Issue 43: REST API Security Testing

This week, we have a conference talk recording demonstrating API pentesting;ย  see how the w3af web scanner can be used for APIs; look at SAP’s API security best practices; watch Cisco pay $8.6 million for not fixing vulnerabilities quickly.

Conference talks

The OWASP Global AppSec Tel Aviv conference has published a video recording of the “Testing and Hacking APIs” talk by Inon Shkedy.

Shkedy demonstrates approaches to API penetration testing, including:

  • Analyzing payloads and authentication
  • Broken object-level access control (aka IDOR)
  • Mass assignment
  • Improper data filtering
  • Expanding attack surface

Tools: w3af

Artem Smotrakov explains how the w3af web scanner can be used for REST API security testing. His article includes:

  • API discovery
  • Authentication
  • Disabling validation
  • Sample configuration
  • Context-specific parameters
  • Result analysis

Best practices

SAP has published their API Security Best Practices in a blog series. The posts naturally promote SAP’s own tooling but the detailed practices can be useful regardless of which technology you use.

The discussed best practices include:

  • IP whitelisting
  • Rate limiting
  • Data masking
  • JSON/XML/SQL injection attacks
  • Logging
  • Alerting

Price of vulnerability

Cisco got fined $8.6 million for knowingly selling their Video Surveillance Manager (VSM) product that included API vulnerabilities to US federal and state agencies. The actual API flaws included lack of user input validation and insufficient authentication. The basis for the fines is for ignoring the security issues for a long time while still continuing to sell the solution.

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy