API Security Testing - Notes


An Introduction to APIs for Security Testing

● What An API Is and Why It's Valuable

API stands for Application Programming Interface.

APIs are a way to programmatically connect with separate software (web applications, mobile applications, thick client applications, etc.).

An application programming interface (API) is a computing interface which defines interactions between multiple software intermediaries.

It defines the kinds of calls or requests that can be made, how to make them, the data formats that should be used, the conventions to follow, etc.

It can also provide extension mechanisms so that users can extend existing functionality in various ways and to varying degrees.

An API can be entirely custom, specific to a component, or it can be designed based on an industry standard to ensure interoperability. Through information hiding, APIs enable modular programming, which allows users to use the interface independently of the implementation.

API Integration

Writing code that interacts with other vendors' code online is known as API Integration.

Public APIs

• When APIs were invented, they were only used to connect different software components running on the same device.
• With the growth of the Internet, more Public APIs (Open APIs) have become available.
• Public APIs are outward facing and accessible over the Internet.

Real World Example

• If you are searching for flights online, you get filters to choose from, such as departure city and date. In order to book your flight, you interact with the airline's website to access their database and see if any seats are available on those dates and what the costs might be.
• However, what if you are not using the airline's website?
• The travel service, in this case, interacts with the airline's API.
• The API is the interface that can be asked by that online travel service to get information from the airline's database to book seats, baggage options, etc. The API then takes the airline's response to your request and delivers it right back to the online travel service, which then shows you the most up-to-date, relevant information.

Types of API

REST API (Representational State Transfer)

Representational state transfer (REST) is a software architectural style that defines a set of constraints to be used for creating Web services. Web services that conform to the REST architectural style, called RESTful Web services, provide interoperability between computer systems on the internet. RESTful Web services allow the requesting systems to access and manipulate textual representations of Web resources by using a uniform and predefined set of stateless operations. Other kinds of Web services, such as SOAP Web services, expose their own arbitrary sets of operations.

Common REST API

SOAP API (Simple Object Access Protocol)

SOAP is a lightweight protocol for exchanging structured information in a decentralised, distributed environment. SOAP transmits XML-format messages between systems over HTTP.
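As an added illustration (not part of the original notes), the Python below builds the same "add" operation once as a RESTful JSON call and once as a SOAP 1.1 envelope, then parses a captured envelope to recover the operation name. This matters for testing because a SOAP service names the operation inside the XML body (and the SOAPAction header), not in the HTTP verb and path. The calculator service host and XML namespace are constructed placeholders.

```python
import json
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
# Constructed placeholder namespace/hosts for a calculator-style service (not a real one)
CALC_NS = "http://calculator.example.test/"


def rest_add_request(a, b):
    """RESTful 'add': the verb and path identify the operation, the body is JSON."""
    return {
        "method": "POST",
        "url": "https://calc.example.test/v1/sums",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"a": a, "b": b}),
    }


def soap_add_request(a, b):
    """Same 'add' as SOAP 1.1: always POST to one endpoint; the operation is named
    inside Envelope/Body and repeated in the SOAPAction header."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{CALC_NS}}}add")
    ET.SubElement(op, f"{{{CALC_NS}}}a").text = str(a)
    ET.SubElement(op, f"{{{CALC_NS}}}b").text = str(b)
    return {
        "method": "POST",
        "url": "https://calc.example.test/CalculatorService",
        "headers": {"Content-Type": "text/xml; charset=utf-8",
                    "SOAPAction": CALC_NS + "add"},
        "body": ET.tostring(env, encoding="unicode"),
    }


def soap_operation(envelope_xml):
    """From a captured SOAP body (e.g. seen in Burp), recover the operation name and its
    arguments: the HTTP verb and path say nothing about which operation is called."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("missing or empty SOAP Body")
    op = body[0]
    name = op.tag.split("}")[-1]                      # strip the namespace prefix
    args = {child.tag.split("}")[-1]: child.text for child in op}
    return name, args
```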

● Advantages to Developers

• APIs save time and money.
• APIs simplify how developers integrate new application components into an existing architecture.

● Different Approaches to API Security Testing

● White Box Penetration Testing

White box penetration testing, sometimes referred to as crystal or oblique box pen testing, involves sharing full API information with the penetration tester, including credentials. This helps to save time and reduce the overall cost of an engagement. A white box penetration test is useful for simulating a targeted attack on a specific system utilising as many attack vectors as possible.

● Black Box Penetration Testing

In a black box penetration test, no information is provided to the penetration tester at all. The pen tester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. This scenario can be seen as the most authentic, demonstrating how an adversary with no inside knowledge would target and compromise an organisation. However, this typically makes it the costliest option too.

● Grey Box Penetration Testing

In a grey box penetration test, also known as a translucent box test, only limited information is shared with the tester. Usually this takes the form of login credentials. Grey box testing is useful to help understand the level of access a privileged user could gain and the potential damage they could cause. Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has breached the application. In most real-world attacks, a persistent adversary will conduct reconnaissance on the target environment, giving them similar knowledge to an insider. Grey box testing is often favoured by customers as the best balance between efficiency and authenticity, stripping out potentially time-consuming reconnaissance.

● Real-time Challenges of API Security Testing

● An API does not have a GUI. An API only has a request and a response.
● Configuration of API calls will be complex for the penetration tester.
● The scope of API penetration testing will be smaller compared to web application penetration testing and mobile application penetration testing.
● The server will only process a request when all headers and parameters are in place. Otherwise the application will receive a 500 Server Error.

● Tools and Frameworks for API Security Testing

● POSTMAN (https://www.postman.com/downloads/)

Postman is a popular API client that makes it easy for a penetration tester to import, share, test and document APIs. This is done by allowing users to create and save simple and complex HTTP/S requests, as well as read their responses. The result: more efficient and less tedious work. We will configure the Burp Suite tool to receive API call requests from the Postman tool to proceed with penetration testing.

● Burp Suite (https://portswigger.net/burp/communitydownload)

Burp Suite is one of the most popular penetration testing and vulnerability finder tools, and is often used for checking application security. "Burp," as it is commonly known, is a proxy-based tool used to evaluate the security of applications and do hands-on testing.

● Firefox (https://www.mozilla.org/en-US/firefox/new/)

● Fiddler (Optional) (https://www.telerik.com/fiddler)

Fiddler is a debugging proxy server tool used to log, inspect, and alter HTTP and HTTPS traffic between a computer and a web server or servers.

● Types of Bugs that API Security Testing Detects

● An API can be vulnerable to all server-side vulnerabilities.
● An API will not be vulnerable to GUI-level vulnerabilities (XSS, HTML injection, clickjacking, etc.), as a browser cannot generate API call requests. Hence, they cannot be exploited.

● Difference between Common API Testing and API Security Testing

Common API testing is done by developers to verify the availability and functionality of the API application.
API security testing is done by penetration testers to verify vulnerabilities of the API application.

Important Things for Interview

Difference between REST and SOAP API

Difference between Web Service and API

Setup of API Security Testing Environment

● Installation of API Security Testing tools
● Installation of API Security Testing frameworks

POSTMAN Configuration

• Open the POSTMAN tool and click on Preferences
• Go to the Proxy tab
• Select Add Custom Proxy Configuration
• Select HTTP and HTTPS
• Add 127.0.0.1 to the Proxy Server option
• Add 8063 in the Port option of the Proxy Server

• Go to the General tab
• Disable SSL Verification

Configure Burp Suite

• Open the Burp Suite tool and go to the Proxy tab
• Select Options and click on the Add button under Proxy Listeners
• Select Port as 8063 and click on the Add button

● Configuration and Testing Builds of Live Test Cases

Types of Importing API Calls

1.) Importing Collection Files

Collection files are a group of API requests that are already saved in the file and can be arranged into folders. Any number of folders can be created inside a collection.
Putting similar requests into folders and collections helps the client in better organisation and documentation of their requests.

All the API requests can be stored and saved within a collection, and these collections can be shared amongst the team in the Postman workspace.

If your client has directly shared a collection file, which will have a json or xml extension, then to import it:

• Open the Postman tool
• Select the Import option
• Go to the File tab
• Click on Upload Files and select the json or xml collection file shared by the client.

2.) Collection Folders

In case there are multiple collection files shared by the client, we can use the Upload Collection Folder option to add all API calls to Postman at once.

To use a collection folder, go to the Import option and select the Folder tab.

Choose the folder where the collection files are stored. Postman will automatically detect all API calls in the folder and add them to My Workspace.

3.) Importing API Calls with Web Services

What are Web Services?

A web service is any piece of software that makes itself available over the internet and uses a standardised messaging system.

Web services are not tied to any one operating system or programming language—Java can talk with Perl; Windows applications can talk with Unix applications.

Web services are self-contained, modular, distributed, dynamic applications that can be described, published, located, or invoked over the network to create products, processes, and supply chains.

These applications can be local, distributed, or web-based. Web services are built on top of open standards such as TCP/IP, HTTP, Java, HTML, and XML.

These systems can include programs, objects, messages, or documents. A web service is a collection of open protocols and standards used for exchanging data between applications or systems.

Software applications written in various programming languages and running on various platforms can use web services to exchange data over computer networks like the Internet in a manner similar to inter-process communication on a single computer. This interoperability (e.g., between Java and Python, or Windows and Linux applications) is due to the use of open standards.

What are WADL Web Services?

The Web Application Description Language is a machine-readable XML description of HTTP-based web services. WADL models the resources provided by a service and the relationships between them. WADL is intended to simplify the reuse of web services that are based on the existing HTTP architecture of the Web.

A WADL looks like this:

https://service.iris.edu/fdsnws/station/1/application.wadl

What are WSDL Web Services?

The Web Services Description Language is an XML-based interface description language that is used for describing the functionality offered by a web service.

A WSDL looks like this:

https://svn.apache.org/repos/asf/airavata/sandbox/xbaya-web/test/Calculator.wsdl

Importing WSDL Web Services

WSDL web services are often used to import SOAP APIs.

To import SOAP API calls via a WSDL web service:
Go to Burp Suite and click on the Extender tab.
Go to the BApp Store and search for the add-on named Wsdler.
Click on the Install button.

Once installed, take the request for the WSDL web service from Firefox to Burp Suite. Right click on it and select the option Parse WSDL.

Wsdler will import the API calls from the WSDL web service.

Right click on a request and click on Send to Repeater.

Importing API Calls from WADL Web Services

WADL web services are often used to import REST APIs.
Go to the Postman tool and click on Import.
Click on the Link tab and paste the WADL web service link.
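What a WADL import like Postman's does underneath, as an added Python example (not part of these notes or of Postman): the walker below reads a WADL document, resolves nested resource paths against the base URL and lists every method and query parameter the service advertises, which is the endpoint scope a tester needs to cover. The WADL here is a constructed sample for a made-up service, laid out like the fdsnws document linked above, not the real one.

```python
import xml.etree.ElementTree as ET

WADL = "{http://wadl.dev.java.net/2009/02}"   # WADL namespace in ElementTree's Clark notation

# Constructed sample WADL for a made-up service (not a real document)
SAMPLE_WADL = """<application xmlns="http://wadl.dev.java.net/2009/02">
  <resources base="https://api.example.test/v1/">
    <resource path="stations">
      <method name="GET" id="listStations">
        <request>
          <param name="network" style="query" type="xs:string"/>
          <param name="level" style="query" type="xs:string"/>
        </request>
      </method>
      <resource path="{id}">
        <param name="id" style="template" type="xs:string"/>
        <method name="GET" id="getStation"/>
        <method name="DELETE" id="deleteStation"/>
      </resource>
    </resource>
  </resources>
</application>"""


def _join(base, path):
    """Append a resource path to a URL, tolerating slashes on either side."""
    return base.rstrip("/") + "/" + path.strip("/") if path else base


def _walk(resource, base, out):
    """Depth-first over <resource>; nested resources extend the parent's path."""
    path = _join(base, resource.get("path", ""))
    for m in resource.findall(WADL + "method"):
        query = [p.get("name") for p in m.findall(WADL + "request/" + WADL + "param")
                 if p.get("style") == "query"]
        out.append({"method": m.get("name", "GET").upper(), "url": path, "query": query})
    for child in resource.findall(WADL + "resource"):
        _walk(child, path, out)


def wadl_endpoints(wadl_xml):
    """List every method the WADL advertises as {method, url, query}, in document order."""
    out = []
    for resources in ET.fromstring(wadl_xml).findall(WADL + "resources"):
        for res in resources.findall(WADL + "resource"):
            _walk(res, resources.get("base", ""), out)
    return out
```

Note that the DELETE on the `{id}` resource shows up alongside the reads; a WADL enumerates what the service claims to support, so it is a starting scope list, not proof that each method is reachable or authorised.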

4.) Importing API Calls from Raw Text

If the client is sharing API calls via curl commands, then we can import the curl commands and initiate penetration testing.

Go to the Postman tool and click on Import. Go to Raw Text and paste the curl command.
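To show what the raw-text import has to do with a curl command, here is an added Python example (not from these notes or from Postman) that turns a curl command line into the method, URL, headers and body a tester would then see in Burp, including the Basic Authorization header curl derives from -u. The sample command and its host are constructed.

```python
import base64
import shlex

# curl options that take a value; only some of them shape the request being rebuilt
VALUE_FLAGS = {"-X", "--request", "-H", "--header", "-d", "--data", "--data-raw",
               "--data-binary", "-u", "--user", "-o", "--output", "-x", "--proxy",
               "-A", "--user-agent"}

# Constructed sample: the kind of command a client pastes into a ticket
SAMPLE_CURL = r"""curl -X post 'https://api.example.test/v1/orders' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer EXAMPLE_TOKEN' \
  -k --compressed \
  --data-raw '{"sku": "A-100", "qty": 2}'"""


def parse_curl(command):
    """Reconstruct {method, url, headers, body} from a curl command line."""
    tokens = shlex.split(command.replace("\\\n", " "))   # join shell line continuations
    if not tokens or tokens[0] != "curl":
        raise ValueError("not a curl command")
    method, url, headers, body = None, None, {}, None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_FLAGS:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} needs a value")
            val = tokens[i + 1]
            if tok in ("-X", "--request"):
                method = val.upper()
            elif tok in ("-H", "--header"):
                name, _, value = val.partition(":")
                headers[name.strip()] = value.strip()
            elif tok in ("-d", "--data", "--data-raw", "--data-binary"):
                body = val
            elif tok in ("-u", "--user"):          # curl sends this as HTTP Basic auth
                headers["Authorization"] = "Basic " + base64.b64encode(val.encode()).decode()
            i += 2                                 # -o, -x, -A and friends are just skipped
        elif tok.startswith("-"):                  # value-less flags such as -k, -s, --compressed
            i += 1
        elif url is None:
            url = tok
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r}")
    if url is None:
        raise ValueError("no URL in command")
    if method is None:                             # curl's own default
        method = "POST" if body is not None else "GET"
    return {"method": method, "url": url, "headers": headers, "body": body}
```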

5.) Importing API Calls from Request and Response

If we receive the request and response of API calls, then we can directly paste the API call request into the Burp Suite Repeater tab and execute the request.
