API security serves as an excellent entry point for those aspiring to embark on a career in penetration testing, as highlighted by an expert in the field.
INTERVIEW – Protecting web APIs requires distinct strategies as conventional web application security approaches frequently overlook the prevalent vulnerabilities.
According to Corey J Ball, an authority in API security, using methods not tailored to web APIs can produce misleading results for penetration testers.
Ball began his journey in web application penetration testing in 2015, utilizing hacking literature and platforms like HackTheBox and VulnHub, refining his skills on Cold Fusion, WordPress, Apache Tomcat, and other enterprise web applications.
He later achieved certifications, including CEH, CISSP, and OSCP, and embraced a leadership role in penetration testing at the accounting firm Moss Adams, where he currently excels as the lead web app penetration tester.
Now specializing in the often-neglected sphere of web API security, Ball has introduced a complimentary online course on the subject and authored the book Hacking APIs: Breaking Web Application Programming Interfaces (No Starch Press, 2022).
During an interview with The Daily Swig, Ball discusses the increasing reliance on web APIs and the necessary shift in approach to secure applications.
Attractive Attack Vector
In recent years, the utilization of web APIs has surged across multiple industries. A 2018 report by Akamai showed that API requests represented 83% of web traffic.
“Businesses have understood that they no longer have to be all-encompassing in application development (for features like maps, payment processing, and authentication),” Ball remarks. “They can harness web APIs to utilize third-party enhancements and focus on their core competencies.”
API stands for application programming interface, a set of definitions and protocols for building and integrating application software.
Accessible over HTTP, web APIs have spawned services that build on their technology, infrastructure, and data, but they have also drawn the attention of cybercriminals.
“Vulnerable APIs can jeopardize confidentiality, integrity, and availability,” says Ball. “Given that many APIs are exposed on the internet, compromised APIs represent a highly desirable attack vector.”
Different Rules Apply
To mitigate the security risks associated with APIs, organizations should incorporate security-minded team members during the design phase, foster secure coding practices, perform regular security assessments, and keep vigilant watch on API calls for signs of attacks or misuse.
According to Ball, securing web APIs requires uniquely tailored strategies in contrast to traditional web application security.
“Standard web application assessments often yield inaccurate results when applied to web APIs,” he notes. “Techniques not specifically designed for web APIs frequently overlook the prevalent vulnerabilities.”
A case in point is a vulnerability found in the USPS Informed Visibility API, which was first disclosed by security researcher Brian Krebs. This web application was thoroughly assessed just one month before Krebs highlighted the security breach.
That assessment relied on generic tools such as Nessus and HP WebInspect, and a significant web API vulnerability went unnoticed as a result. The overlooked flaw allowed unauthorized users to access sensitive data belonging to 60 million customers.
“The oversight in assessing the Informed Visibility API’s external attack surface perfectly illustrates the pitfalls of rigid web application security techniques applied to APIs,” Ball emphasizes. “The takeaway is that appropriate tools and methodologies must be employed for API testing.”
Side-Channel API Attacks
Ball has identified numerous vulnerabilities through targeted API penetration testing. His standout find is a side-channel timing attack that extracted sensitive information from an administrative API used for searching client records.
Typically, the API would deny all unauthorized attempts, issuing a standard HTTP 401 Unauthorized response. However, the API lacked rate limiting, which allowed Ball to send numerous requests while testing various user IDs and names gathered during reconnaissance. He noted that some responses contained a greater byte count than others.
“On further analysis (using Comparer), it became apparent that a middleware header indicated how much time the server required to process specific requests,” he disclosed. “I found that requests for existing records took five times longer to process than those for non-existent records.”
By collating various bits of revealed information, Ball was able to glean sensitive details, linking users to their user ID, zip code, phone number, health records, and social security number.
“I circumvented the need to infiltrate external networks, bypass firewalls, and navigate within the network to access the database; instead, I exploited a web API to uncover critical information,” Ball concluded.
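The two defects behind this finding, an unauthenticated path that still did data-dependent work and exposed its timing, and no rate limiting, are shown side by side below. This is an added illustration, not code from the interview or from Ball's book; the header name, record store and limits are constructed, and the real middleware header is not named in the article.

```python
import time
from collections import defaultdict, deque

# Constructed stand-in for the client-records store behind the admin API
RECORDS = {"1001": "client record A", "1002": "client record B"}

# Assumed header name: the interview does not name the real middleware header
TIMING_HEADER = "X-Processing-Time-Ms"


def vulnerable_lookup(user_id, authenticated=False):
    """Denies unauthenticated callers, but only after performing the lookup,
    then reports how long it took. Every 401 looks the same; the header (and
    the elapsed time itself) is what separates existing IDs from missing ones."""
    start = time.perf_counter()
    if user_id in RECORDS:
        time.sleep(0.005)  # existing records take a slower code path
    elapsed_ms = (time.perf_counter() - start) * 1000
    status = 200 if authenticated else 401
    return status, {TIMING_HEADER: f"{elapsed_ms:.2f}"}


class HardenedApi:
    """Same endpoint with the three fixes the incident calls for: authorize
    before touching data, emit no timing metadata, and rate-limit per client."""

    def __init__(self, max_requests=20, window_s=60.0):
        self.max_requests = max_requests
        self.window_s = window_s
        self.seen = defaultdict(deque)  # client -> timestamps of recent calls

    def _over_limit(self, client):
        now = time.monotonic()
        q = self.seen[client]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_requests:
            return True
        q.append(now)
        return False

    def lookup(self, client, user_id, authenticated=False):
        if self._over_limit(client):
            return 429, {}
        if not authenticated:
            return 401, {}  # rejected before any data-dependent work runs
        body = RECORDS.get(user_id)
        return (200, {"Content-Length": str(len(body))}) if body else (404, {})
```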
Opportunity Knocks
Despite the rise of web APIs as a target for attacks, Ball observed a notable lack of resources available for vulnerability testing in this domain before diving into the topic himself.
“There were hardly any books on API security testing, limited certifications, and few informative blog posts or videos,” he notes. “At conferences, when I asked speakers on web app hacking about API security testing, they either seemed clueless or indicated that only one team member was knowledgeable about API tests.”
Encouraged by a partner at Moss Adams, Ball set out to become an API subject matter expert. In a few months, he compiled about 150 pages of notes before realizing he was essentially penning a book on API security.
“I recognized the chance to disseminate my findings, empower testers, and help avert future API-related data breaches,” he recounts. “This led me to collaborate with No Starch Press, resulting in my published work.”
Ball also offers a free online course at APIsec University covering various stages of the API penetration testing process, including lab setup, reconnaissance, endpoint analysis, and attack preparation.
UnAPI Days
Standards and resources for API security are gradually emerging, notably OWASP’s publication of a top 10 list of API vulnerabilities in 2019.
However, Ball continues to witness persistent API security mistakes across the digital landscape. “Authorization remains the primary security flaw observed in APIs,” he remarks.
He frequently encounters broken object-level and broken function-level authorization, both of which are documented by OWASP. In either case, an authenticated user ends up able to reach data or functions through the API that they were never authorized for.
“The persistence of API authorization vulnerabilities suggests there is excessive trust placed in valid users without sufficient testing to ensure users cannot access or alter each other’s data,” Ball concludes.
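The two authorization flaws Ball names, broken object-level and broken function-level authorization, each shown beside the check that closes them. This is an added example rather than code from the interview or the OWASP project; the invoice store, users and roles are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    role: str  # "user" or "admin", taken from the server-side session


# Constructed data: invoices keyed by ID, each owned by exactly one user
INVOICES = {
    "inv-1": {"owner": "alice", "total": 120.0},
    "inv-2": {"owner": "bob", "total": 75.5},
}


def get_invoice_vulnerable(caller, invoice_id):
    """Broken object-level authorization: the caller is authenticated, so the
    handler trusts whatever ID the request carries and returns that invoice."""
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)


def get_invoice_hardened(caller, invoice_id):
    """Ownership is checked against the session identity, not the request.
    A foreign invoice gets the same 404 as a missing one, so valid IDs
    cannot be enumerated by a user who does not own them."""
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv["owner"] != caller.id and caller.role != "admin"):
        return 404, None
    return 200, inv


def delete_invoice_vulnerable(caller, invoice_id):
    """Broken function-level authorization: an admin-only action is reachable
    by any logged-in user because only authentication, not role, is checked."""
    return (204, None) if INVOICES.pop(invoice_id, None) else (404, None)


def delete_invoice_hardened(caller, invoice_id):
    """The role check happens server-side before the privileged operation runs."""
    if caller.role != "admin":
        return 403, None
    return (204, None) if INVOICES.pop(invoice_id, None) else (404, None)
```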
Gateway Bug
As the prevalence of APIs increases, the demand for API security experts is simultaneously rising.
“I believe APIs can serve as an excellent introduction for anyone interested in penetration testing. For many newcomers, APIs might be the first target to hack,” Ball shares.
If you’re looking to learn about API security, Ball recommends the following resources:
- API Penetration Testing at APIsec University
- PortSwigger’s* Web Security Academy
- OWASP API Security Project
“Familiarize yourself with Postman and Burp Suite,” advises Ball. “If you prefer a comprehensive resource, be sure to check out my book, Hacking APIs.”
*PortSwigger is the parent organization of The Daily Swig
Based on an article from portswigger.net: https://portswigger.net/daily-swig/most-web-api-flaws-are-missed-by-standard-security-tests-corey-j-ball-on-securing-a-neglected-attack-vector