Greetings everyone! Hope everything is going well. Today we are going to discuss security issues in APIs. Before getting to API testing, let's first understand what an API is and what the common threats to APIs are.
What is an API (Application Programming Interface)?
An API (Application Programming Interface) is a software intermediary that allows two applications to communicate with each other.
Let's see an example: suppose we are going to book an airline ticket online through a travel booking platform. Whenever we use that platform, the travel service interacts with the airline's API. The API makes this simple: through it the travel service can access information such as airline seats and baggage options from the airline's database.
Why do we need API security?
Nowadays data breaches are a major threat. Exposing sensitive, financial and personal data publicly leads to a breach. Not all data is the same, and it cannot all be protected in the same way; how you approach API security depends on how you manage the data being transferred. APIs are now hugely used by business organizations for intercommunication, which opens up different types of attack scenarios.
Common threats to APIs according to the OWASP API Security Top 10 (2019)
Broken Object Level Authorization
This occurs when an endpoint is configured in a way that exposes sensitive data objects: the API accepts an object identifier as user input and does not verify, at the object level, that the caller is authorized to access that particular object.
Broken User Authentication
Sometimes the API is vulnerable because the authentication scheme is not configured properly; a bad threat actor can then compromise authentication tokens or exploit other users' identities, for example by compromising the API gateway.
Excessive Data Exposure
Data exposure through source code is often a developer mistake: sometimes critical data is left in and never removed, so it is actually accessible by anyone. Nowadays this is a common threat that applications face.
Lack of Resources & Rate Limiting
Sometimes APIs do not impose any restrictions on the size or number of resources that a user can request. This leads to DoS, and it also makes brute-forcing that feature easy.
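To make the two missing controls concrete, here is an added example (not code from the original post or from any real product) of a simulated GET /users handler that caps the page size a client may ask for and applies a per-client token-bucket rate limit. The endpoint, the USERS table and the limit values are all constructed for illustration; a deterministic FakeClock replaces the real clock so the behaviour is reproducible without sleeping.

```python
import time

MAX_PAGE_SIZE = 100  # hard cap on how many records one request may return

# Constructed sample data standing in for a users table.
USERS = [{"id": i, "name": f"user{i}"} for i in range(1, 501)]


class TokenBucket:
    """Per-client bucket: `capacity` requests may burst at once, refilled at `rate` per second."""

    def __init__(self, capacity, rate, clock):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def allow(self):
        now = self.clock()
        # Refill proportionally to elapsed time, never beyond capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """Keeps one bucket per client identifier (API key, user id or source IP)."""

    def __init__(self, capacity=5, rate=1.0, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.buckets = {}

    def check(self, client_id):
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.capacity, self.rate, self.clock)
        return bucket.allow()


class FakeClock:
    """Deterministic clock so the behaviour can be reproduced without sleeping (illustration only)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def list_users(limiter, client_id, requested_limit):
    """Simulated GET /users handler. Returns (status_code, body)."""
    # Rate-limit first: rejecting early is the cheapest thing the server can do.
    if not limiter.check(client_id):
        return 429, {"error": "too many requests"}
    try:
        limit = int(requested_limit)
    except (TypeError, ValueError):
        return 400, {"error": "limit must be an integer"}
    # Clamp instead of trusting the client-supplied page size.
    limit = max(1, min(limit, MAX_PAGE_SIZE))
    return 200, {"count": limit, "users": USERS[:limit]}


if __name__ == "__main__":
    clock = FakeClock()
    limiter = RateLimiter(capacity=3, rate=1.0, clock=clock)
    for _ in range(4):
        print(list_users(limiter, "client-A", 10)[0])  # 200, 200, 200, 429
    clock.advance(2)
    print(list_users(limiter, "client-A", 10 ** 6)[1]["count"])  # 100
```

The capacity and refill rate are the knobs: a small capacity with a slow refill is what turns a credential-stuffing or OTP brute-force loop from thousands of attempts per minute into a handful. In production the bucket state lives in a shared store (such as Redis) rather than in process memory, otherwise each instance behind a load balancer applies its own limit.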
Broken Function Level Authorization
Function level authorization flaws occur whenever an application does not properly maintain its user groups (regular users versus administrators); a bad actor could then access resources belonging to other user groups.
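The following added example (not from the original post) covers both Broken Object Level Authorization above and Broken Function Level Authorization here. It shows an order lookup that trusts the id from the URL next to one that checks ownership, and an admin-only user deletion with and without a server-side role check. The User class, ORDERS table, Forbidden exception and helper names are all constructed for this illustration.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action (maps to HTTP 403)."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed sample data: two customers, one admin, and two orders.
USERS = {1: User(1, "user"), 2: User(2, "user"), 9: User(9, "admin")}
ORDERS = {
    101: {"id": 101, "owner_id": 1, "total": 49.99},
    102: {"id": 102, "owner_id": 2, "total": 1200.00},
}


def get_order_vulnerable(current_user, order_id):
    """BOLA: the id comes straight from the URL and ownership is never checked,
    so any authenticated user can read any order just by changing the number."""
    return ORDERS[order_id]


def get_order(current_user, order_id):
    """Fixed: look the object up, then verify the caller owns it before returning it."""
    order = ORDERS.get(order_id)
    if order is None or order["owner_id"] != current_user.id:
        # Same error for "missing" and "not yours", so the id space cannot be probed.
        raise Forbidden(f"order {order_id} is not accessible to user {current_user.id}")
    return order


def delete_user_vulnerable(current_user, target_id, users):
    """BFLA: an admin-only function exposed with no server-side role check;
    hiding the button in the UI is not an access control."""
    return users.pop(target_id, None)


def delete_user(current_user, target_id, users):
    """Fixed: the role is checked on the server for every call."""
    if current_user.role != "admin":
        raise Forbidden("admin role required")
    return users.pop(target_id, None)


def allowed(fn, *args):
    """Helper: True if the call succeeds, False if it is refused."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, admin = USERS[1], USERS[9]
    print(get_order_vulnerable(alice, 102))        # Bob's order leaks
    print(allowed(get_order, alice, 102))          # False
    print(allowed(delete_user, alice, 2, dict(USERS)))  # False
    print(allowed(delete_user, admin, 2, dict(USERS)))  # True
```

The two checks are deliberately separate: the object-level check compares the record's owner with the caller, the function-level check compares the caller's role with what the operation requires. A real service pushes both into one authorization layer that every handler passes through, so a newly added endpoint cannot forget them. For testing, the usual approach is to call the same endpoint with two different users' tokens and confirm the second one is refused.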
Mass Assignment
Binding client-provided data (e.g., JSON) to data models without proper property filtering based on a whitelist usually leads to mass assignment.
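Here is an added example (not code from the original post) that serves both Excessive Data Exposure above and Mass Assignment here, since the fix for both is a whitelist: one list of fields the client may set, and one list of fields a response may contain. The user record, the field lists and the handler names are constructed for illustration; the password hash is a placeholder string, not a real credential.

```python
# Whitelists: what a client may set, and what a response may contain.
UPDATABLE_FIELDS = {"email", "name"}
PUBLIC_FIELDS = {"id", "email", "name"}


def new_store():
    """Constructed sample user table; the hash is a placeholder, not a real credential."""
    return {
        1: {
            "id": 1,
            "email": "alice@example.com",
            "name": "Alice",
            "is_admin": False,
            "password_hash": "<placeholder-hash>",
            "balance": 120.0,
        }
    }


def update_user_vulnerable(store, user_id, payload):
    """Mass assignment: every key in the request body is written to the model,
    so a body containing is_admin or balance changes them too.
    Excessive data exposure: the full record is echoed back, hash included."""
    store[user_id].update(payload)
    return store[user_id]


def serialize_user(record):
    """Output whitelist: build the response from named public fields only,
    so a new sensitive column can never leak by default."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def update_user(store, user_id, payload):
    """Fixed: reject unknown fields, bind only whitelisted ones, return a filtered view."""
    if not isinstance(payload, dict):
        raise ValueError("body must be a JSON object")
    unknown = set(payload) - UPDATABLE_FIELDS
    if unknown:
        # Rejecting (rather than silently dropping) makes probing visible in logs.
        raise ValueError(f"fields not allowed: {sorted(unknown)}")
    record = store[user_id]
    for key in UPDATABLE_FIELDS & set(payload):
        record[key] = payload[key]
    return serialize_user(record)


def rejected(store, user_id, payload):
    """Helper: True if the hardened handler refuses the payload."""
    try:
        update_user(store, user_id, payload)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    s = new_store()
    print(update_user_vulnerable(s, 1, {"name": "Mallory", "is_admin": True}))
    s = new_store()
    print(rejected(s, 1, {"name": "Mallory", "is_admin": True}))  # True
    print(update_user(s, 1, {"name": "Al"}))  # only id, email, name
```

The important design point is that both lists are explicit allow-lists: anything not named is blocked. A deny-list ("strip is_admin") fails the first time someone adds a new privileged column to the model.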
Security Misconfiguration
This is based on misconfigurations of common headers, weak policies, and applications that do not maintain their Cross-Origin Resource Sharing (CORS) settings; such issues fall under security misconfiguration.
Injection
Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query.
Improper Assets Management
APIs tend to expose many endpoints, some of which are not configured properly; the risk factor here is that deprecated API versions and debug endpoints are left exposed.
Insufficient Logging & Monitoring
An insufficient logging and monitoring vulnerability occurs when security-critical events aren't logged properly and the system is not monitoring what is currently happening.
Types of API Testing
Unit Testing
Unit testing is basically run from the command line in a terminal or using a tool such as SoapUI, and it is based on a piece of source code. We take a single endpoint and check its single response.
Integration Testing
Integration testing is the type most often used for API testing, as APIs are at the center of most integrations between internal or third-party services and of communication with other platforms. In the integration testing phase, modules are combined and tested as a group.
End-to-End Testing
End-to-end testing helps us validate the flow of data and information across the different interconnected API calls; here we verify the threads of the API flow from start to finish.
Performance Testing
In performance testing we verify how the API performs in terms of response. There are tool sets we can use for this: LoadUI Pro is a performance testing tool for RESTful, SOAP, and other web services that enables nearly any team member to embed performance tests into their CI/CD pipeline.
Conclusion: We have discussed what an API is and the common threats to APIs based on attacks. APIs carry different kinds of sensitive information, and if an API is not secured properly it may cause a huge impact, not only on the API application but also on the calling application. So make your product secure. Hope you enjoyed!
Author: Pallab Jyoti Borah (VAPT Analyst)