APIs, while commonly thought of as simple connections between apps, are complex systems that can and often do have vulnerabilities. In fact, API vulnerabilities can be as serious as those found in your primary application. Yet, API testing remains relatively rare. Regular API assessments check whether vulnerabilities exist, what they are, and look at ways to fix them.
However, testing Application Programming Interfaces isn’t always as straightforward as pentesting a web application. For example, you may not be able to provide the URL and simply direct us to test everything underneath. Instead, testing your APIs involves looking at data, gaining API access, and ensuring we can see everything that might be at risk, without accessing the API through the various applications it connects to.
At Cyver, we’ve been testing APIs nearly since they were first introduced. We take a grey-hat approach, assessing SOAP, REST, and other systems, to look for vulnerabilities that could put your organization at risk. And, our pentest-as-a-service delivery means your developers receive our findings as tickets, so you can roll remediation into the next sprint, and stay secure.
Why Pentest APIs?
API pentesting is conducted for the same reasons you pentest web applications, servers, and full environments. In fact, APIs are quickly becoming the most common vector for data breaches. That’s made especially evident by high-profile API-related breaches like the 2019 Venmo disclosure or the 2018 Salesforce API breach. Both of these companies are huge. Salesforce makes up 9.3% of the total Software-as-a-Service market. And hackers still used the API to gain access to their enterprise platforms.
That’s crucial, considering many companies ignore or simply don’t test APIs. For example, OWASP didn’t actually extend its Top 10 to cover APIs until 2019. Yet, APIs remain a business risk.
- APIs function as messenger applications, sending and retrieving requests from one application to another.
- APIs are complete systems of code and commands, usable by, and granted access to, multiple applications and systems.
Unauthorized access to either of these functions can wreak havoc, not just in your systems, but also in whatever systems the API connects to (depending on access controls).
What is API Pentesting?
In most cases, when we test an API, we follow OWASP guidelines. This means running checks for:
- Missing Object Level Access Control
- Broken Authentication
- Excessive Data Exposure
- Lack of Resources and Rate Limiting
- Missing Function/Resource Level Access Control
- Mass Assignment
- Security Misconfiguration
- Improper Assets Management
- Insufficient Logging and Monitoring
These checks also include looking for and exploiting vulnerabilities where possible: for example, checking whether the API responds to cross-site scripting, whether authorization and authentication can be bypassed, whether SQL injection works, etc. In most cases, this will include a thorough look at CSRF, XSS, SQL injection, and sometimes even DDoS entry points, depending on your needs.
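As an added illustration (not Cyver’s code) of what three of the checks above look like in practice, here is a tiny in-memory user API with each handler in a vulnerable form beside its hardened form, plus a run_checks harness in the spirit of a tester’s test cases. The records, field names and function names are constructed for this example.

```python
def make_db():
    # Constructed sample records; "password_hash" must never leave the server.
    return {
        1: {"id": 1, "email": "alice@example.test", "role": "user", "password_hash": "h1"},
        2: {"id": 2, "email": "bob@example.test", "role": "user", "password_hash": "h2"},
    }

PUBLIC_FIELDS = ("id", "email", "role")  # what a GET may return
WRITABLE_FIELDS = ("email",)             # what a PUT may change

class Forbidden(Exception):
    pass

def get_user_vulnerable(db, caller_id, target_id):
    # No object-level check, and the whole record is serialised (excessive data exposure).
    return dict(db[target_id])

def get_user_hardened(db, caller_id, target_id):
    if caller_id != target_id and db[caller_id]["role"] != "admin":
        raise Forbidden("caller may not read this object")
    return {k: db[target_id][k] for k in PUBLIC_FIELDS}

def update_user_vulnerable(db, caller_id, target_id, body):
    # Mass assignment: every key in the request body is copied into the record.
    db[target_id].update(body)
    return dict(db[target_id])

def update_user_hardened(db, caller_id, target_id, body):
    if caller_id != target_id:
        raise Forbidden("caller may not modify this object")
    rejected = set(body) - set(WRITABLE_FIELDS)
    if rejected:
        raise ValueError(f"fields not writable: {sorted(rejected)}")
    db[target_id].update(body)
    return {k: db[target_id][k] for k in PUBLIC_FIELDS}

def run_checks(get_user, update_user):
    """Three test cases in the spirit of the list above; True means the API passed."""
    db, results = make_db(), {}
    try:                                    # user 1 requests user 2's object
        get_user(db, 1, 2)
        results["object_level_access"] = False
    except Forbidden:
        results["object_level_access"] = True
    results["excessive_data_exposure"] = "password_hash" not in get_user(db, 1, 1)
    try:                                    # user 1 tries to write its own role
        update_user(db, 1, 1, {"email": "alice2@example.test", "role": "admin"})
    except ValueError:
        pass
    results["mass_assignment"] = db[1]["role"] != "admin"
    return results
```

Running run_checks against the vulnerable pair fails all three checks, while the hardened pair passes all three; a real engagement replaces the in-memory handlers with HTTP requests against the scoped endpoints.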
Pentesting APIs at Cyver
Once you onboard to Cyver’s Pentest-as-a-Service platform, Cyver Core, we’ll start the initial scoping and data gathering process. This means:
- IP Addresses
- Relevant URLs (e.g., https://run-api.com/v1/key)
- Endpoints (definitions, related details) e.g.;
- Access credentials
- Available documentation
- Test cases relevant to the environment being tested (for example, something that works in Postman doesn’t necessarily work in UAT)
This is a lot of data, especially compared to a standard pentest. However, we need it to ensure we can access the full API, test every function, and ensure security. Plus, you can upload this data inside our secure platform, to ensure your data is safe.
Performing the API Pentest
Normally, Cyver uses OWASP Top 10 guidelines for our pentests. You may prefer a different security standard. In either case, we use the API data supplied to us to thoroughly test the API on both the application and network layers. That typically includes checking for usernames, machine names, network resources, and services, and attempting to exploit each. We then use standardized testing methodologies like fuzz testing (malicious data injection), command injection, authorization testing, authentication tests, parameter checks, etc. The exact methodology will depend on whether you’re running SOAP, JSON, XML, etc.
Delivering the Report
Cyver delivers pentest reports in our pentest-as-a-service platform. You receive findings in the cloud, as tickets, linked to the specific assets you uploaded. Your team receives notifications as findings are available, so they can immediately get to work remediating the vulnerability. And, once you mark the problem as remediated, we reevaluate the vulnerability with a free retest.
API pentesting should be part of your normal security schedule. That’s why we offer schedulable, recurring pentests, with a credit system to put assessments in the hands of the people updating the API. And, with findings as tickets, Cyver’s pentest services are designed around remediation, so you stay secure.