Definition

API security testing entails testing the endpoints of an application programming interface (API) for security, correctness, and reliability, to ensure it complies with an organization’s best practices.

What is the origin of API security testing?

The modern concept of APIs was born in 2000, when Salesforce launched its web-based sales automation API in an “internet as a service” model. Since then, APIs have exploded in popularity and prevalence.

Today, APIs continue to grow in number, serving as a fundamental part of modern software development across industries. In 2020, 61% of developers reported using more APIs than in the previous year. And 71% anticipate using even more APIs in coming years.

This increase in API usage is due in part to the standards that organizations have developed to encourage API adoption. Specifications like OpenAPI and AsyncAPI help define the files required to describe APIs. These files then help organizations identify the necessary documentation, integrations, and testing tools to effectively manage their APIs.


How does API security testing work?

Security testing helps ensure that basic security requirements have been met, including the conditions of user access, encryption, and authentication concerns. The idea behind API scanning is to craft inputs to coax bugs and undefined behavior out of an API, essentially mimicking the actions and attack vectors of would-be hackers.

API security testing begins by defining the API to be tested. Testers provide information on inputs and outputs of the API, using a variety of specification formats including OpenAPI v2 / v3, Postman Collections, and HAR files. API security tests use this information to construct fuzzed input tailored to the input the API expects. 

The output of API security testing is a report of any vulnerabilities or bugs found while fuzzing the API. This could include findings such as SQL and OS command injections, authorization/authentication bypasses, path traversal issues, and OWASP Top 10 API vulnerabilities including broken auth, security misconfiguration, and data exposure. 


Why is API security testing important?

APIs are the heart of many applications, providing developers with powerful interfaces to the services an organization has to offer. Ensuring that APIs are conformant to published specifications and resilient to bad and potentially malicious input is critical to an organization’s overall security. 

Traditional DAST scanners cannot cover APIs completely; they cover only a small portion of them. If an organization’s front end does not interact with all API endpoints, traditional DAST scanners will miss them. It is therefore essential to adopt a comprehensive API testing strategy that targets issues in all of an API’s endpoints.


What are the benefits of API security testing?

At the most basic level, API security testing helps identify and prevent vulnerabilities and their associated potential organizational risk. 

Specifically, API security testing is fine-tuned to both the API being tested and an organization’s overall strategy and best practices. API scanners work at a deeper level, examining the APIs that power single-page web apps, IoT devices, or mobile apps. By understanding what an API expects as input, API scanners can intelligently fuzz data to uncover hidden bugs.

API security testing tools also help enforce the correctness of an API, scanning the business logic of an API rather than just the input validation provided by the front end.

API security testing can also help identify where an API diverges from published API specifications. For example, if a specific endpoint should respond with a particular HTTP status but another is detected during a scan, the testers will alert the appropriate stakeholder. This helps ensure that the developers who leverage the APIs have an experience consistent with published specifications.
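An added illustration of two ideas on this page, spec-driven fuzzing from the "How does API security testing work?" section and spec-divergence detection from the paragraph above; it is written for this page and is not Synopsys or Tinfoil code. It reads a constructed OpenAPI 3 fragment, derives boundary and wrong-type values from each parameter's schema, sends them to a constructed stand-in endpoint (`fake_endpoint`, an assumption), and flags any response status the spec does not declare.

```python
# Constructed OpenAPI 3 fragment for one endpoint (sample data, not a real API).
SPEC = {"paths": {"/users/{id}": {"get": {
    "parameters": [
        {"name": "id", "in": "path", "schema": {"type": "integer", "minimum": 1}},
        {"name": "fields", "in": "query", "schema": {"type": "string", "maxLength": 16}},
    ],
    "responses": {"200": {}, "404": {}},
}}}}

def fuzz_values(schema):
    """Derive boundary and wrong-type values from a parameter's JSON schema."""
    t = schema.get("type")
    if t == "integer":
        lo = schema.get("minimum", 0)
        return [lo, lo - 1, -1, 2**31, 2**63, "abc", ""]
    if t == "string":
        n = schema.get("maxLength", 64)
        return ["", "a" * (n + 1), "\u00e9" * n, 42]
    return [None]

def fuzz_cases(spec):
    """Expand every parameter of every operation into (method, path, name, value)."""
    return [(method, path, p["name"], v)
            for path, ops in spec["paths"].items()
            for method, op in ops.items()
            for p in op.get("parameters", [])
            for v in fuzz_values(p["schema"])]

def status_declared(spec, path, method, status):
    """True if the spec declares this status (or a 'default') for the operation."""
    declared = spec["paths"][path][method]["responses"]
    return str(status) in declared or "default" in declared

def fake_endpoint(params):
    """Constructed stand-in for the API under test: 500 on a non-integer id."""
    try:
        uid = int(params.get("id", 1))  # no type validation before int(): the bug
    except (TypeError, ValueError):
        return 500
    return 200 if uid >= 1 else 404

def run_scan(spec, handler):
    """Send every fuzz case; report (param, value, status) when the status is undeclared."""
    findings = []
    for method, path, name, value in fuzz_cases(spec):
        status = handler({name: value})
        if not status_declared(spec, path, method, status):
            findings.append((name, value, status))
    return findings
```

Running `run_scan(SPEC, fake_endpoint)` reports the two wrong-type `id` values that make the stand-in return an undeclared 500, which is exactly the kind of spec divergence and crash a scanner would hand to the endpoint's owner.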


What are the challenges of API security testing and how can Synopsys help?

Synopsys offers Tinfoil™ API Scanner, a powerful, automated RESTful and GraphQL API security scanner that can test for the correctness of responses from an API and scan for common security vulnerabilities.

Tinfoil API Scanner is also available as a standalone on-premises appliance, so it can scan internal APIs. Tinfoil API Scanner is language-agnostic—it can scan anything that provides a RESTful or GraphQL interface. No matter how an application is implemented, Tinfoil can scan it.

The challenges that Tinfoil can help solve include:

  • Large and complex APIs are difficult to test by hand; Tinfoil API Scanner can help automate the entire process.
  • Undocumented APIs can have an initial OpenAPI 3 document generated from Postman Collections or HAR files using the ingestion features. Tinfoil API Scanner automatically picks up on changes in GraphQL APIs using the built-in introspection ability. Few other products can perform GraphQL DAST scanning.
  • Organizations face the challenge of scanning internal APIs. Synopsys offers a standalone on-premises solution.
  • Some APIs require authentication to be properly tested. Tinfoil can follow all API authentication requirements so it can fully scan all endpoints. It can also identify authorization/authentication bypass issues in APIs.
  • Tinfoil is an intelligent fuzzer, so it can use what it knows about an API’s accepted parameters to identify less-obvious bugs.
