Your API? It has issues

Imperva has open-sourced an automatic API attack tool

Security vendor Imperva has open-sourced an automatic API attack tool to coincide with this year’s Black Hat Europe security conference.

The tool can help determine if an application programming interface (API) is being implemented correctly and maintained securely.

APIs are increasingly used in mobile, IoT, and cloud environments to facilitate server-to-server and client-to-server communication.

They enable communication between services, which in turn allows consumers to perform everyday activities such as finding a cheap flight online, or booking a hotel room via web and mobile applications.

A lack of awareness and attention paid to implementing security policies, however, has left APIs vulnerable to a range of attacks by malicious actors.

This has prompted the Open Web Application Security Project (OWASP) to release its own API Security Top 10 list to help developers better protect the sensitive information that passes through APIs.

Customized API attacks

Security issues within APIs have arisen, in part, from the growing complexity of backend services, which now expose an increasing number of endpoints that are often difficult to validate for functionality and configuration.

It’s these API vulnerabilities – bad implementations, effectively – that Boris Serebro, senior software engineer at Imperva, aims to uncover with the automatic API attack tool.

While tools to test APIs already exist, their users are required to manually adjust each endpoint and test each case with a proper set of data, Serebro explained.

“The main thing that I had to solve was take an API specification, whatever it might be, and generate as many requests as I can to test the various endpoints with their parameters,” Serebro said.

The solution also had to support multiple API specifications, which, even when written against the OpenAPI Specification, can be very diverse.

By parsing an API specification – and running various tests generated from that specification – the tool can surface weaknesses in how the API validates and handles its inputs.

“The tool takes all the API endpoint definitions into consideration and generates random values for their parameters so that no manual work is needed,” Serebro said.

“The tool tests the API endpoints with positive values and negative values,” he added. 

There were some challenges in developing the automatic API attack tool.

“Since the API specifications today are mostly generated by code, we had to overcome a few Pandora’s boxes that such generators create, like circular dependencies between parameter definitions,” Serebro said, hoping that the tool can bring some awareness to the need for securing APIs.

“Maybe with this tool people will see they have issues in their APIs that they didn’t think of,” he said.
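To make the approach described above concrete, here is an added example (written for this page, not code from Imperva’s tool) of the core loop such a tool needs: parse a specification, produce one schema-conforming request per operation, then produce one request per negative value while mutating a single parameter or the body at a time, so that an unexpected 2xx or 5xx can be attributed to that input. The OpenAPI fragment, the host name and the list of hostile probe strings are all constructed for the example; the spec deliberately contains a circular `$ref` (Passenger.next pointing back at Passenger) of the kind code-generated specs emit, and the generator breaks the cycle by omitting the property that would recurse instead of looping forever.

```python
import random

BASE_URL = "https://api.example.test"  # constructed; nothing is actually sent

# Constructed OpenAPI 3 fragment, not a real service. Passenger.next points back
# at Passenger: the kind of circular $ref a code-generated spec can emit.
SPEC = {
    "paths": {"/flights/{flightId}/bookings": {"post": {
        "parameters": [
            {"name": "flightId", "in": "path", "schema": {"type": "integer", "minimum": 1}},
            {"name": "seats", "in": "query", "schema": {"type": "integer", "minimum": 1, "maximum": 9}},
        ],
        "requestBody": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/Booking"}}}},
    }}},
    "components": {"schemas": {
        "Booking": {"type": "object", "required": ["email", "passenger"], "properties": {
            "email": {"type": "string", "format": "email"},
            "passenger": {"$ref": "#/components/schemas/Passenger"}}},
        "Passenger": {"type": "object", "properties": {
            "name": {"type": "string", "maxLength": 40},
            "next": {"$ref": "#/components/schemas/Passenger"}}},
    }},
}

# Classic hostile inputs substituted for a valid value (constructed list).
PROBES = ["", "' OR 1=1--", "../../etc/passwd", "<script>alert(1)</script>", "A" * 4096]


def resolve_ref(spec, ref):
    """Follow a local JSON pointer such as '#/components/schemas/Booking'."""
    node = spec
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def positive_value(schema, spec, rng, seen=frozenset()):
    """A value satisfying `schema` (integer, string, object handled). A $ref
    already on the current path yields None, so a circular definition stops."""
    if "$ref" in schema:
        if schema["$ref"] in seen:
            return None
        return positive_value(resolve_ref(spec, schema["$ref"]), spec, rng, seen | {schema["$ref"]})
    t = schema.get("type")
    if t == "integer":
        lo = schema.get("minimum", 0)
        return rng.randint(lo, schema.get("maximum", lo + 1000))
    if t == "string":
        if schema.get("format") == "email":
            return f"user{rng.randint(1, 999)}@example.test"
        n = min(schema.get("maxLength", 12), 12)
        return "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(n))
    if t == "object":
        vals = {k: positive_value(s, spec, rng, seen) for k, s in schema.get("properties", {}).items()}
        return {k: v for k, v in vals.items() if v is not None}  # omit the property closing a cycle
    return None


def negative_values(schema, spec):
    """Values violating `schema`: wrong type, boundary +/- 1, oversized, missing required."""
    if "$ref" in schema:
        schema = resolve_ref(spec, schema["$ref"])
    t, vals = schema.get("type"), []
    if t == "integer":
        vals += ["abc", -1, 2 ** 63, 1.5]
        vals += [schema[k] + d for k, d in (("minimum", -1), ("maximum", 1)) if k in schema]
    elif t == "string":
        vals += [12345, {"k": "v"}, "A" * (schema.get("maxLength", 255) + 1)]
    elif t == "object":
        req = schema.get("required", [])
        vals += ["not-an-object", [], {}] + [{n: 0 for n in req if n != miss} for miss in req]
    return vals + PROBES


def build(path, method, params, values, body, kind, mutated):
    """Materialise one request: path params substituted, other params collected as query."""
    url, query = path, {}
    for p in params:
        if p["in"] == "path":
            url = url.replace("{" + p["name"] + "}", str(values[p["name"]]))
        else:
            query[p["name"]] = values[p["name"]]
    return {"method": method.upper(), "url": BASE_URL + url, "query": query,
            "body": body, "kind": kind, "mutated": mutated}


def generate_requests(spec, seed=0):
    """One conforming request per operation, then one request per negative value."""
    rng, out = random.Random(seed), []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            params = op.get("parameters", [])
            body_schema = (op.get("requestBody", {}).get("content", {})
                           .get("application/json", {}).get("schema"))
            good = {p["name"]: positive_value(p["schema"], spec, rng) for p in params}
            good_body = positive_value(body_schema, spec, rng) if body_schema else None
            out.append(build(path, method, params, good, good_body, "positive", None))
            for p in params:  # mutate exactly one parameter per negative request
                for bad in negative_values(p["schema"], spec):
                    out.append(build(path, method, params, {**good, p["name"]: bad}, good_body, "negative", p["name"]))
            for bad in (negative_values(body_schema, spec) if body_schema else []):
                out.append(build(path, method, params, good, bad, "negative", "body"))
    return out
```

Each request carries a `kind` and `mutated` field, so a harness that sends them can flag the interesting outcomes: a negative request answered with 2xx (the API accepted input its own contract forbids) or 5xx (the input reached code that was not prepared for it). Real specifications also use `allOf`/`oneOf`, header and cookie parameters, and non-JSON bodies; those are omitted here to keep the cycle handling and the one-mutation-per-request rule easy to follow.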

The API attack tool is open source and available on GitHub. Serebro says the project will be continuously maintained.
