
Introduction to API Pentesting: Importance for companies and pentesters

Ariel Jacob
6 min read · Apr 12, 2023

Importance of API Cybersecurity

With the constant advancement of technology, web applications have grown in popularity and Application Programming Interfaces (APIs) have become a fundamental part of the modern technology ecosystem. More and more companies depend on APIs to integrate their systems and offer services to users, which is why there is a need to protect these interfaces to guarantee data security and user privacy. A good way to achieve this is to perform API pentesting audits, either on specific demand or included in web application pentesting.

API model.

Costs and impact of attacks on APIs

The impact of a successful attack on an API can be huge. Recent research highlights how attackers are capitalizing on API-driven innovation: it is estimated that more than 30% of cybercriminal attacks target unprotected APIs (referred to as “Shadow APIs”). Attacks on APIs, and the vulnerabilities behind them, increase every year.

According to a study conducted by the Marsh McLennan Cyber Risk Analytics Center and Imperva, the global cost to businesses of vulnerable or insecure APIs is rising. Analysis of nearly 117,000 unique cybersecurity incidents estimates that API insecurity generates annual losses of between $41 billion and $75 billion, in addition to leaked confidential information, which has a strong impact on the company’s brand image and may end up for sale on the dark web.

Consequently, the security of APIs should be considered as a fundamental issue for both companies and pentesters.

What is API pentesting?

API pentesting (or API penetration testing) refers to the security evaluation of an API by performing penetration and intrusion tests with the aim of identifying and exploiting vulnerabilities in the programming interface, especially in the functionality defined for each endpoint. For example: verifying whether the login endpoint handles user identification and authentication correctly, whether the ID tokens resist tampering, whether the functions available to users with different privilege levels are correctly authorized, and so on. The ultimate goal of API pentesting is to ensure that the API is secure and that user data and privacy are protected.

Why is API pentesting important for businesses?

APIs are vulnerable to a variety of attacks, many of which are grouped into the OWASP TOP 10 API 2019 risk categories (ref. here and here). For example: injection of SQL queries to obtain data or bypass authorization (Injection); JWT authentication and signing/encryption schemes vulnerable to tampering and brute force (Broken Authentication); unauthorized access to data and functions (Broken Object Level Authorization (BOLA), Broken Function Level Authorization (BFLA), Mass Assignment); among others. Ethical hackers/professional pentesters use pentesting techniques to identify these vulnerabilities and protect their clients’ systems before they are exploited by malicious hackers, i.e. cybercriminals.

Importance for Pentesters: How to test API correctly?

It is important for professional pentesters to know how to test APIs correctly, since inadequate testing can lead to false positives or, more commonly and more feared, false negatives (not detecting or reporting a vulnerability that is present).
What usually happens is that the client entrusts us with a pentest of web applications that contain one or more APIs (within the scope) that implement their functionality (e.g. login, adding an item to the cart, buy/pay/transfer, access to a user’s specific data, etc.), and during the audit the tests and techniques specific to these APIs are not carried out.

Among the shortcomings in the pentesting methodology are usually the following:

  • Lack of API reconnaissance: we can end up overlooking important APIs behind web applications and their functionality, which leads to an incomplete audit. The client may or may not list the APIs in scope, and sometimes they only give us domains, each of which can in turn involve many APIs.
  • Lack of a correct enumeration of endpoints: it is easy to fall into the practice of testing “on the fly” the API endpoints that appear while using a web proxy or directory fuzzing, without reverse engineering the API to collect all endpoints and group them by functionality. This makes testing complex and messy, and can miss vulnerable features.
  • Not testing specifically against the OWASP TOP 10 API: testing only against OWASP WEB instead of the vulnerabilities and flaws grouped in the OWASP API list might still find bugs, but perhaps not all of them, and they would not be classified correctly. For example, API1 Broken Object Level Authorization (BOLA) and API5 Broken Function Level Authorization (BFLA) would both fall under A01 Broken Access Control for web, but sometimes one is present and not the other, and their impact is different, so OWASP WEB gives no specific classification. The same happens with API6 Mass Assignment, which would fall under A08 Software and Data Integrity Failures or perhaps A03 Injection, so it requires a specific mention to expose the API problem well.

It can be summarized that to test APIs correctly in a pentesting we must:

  • Carry out a correct API reconnaissance: there are several ways to identify the presence of APIs:
    - Publicly available API documentation: e.g. in Swagger.
    - URL naming schemes: APIs communicate over HTTP, so there is evidence of them in the URL; e.g. https://target-name.com/api/v1
    - Subdomains: e.g. api.target-name.com
    - Response headers: e.g. mentions of JSON or XML, “Content-Type: application/json, application/xml”.
    - Mentions in repositories: GitHub, Postman, RapidAPI, etc.
  • Correctly enumerate endpoints through reverse engineering: through the Postman proxy or a man-in-the-middle proxy, all endpoints related to the web application’s functionality can be detected and grouped into a collection that is then used for orderly and precise manual and automated testing. For example, tests or scripts can be run against the endpoints we designate, variables and tokens can be modified, and failures can be checked for more accurately.
  • Perform OWASP TOP 10 API vulnerability tests: the OWASP API categories have a high business impact and are closely related to each other; when one is found it is usually accompanied by several more. Pay special attention to Excessive Data Exposure and Improper Assets Management, which are considered the basis of the rest: if we find user information exposed, we can use it to try to break authentication, or to view and manipulate data through endpoints without authorization; and if API versions have not been managed well and a previous version is still exposed, it may lack a “rate limit” and allow brute forcing of the credentials obtained earlier through the information exposure, or lack filters against SQL injection, etc.
BFLA and BOLA combined — Video deletion with DELETE and ADMIN privileges.
Example of Mass Assignment creating a product with an arbitrary negative value; it is combined with BFLA when using the admin function of creating products in the store.
Successful Mass Assignment adds money to the purchased item instead of subtracting money.
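To make the BOLA, BFLA and Mass Assignment findings described above concrete, here is an added example (not code from the original post or from any real store) that models the product-creation and video-deletion endpoints in a vulnerable form beside a hardened one, framework-free so it runs stand-alone. All types, field names and roles are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    id: int
    role: str              # hypothetical roles: "user" or "admin"
    balance: float = 100.0

@dataclass
class Store:
    products: dict = field(default_factory=dict)  # product_id -> record
    videos: dict = field(default_factory=dict)    # video_id -> owner user id

# Vulnerable: no role check (BFLA) and every client-supplied key is copied
# into the record (Mass Assignment), so a negative "price" is stored as-is.
def create_product_vulnerable(store, user, payload):
    product = {**payload, "id": len(store.products) + 1}
    store.products[product["id"]] = product
    return product

# Hardened: function-level authorization, an allow-list of writable fields,
# and explicit validation of the sensitive field.
WRITABLE_FIELDS = {"name", "price"}

def create_product_hardened(store, user, payload):
    if user.role != "admin":
        raise PermissionError("product creation is an admin-only function")
    extra = set(payload) - WRITABLE_FIELDS
    if extra:
        raise ValueError(f"unexpected fields rejected: {sorted(extra)}")
    price = payload.get("price")
    if isinstance(price, bool) or not isinstance(price, (int, float)) or price <= 0:
        raise ValueError("price must be a positive number")
    product = {"id": len(store.products) + 1,
               "name": str(payload.get("name", "")), "price": float(price)}
    store.products[product["id"]] = product
    return product

# Purchase: with a record from the vulnerable endpoint a negative price
# *adds* money to the buyer's balance instead of subtracting it.
def purchase(store, user, product_id):
    user.balance -= store.products[product_id]["price"]
    return user.balance

# Vulnerable delete: any authenticated user can delete any video by id (BOLA).
def delete_video_vulnerable(store, user, video_id):
    return store.videos.pop(video_id, None) is not None

# Hardened delete: object-level authorization ties the object to its owner;
# "missing" and "not yours" get the same answer so ids cannot be enumerated.
def delete_video_hardened(store, user, video_id):
    owner = store.videos.get(video_id)
    if owner is None or (owner != user.id and user.role != "admin"):
        return False
    del store.videos[video_id]
    return True
```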

In the next post we will see each of these points and their importance.
All the best!
Good Hack!
