Issue 202: Six top API security risks, why APIs have no clothes, and a guide on API security testing


This week, we have an article on the six top API security risks being favored by attackers, an article on why your APIs have no clothes, a guide on API security testing to improve security and data confidentiality, and finally, news of API security testing training courses being offered by @theXSSRat.

Due to annual vacation, there will be no APISecurity.io newsletter for the next two weeks — the next issue will be #203 on Thursday 6th October.

Article: Six top API security risks favored by attackers

The HackerNews has featured views on the top six API risks favored by attackers:

  • No API visibility and monitoring = risk: Without visibility into the API assets you own, it is impossible to assess the risk they present or to protect them adequately. Make every effort to inventory your APIs, manage their lifecycles, and ensure you are tracking and monitoring the data the APIs handle.
  • API incompetence: Poor API design and implementation can lead to security risks.
  • Service availability threats: Bot attacks are increasingly a threat against APIs, and protection (such as rate limiting or bot defenses) should be employed to prevent denial of service (DoS) attacks.
  • Hesitating over API utilization: There is a fine line between rushing to release new business features and managing risks exposed by new APIs which may not have been adequately tested.
  • API injection: As with web applications before them, APIs are vulnerable to injection attacks, such as SQL injection, command injection, or XML injection.
  • Attacks against IoT devices through APIs: IoT devices rely on APIs for interconnection, and these APIs may be vulnerable or not actively maintained and updated.

While some of these risks are well understood, I found the topic of API utilization an interesting one — how to balance risk versus business opportunity.

Article: Your APIs have no clothes

This week, SecurityBoulevard has featured an interesting article on why APIs have no clothes — APIs being the digital equivalent of the protagonist in Hans Christian Andersen’s folktale The Emperor’s New Clothes. In the story, the emperor was exposed, but no one told him or was willing to do anything about it. Not so different from where you might find yourself with APIs.

The first challenge to API security the author highlights is presented by the disappearing perimeter. Organizations can no longer rely on perimeter protections, such as firewalls, to protect their assets. The adoption of cloud technology and PaaS has meant that the external perimeter is largely eroded. Instead, the focus needs to move to protect the API endpoints themselves by using advanced authentication like multi-factor authentication (MFA), and monitoring multiple levels of the network to identify attacks.

As ever, the lack of cybersecurity talent and skills only exacerbates the problem, and nowhere is this more acutely felt than with APIs. Many of the lessons learned with protecting web applications no longer apply to APIs, and teams need to learn new skills or adapt their methods to protect APIs.

To remedy this and get your APIs covered, the author suggests going back to the basics in protecting APIs, namely:

  • Authentication
  • Auditing and logging
  • Encryption

Article: API security testing to improve security and data confidentiality

Next we have an article on how API security testing can improve the security of an API as well as its data confidentiality. Although the article is hardly a comprehensive guide to the topic, the author does suggest three different approaches.

Firstly, you can engage a pentesting company specializing in API pentesting, with the skills and experience to identify API-specific vulnerabilities. Typically, the skills required include detecting broken authentication and authorization, business logic testing, payment manipulation testing, security misconfiguration, and injection attacks.

Alternatively, you could turn to API-specific tooling. The author suggests two tools, each with a slightly different testing approach:

  • Assertible can perform automated testing against APIs after they have been deployed, to check that they operate correctly and whether they contain any vulnerabilities. This testing approach focuses on the underlying API definition and its details.
  • Apache JMeter is a web application load testing framework that can be utilized to perform load and fuzz testing of APIs. The focus of this testing is more on incoming requests and traffic load, as well as error handling.

Of course, going with one of these approaches does not close the door on the others. One could argue that — resources willing — the most all-round security would be achieved with a combination of the three: use tools to check the quality of your API definition and its implementation to fix the more basic issues, then take advantage of the human ingenuity and out-of-the-box thinking of specialist pentesters to uncover potential attack vectors that mere tools might not be able to find.

Training: API security testing training courses from @theXSSrat

Finally this week, the popular pentesting trainer @theXSSrat has announced that new courses are available on Udemy, covering the following topics:

  • OWASP ZAP For Pentesting And Bug Bounties From Scratch
  • API Security Testing Guide
  • Uncle Rat’s XXE Handbook
  • Broad Scope Bug Bounties From Scratch

Udemy is currently offering some courses for free or at heavily discounted prices. “Uncle Rat”, aka Wesley, has a very entertaining presentation style, and I’d highly recommend any of his training content.
