API penetration testing: What, why, how?

December 21st, 2021 Posted in Information Security

An application programming interface (“API”) penetration test is a security assessment carried out by a penetration tester to validate that the APIs in scope are appropriately secured. The tester uses the same tactics, tools and techniques as would be used by a real-world attacker. The objective of the test is to discover vulnerabilities that could impact the confidentiality, integrity or availability of an enterprise’s data or infrastructure – and provide steps for them to be remediated.  

What is an API?

An application programming interface (“API”) is a software intermediary between different applications. A set of defined rules enables systems to communicate with each other. You can think of APIs as connective tissue or messengers that run between systems, allowing data transfer from application to application. The two most common types of APIs are Representational State Transfer (“REST”) and Simple Object Access Protocol (“SOAP”).

Most of today’s popular web and mobile applications use APIs. They enable companies to collaborate with third-party developers, suppliers, and partners, allowing information and data transfer across systems. APIs also allow for the transfer of data within systems that consist of multiple discrete applications or software components working together. An API, therefore, enables integration, interoperability and the seamless transfer of data. APIs also offer a threat actor an entry point into the systems that use them, and a route to the data processed by those applications.

Why Test the Security of APIs?

The prevalence of APIs means that they are a common target for threat actors. According to a report from Salt Security, 91% of organisations had an API security incident in 2020. Meanwhile, in a recent Gartner webinar on API security, the analyst firm predicted that, by 2022, API attacks will be the most frequent attack vector that causes data loss for enterprise web applications.   

As an example, consider Instagram. It used APIs to allow users to reset their passwords by sending a 6-digit code to the account owner’s mobile device. Instagram limited the number of code submissions per IP address but did not limit the number of attempts per account. This allowed a threat actor to exploit this weakness and hijack the accounts of multiple high-profile users, as TIME reported in its coverage of the incident.
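The following is an added illustration, not code from the article or from Instagram: a minimal reset-code verifier that can be run with the per-IP-only limit the paragraph describes, or with an additional per-account attempt cap. The limit values, the account and IP names, and the `guesses_checked` harness are assumptions constructed for the example; the harness only shows how many wrong guesses each configuration actually compares against the code.

```python
import secrets
from collections import defaultdict

# Illustrative limits (assumed values, not Instagram's real configuration).
MAX_ATTEMPTS_PER_IP = 200
MAX_ATTEMPTS_PER_ACCOUNT = 5
CODE_TTL_SECONDS = 600

class ResetCodeVerifier:
    """Checks 6-digit reset codes. limit_per_account=False reproduces the
    per-IP-only scheme described above; True adds the per-account cap."""

    def __init__(self, limit_per_account: bool):
        self.limit_per_account = limit_per_account
        self.codes = {}                        # account -> (code, issued_at)
        self.ip_attempts = defaultdict(int)
        self.account_attempts = defaultdict(int)

    def issue_code(self, account: str, now: float) -> str:
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.codes[account] = (code, now)
        self.account_attempts[account] = 0     # fresh budget per issued code
        return code

    def verify(self, account: str, submitted: str, ip: str, now: float) -> str:
        """Returns 'ok', 'bad_code', 'expired', 'ip_limited' or 'account_limited'."""
        if self.ip_attempts[ip] >= MAX_ATTEMPTS_PER_IP:
            return "ip_limited"
        if self.limit_per_account and self.account_attempts[account] >= MAX_ATTEMPTS_PER_ACCOUNT:
            return "account_limited"
        self.ip_attempts[ip] += 1
        self.account_attempts[account] += 1    # counted before the comparison
        entry = self.codes.get(account)
        if entry is None or now - entry[1] > CODE_TTL_SECONDS:
            return "expired"
        if secrets.compare_digest(entry[0], submitted):
            del self.codes[account]            # codes are single-use
            return "ok"
        return "bad_code"

def guesses_checked(limit_per_account: bool, n_ips: int = 50) -> dict:
    """Constructed test: wrong guesses for one account arrive from n_ips
    addresses, each staying under the per-IP cap. Returns outcome counts."""
    v = ResetCodeVerifier(limit_per_account)
    v.codes["victim"] = ("123456", 0.0)        # fixed code for a deterministic test
    outcomes = defaultdict(int)
    for i in range(n_ips * MAX_ATTEMPTS_PER_IP):
        outcomes[v.verify("victim", "000000", f"198.51.100.{i % n_ips}", 1.0)] += 1
    return dict(outcomes)
```

With only the per-IP limit, every one of the 10,000 wrong guesses is compared against the code; with the per-account cap, only five are, and the rest are refused regardless of source address.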

The potential impact of a breach resulting from API vulnerabilities mandates the need for action from enterprises. They must first embed security by design into their API building processes by building security testing into the CI/CD pipeline. Measures such as Static Application Security Testing (“SAST”) are essential for detecting and mitigating design flaws in APIs. However, such analysis does not necessarily identify the business logic flaws that cause many API security incidents. For this reason, organisations should also look to conduct frequent API penetration testing.

What are the most common API vulnerabilities?

Multiple vulnerabilities can impact APIs. The top 10 most common weaknesses can be found in OWASP’s API Security Top 10, launched in 2019. This document is a slight adaptation of the web application Top 10. Rather than focusing on broad-stroke web application vulnerabilities, this guidance helps application developers and penetration testers mitigate the unique vulnerabilities and security risks of application programming interfaces.

As you’ll see in the Top 10 list, only one entry is a traditional “vulnerability”: number 8, which focuses on injections. The other entries instead focus on logic or programming errors in the software stack, specific to each API. The Top 10 also highlights the significance of authorisation and authentication in API security incidents. This differs from typical web application attacks, which often rely on vulnerabilities such as cross-site scripting. Your pen-testing partner should be familiar with the OWASP Top 10 and use it as part of their penetration testing methodology.

How does an API pen test work?

An API penetration test occurs in five stages: preparation, reconnaissance, vulnerability analysis, exploitation and reporting. A specialist penetration tester can assess all kinds of API implementations for potential vulnerabilities. These tests are an essential way to determine the security of your APIs and are necessary to identify and manage exploitable weaknesses.

For an overview of different types of penetration tests, read our guide to penetration testing.

At the end of the penetration test, the tester should provide you with a report listing the vulnerabilities discovered, along with guidance on how to remediate them. The report should be followed by a ‘wash-up call’, where you can discuss the findings, vulnerabilities and recommendations in more detail.

A typical penetration test is structured as follows: 

  • Preparation: Firstly, the testing provider and you will agree on the scope of the test, which will include identifying your testing goals, going over the rules of engagement and confirming the project’s scope and timeline.
  • Reconnaissance: Before beginning testing, the tester will gather as much information as possible about the target API, including details such as authentication credentials, IP addresses, URLs and example test cases.
  • Vulnerability analysis: Armed with the information they have gathered, the tester will look to identify vulnerabilities in the target API – looking at both the application and network layers. To do this, they will log machine names, network sources and application services to gain a deeper understanding of the API and its potential weaknesses. The tester will use a mixture of automated vulnerability scanning and manual techniques here. As they go, they will note which vulnerabilities present the most risk and prioritise their testing based on these findings.
  • Exploitation: During this stage, the tester will test the vulnerabilities they have already identified to confirm they are exploitable. They will determine which vulnerabilities truly pose the most risk and document their findings. This phase is necessary for deciding whether vulnerabilities are real and true positives, and it may lead to the discovery of further vulnerabilities that are only visible post-exploitation.
  • Reporting: Once this is complete, it’s time to report the findings to the client. This will take the form of a detailed report, often along with the option to have a debrief meeting to talk through the results and answer any questions. The testers will advise which vulnerabilities to prioritise fixing based on their risk factor.

When should organisations conduct API pen tests?

Penetration tests should form a core part of your API security programme. The development industry is, broadly speaking, “shifting left”, meaning there is more focus on security by design before launching APIs. However, even in these cases, errors and vulnerabilities frequently remain. For this reason, we recommend performing an API penetration test just before launch – and then at least annually after that.

In cases where significant changes are made to the web application relating to the API, you should also conduct a penetration test. If you’re unable to organise a penetration test prior to the API’s deployment, we advise getting one as soon as possible thereafter.   

Need Help?

If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions or remediations from our findings. Contact us for a friendly chat.  


Written by Thomas O'Donnell

Thomas is one of our penetration testers, specialising in IT infrastructure and web application testing. He started his career as a creative media and software developer before moving into security consulting, centred around Cyber Essentials certification services. His qualifications include CREST Practitioner Security Analyst (CPSA) and he is working towards gaining his CREST Registered Tester (CRT) qualification.