VAPT Techniques for REST APIs

Every year, on the order of a hundred thousand new APIs become available on the internet. An API (application programming interface) is the contract through which one application talks to another. Industry analysts have predicted that API abuse will become the most frequent type of attack on web applications, which is exactly why securing APIs is a priority for any business. API security is about protecting API endpoints from attackers; those endpoints are mainly exposed to unauthorized access, injection flaws, and data loss or data leakage.

What is REST?
REST stands for Representational State Transfer. It is an architectural style, and a REST (or RESTful) API is one that conforms to its constraints and lets clients interact with RESTful web services over HTTP. Most large companies expose REST APIs. Because these APIs exchange data between applications, they are a natural target for attackers, and if a breach takes place a lot of sensitive data is at stake. When API security is discussed, it is often assumed to be a feature of the API itself. It is not: API security is a separate discipline that wraps authentication, authorization, input validation, rate limiting and transport protection around the API.
Weak authentication, missing encryption in transit, and similar flaws leave APIs open to sensitive data exposure, broken access control, injection attacks, denial-of-service (DoS) attacks, and more.
Organizations often believe that building security features into an API is enough to make their products and services secure. Such features do help, but relying on them alone is not enough. Penetration testing of the API is an essential step toward finding the weaknesses that could lead to an attack.

VAPT on REST APIs
Let us look at some of the VAPT techniques used today for REST API security.

  1. API input fuzzing

    What exactly do we mean by fuzzing? Fuzzing is feeding the API unexpected or malformed input until something breaks. The input can be boundary or out-of-range numbers, empty or overly long strings, special and control characters, or values of the wrong type, and the tester watches for anything that signals a bug: a 5xx status, a stack trace or DBMS error echoed in the response, a timeout, or a response that differs from the known-good baseline. Many open-source tools automate the whole process: you point them at the target endpoint, they generate and send the payloads, and when the run finishes they report the anomalous responses, often in graphical form, if the API turns out to be vulnerable.
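    A minimal fuzzer of the kind described above, as an added example that is not part of the original article. The target is a constructed in-process stand-in for a GET /items?page=&size=&q= endpoint with deliberate weaknesses (unchecked pagination arithmetic and a user-supplied regular expression), so the whole thing runs offline; in a real engagement target_endpoint would be replaced by an HTTP client call. The payload list, the trace markers and the classification rules are the author's assumptions, not a specific tool's.

```python
"""API input fuzzer with a constructed in-process target (added example)."""
from __future__ import annotations

import json
import re
import traceback
from typing import Any, Callable

# ---- constructed target -------------------------------------------------
# Stands in for GET /items?page=&size=&q=. Deliberately weak: the pagination
# arithmetic is never bounds-checked and 'q' goes straight into re.search(),
# so unexpected input raises, and the except branch echoes the traceback to
# the caller. Replace with an HTTP call for a real API under test.
ITEMS = [{"id": i, "name": f"item-{i}"} for i in range(25)]


def target_endpoint(params: dict[str, Any]) -> tuple[int, str]:
    try:
        page = int(params.get("page", 0))
        size = int(params.get("size", 10))
        q = str(params.get("q", ""))
        if not 0 < size <= 100:
            return 400, json.dumps({"error": "size must be 1..100"})
        start = page * size
        chunk = [ITEMS[i] for i in range(start, start + size)]  # IndexError past the end
        if q:
            chunk = [it for it in chunk if re.search(q, it["name"])]  # re.error on bad pattern
        return 200, json.dumps(chunk)
    except Exception:
        return 500, traceback.format_exc()  # leaks internals: that is the fuzzing oracle


# ---- fuzzer -------------------------------------------------------------
BASELINE = {"page": "0", "size": "10", "q": ""}  # a known-good request

# One payload list applied to every parameter: integer edges, parser edge
# cases, classic attack strings, regex/control characters, JSON type confusion.
PAYLOADS: list[Any] = [
    "0", "1", "-1", "2", "2147483648", "-9223372036854775809",
    "", " ", "1e9", "0x10",
    "A" * 4096, "%s%n", "' OR 1=1--", "../../etc/passwd",
    "(", "[", "\x00", "\u202e",
    None, [], {}, True, 1.5,
]

TRACE_MARKERS = ("Traceback (most recent call last)", "Exception", "SQLSTATE", "ORA-")


def classify(status: int, body: str) -> str | None:
    """Return why a response is suspicious, or None if it looks normal."""
    reasons = []
    if status >= 500:
        reasons.append("5xx")
    if any(marker in body for marker in TRACE_MARKERS):
        reasons.append("stack trace leaked")
    return ", ".join(reasons) or None


def fuzz(endpoint: Callable[[dict[str, Any]], tuple[int, str]],
         baseline: dict[str, Any], payloads: list[Any]) -> list[dict[str, Any]]:
    """Mutate one parameter at a time, keep the rest at baseline, record anomalies."""
    findings = []
    for param in baseline:
        for value in payloads:
            status, body = endpoint({**baseline, param: value})
            reason = classify(status, body)
            if reason:
                findings.append({"param": param, "value": value,
                                 "status": status, "reason": reason})
    return findings


def summarize(findings: list[dict[str, Any]]) -> dict[str, int]:
    """Count anomalies per parameter so the weakest input stands out."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["param"]] = counts.get(f["param"], 0) + 1
    return counts


if __name__ == "__main__":
    results = fuzz(target_endpoint, BASELINE, PAYLOADS)
    print(summarize(results))
    for f in results[:5]:
        print(f["param"], repr(f["value"]), f["status"], f["reason"])
```

    Note what the oracle does and does not catch: page=2 and q=( are flagged because the server crashes and leaks a traceback, but page=-1 quietly returns the last ten records (Python accepts negative slice indices) with a clean 200, so a silent logic flaw like that needs a differential oracle that compares the body against the baseline rather than just looking for errors.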

  2. Injection Attacks

    We have seen that APIs are highly exposed to injection attacks; the OWASP API Security Top 10 lists Injection as one of its categories. This covers SQL injection (SQLi), OS command injection and similar flaws.
    SQLi occurs when unsanitized input is concatenated into a query that the database then executes. For an API those inputs are the request parameters, headers and body, which is why every one of them should be tested. Start with classic probes such as ' OR 1=1-- and " AND 1=1-- (try both quote styles, since you do not know how the query is built).
    If the API is vulnerable, a tautology such as ' OR 1=1-- bypasses the condition the query was meant to enforce (a login check, a record filter) and the response changes accordingly, for example returning every record instead of one. Even when the injection is not error-based, a malformed probe such as a lone ' may still surface a DBMS error message in the response, which by itself confirms that the input reaches the query unescaped.
    An API can also be injected with OS commands. If an endpoint passes a parameter to a shell, for instance to fetch the contents of a web address or to run a system utility, an attacker can append commands to the value and have them executed on the server. Parameters supplied in API calls are also frequently open to tampering: if the price of a product is accepted from the client rather than looked up on the server, an attacker can change the value and obtain the product almost for free, and a browser's developer tools or an intercepting proxy is all that is needed. So, when sending requests to your API endpoint, make sure to modify such hidden or client-supplied fields and check that the server rejects values it should never have trusted.
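    The SQLi checks described in this section, carried out against a constructed target as an added example (not code from the original article). lookup_vulnerable stands in for a GET /users?name= handler that pastes the parameter into the query, lookup_safe is the same query with a bound parameter, and probe_sqli runs the error-based, tautology and boolean-based probes from the text against either one. The in-memory SQLite table and its three rows are constructed sample data; the function and endpoint names are assumptions.

```python
"""SQL injection probes against a constructed vulnerable lookup (added example)."""
from __future__ import annotations

import sqlite3
from typing import Callable

Endpoint = Callable[[sqlite3.Connection, str], tuple[int, object]]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with one inactive user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, active INTEGER)")
    db.executemany("INSERT INTO users (username, active) VALUES (?, ?)",
                   [("alice", 1), ("bob", 1), ("carol", 0)])
    return db


def lookup_vulnerable(db: sqlite3.Connection, username: str) -> tuple[int, object]:
    """Stand-in for GET /users?name=: the parameter is pasted straight into the SQL."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}' AND active = 1"
    try:
        return 200, db.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return 500, f"database error: {exc}"  # DBMS error echoed to the client


def lookup_safe(db: sqlite3.Connection, username: str) -> tuple[int, object]:
    """Same query with a bound parameter: the input can never alter the query."""
    sql = "SELECT id, username FROM users WHERE username = ? AND active = 1"
    return 200, db.execute(sql, (username,)).fetchall()


def probe_sqli(endpoint: Endpoint, db: sqlite3.Connection) -> list[tuple[str, str]]:
    """Run the classic probes and report anything that looks like injection."""
    findings: list[tuple[str, str]] = []
    _, baseline = endpoint(db, "nobody")  # a user that does not exist

    # Error-based and tautology probes, in both quote styles.
    for payload in ("'", "' OR 1=1--", '" OR 1=1--'):
        status, result = endpoint(db, payload)
        if status >= 500:
            findings.append((payload, f"DBMS error in response: {result}"))
        elif result != baseline:
            findings.append((payload, f"tautology returned {len(result)} rows"))

    # Boolean-based probe: a true and a false condition appended to a valid
    # name must give the same answer unless the condition reaches the query.
    _, when_true = endpoint(db, "alice' AND 1=1--")
    _, when_false = endpoint(db, "alice' AND 1=2--")
    if when_true != when_false:
        findings.append(("alice' AND 1=1-- vs 1=2--", "boolean condition changed the result"))
    return findings


if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(name, probe_sqli(fn, conn))
```

    Against the vulnerable handler the lone quote produces a 500 with the SQLite error, ' OR 1=1-- returns all three users (the -- also comments out the AND active = 1 filter, so even the inactive account is exposed), and the boolean pair disagrees; the double-quoted variant does nothing here because this particular query uses single quotes, which is exactly why both styles are sent. The parameterized version reports nothing on any of them.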

  3. Unhandled HTTP methods

    Web applications interacting with APIs use the HTTP methods (GET, POST, PUT, PATCH, DELETE, and so on) to retrieve, save and delete data. If a server does not support a method, it should return an error such as 405 Method Not Allowed or 501 Not Implemented. This is not always the case, especially with vulnerable APIs, and sometimes a method that is implemented simply skips the authentication that the other methods enforce.
    To test for this, send a HEAD request, and then each of the other methods, to an endpoint that requires authentication, without supplying any credentials. Any HTTP client or intercepting proxy can do this. If you get 401 or 403, or 405 or 501 for methods the endpoint does not support, things are fine. A 200 OK without authentication is very likely a vulnerability.
    Using TLS (HTTPS) to encrypt traffic to and from the API protects messages in transit, but it does not fix method handling: the authentication and authorization checks have to apply to every method the server accepts, not only to GET and POST.
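    The method enumeration described above, as an added example (not code from the original article). The server is a constructed leaky endpoint whose token check was wired into GET only, so HEAD and DELETE answer without credentials while unimplemented methods correctly get 501; probe_methods sends each method with no Authorization header and unauthenticated_methods applies the pass/fail rule from the text. The token value, the /api/v1/secret path and the use of an ephemeral loopback port are assumptions made so the example runs offline.

```python
"""HTTP method enumeration against a constructed leaky endpoint (added example)."""
from __future__ import annotations

import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

API_TOKEN = "constructed-demo-token"  # assumption: the bearer token the endpoint expects
PROBE_METHODS = ("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE")


class LeakyHandler(BaseHTTPRequestHandler):
    """Constructed target: the token check lives in do_GET only; do_HEAD and
    do_DELETE were added later without it. Methods with no do_* handler get
    501 from BaseHTTPRequestHandler, which is the correct behaviour."""

    def _authorized(self) -> bool:
        return self.headers.get("Authorization") == f"Bearer {API_TOKEN}"

    def do_GET(self):
        if not self._authorized():
            self.send_error(401, "missing or invalid token")
            return
        body = b'{"secret": "visible to token holders only"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_HEAD(self):      # bug: no check, resource metadata leaks
        self.send_response(200)
        self.end_headers()

    def do_DELETE(self):    # bug: no check, anyone can delete
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def probe_methods(host: str, port: int, path: str,
                  headers: dict[str, str] | None = None) -> dict[str, int]:
    """Send every method in PROBE_METHODS and record the status code returned."""
    statuses: dict[str, int] = {}
    for method in PROBE_METHODS:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        resp.read()
        statuses[method] = resp.status
        conn.close()
    return statuses


def unauthenticated_methods(statuses: dict[str, int]) -> list[str]:
    """On an endpoint that requires auth, anything other than 401/403 (or
    405/501 for unsupported methods) when no credentials are sent is a finding."""
    return sorted(m for m, s in statuses.items() if s not in (401, 403, 405, 501))


def run_demo() -> tuple[dict[str, int], int]:
    """Start the leaky server on an ephemeral port, probe it anonymously, and
    confirm that a correctly authenticated GET still works."""
    server = HTTPServer(("127.0.0.1", 0), LeakyHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        anon = probe_methods("127.0.0.1", port, "/api/v1/secret")
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("GET", "/api/v1/secret",
                     headers={"Authorization": f"Bearer {API_TOKEN}"})
        authed = conn.getresponse().status
        conn.close()
        return anon, authed
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    statuses, authed_get = run_demo()
    for method, status in statuses.items():
        print(f"{method:8} {status}")
    print("authenticated GET:", authed_get)
    print("methods answering without credentials:", unauthenticated_methods(statuses))
```

    Against a real API, point probe_methods at the production host and path instead of the demo server; the rule in unauthenticated_methods is deliberately strict, so review each finding by hand, since a 200 on OPTIONS with only CORS headers is noise while a 200 on HEAD or a 204 on DELETE is not.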

    These are the main methods used today for vulnerability assessment and penetration testing of REST APIs. If your API turns out to be vulnerable, a few practices will help protect it from attack. Validate the access token on every request that reaches an API function; access tokens exist to maintain each user's level of authorization, and an endpoint that skips the check undoes it. Sanitize and validate all input parameters at the same time.
    Limit the number of requests any user can make to the API (rate limiting), and put a security solution in place that inspects each request before it reaches the API.