Best Practices in API Testing
Modern web application development has become increasingly dependent on RESTful APIs in recent years. The RESTful approach to web API development is simpler and more scalable than legacy versions like SOAP (Simple Object Access Protocol).
Only HTTP is the only way to implement REST. This protocol powers the web. This means that vulnerable REST APIs pose similar risks to other web sites and applications. However, it is more difficult to test with automated web security scanners.
What is a REST API?
Before we get into the details about how to effectively test REST APIs for security, it’s important to clarify our intent.
An API is a way to transfer information between two computers systems. An API can either be implemented at the code or network level depending on whether the two systems are on the same machine.
An API is almost always used in a commercial context to refer to an interface on the internet, which is the most common way to connect disparate computer systems.
Modern Web APIs use REST (REpresentational state transfer) to implement them. This allows for all the information needed to access or modify the’state’ in one API call, such as updating a database or getting a record.
RESTful APIs allow for a clear separation of concerns between the front (presentation layer), and the back (data-access layer). Because a single RESTful API can be used simultaneously by mobile devices, web apps, and IoT devices, it has been recognized as an international standard. This makes RESTful the most cost-effective and flexible way to create modern applications.
Principles of RESTful API Security Testing
There are four core principles that must be followed when performing security testing on RESTful APIs. These principles are not easy to implement, as is often the case.
These simple principles can be easily implemented into a web server.
Inputs that are not of the correct type must be rejected
A. Corollary :Inputs that have null (empty) must be rejected.
Inputs with an insufficient size must be rejected
Understanding the more complex principles requires an intimate understanding of the acceptable values and users. It can be difficult to understand how REST APIs will be used without knowing these details.
The API must return the expected output for a given input value.
It is possible to test this if the input domain or the output range is simple (e.g numbers, integers). This is especially true when you create permissive RESTful APIs that allow users to submit their content (e.g. in a chat app).
Input value must not be outside of the expected domain.
This is straightforward when the domain is relatively simple (e.g input value should be integers greater than zero), but it becomes more complicated when users are able to supply content (e.g. a file upload endpoint could pose a significant security challenge).
The API should only provide data that the user is authorized to access.
This can be made easy if permissions are clearly defined and resources are stratified according to their permission level. However, authorization can be a difficult problem in practice. Okta is one example of a multi-billion-dollar company that has solved this problem.
Many APIs don’t meet these criteria because they aren’t tested properly. Breachage is a frequent occurrence. Whole industries exist to provide protection for APIs.
An API that is well-designed should provide the best defense against attacks. Therefore, effective testing should be a priority.
API Security Tests
The security auditing procedure consists of three types of testing. These are intended to protect an API from external threats.
Security testing confirms that the basic security requirements have been met. These questions include:
- How do you verify the identity of the end user to consume an API?
- Which encryption type is used for the stored data? At what points is the data encrypted for transmission?
- What conditions can users access resources?
This is the first stage of the audit and will help to prevent major vulnerabilities.
Penetration testing allows you to protect your application’s external surface from potential vulnerabilities that might have been overlooked during development.
This step involves attacking external aspects of API in a controlled environment. Automated tools like Acunetix or Netspark can be used to accomplish this.
The following steps should be followed when organizing a Penetration Test:
- Identify potential vulnerabilities for the application. For example, does it contain images that could be used to expose a directory traversal attack?
- You should order the items according to their risk. To get a better understanding about each vulnerability, you can visit the OWASP Top 10 site.
- Engineer sessions and requests that include the attacks are sent to the system, ideally both from within the network and from outside.
- Unauthorized access to the system should be reported and patched.
Fuzz testing is when an API is tested to its limits. It is the last part of a security auditing. You can do this by sending large requests at it and trying to vary the data as creatively as possible to cover potential vulnerabilities that could compromise security.
These vulnerabilities could be exploited via Denial Of Service attacks or Overflow attacks.
How to conduct a security test on an API
To test an API, you need to submit requests via client software to the endpoint of an application being evaluated. There are many options for free.
Postman and Insomnia are the most used clients. Because it’s easy to use and requires minimal configuration, Insomnia is the best option for small APIs. Postman is better if you have more complicated APIs. It stores authentication parameters and allows you to create collections. Postman can also automate testing via’monitors’ which are useful for applications that change frequently.
Automating parts or all of the Security Audit process can help speed up DevOps’ lifecycle. The Fuzz Test and Security Test are the easiest parts to automate.
Step 1: Determine the Security Requirements. To plan a security test for an API, it is important to first understand the requirements. Ask questions such as:
- Is the API required to use a TLS/SSL cert and can it be accessed via HTTPS?
- Which permission groups are available for different resources within the application?
- What is the authentication flow? What is the authentication flow?
- What is the API’s attack surface? What could be done by a malicious actor to subvert the API?
It is essential to understand the differences between pass and failure before you ask these questions.
Step 2 – Set up a testing environment. After the scope of the test is defined, it’s time to set up an environment for testing. It is reasonable to use the standard staging area for smaller applications. It is more practical to use the standard staging environment for larger applications that have a lot of internal state.
Step 3: Sanity-check your API. To ensure everything is working correctly, send a few requests to the API.
Step 4 – Define the input domain. It is crucial to know what each parameter does and what combinations each parameter can be. This allows you to identify edge-cases (values which are not valid) and the parameters that are most susceptible to injection attacks (e.g. SQL injections).
Step 5: Create and execute test cases. After you have created the test environment and understood the possible edge-cases you can then create and execute the tests. You will compare the output to the expected output. These should be grouped according to the type of test you are performing. Here are some examples:
- Are resources accessible via HTTPS and HTTP?
- Are all endpoints required to authenticate?
- What happens if you allow file upload?
- What happens if the API-consuming web-app embeds user-supplied information on the page?
- Are you able to access resources your token doesn’t allow?
These instructions will help you to have a better understanding of your application’s security and a toolkit to ensure that there are no security problems in production.