Beyond Security Blog

Defuzzing API Testing: The Search for Vulnerabilities

What kind of cyberthreats target APIs? Can you depend on API-enabled platforms and services to protect your customer and corporate data? Our quick guide will explain.

REST APIs have allowed us to create modern web and mobile applications. By using the power of an API, we can open up the world of services, pulling in data, sharing information and oiling the wheels of the internet.

But building an API-enabled service also means that you potentially open up your web or mobile application to cybercriminals.

In the first nine months of 2019, 7.9 billion data records were breached; many of these breaches originated at the API layer.

API-enabled systems and services come with an Achilles heel in the form of security vulnerabilities. As APIs have blossomed, data breaches have followed. Here, we take a deep dive into API attack vectors and how using API fuzz testing can help find them. 


Top ways API breaches happen

Before you do anything, you need to know what you are dealing with; this is also true for API security. Because web applications use APIs that share data across a very wide surface, if you don’t find a vulnerability first, someone else will.

Fortunately, there is an industry group, the Open Web Application Security Project (OWASP), which researches where APIs are most at risk. The OWASP API Security Project outlines a ‘top ten’ list of the areas where an API is most at risk. Included in this list are vulnerabilities such as:

Security misconfiguration: One of the main ways that APIs can be attacked is if they are insecurely configured. Attackers can easily look for insecure instances of API-based services – such as your API-enabled web application – using the search engine Shodan. Attackers used Shodan to detect an instance of Elasticsearch which was insecure and open for the world to see; this resulted in the personal data of over 56 million US citizens being exposed.

HTTP instead of HTTPS: HTTPS is the secure (TLS-encrypted) version of HTTP, the protocol that transfers data (such as HTML documents) between web servers and clients. If an API-enabled web service uses HTTP instead of HTTPS, it will be vulnerable to a cyber-attack in which sensitive and personal data in transit can be intercepted and stolen.

Injection attacks: Attackers can use vulnerabilities in an API to introduce (inject) malicious code. This code can make the service act according to an attacker’s wishes, e.g., send the attacker the personal data of users. A cyber-attack at Heartland Payment Systems exposed 134 million credit cards when cybercriminals exploited an injection vulnerability.

Other things to consider:

Third-party integrations 

APIs, by design, often connect across many third-party services. This places API-enabled web services at a high risk of containing vulnerabilities. However, a Deloitte survey found: 

“62 percent of CEOs fail to hold their extended enterprise to the same risk standards as their own”.

Because vulnerabilities come in all forms and across the entire extended API surface, API-enabled web applications must be tested in a holistic and dynamic manner. 

Hunting for API vulnerabilities

The REST API attack surface is large and complex, often containing many third-party integrations. The very interoperability that REST APIs are designed for makes them vulnerable. Making headway in locating vulnerabilities in APIs requires a systematic plan of action and smart tools for the job. The following steps are a guide for any API vulnerability hunter when testing their service:

Know what you are looking at: Have a blueprint of your expanded API services and all components. Plan out your approach. Make sure it covers everything. You may also need to look at specific compliance areas that impact data security in your industry. 

Know your data: What data flows through which web applications? Categorize the data into different levels of priority in-line with your business. 

Know your vulnerabilities: Determine which vulnerabilities are a priority. For example, Sucuri’s “Website Threat Report 2019” found that “Primary infection vectors include vulnerable third-party components and software defects.” Prioritization helps when you later detect vulnerabilities.

Black box and fuzz testing for vulnerability detection: To find vulnerabilities in extended cloud services you need to be able to use a tool that can look deeply into the underlying REST APIs.

  • API test tools are used to automate and standardize tests across your entire product line.
  • Black box testing is a way to dig deep into the potential attack surface of an API-enabled web application without needing its source code.
  • Multi-protocol fuzz testing works systematically across the entire API surface; the ‘fuzz’ is random, malformed or invalid input sent to every parameter, and any crash or unexpected server error it triggers is a potential vulnerability.
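To make the fuzzing step concrete, here is an added example (not code from Beyond Security or from any product the post mentions) of a minimal API fuzz harness. It assumes a constructed endpoint schema and a constructed, deliberately buggy handler standing in for a REST endpoint; the harness feeds each parameter malformed and boundary values and reports crashes and 5xx responses as findings.

```python
"""Minimal REST-style API fuzz harness (illustrative, constructed example)."""
from typing import Any, Callable, Dict, List, Tuple

# Constructed endpoint schema: parameter name -> expected type (assumption).
SCHEMA = {"user_id": "integer", "email": "string", "age": "integer"}
VALID_BODY = {"user_id": 42, "email": "a@example.com", "age": 30}

# Type-aware "fuzz" values: boundaries, wrong types, empties, oversized input.
MUTATIONS: Dict[str, List[Any]] = {
    "integer": [-1, 0, 2 ** 63, "abc", None, [], ""],
    "string": [None, "", "A" * 10000, "\"'<>&", 123, {"k": 1}],
}

Handler = Callable[[Dict[str, Any]], Tuple[int, Any]]


def fuzz_endpoint(handler: Handler, schema: Dict[str, str]) -> List[Dict[str, str]]:
    """Mutate one parameter at a time and record crashes and 5xx responses."""
    findings = []
    for field, kind in schema.items():
        for bad in MUTATIONS[kind]:
            body = dict(VALID_BODY)
            body[field] = bad
            try:
                status, _ = handler(body)
            except Exception as exc:  # unhandled exception == crash finding
                findings.append({"field": field, "input": repr(bad)[:40],
                                 "result": f"crash: {type(exc).__name__}"})
                continue
            if status >= 500:  # server error on bad input == finding
                findings.append({"field": field, "input": repr(bad)[:40],
                                 "result": f"status {status}"})
    return findings


def toy_handler(body: Dict[str, Any]) -> Tuple[int, Any]:
    """Constructed buggy endpoint: validates user_id but not the other fields."""
    if not isinstance(body.get("user_id"), int):
        return 400, "bad user_id"
    age = int(body["age"])            # bug: ValueError/TypeError escape as a crash
    email = body["email"].lower()     # bug: AttributeError on non-string input
    if len(email) > 254:
        return 500, "unexpected"      # bug: oversized input yields a 5xx, not a 4xx
    return 200, {"user_id": body["user_id"], "email": email, "age": age}


if __name__ == "__main__":
    for finding in fuzz_endpoint(toy_handler, SCHEMA):
        print(finding)
```

The validated parameter (user_id) produces no findings, while the unvalidated ones surface crashes and a 500, which is exactly the signal a fuzzing run feeds into the risk management step described below.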

Apply your vulnerability knowledge: The output from a black box and fuzz testing process is used as part of a risk detection and management process. This builds the information needed by your security team to make sure that no malicious entity exploits an API vulnerability.

Your web service is a valuable commodity, one which a cybercriminal will exploit if they find a way in. Attackers are always on the lookout for API vulnerabilities, so you have to do the same. Using automated tools such as fuzz testing, you can beat the hackers at their own game.

Knowing what vulnerabilities exist in your web service is an essential step in the fight against API-based cybercrime. 

Concerned you might have an API vulnerability, or just want to be a step ahead of threats? Contact us to schedule a free demo of our network and application vulnerability assessment products.

Beyond Security

Beyond Security is a global leader in automated vulnerability assessment and compliance solutions – enabling businesses and governments to accurately assess and manage security weaknesses in their networks, applications, industrial systems and networked software at a fraction of the cost of human-based penetration testing.
