examples of security misconfiguration include insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, overly permissive Cross-Origin Resource Sharing (CORS), and verbose error messages.
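As an added example (not code from the original article), the Python script below audits a captured API response for the misconfigurations just listed: reflected or wildcard CORS origins, credentials allowed for an untrusted origin, unnecessary HTTP methods, missing security headers, server version disclosure and verbose error bodies. The two sample responses are constructed, the trusted origin app.example.com is an assumption, and the finding names are this script's own.

```python
"""Audit a captured API response for common security misconfigurations.

Added example, not code from the original article. The two captured
responses below are constructed, the app.example.com origin is an
assumption, and the finding names are this script's own.
"""

# Origins the API is supposed to trust (assumption for this example).
ALLOWED_ORIGINS = {"https://app.example.com"}
# Methods an API endpoint almost never needs to advertise.
UNSAFE_METHODS = {"TRACE", "TRACK"}
# Headers a hardened JSON API response should carry.
REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Content-Type-Options", "Cache-Control")
# Substrings that mark a verbose error message leaking internals.
ERROR_MARKERS = ("traceback", "exception", "stack trace", "at line")

# Constructed samples: what an interception proxy might record for the same
# endpoint before and after hardening. request_origin is the Origin header
# the client sent with the request.
SAMPLE_RESPONSES = {
    "weak": {
        "status": 500,
        "request_origin": "https://evil.example",
        "headers": {
            "Access-Control-Allow-Origin": "https://evil.example",
            "Access-Control-Allow-Credentials": "true",
            "Allow": "GET, POST, PUT, DELETE, TRACE, OPTIONS",
            "Server": "Apache/2.4.29 (Ubuntu)",
            "Content-Type": "text/html",
        },
        "body": 'Traceback (most recent call last):\n  File "app.py", line 42, in get_orders',
    },
    "hardened": {
        "status": 200,
        "request_origin": "https://app.example.com",
        "headers": {
            "Access-Control-Allow-Origin": "https://app.example.com",
            "Access-Control-Allow-Credentials": "true",
            "Allow": "GET, POST, OPTIONS",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Content-Type-Options": "nosniff",
            "Cache-Control": "no-store",
            "Content-Type": "application/json",
        },
        "body": '{"orders": []}',
    },
}


def audit_response(resp):
    """Return a sorted list of finding names for one captured response."""
    findings = []
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"

    if acao == "*":
        findings.append("cors-wildcard-origin")
    elif acao and acao not in ALLOWED_ORIGINS and acao == resp["request_origin"]:
        # Server echoed whatever Origin the caller sent: any site can read the response.
        findings.append("cors-reflected-origin")
    if creds and acao and (acao == "*" or acao not in ALLOWED_ORIGINS):
        findings.append("cors-credentials-with-untrusted-origin")

    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    if allowed & UNSAFE_METHODS:
        findings.append("unnecessary-http-methods")

    if any(h.lower() not in headers for h in REQUIRED_HEADERS):
        findings.append("missing-security-headers")

    # A version number in Server tells an attacker exactly which advisories to read.
    if any(ch.isdigit() for ch in headers.get("server", "")):
        findings.append("server-version-disclosure")

    body = resp.get("body", "").lower()
    if resp["status"] >= 500 and any(marker in body for marker in ERROR_MARKERS):
        findings.append("verbose-error-message")

    return sorted(findings)


if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        print(name, audit_response(resp))
```

Run as a script it prints the findings for both captures; the hardened response yields none. Feeding it real captures means replacing the constructed dictionaries with the headers and body exported from your proxy.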
Authentication and Authorization:
APIs often use different authentication methods for their mobile and web clients. Test both APIs separately and try to bypass each authentication method.
Example: /api/v3/login and /api/app/login
Access control policies with a complicated hierarchy, many groups, and an unclear separation between administrative and regular roles lead to authorization errors. Attackers can gain access to these administrative functions and exploit them. Always test for IDOR: object-level authorization checks should be present in every function that accesses a data source using user-supplied input.
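The handler pair below is an added example, not code from the article. It covers both the excessive data exposure discussed under Sensitive Data Exposure and the object-level authorization check discussed here: the vulnerable version trusts the client-supplied id and returns the whole record, while the hardened version enforces ownership and serializes only a per-role allow-list of fields. The order records, the roles "customer" and "admin", and the function names are constructed.

```python
"""Object-level authorization plus an explicit response allow-list.

Added example, not code from the original article. The order records,
the role names "customer" and "admin", and the handler names are
constructed for illustration.
"""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised where an HTTP handler would answer 404."""


@dataclass
class Session:
    user_id: int
    role: str  # "customer" or "admin" (constructed roles)


# Constructed backing store. Each record holds fields that must never reach
# a client unfiltered (card digits, internal notes).
ORDERS = {
    100: {"id": 100, "owner_id": 1, "total": 42.0, "card_last4": "4242", "internal_notes": "VIP"},
    101: {"id": 101, "owner_id": 2, "total": 13.5, "card_last4": "1111", "internal_notes": "chargeback 2023"},
}

# Response schema per role: a field not listed here is never serialized,
# whatever the backing record contains.
ORDER_FIELDS = {
    "customer": ("id", "total"),
    "admin": ("id", "owner_id", "total", "card_last4"),
}


def get_order_vulnerable(session, order_id):
    """The pattern the article warns about: the client-supplied id is trusted
    and the whole record is returned, so any logged-in user reads any order."""
    return dict(ORDERS[order_id])


def get_order(session, order_id):
    """Look up an order, enforce ownership, and serialize only allowed fields."""
    order = ORDERS.get(order_id)
    owns_it = order is not None and order["owner_id"] == session.user_id
    # Same NotFound for "does not exist" and "not yours": a different
    # response for each would let a caller enumerate valid ids.
    if order is None or (session.role != "admin" and not owns_it):
        raise NotFound(f"order {order_id}")
    return {field: order[field] for field in ORDER_FIELDS[session.role]}


def is_authorized(session, order_id):
    """Boolean form of the same check, convenient for tests and middleware."""
    try:
        get_order(session, order_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    alice, admin = Session(1, "customer"), Session(3, "admin")
    print(get_order(alice, 100))            # only id and total
    print(is_authorized(alice, 101))        # False: Bob's order
    print(get_order(admin, 101))            # admin view, still no internal_notes
    print(get_order_vulnerable(alice, 101)) # the leak: everything, for anyone
```

When testing a real API, the same two questions apply to every endpoint that takes an identifier: does swapping the id for another user's object still succeed, and does the response carry fields the caller's role should never see.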
SQL injection, command injection, and NoSQL injection are all injection flaws: data from an untrusted source is sent to an interpreter as part of a query or a command. Injection flaws are very common and are often found in SQL, LDAP, or NoSQL queries, OS commands, XML parsers, and ORMs. These flaws are easy to discover when reviewing the source code, and attackers can find them with scanners and fuzzers. A successful injection gives the attacker access to any information without authorization. You also need to know the OWASP API Security Top 10 (2019).

Credit: Saeel Relekar

