{"id":18802,"date":"2024-06-11T07:36:14","date_gmt":"2024-06-11T06:36:14","guid":{"rendered":"https:\/\/staging2022.42crunch.com\/?p=18802"},"modified":"2024-06-11T07:47:22","modified_gmt":"2024-06-11T06:47:22","slug":"whats-the-best-way-to-test-an-api-for-vulnerabilities","status":"publish","type":"post","link":"https:\/\/staging2022.42crunch.com\/whats-the-best-way-to-test-an-api-for-vulnerabilities\/","title":{"rendered":"What\u2019s the best way to test an API for vulnerabilities? RTFM"},"content":{"rendered":"

\"\"<\/p>\n

If you’re a child of the 80s like me, you may have had the distinction of being the only one in your house who knew how to program the VCR. My motivation was strong. Clarinet lessons were interfering with my favorite show, The A-Team. I was the one in the family who handled most AV responsibilities at the time, and I was confident that this would be a simple task. Nope. After fighting with the VCR for 20 minutes, I went digging through the stack of manuals in our kitchen drawer and found the one that said Sylvania. Five minutes later, I had the weekly recording set up and took comfort in knowing I’d never miss another episode.

These days, reading a manual to do anything seems practically medieval. I can now record my favorite shows with a click of my Roku remote. And thanks to a trend Apple started long ago with the iPhone, most of the consumer electronics I buy don’t even come with a physical manual. And yet, there are still many cases where having accurate and complete documentation pays big dividends. API security testing happens to be one of them.

Know before you test

But why be so specific? Isn’t good documentation useful for any software security testing, not just APIs? Of course! Having deep knowledge of how a web application functions, how it’s built, and even how it’s deployed is a huge advantage for anyone wishing to perform security testing. Armed with this knowledge, a security engineer can model specific threats and formulate a custom test plan that covers all components of the application. As a result, the testing can be far more effective than if the tester had minimal knowledge of the application.

So why aren’t all web applications tested this way? In short, because this approach takes too much time and requires too many people. Developers have little time to produce technical documentation, and even if they did, security engineers are so vastly outnumbered by developers that they’d struggle to keep up and take advantage of it. In reality, most security teams rely on traditional DAST scanning tools (often based on something like OWASP ZAP) that run a one-size-fits-all library of dynamic tests against their applications. While these tools can be useful in finding common vulnerabilities, they are usually accompanied by a high volume of false positives and fail miserably at finding most of the top API vulnerabilities.

OpenAPI as a boon for security

Speaking of APIs, let’s get back to how they’re different from web applications. One major difference is that web and mobile applications are heterogeneous by nature. Because there’s no standard approach to building a web application, there’s also no standard way to document how it works. In contrast, REST APIs are highly structured and adhere to various RFC standards. This has led to the emergence of a widely adopted documentation standard that describes every aspect of an API: the OpenAPI Specification (OAS), more commonly known as Swagger. The original purpose of OAS was to provide a human- and machine-readable language for producers to share information about their APIs with consumers. In fact, producers that publish Swagger files early enable consumers to build integrations while the API is still being built.

Based on the points in the previous section, you can see why OAS should be viewed as an absolute gift for security testers. Along with the many business benefits of having good API documentation, the value it provides to security teams can’t be overstated: