‘Most web API flaws are missed by standard security tests’ – Corey J Ball on securing a neglected attack vector

API security serves as an excellent entry point into a penetration testing career, according to a field specialist.


INTERVIEW Effective web API security demands a distinct strategy from traditional web application security, as standard testing methods often overlook pervasive vulnerabilities.

This perspective comes from API security expert Corey J. Ball, who cautions that traditional assessment techniques may yield false negatives for penetration testers if not properly adjusted for web APIs.

Ball embarked on his journey in web application penetration testing in 2015, enhancing his knowledge through hacking literature, HackTheBox, and VulnHub, followed by practical experience on servers running Cold Fusion, WordPress, Apache Tomcat, and various enterprise web applications.


He subsequently earned CEH, CISSP, and OSCP certifications before joining public accounting firm Moss Adams as a lead web app pen tester, focusing on delivering penetration testing services.

Diving deeper into the often overlooked area of web API security, Ball has introduced a free online course about the subject and authored Hacking APIs: Breaking Web Application Programming Interfaces (No Starch Press, 2022).

In an interview with The Daily Swig, Ball discusses the pressing need to rethink our application security strategies due to the escalation in web API usage.

A Rising Target

Recent years have witnessed a rapid surge in the adoption of web APIs across numerous sectors. As reported by Akamai in 2018, API calls constituted 83% of web traffic.

“Companies have discovered they don’t need to create every component of their application from scratch (like maps, payment processing, communication, authentication, etc.),” Ball explains. “Instead, they can utilize existing web APIs to build upon what others have done and concentrate on their unique specializations.”

API stands for application programming interface, serving as a collection of definitions and protocols for creating and integrating application software.

Accessible via the HTTP protocol, web APIs have paved the way for API services that monetize various technologies, infrastructures, functionalities, and data. However, they also attract the attention of cybercriminals.

“Vulnerable APIs can jeopardize confidentiality, integrity, and availability,” Ball warns. “Given that many APIs are available on the internet, their vulnerabilities designate them as prime attack targets.”

Shifting Paradigms

Incorporating security-focused team members at the design phase, promoting secure coding practices, performing regular security tests, and monitoring programming calls can significantly mitigate the risks associated with APIs.

According to Ball, securing web APIs necessitates a fundamentally different methodology than traditional web application security.

“Conventional web application tests often lead to false-negative findings for web APIs,” he clarifies. “Tools and techniques not specifically tailored for web APIs commonly overlook virtually all standard vulnerabilities.”

An illustrative case involves a vulnerability found in the USPS Informed Visibility API, which was identified by security researcher Brian Krebs. Standard web application tests were performed just one month prior to Krebs’s report about the data exposure.


Tools such as Nessus and HP WebInspect were generically applied, resulting in a failure to detect a significant web API vulnerability. This oversight allowed any authenticated user to access personal data, including email addresses, usernames, package updates, mailing addresses, and phone numbers tied to 60 million customers.

“The vulnerability assessment conducted on the Informed Visibility system’s external attack surface exemplifies the consequences of applying web application hacking techniques to APIs,” Ball emphasizes. “The critical takeaway is that appropriate tools and techniques are essential when testing APIs.”

Revealing Vulnerabilities

Ball has made notable discoveries during API-focused penetration tests, including a favorite timing attack that extracted information from an administrative API utilized for searching client records.

Typically, the API would deny unauthorized requests and send a standard HTTP 401 Unauthorized response. However, due to the absence of rate limiting, Ball was able to issue numerous requests, testing various user IDs and names gathered through passive reconnaissance. He observed that specific responses contained slightly different byte sizes compared to others.

“Upon further examination (using Comparer), it became evident that a middleware header indicated how much longer the server needed to process specific requests,” he recounts. “I found that requests involving existing records took the server five times longer to process compared to those with non-existing records.”

By correlating various pieces of leaked information, Ball succeeded in assembling sensitive data, linking users with their user ID, zip code, phone number, health records, and social security numbers.

“I did not need to breach the external network, circumvent a firewall, navigate within the network, and ultimately access the right database to extract data; instead, I leveraged a web API to unveil the crucial information,” Ball concluded.
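The enumeration Ball describes leaves two traces a defender can look for in API access logs: a single client drawing many 401s against a run of distinct object IDs (no rate limiting), and 401 responses that differ in size or processing time depending on whether the record exists. The following is an added example, not from the interview or from any project; the log format, field names and all log lines are constructed for illustration.

```python
"""Detect record enumeration and an 'existence oracle' in API access logs.

Added example with constructed data. Assumed (hypothetical) log format:
    <ISO-8601 ts> <client> <method> <path> <status> <bytes> <ms>
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$"
)
ID_RE = re.compile(r"/api/clients/(?P<id>\d+)")

# Constructed sample: one client walks IDs 1001-1006 and is denied every time,
# but two of the denials take about five times longer than the rest.
SAMPLE_LOG = """\
2022-06-01T10:00:00Z 198.51.100.7 GET /api/clients/1001 401 152 12
2022-06-01T10:00:01Z 198.51.100.7 GET /api/clients/1002 401 152 11
2022-06-01T10:00:02Z 198.51.100.7 GET /api/clients/1003 401 152 61
2022-06-01T10:00:03Z 198.51.100.7 GET /api/clients/1004 401 152 12
2022-06-01T10:00:04Z 198.51.100.7 GET /api/clients/1005 401 152 58
2022-06-01T10:00:05Z 198.51.100.7 GET /api/clients/1006 401 152 13
2022-06-01T10:00:30Z 203.0.113.9 GET /api/clients/2001 200 980 40
2022-06-01T10:05:00Z 203.0.113.9 GET /api/clients/2001 401 152 12
"""


def parse_log(text):
    """Parse lines in the constructed format into dicts; unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for k in ("status", "bytes", "ms"):
            e[k] = int(e[k])
        idm = ID_RE.search(e["path"])
        e["object_id"] = idm.group("id") if idm else None
        entries.append(e)
    return entries


def find_enumeration(entries, window_seconds=60, threshold=5):
    """Return {client: sorted IDs} for clients that were denied (401) on at least
    `threshold` distinct object IDs inside any `window_seconds` sliding window."""
    by_client = defaultdict(list)
    for e in entries:
        if e["status"] == 401 and e["object_id"] is not None:
            by_client[e["client"]].append(e)
    flagged = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        hits, start = set(), 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ids = {e["object_id"] for e in evs[start:end + 1]}
            if len(ids) >= threshold:
                hits |= ids
        if hits:
            flagged[client] = sorted(hits)
    return flagged


def existence_oracle(entries, ratio=3.0):
    """Check whether denials themselves leak: a spread of body sizes, or a
    slow/fast split in processing time, lets an attacker tell which IDs exist."""
    denied = [e for e in entries if e["status"] == 401]
    if len(denied) < 2:
        return {"size_leak": False, "timing_leak": False, "slow_ids": []}
    fastest = min(e["ms"] for e in denied)
    slow = sorted(e["object_id"] for e in denied if e["ms"] >= ratio * fastest)
    return {
        "size_leak": len({e["bytes"] for e in denied}) > 1,
        "timing_leak": bool(slow),
        "slow_ids": slow,
    }


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("enumeration:", find_enumeration(parsed))
    print("oracle:", existence_oracle(parsed))
```

Run as-is, the script flags 198.51.100.7 for walking six IDs in six seconds and reports a timing leak on IDs 1003 and 1005, with no size leak. The two signals are deliberately separate: rate limiting addresses the first, while the second needs the server to stop attaching timing metadata and to take the same code path for existing and non-existing records before the authorization check fails.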

Addressing the Gap

As web APIs gain notoriety as an attack vector, Ball notes that there were few resources for testing them for vulnerabilities before he decided to focus on this niche himself.

“There were no dedicated books on API security testing, no certifications, and very few blog entries or videos,” he observes. “I attended conferences and posed questions to speakers on the latest web application hacking talks regarding their strategies for API security testing. Many either were unsure of how to test APIs or only had one team member familiar with the process.”


Encouraged by a partner at Moss Adams, Ball embarked on a path to become an API subject matter expert, accumulating around 150 pages of notes before realizing he was halfway through drafting a book on API security.

“I recognized an opportunity to disseminate my research, empower testers, and reduce the likelihood of future API-related data breaches,” he shares. “I initiated contact with No Starch Press, and the rest is history.”

Ball has also curated a free online course at APIsec University, where he instructs on various stages of the API penetration testing process, including lab setup, reconnaissance, endpoint analysis, and attack execution.

Growing Standards

Standards and resources around API security are gradually taking form, with the publication of the top 10 API vulnerabilities by the Open Web Application Security Project (OWASP) in 2019.

Nevertheless, Ball notices that common API security mistakes persist across the web. “Authorization problems remain the leading API security mistake,” he states.

He often encounters instances of broken object level authorization and broken function level authorization, which are both listed on OWASP’s top vulnerabilities. Typically, these vulnerabilities enable one authenticated user to access another user’s data through the API.

“Given the frequent occurrence of API authorization vulnerabilities, it implies a significant degree of trust in legitimate users, coupled with insufficient testing to ensure users and groups cannot inadvertently access or modify one another’s data,” Ball asserts.
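The two authorization classes Ball names look like this in handler code. The example below is added here and is not from the interview or any project; the record store, the `User` type and the handler names are constructed. Each vulnerable handler is paired with a hardened one, and `cross_tenant_leaks` is the kind of test Ball says is missing: it walks every user against every record and reports any non-owner, non-admin access that succeeds.

```python
"""Broken object level authorization (BOLA) and broken function level
authorization (BFLA), vulnerable and hardened, plus an authorization-matrix
test.  Added example with constructed data; handlers return (status, body)
in place of a real HTTP framework."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" (constructed roles)


def make_store():
    # Constructed records: object_id -> owner and some sensitive field.
    return {
        1001: {"owner": 1, "ssn_last4": "1234"},
        1002: {"owner": 2, "ssn_last4": "9876"},
    }


NOT_FOUND = (404, {"error": "not found"})


def get_record_vulnerable(store, caller, record_id):
    """BOLA: the caller is authenticated, but ownership is never checked."""
    rec = store.get(record_id)
    return (200, rec) if rec is not None else NOT_FOUND


def get_record(store, caller, record_id):
    """Hardened: deny unless the caller owns the record or is an admin.
    A foreign record gets the same 404 as a missing one, so the response
    does not reveal which IDs exist."""
    rec = store.get(record_id)
    if rec is None or not (rec["owner"] == caller.id or caller.role == "admin"):
        return NOT_FOUND
    return 200, rec


def delete_record_vulnerable(store, caller, record_id):
    """BFLA: an admin-only function reachable by any authenticated user."""
    return (204, None) if store.pop(record_id, None) is not None else NOT_FOUND


def delete_record(store, caller, record_id):
    """Hardened: check the function-level permission before touching data."""
    if caller.role != "admin":
        return 403, {"error": "forbidden"}
    return (204, None) if store.pop(record_id, None) is not None else NOT_FOUND


def cross_tenant_leaks(store, users, handler):
    """Authorization-matrix test: every (user, record) pair where a non-owner
    who is not an admin gets a 200 back is a BOLA finding."""
    leaks = []
    for user, (rid, rec) in product(users, sorted(store.items())):
        if user.role == "admin" or rec["owner"] == user.id:
            continue
        status, _ = handler(dict(store), user, rid)  # copy: handler must not mutate
        if status == 200:
            leaks.append((user.id, rid))
    return leaks


if __name__ == "__main__":
    users = [User(1, "user"), User(2, "user"), User(99, "admin")]
    print("vulnerable:", cross_tenant_leaks(make_store(), users, get_record_vulnerable))
    print("hardened:  ", cross_tenant_leaks(make_store(), users, get_record))
```

The matrix test is cheap to keep in CI: seed two tenants, call every object-level endpoint as each one, and fail the build on any unexpected 200. Returning 404 rather than 403 for a foreign object is a design choice worth making explicit, since a 403 confirms the object exists and turns the authorization check back into an enumeration oracle.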

Pathways to Penetration Testing

As APIs continue to proliferate, the demand for API security experts is climbing.

“I consider APIs to be a remarkable gateway for anyone aspiring to enter the penetration testing field. APIs could be the very first target for emerging hackers,” Ball comments.

For those interested in learning about API security, Ball recommends the following resources:

“Become proficient with Postman and Burp Suite,” Ball advises. “Of course, for a comprehensive source, refer to my book, Hacking APIs.”

*PortSwigger is the parent company of The Daily Swig


Based on an article from portswigger.net: https://portswigger.net/daily-swig/most-web-api-flaws-are-missed-by-standard-security-tests-corey-j-ball-on-securing-a-neglected-attack-vector
