What is API Validation — Why And How To Validate An API Spec file?

Ezinne Anne Emilia
6 min read · Nov 9, 2022
What is API validation

We use APIs (Application Programming Interfaces) to integrate complex applications that share resources. Developers use them to share resources amongst these applications. For example, Twitter has several APIs that third-party applications use for users’ registration.

While APIs are very useful for integrating applications, they can also serve as a path for attackers into the applications they connect. This brings up the need to validate APIs. In this article, I will go over API validation, and why and how to validate an OpenAPI Specification file.

But first, what is an OpenAPI Specification file (OAS)?

According to swagger.io, The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to RESTful APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection. (Source: swagger.io)

This means that an OpenAPI Spec file is a layout designed to describe the parts of a REST API in detail, including the endpoints, parameters, schema, responses, and all the other parts that make up an API.

But that’s not all; API Specification serves as a roadmap for developers when they are building an API. Some API developers create an API spec file initially before building an API, which serves as a blueprint.

The API specification describes the functionality of an API and the expected results.

A popular example of an API spec file is the Swagger Open API specification file.

It is essential to verify that an API follows the Open API Specification so the API can be secure, functional, and perform relatively well.

Regarding the vulnerabilities of an API, using the OAS spec file would go a long way to ensure that the APIs are secure. Developers sometimes neglect API security or cannot secure these APIs properly. These could create opportunities for attackers to gain unauthorized access and manipulate the applications.

API Validation

API validation is the process of inspecting an API for its performance, speed, security, and reliability.

It is an important part of building an API that verifies the input and output formats, patterns, and other factors.

Developers use API validation to check if an API meets the specified standards, regulations, and best practices.

Importance Of Validating An API

  • It is important to validate APIs because we need to confirm if they have a fast response, can carry out the tasks assigned to them and are secure.
  • It is also important to validate APIs to ensure that the communication endpoints are encrypted and work as expected.
  • Just as we run tests on an application to ensure that it meets users’ needs, we do the same with APIs to ensure that they have the expected functionality, performance, and security.

How To Validate An API

To validate an API, there are some points to consider:

According to apimike.com, they are:

  • What types of requests does the API support (e.g., GET, POST)?
  • What are the expected inputs and outputs for each request?
  • What are the error conditions that the API should handle gracefully?
  • How does the API handle pagination or rate-limiting?
  • Security: Is the API secure?
  • Are the data and communications between the API and its clients encrypted? (Source: apimike.com)

You can create an OAS Spec file to define your APIs and generate test cases for your API. There are tools you can use to validate your APIs and a good example is Cherrybomb.

Cherrybomb is an open-source CLI tool that can test your APIs for security risks, irrespective of the programming languages used in the API design.

  • Cherrybomb can read API specification files.
  • It can run tests to verify that the API follows the Open API Specification.
  • It can also give a guide on how to fix the issues in the API, should they exist.
  • It runs validations on the schema, content-type, and HTTP headers of the API.

The tool gives the output in table format.
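To make the checks above concrete, here is an added example (my own code, not Cherrybomb’s) that parses a constructed minimal OpenAPI 3.0 document and reports the kinds of defects the apimike.com questions and the Cherrybomb checks cover: a plain-HTTP server URL, an operation with no security requirement, a parameter without a schema, no documented error response, and a 200 response with no content-type. The spec and the findings are assumptions for illustration only.

```python
import json

# Constructed minimal OpenAPI 3.0 document (not a real API). The GET operation
# is well-formed; the POST operation and the server URL carry the defects.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.3",
  "servers": [{"url": "http://api.example.test/v1"}],
  "paths": {"/users": {
    "get": {"security": [{"apiKey": []}],
            "parameters": [{"name": "page", "in": "query", "schema": {"type": "integer"}}],
            "responses": {"200": {"description": "ok", "content": {"application/json": {}}},
                          "401": {"description": "unauthorized"}}},
    "post": {"parameters": [{"name": "role", "in": "query"}],
             "responses": {"200": {"description": "ok"}}}}}
}""")

METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

def validate_spec(spec):
    """Return (location, finding) pairs for the defects this check covers."""
    findings = []
    # Are communications encrypted? A plain-HTTP server URL means they are not.
    for server in spec.get("servers", []):
        if server.get("url", "").lower().startswith("http://"):
            findings.append((server["url"], "server URL is plain HTTP; traffic is unencrypted"))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:  # skip path-level keys such as "parameters"
                continue
            loc = f"{method.upper()} {path}"
            # Is the API secure? An operation with neither its own nor a global
            # security requirement is reachable without authentication.
            if not op.get("security", spec.get("security")):
                findings.append((loc, "no security requirement; endpoint is unauthenticated"))
            # Expected inputs: every parameter needs a schema to validate against.
            for p in op.get("parameters", []):
                if "schema" not in p:
                    findings.append((loc, f"parameter '{p['name']}' has no schema; input unvalidated"))
            responses = op.get("responses", {})
            # Error conditions: at least one 4xx/5xx response should be documented.
            if not any(code.startswith(("4", "5")) for code in responses):
                findings.append((loc, "no 4xx/5xx response documented"))
            # Content-type: a 200 response with no "content" declares no media type.
            if "200" in responses and "content" not in responses["200"]:
                findings.append((loc, "200 response declares no content-type"))
    return findings

if __name__ == "__main__":
    for loc, msg in validate_spec(SAMPLE_SPEC):
        print(f"{loc}: {msg}")
```

Running it prints five findings: one for the server URL and four for POST /users, while the fully described GET /users produces none.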

For this tutorial, I will run a Swagger file on Cherrybomb to see how it goes.

To get the file, open the Swagger Editor and click File >> Save as YAML.

That should download the yaml file to your local device.

Then, you will need to install Cherrybomb.

You can install Cherrybomb in four ways:

  • You can use curl (client URL), but the install script works only on Linux and macOS. However, you can install Linux on Windows using WSL and run the curl command there.
  • You can install it from crates.io.
  • You can run it as a Docker container.
  • You can install it by cloning the repo too.

Open this link for a detailed guide on how to install Cherrybomb.

I will use curl in this case.

To install the application, enter this:

curl https://cherrybomb.blstsecurity.com/install | /bin/bash
A screenshot of the cherrybomb command I entered

After installing it, confirm the installation by entering this:

cherrybomb --version
A screenshot of the code I entered and the result

Run Cherrybomb on the file you saved from the Swagger Editor:

cherrybomb oas --file openapi.yaml

This shows the output in table format, as mentioned earlier.

A screenshot of the command I entered

The next thing would be to generate the parameter table.

With the parameter table, you can check whether you have secured all your parameters and implemented them correctly.

Run this command:

cherrybomb param-table --file openapi.yaml

This will generate an output table of the API parameters and highlight the ones that you routed successfully and the ones that you did not.

A screenshot of the command I entered

After that, you can also check the endpoints of the API to make sure that you connected them properly:

cherrybomb ep-table --file openapi.yaml

This will test the endpoints and give you the results. When you check it, you will have this:

A screenshot of the command I entered and the results

Benefits of validating the APIs

Some of the advantages of validating an API are as follows:

  • First, it helps ensure that the API itself meets the needs of the users.
  • Also, it points out potential security leaks in the API that we would have overlooked.
  • It improves the speed of building software products and integrating them with APIs.
  • Finally, it ensures that the API complies with the required standards and regulations.

Closing Thoughts

In this article, you looked at APIs and OpenAPI Specifications: what API validation is, why it is important, and how it works. You also covered Cherrybomb, a CLI tool you used to run API validation.

With constant improvements in software production and APIs, the threat of unauthorized access to these applications is inevitable. Now more than ever, developers must validate their APIs so they can prevent half-done specifications and protect their APIs.

Resources

What Is API Validation — A guide

Cherrybomb by BLST Security

Ezinne Anne Emilia

A writer, software engineer, passionate about tech and adventure. Writing is a way for me to express myself and voice my opinions on issues I relate with.