‘Most web API flaws are missed by standard security tests’ – Corey J Ball on securing a neglected attack vector

API security serves as an excellent entry point into a penetration testing career, as noted by an expert in the field.


INTERVIEW: Securing web APIs demands a unique approach compared to traditional web application security, as standard tests often overlook prevalent vulnerabilities.

According to API security specialist Corey J Ball, employing methods that are not tailored for web APIs can lead to false negatives for penetration testers.

Starting his journey in web application penetration testing in 2015, Ball expanded his knowledge through books, HackTheBox, and VulnHub. He further developed his skills on platforms like Cold Fusion, WordPress, Apache Tomcat, and other enterprise-oriented web applications.

After securing CEH, CISSP, and OSCP certifications, he went on to lead penetration testing initiatives at Moss Adams, where he continues as the lead web app penetration tester.

His recent focus has been on web API security, a sector that demands attention. Ball has introduced a free online course on this subject and published the book Hacking APIs: Breaking Web Application Programming Interfaces (No Starch Press, 2022).

In his interview with The Daily Swig, Ball discusses how the increasing prevalence of web APIs necessitates a shift in our security strategies.

Emerging Threats

Recent years have witnessed a marked rise in the usage of web APIs across different industries. In 2018, Akamai reported that API calls represented 83% of web traffic.

“Organizations understand that they don’t need to be experts in every aspect of application development (like maps, payment processing, communication, and authentication),” says Ball. “They can leverage existing web APIs provided by third parties and concentrate on their core services.”

API stands for application programming interface, referring to a set of definitions and protocols for creating and integrating application software.

Web APIs, accessible via the HTTP protocol, have led to the development of services that capitalize on their technology, infrastructure, functionality, and data. However, these APIs have also caught the attention of cybercriminals.

“Compromised APIs threaten confidentiality, integrity, and availability,” highlights Ball. “Their internet-facing nature makes vulnerable APIs one of the most enticing attack vectors.”

Need for a New Approach

To mitigate these risks, organizations should involve security-minded team members in the design of their APIs, promote secure coding practices, conduct regular security assessments, and monitor for malicious activity and misuse.

Ball asserts that securing web APIs requires a distinct strategy from conventional web application security. “Generic web application tests yield false negatives when applied to web APIs,” he cautions. “Standard tools and techniques often fail to identify most common vulnerabilities.”

A notable instance involved a vulnerability in the USPS Informed Visibility API, documented by security researcher Brian Krebs, where thorough testing had been performed just a month prior to the discovery of exposed data.


The testing relied on tools such as Nessus and HP WebInspect run in a generic fashion, and as a result a significant web API vulnerability was missed. The flaw allowed authenticated users to access the email addresses, usernames, package details, and mailing addresses of 60 million customers.

“The vulnerability assessment of the Informed Visibility system’s external attack surface exemplifies the pitfalls of applying web application hacking techniques to APIs,” warns Ball. “It underscores the necessity of proper tools and methods during API assessments.”

Complex Attack Techniques

Ball has identified multiple bugs through his API-centered penetration testing. Among his notable findings is a side-channel timing attack that exfiltrated data from an administrative API tasked with searching client records.

Typically, this API would deny unauthorized requests, returning a standard HTTP 401 Unauthorized response. However, because there was no rate limiting, Ball was able to send a large number of requests, testing various user IDs obtained through passive reconnaissance. He observed that certain responses contained slightly differing byte counts.

“With further analysis using Comparer, I noted that a middleware header indicated processing times for specific requests,” he shares. “I found that requests related to existing records took significantly longer to process than those related to non-existing records.”

By correlating various pieces of disclosed information, Ball successfully uncovered sensitive data, effectively mapping users to their IDs, zip codes, phone numbers, health records, and social security numbers.

“I didn’t need to compromise external networks, bypass firewalls, or navigate through networks to access the database. Instead, I utilized a web API to unveil critical sensitive information,” he concluded.
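To make the side channel concrete, here is an added example (not code from the interview or from any real API) of the handler ordering that produces it, beside a hardened version. The record store, token, and X-Processing-Time header are constructed for the illustration; server "work units" stand in for real latency so the difference is deterministic.

```python
import hmac

# Constructed sample data and token; none of this is from the interview.
RECORDS = {"1001": {"name": "A. Example", "zip": "90210"}}
ADMIN_TOKEN = "constructed-admin-token"

class FakeDB:
    """Simulated backend whose cost depends on whether a record exists,
    standing in for the latency difference the middleware header exposed."""
    def __init__(self):
        self.work = 0
    def find(self, record_id):
        if record_id in RECORDS:
            self.work += 120   # full record fetch and deserialisation
            return RECORDS[record_id]
        self.work += 3         # index miss, returns at once
        return None

def leaky_search(db, token, record_id):
    """Vulnerable ordering: the lookup runs before the authorization check
    and a middleware header reports the processing time, so the 401 still
    reveals whether the ID exists."""
    before = db.work
    record = db.find(record_id)
    headers = {"X-Processing-Time": str(db.work - before)}
    if token != ADMIN_TOKEN:
        return 401, headers, "Unauthorized"
    return 200, headers, str(record)

def hardened_search(db, token, record_id):
    """Fixed ordering: authorize before touching data, return a fixed error
    body, and strip the timing header. A rate limit on failed requests in
    front of this handler closes the remaining brute-force window."""
    if not hmac.compare_digest(token, ADMIN_TOKEN):
        return 401, {}, "Unauthorized"
    record = db.find(record_id)
    if record is None:
        return 404, {}, "Not found"
    return 200, {}, str(record)

def observable(handler, token, record_id):
    """Everything an unauthorized caller can measure for one request:
    status, body size, headers, and server work (the timing side channel)."""
    db = FakeDB()
    status, headers, body = handler(db, token, record_id)
    return {"status": status, "bytes": len(body),
            "headers": headers, "work": db.work}
```

With a bad token, `observable(hardened_search, ...)` is identical for existing and non-existing IDs, which is the property a defender should assert in an API test suite.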

Growing Expertise Needed

Despite the rising popularity of web APIs as an attack surface, Ball has noticed a glaring lack of educational resources pertaining to their vulnerability testing.

“Resources on API security testing are minimal: no dedicated books, scarce certifications, and limited blog articles or videos,” he remarks. “At conferences, I probed speakers on web application hacking about their API security testing practices. Their responses ranged from cluelessness to having just one team member who was an expert in API testing.”


A partner at Moss Adams encouraged Ball to specialize in API security. He compiled nearly 150 pages of notes on the subject before realizing he was essentially penning a book on API security.

“I seized the opportunity to share my findings, empower testers, and help thwart potential API-related data breaches,” he states. “This led me to collaborate with No Starch Press to publish my work.”

Ball has also introduced a free online course at APIsec University, covering various stages of the API penetration testing procedure, which includes lab setup, reconnaissance, endpoint analysis, and executing various attacks.

Establishing Standards

Standards and guidelines for API security are gradually being developed, highlighted by the release of the top 10 API vulnerabilities by the Open Web Application Security Project (OWASP) in 2019.

However, Ball continues to observe common API security pitfalls that persist across the internet. “Authorization remains a prevalent security flaw among APIs,” he notes.

He frequently encounters instances of broken object-level and function-level authorization, both of which are well-documented vulnerabilities on OWASP’s list. These often result in one authenticated user leveraging the API to access unauthorized data belonging to others.

“Given the prevalence of API authorization vulnerabilities, it appears that there is excessive trust in legitimate users and insufficient testing to ensure users cannot access or modify each other’s information,” Ball remarks.
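As an added illustration of the two OWASP categories mentioned above (not code from the interview or from any real API), the following shows a broken object-level check beside its fix, a function-level check, and the cross-user test Ball says is too rarely run. The users, roles and order records are constructed for the example.

```python
# Constructed users, roles and records; none of this is from the interview.
USERS = {"alice": 1, "bob": 2}             # username -> user id
ROLES = {"alice": "user", "bob": "admin"}  # function-level roles
ORDERS = {
    101: {"owner_id": 1, "address": "1 Example St"},
    102: {"owner_id": 2, "address": "2 Example Ave"},
}

class NotFound(Exception): pass
class Forbidden(Exception): pass

def load_order(order_id):
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound
    return order

def get_order_bola(caller, order_id):
    """Broken object-level authorization: the caller is authenticated but
    never compared with the record's owner, so changing the ID is enough."""
    return load_order(order_id)

def get_order_fixed(caller, order_id):
    """Object-level check: the record must belong to the caller. Reusing the
    missing-ID error avoids confirming which IDs exist (403 is also common)."""
    order = load_order(order_id)
    if order["owner_id"] != USERS[caller]:
        raise NotFound
    return order

def cancel_order_fixed(caller, order_id):
    """Function-level check: cancellation is an admin action, so the role is
    enforced server-side. Omitting this check is broken function-level
    authorization, regardless of what the client UI hides."""
    if ROLES.get(caller) != "admin":
        raise Forbidden
    return dict(load_order(order_id), cancelled=True)

def access_matrix(handler):
    """The cross-user check the interview says is missing: try every caller
    against every record and report which (caller, id) pairs succeed."""
    allowed = set()
    for caller in USERS:
        for order_id in ORDERS:
            try:
                handler(caller, order_id)
                allowed.add((caller, order_id))
            except (NotFound, Forbidden):
                pass
    return allowed
```

`access_matrix` is the kind of assertion an API test suite should carry for every object-returning endpoint: the allowed set must contain only each user's own records.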

Pathway to Pen Testing

As the usage of APIs continues to grow, there is an increasing demand for experts in API security.

“I think APIs represent a promising pathway for those looking to become penetration testers. APIs might just be the first target for new hackers,” Ball suggests.

For resources on API security education, Ball recommends:

“Familiarize yourself with Postman and Burp Suite,” Ball advises. “If you’re seeking a single resource, consider my book, Hacking APIs.”

*PortSwigger is the parent company of The Daily Swig


Based on an article from portswigger.net: https://portswigger.net/daily-swig/most-web-api-flaws-are-missed-by-standard-security-tests-corey-j-ball-on-securing-a-neglected-attack-vector
