What is API Security Testing?
An application programming interface (API) is a method of communication between two applications based on a syntax and a set of business rules. Of all the components that make up an application, the API (Application Programming Interface) is possibly the simplest access point for an attacker. API security testing enables organizations to ensure that APIs are secure, and identify security gaps or vulnerabilities that need to be remediated.
Is Your API Secure? 4 Quick Tests
Use the following quick tests to identify gaping security holes in your API. This is not a comprehensive API security test, but is a “smoke test” that can identify if your API uses basic security practices.
Test Name |
What is Being Tested |
Testing Procedure |
1. Parameter Tampering | Whether an attacker can change values of the API to manipulate its functionality. | If there is a hidden field in a web form that results in an API request, you can change the value of the field to a value not allowed by your business logic. For example, change product price from $100 to $0. |
2. Operating System Command
Injection |
Whether an attacker can inject operating system commands into API inputs, causing the command to execute on the server. | If your API accepts a filename and displays or otherwise processes the file, append an operating system command to the file name, and see if it is executed on the server. You can use open source APIs such as OPSWAT to verify if an uploaded file contains malicious code.
For example: https://example.com/view?name=file.txt;reboot |
3. Input Fuzzing | Whether an attacker can try random data inputs until the API behaves unexpectedly. | Try inputting unexpected values to your API. If it accepts textual inputs, try text with strange characters, text that is very long or very short. If it accepts numeric inputs, try 0, negative numbers, large numbers, or non-numeric characters.
This should be handled in your API code. Each input/parameter type needs to be checked and must adhere to data input rules. |
4. Unhandled HTTP Methods | Whether an attacker can use HTTP methods that are not supported on the server, and are therefore not authenticated. | Make a request to the API endpoint from the Head section of an HTML page using multiple HTTP methods like POST, PUT, or DELETE, and see if the API accepts them. All unimplemented methods should return standard HTTP Error like 404 or 500. |
API Security Checklist: How to Perform a Security Test on an API
Determine Security Requirements
To plan for API security testing, you must first understand the basic parameters. Investigate the following:
- Does your API use TLS/SSL certificates and do you need to access them over HTTPS?
- What are the permission groups for various resources provided by the application?
- What is the process for user authentication? Are you using an external OAUTH provider?
- What is the API’s attack surface? Identify which endpoints, commands or connection methods might be vulnerable to attack.
Set up Test Environment
After developing the test scope, prepare the application environment for testing. For small-scale applications, use a standard staging environment. For large, complex applications, you may need to mock up certain components or integrated systems. WireMock is a tool that can help with this.
Sanity Check
In your test environments, make some requests in the API simulating typical business processes, to make sure everything is set up correctly.
Define the Input Domain
Identify what are the inputs accepted by the API, the function of each command and parameter, and which parameters or input values are allowed. Use this to define:
- Edge cases—values that are allowed by the application’s business logic, but may result in unexpected responses.
- Invalid inputs—values that are not allowed by business logic, but should still be tested to ensure they correctly return an error.
Both types of inputs could be vulnerable to code injection attacks.
Develop and Execute Test Cases
Now, prepare test cases that you will run against the API to check if it is vulnerable to attack. Here are some examples of test cases:
- Is it possible to access the resource using both HTTP and HTTPS?
- Do all endpoints require some basic authentication?
- If an endpoint supports file upload, what happens if you upload a potentially malicious file using the MIME type your application expects?
- What if a web application using this API asks the user for a custom input, and instead you provide an HTML or JavaScript element?
- Can you access resources that the API access token is not authorized to access?
Top Open Source API Security Testing Tools
Following are four free tools you can use to perform security testing for your APIs.
SoapUI
SoapUI is the first tool to try, especially if your team has a complex API testing scheme and is mainly composed of QA/Test Engineers.
This tool has the most functional test elements built for API tests, and lets you define your outputs in code in a flexible and convenient way.
Key capabilities of SoapUI include:
- SoapUI MockServices allows you to mock and create tests for SOAP and REST web services before implementation.
- Supports all popular protocols and standards, including SOAP services.
- End-to-end automation of API testing that can reduce the time needed to create test cases.
JMeter + Jenkins
JMeter was originally created for load testing, but it has other uses as well, including security testing. JMeter can handle CSV files automatically. Using a CSV file can help you create your own set of parameter values for your tests.
The Jenkins integration allows you to run API tests. By combining Jenkins with JMeter, you can include API functional tests in your JMeter performance tests.
Key capabilities of JMeter with Jenkins:
- Support for playback of test results.
- Automatically processes the CSV file so you can quickly generate unique parameter values for API testing.
- Embed API tests in your CI pipeline.
- Can be used for performance testing of both static and dynamic resources.
Karate
Karate is an open source framework that enables scripted test automation. It lets you write scripts that automate API calls, and verify that requests are correct, supporting JSON and XML responses. The scripting language is Gherkin.
Key capabilities of Karate include:
- Based on the familiar Cucumber JVM.
- Runs tests and generates reports like a standard Java project.
- Lets you create tests for Java applications without knowing Java.
- Configuration switching for staging environments.
- Multithreaded parallel execution support.
Fiddler
You can use Fiddler to reuse and monitor HTTP requests, in order to understand the behavior of a web API. It comes with API testing extensions and can be used at any stage of the development process.
Key capabilities of Fiddler include:
- Strong support for .NET languages, as well as Java, Ruby, and other languages.
- Can debug traffic on macOS, Windows, Linux, and iOS or Android mobile devices.
- Requires you to pass cookies, headers and caching instructions between client and server, making for a more realistic test.
- API Composer allowing you to test, group, and organize API requests.
- Autoresponder enables creation and configuration of mock requests and responses, letting you test complex systems with no code changes.
Conclusion
This article covered several ways to test that APIs are secure—a quick sanity check, a detailed API security checklist, and open source tools you can use to test APIs in more depth. Use these techniques and tools on a regular basis to ensure APIs are secure, and make sure they remain secure, as they undergo ongoing development and configuration of the underlying infrastructure change.