API security presents a valuable entry point into a career in penetration testing, according to an expert in the field.

INTERVIEW Securing web APIs requires a specialized approach rather than relying on traditional web application security, as standard tests often overlook prevalent vulnerabilities.
This perspective is shared by API security specialist Corey J Ball, who cautions that conventional methods not adapted for web APIs can lead to misleading results for penetration testers.
Ball began learning web application penetration testing in 2015 by studying hacking books and practising on platforms such as HackTheBox and VulnHub, then sharpened his skills against targets built on ColdFusion, WordPress, and Apache Tomcat.
He subsequently earned CEH, CISSP, and OSCP certifications before receiving the opportunity to lead penetration testing services at Moss Adams, a public accounting firm where he currently serves as the principal web application penetration tester.
With a newfound focus on web API security, a crucial yet often neglected area, Ball has released a free online course on the subject as well as a book titled Hacking APIs: Breaking Web Application Programming Interfaces (No Starch Press, 2022).
In a recent interview with The Daily Swig, Ball elaborates on how the increasing reliance on web APIs necessitates a revised approach to securing applications.
Significant Attack Vector
In recent years, web API adoption has surged across various industries. In a 2018 report, Akamai noted that API requests comprised 83% of all web traffic.
“Companies learned that they do not have to manage all aspects of their applications, such as mapping, payment processes, communication, and authentication,” Ball notes. “By leveraging web APIs, they can utilize existing work from third parties and concentrate on their specialties.”
An API, or application programming interface, is a set of definitions and protocols for building and integrating application software.
Accessible via the HTTP protocol, web APIs have given rise to services that monetize their technologies, infrastructures, functionalities, and data. However, these APIs have also attracted the scrutiny of cybercriminals.
“Insecure APIs risk compromising confidentiality, integrity, and availability,” Ball remarks. “When combined with the prevalence of internet-facing APIs, vulnerable API endpoints form one of the most attractive attack vectors.”
Adopting New Security Measures
To mitigate risks, APIs benefit from having security-oriented team members involved during the design phase, promoting secure coding practices, regularly conducting security assessments, and monitoring API calls for signs of attacks or misuse.
According to Ball, securing web APIs entails a fundamentally different methodology than traditional web application security.
“Applying standard web application tests can lead to misleading results for web APIs,” he clarifies. “Generic tools and techniques that aren’t tailored specifically for web APIs often fail to detect most common vulnerabilities.”
A case in point is a vulnerability found in the USPS Informed Visibility API, initially brought to light by security researcher Brian Krebs. The web application underwent thorough testing just a month before Krebs revealed the data leak.
Traditional testing tools such as Nessus and HP WebInspect were run against the targets without being adapted to the API, and the significant vulnerability in the USPS Informed Visibility API went undetected. This vulnerability allowed any authenticated user access to the email addresses, usernames, package updates, mailing addresses, and phone numbers associated with 60 million customers.
“The vulnerability assessment of the Informed Visibility system’s external attack surface exemplifies the pitfalls of applying conventional web application hacking methodologies to APIs,” Ball emphasizes. “The takeaway is that the appropriate tools and techniques must specifically cater to API testing.”
API Timing Attacks
Ball has uncovered several vulnerabilities through targeted API pen testing, with a notable one being a side-channel timing attack that retrieved information from an admin API utilized to search client records.
Typically, the API would reject unauthorized requests and return a standard HTTP 401 Unauthorized response. However, due to inadequate rate limiting, Ball was able to send a multitude of requests, probing various user IDs and names obtained through passive reconnaissance. He noted discrepancies in the response sizes.
“Using a tool called Comparer, I found that a certain middleware header indicated how long the server required to process specific requests,” he explains. “Requests involving existing records took noticeably longer than those for non-existent records.”
Through careful analysis of the disclosed information, Ball was able to compile sensitive data linking users to their user IDs, postal codes, phone numbers, health records, and social security numbers.
“I didn’t need to breach the external network, bypass a firewall, or navigate within the network to access the right database; I merely exploited a web API to uncover privileged information,” Ball concluded.
A Growing Need for Experts
Despite the rising popularity of web APIs as an attack point, Ball observed a scarcity of information on how to assess them for vulnerabilities prior to dedicating himself to this niche.
“There were negligible resources, such as books specifically about API security testing, limited certifications, and very few relevant blog posts or videos,” he observed. “At conferences, I inquired with speakers discussing web app hacking about their API security testing strategies, and their responses ranged from bewilderment to acknowledging that one team member had a limited understanding of APIs.”
A partner at Moss Adams urged Ball to emerge as a recognized authority on API security. Over the course of several months, he amassed around 150 pages of notes on the subject, which eventually coalesced into the framework for his upcoming book on API security.
“I recognized a chance to extend my findings, empower testers, and contribute to the prevention of future API-related data breaches,” he noted. “I partnered with No Starch Press, and the rest is history.”
Additionally, Ball has developed a complimentary online course through APIsec University, covering various stages of the API penetration testing process, incorporating lab setup, reconnaissance, endpoint analysis, and attack strategies.
Emerging Standards
Standards and resources concerning API security are gradually taking form, exemplified by the 2019 publication of the top ten API vulnerabilities by the Open Web Application Security Project (OWASP).
However, Ball continues to witness persistent API security missteps across the digital landscape. “Authorization remains the leading API security flaw observed in real-world scenarios,” he states.
He frequently encounters instances of broken object-level authorization and broken function-level authorization, both of which appear in OWASP’s API top ten. In many situations, these flaws allow one authenticated user to utilize the API for unauthorized access to another user’s data.
“In the pervasive presence of API authorization issues, it appears that there is excessive trust placed in legitimate users, and insufficient assessment to ensure that users cannot access or alter each other’s data,” Ball concludes.
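The two flaws Ball names come down to a missing check in the request handler. The following is an added example, not code from the article, from Ball's book, or from any real API: a minimal in-memory service with a broken object-level authorization (BOLA) handler and a broken function-level authorization (BFLA) handler, each beside a version that verifies ownership or role. The users, records, roles, and handler names are constructed for illustration.

```python
"""Added example (not from the article): broken object-level and
function-level authorization next to handlers that actually check the
caller's ownership and role."""
from dataclasses import dataclass


class NotFound(Exception):
    """Returned for records the caller may not see, whether or not they exist."""


class Forbidden(Exception):
    """Raised when a caller invokes a function their role does not permit."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "user" or "admin"


# Constructed data store: record id -> owner id and a small payload.
RECORDS = {
    101: {"owner": 1, "phone": "555-0101"},
    202: {"owner": 2, "phone": "555-0202"},
}


# --- Object-level authorization ---------------------------------------------

def get_record_vulnerable(caller: User, record_id: int) -> dict:
    """BOLA: the caller is authenticated, but nobody asks whether the record
    belongs to them, so any logged-in user can read any record by its id."""
    return RECORDS[record_id]


def get_record_fixed(caller: User, record_id: int) -> dict:
    """Looks the record up, then verifies the caller owns it (or is an admin).
    A missing record and a foreign record both raise the same NotFound so the
    response does not confirm which ids exist to a caller who may not see them."""
    record = RECORDS.get(record_id)
    if record is None:
        raise NotFound(record_id)
    if caller.role != "admin" and record["owner"] != caller.user_id:
        raise NotFound(record_id)
    return record


# --- Function-level authorization -------------------------------------------

def delete_record_vulnerable(caller: User, record_id: int, store: dict) -> bool:
    """BFLA: an admin-only operation reachable by any authenticated caller;
    the handler relies on non-admins not knowing the endpoint exists."""
    store.pop(record_id, None)
    return True


def delete_record_fixed(caller: User, record_id: int, store: dict) -> bool:
    """The same operation gated on the caller's role rather than on obscurity."""
    if caller.role != "admin":
        raise Forbidden(f"user {caller.user_id} may not delete records")
    store.pop(record_id, None)
    return True


def outcome(handler, *args) -> str:
    """Run a handler and report what a client would observe: 'ok' or the
    name of the authorization error raised."""
    try:
        handler(*args)
        return "ok"
    except (NotFound, Forbidden) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    alice, bob, admin = User(1, "user"), User(2, "user"), User(9, "admin")
    print("alice reads bob's record (vulnerable):", outcome(get_record_vulnerable, alice, 202))
    print("alice reads bob's record (fixed):     ", outcome(get_record_fixed, alice, 202))
    print("bob deletes a record (vulnerable):    ", outcome(delete_record_vulnerable, bob, 101, dict(RECORDS)))
    print("bob deletes a record (fixed):         ", outcome(delete_record_fixed, bob, 101, dict(RECORDS)))
```

The fixed object-level handler deliberately collapses "does not exist" and "not yours" into one response; answering a foreign id with 403 and an unknown id with 404 would hand the caller an oracle for which ids are real, which is the same kind of leak the interview's timing example turned into a data set.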
The Path Ahead
With the continuous integration of APIs in various applications, the necessity for experts in API security is growing.
“I contend that APIs are an excellent gateway for those yearning to get into penetration testing. It’s often the initial target for budding hackers,” Ball asserts.
For those eager to gain insights into API security, Ball recommends the following resources:
- API Penetration Testing at APIsec University
- PortSwigger’s Web Security Academy
- OWASP’s API Security Project
“Become proficient with Postman and Burp Suite,” Ball suggests. “And if you desire a comprehensive source, check out my book, Hacking APIs.”
*PortSwigger is the parent company of The Daily Swig
Based on an article from portswigger.net: https://portswigger.net/daily-swig/most-web-api-flaws-are-missed-by-standard-security-tests-corey-j-ball-on-securing-a-neglected-attack-vector
