Next Gen Security Testing Services

API Security

What is API?

API, short for Application Programming Interface, allows two applications to talk to each other. It is also a set of definitions and protocols for building and integrating application software.

What is API security?

API security refers to the practice of preventing or mitigating attacks on APIs. APIs form the backend framework for mobile and web applications, so it is critical to protect the sensitive data they transfer. API security matters because businesses use APIs to connect services and to transfer data, and a compromised API can lead to a data breach.

Protocols and architectures of API

Protocols and good architecture are required to govern how an API operates. There are three main API designs: REST, SOAP, and RPC.

REST API

Representational state transfer (REST) is the most popular architecture for web APIs. REST mainly uses HTTP but can run over almost any protocol. It can work with different data formats and handle multiple types of calls; a REST API can return JSON, YAML, XML, or other formats depending on the client.

SOAP API

Simple Object Access Protocol (SOAP) is a standard communication protocol that allows processes running on different operating systems to communicate over HTTP. Unlike REST, SOAP works only with the XML data format. SOAP APIs are designed to operate on objects, for example by creating, retrieving, updating, or deleting records.

RPC API

Remote procedure call (RPC) is the earliest form of API. Compared with REST, RPC executes code, actions, or processes on the server, while REST APIs are mainly used to exchange data. RPC commonly uses two data formats: XML and JSON.

Security issues concerned with API

Excessive Data Exposure — API3

Developers tend to expose all object attributes without considering their sensitivity, relying on the client to filter the data. The API then returns full data objects exactly as they are stored in the database. From the attacker's point of view, such an API can be abused with a direct API call that returns the full, unfiltered objects.

Security Misconfiguration — API7

Security misconfiguration is typically the result of insecure default configuration, open cloud storage, unnecessary HTTP methods, misconfigured HTTP headers, verbose error messages containing sensitive information, or permissive Cross-Origin Resource Sharing (CORS). Attackers can use a misconfigured API to perform reconnaissance on the application and as a pivot for further attacks against the APIs.

Broken function level authorization — API5

In this case, the API relies on the client to call only the user-level or admin-level functions it is entitled to use. Attackers can invoke API methods directly and reach functions they are not authorized for.

Improper assets management — API9

This issue arises when older API versions remain reachable but are not protected in the same way as the production API. Attackers can find these older versions and use them to attack the application.

Injection — API8

Injection flaws involve sending untrusted data to an interpreter as part of a query or command. Attackers can craft an API call containing SQL, LDAP, NoSQL, OS, or other commands that the API blindly executes. Such an attack can result in data disclosure, host takeover, or denial of service.
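The SQL case above, shown as an added example (not code from the page or from Cyber Legion): the same account lookup written the way an injectable API handler does it and the way a hardened one does. The in-memory SQLite table, column names and username rules are constructed assumptions.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory database standing in for the API's backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
    ])
    return conn

def find_account_vulnerable(conn, username):
    # The request parameter is spliced into the SQL text, so the database
    # interprets any quotes or operators in it as SQL rather than as data.
    sql = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

# Assumed username policy: short, lowercase, no punctuation at all.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def find_account_secure(conn, username):
    # Defence in depth: reject anything outside the expected shape before it
    # reaches any interpreter at all.
    if not USERNAME_RE.fullmatch(username):
        return []
    # Primary defence: the value is bound by the driver, separately from the
    # statement text, so the statement's structure cannot change.
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # becomes valid SQL once spliced into the text
    print("vulnerable:", find_account_vulnerable(conn, probe))  # both rows
    print("secure:    ", find_account_secure(conn, probe))      # no rows
```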

Insufficient logging and monitoring — API10

This issue is present when logs are not protected for integrity, are not properly integrated into SIEM systems, or alerts are poorly designed. In other words, a lack of proper logging, alerting, and monitoring allows attackers to stay under the radar while performing an attack.
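What monitoring can catch when API access is actually logged, as an added example that is not code from the page: a small detection over constructed access-log lines that flags a caller walking through many object IDs and being refused most of the time. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines: alice reads her own record, bob walks
# through neighbouring ids and is mostly refused.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z principal=alice GET /api/users/101 200
2024-05-01T10:00:02Z principal=bob GET /api/users/102 200
2024-05-01T10:00:03Z principal=bob GET /api/users/103 403
2024-05-01T10:00:03Z principal=bob GET /api/users/104 403
2024-05-01T10:00:04Z principal=bob GET /api/users/105 404
2024-05-01T10:00:04Z principal=bob GET /api/users/106 403
2024-05-01T10:00:05Z principal=bob GET /api/users/107 403
2024-05-01T10:00:06Z principal=alice GET /api/users/101 200
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) principal=(?P<principal>\S+) "
                      r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
OBJECT_PATH = re.compile(r"^/api/users/(?P<id>\d+)$")

def parse_line(line):
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def enumeration_alerts(log_text, min_ids=5, min_refused_ratio=0.6):
    # One principal touching many distinct object ids, mostly with 403/404,
    # is the trace an object-level authorization probe leaves in the logs.
    ids, refused, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        obj = OBJECT_PATH.match(ev["path"]) if ev else None
        if obj is None:
            continue  # unparsable line or not an object lookup
        p = ev["principal"]
        total[p] += 1
        ids[p].add(obj["id"])
        if ev["status"] in ("403", "404"):
            refused[p] += 1
    alerts = []
    for p, n in total.items():
        ratio = refused[p] / n
        if len(ids[p]) >= min_ids and ratio >= min_refused_ratio:
            alerts.append({"principal": p, "distinct_ids": len(ids[p]),
                           "refused_ratio": round(ratio, 2)})
    return alerts
```

Thresholds are deliberately simple; in a SIEM the same logic would run per time window and be tuned against the API's normal traffic.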

Broken object level authorization — API1

In this case, an API call carries an ID parameter that has been modified to point at another user's resource; when the call is executed, the attacker gains access to that resource. The issue is due to a lack of proper authorization checks and can lead to disclosure, modification, or deletion of data.
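The three authorization and exposure issues described above (Excessive Data Exposure, Broken function level authorization and Broken object level authorization) in one "users" resource, handled the vulnerable way and the hardened way. This is an added example, not code from the page or from Cyber Legion; the in-memory store, roles, status codes and field names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed records; the hash and SSN values are placeholders.
USERS = {
    101: {"id": 101, "name": "alice", "email": "alice@example.test",
          "password_hash": "<constructed hash>", "ssn": "000-00-0001"},
    102: {"id": 102, "name": "bob", "email": "bob@example.test",
          "password_hash": "<constructed hash>", "ssn": "000-00-0002"},
}

@dataclass
class Caller:
    user_id: int
    role: str  # "user" or "admin", taken from the verified session, never the request body

# API3 fix: an explicit allowlist of what any client may see.
PUBLIC_FIELDS = ("id", "name", "email")

def get_user_vulnerable(caller, user_id):
    # API1: trusts the id from the request and never asks who is calling.
    # API3: hands back the stored row, password hash and SSN included.
    record = USERS.get(user_id)
    return (404, {"error": "not found"}) if record is None else (200, record)

def get_user_secure(caller, user_id):
    # API1 fix: the server decides whether this caller may see this object.
    # Authorizing before the existence check keeps 403 vs 404 from revealing
    # which ids exist.
    if caller.role != "admin" and caller.user_id != user_id:
        return 403, {"error": "forbidden"}
    record = USERS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    # API3 fix: project onto the allowlist instead of returning the row.
    return 200, {k: record[k] for k in PUBLIC_FIELDS}

def delete_user_secure(caller, user_id):
    # API5 fix: an admin-only function checks the role on the server rather
    # than relying on the client to keep the admin endpoint hidden.
    if caller.role != "admin":
        return 403, {"error": "forbidden"}
    if USERS.pop(user_id, None) is None:
        return 404, {"error": "not found"}
    return 204, {}
```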

Lack of resources and rate limiting — API4

When the API is not protected against excessive traffic, call volumes, or payload sizes, attackers can perform Denial of Service or brute-force attacks that overload the API.
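The two controls this issue calls for, a per-caller request budget and a payload-size cap, as an added example that is not code from the page: a token-bucket limiter with an injectable clock so its behaviour over time can be checked. The limits, status codes and in-memory bucket store are assumptions; a multi-instance deployment would keep the buckets in a shared store so every instance enforces the same budget.

```python
import time

class RateLimiter:
    """Token bucket per caller: `burst` requests at once, refilled at `rate_per_sec`."""

    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate = rate_per_sec
        self.burst = burst
        self.clock = clock          # injectable for deterministic testing
        self.buckets = {}           # caller -> (tokens, last_refill_time)

    def allow(self, caller):
        now = self.clock()
        tokens, last = self.buckets.get(caller, (self.burst, now))
        # Refill proportionally to elapsed time, never above the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[caller] = (tokens, now)
            return False
        self.buckets[caller] = (tokens - 1, now)
        return True

MAX_BODY_BYTES = 64 * 1024  # assumed cap for this API's JSON bodies

def handle_request(limiter, caller, body):
    # Cheap checks first, so oversized or flooding callers cost nothing
    # beyond reading the length and a dictionary lookup.
    if len(body) > MAX_BODY_BYTES:
        return 413, {"error": "payload too large"}
    if not limiter.allow(caller):
        return 429, {"error": "rate limit exceeded", "retry_after": 1}
    return 200, {"ok": True}
```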

API Security Solutions

Here at Cyber Legion, we provide Web Application and API automated and manual security testing, including SCA, SAST and DAST.

Our cyber capabilities cover security testing techniques that create effects through cyberspace. We have the professional and technical capacity to deliver high-quality testing services and to follow all procedures from identification through reporting and remediation of the identified vulnerabilities.

Using a Secure Client Portal, the latest and most advanced security tools, and a commitment to innovation, we ensure that our clients continually benefit from our Professional Cyber Services, which help to detect, prevent, and respond to threats and cyber attacks.

API Security Testing Workflow

[Diagram: Security Testing Workflow]