Why we need API Security Testing
APIs are now an essential part of almost every organization: banks, transportation, mobile apps and IoT devices all depend on them, and businesses increasingly build their products on top of them. An API is also the easiest access point for an attacker who wants to reach organizational data, which is why organizations conduct API security testing to make sure their APIs are safe and free of security issues. If an attacker can compromise an API through an existing weakness, every application that relies on that API is affected. In other words, a single security issue can create problems for the entire organization, as well as for any third party that consumes your API.
Web application security testing practice is a good starting point for securing your APIs, but APIs differ from web applications and need their own security testing plan and tests. APIs provide direct access to data and can be implemented insecurely by developers, so they are low-hanging fruit for attackers, who can exploit any vulnerability to gain access to your most sensitive data and systems.
What is API
An API (Application Programming Interface) is an interface through which two components communicate with each other. In other words, an API is a set of rules and a contract between the service provider and the consumer. A simple example is an airline ticket booking system: different airlines provide ticket booking APIs, which travel apps use for price comparison and ticket booking.
Some common ways to strengthen your API security
- Assign tokens to trusted identities so that those identities can access services and resources securely.
- Use TLS to encrypt data in transit, and require signatures on the encrypted data so that only a valid user can decrypt and trust it.
- Identify Vulnerabilities: know how everything works together and identify weak spots that could be used to break into your APIs and make sure that the APIs are tested by security engineers.
- Use quotas and throttling: place quotas on API usage and track usage over time. An unusual number of calls may indicate that the API is being abused; it could also be a programming error, such as calling the API in an infinite loop. Define throttling rules to protect your APIs from traffic spikes and Denial-of-Service attacks.
- HTTP methods: whitelist the permitted HTTP methods/verbs, for example GET, POST, PUT and DELETE. If the request method does not match a whitelisted method/verb, the API must reject the request.
- Content-Types: document and whitelist all supported content types. The API must reject any request with an unexpected or missing Content-Type.
- Input validation: every API endpoint must validate all user-supplied inputs/values against a whitelisted set of characters. All inputs must be validated for length, range, format and type. Structured data must be strongly typed and validated against a defined schema, including allowed characters, length and pattern (e.g. credit card numbers, telephone numbers, etc.). Implement implicit input validation by using strong types such as numbers, Booleans, dates, times or fixed data ranges for API parameters.
- Rate limiting: the API should return 429 Too Many Requests if a user has sent too many requests in a given time window.
- Error handling: the API must return a generic error message for all expected and unexpected error conditions, so that no internal details leak to the caller.
- HTTP headers: the service must set the following headers on all HTTP responses:
  - Strict-Transport-Security: max-age=31536000; includeSubDomains
  - X-Frame-Options: SAMEORIGIN / DENY
  - X-XSS-Protection: 1; mode=block
  - X-Content-Type-Options: nosniff
  - Content-Security-Policy: default-src 'self'
  - Cache-Control: no-store
  - Pragma: no-cache
- Use an API gateway: API gateways act as the central enforcement point for API traffic. A good gateway lets you authenticate traffic as well as control and analyze how your APIs are used.
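The following is an added example, not code from the article: a small request filter that applies several of the rules above (HTTP method whitelist, Content-Type whitelist, per-client rate limiting with a 429 response, generic error messages, and the recommended security headers). The request shape, the `ApiFilter` class and the limits are constructed for illustration; no real web framework is involved.

```python
"""Request filter applying the API hardening rules listed above (illustrative)."""
import time
from collections import defaultdict, deque

# Constructed policy values; a real service would load these from configuration.
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_CONTENT_TYPES = {"application/json"}
RATE_LIMIT = 5          # requests allowed per client ...
RATE_WINDOW = 60.0      # ... within this rolling window (seconds)

SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}


class ApiFilter:
    def __init__(self):
        self._hits = defaultdict(deque)  # client id -> recent request timestamps

    def _rate_limited(self, client, now):
        """Sliding-window counter: drop expired hits, record this one, compare."""
        q = self._hits[client]
        while q and now - q[0] > RATE_WINDOW:
            q.popleft()
        q.append(now)
        return len(q) > RATE_LIMIT

    def handle(self, client, method, content_type, handler, now=None):
        """Return (status, headers, body). Security headers go on every response."""
        now = time.time() if now is None else now
        headers = dict(SECURITY_HEADERS)
        if self._rate_limited(client, now):
            return 429, headers, {"error": "too many requests"}
        if method not in ALLOWED_METHODS:
            return 405, headers, {"error": "request rejected"}
        if method in {"POST", "PUT"} and content_type not in ALLOWED_CONTENT_TYPES:
            return 415, headers, {"error": "request rejected"}
        try:
            return 200, headers, handler()
        except Exception:
            # Generic message only: never return stack traces or internal details.
            return 500, headers, {"error": "internal error"}
```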