API Security Testing identifies, classifies and exploits potential vulnerabilities in Application Programming Interfaces (APIs) and web services. The assessment helps developers remediate vulnerabilities in time, strengthen the overall security of the software and protect it from unauthorized access that could harm the organization.
The OWASP API Security Top 10, the CWE/SANS Top 25, NIST, PCI DSS and other applicable industry security frameworks are the standard references followed for VAPT of APIs.
Best scanning practice is to complete all scans and re-scans within 30 days. Patches for Critical and High severity vulnerabilities should be deployed within 15 days. If a vulnerability cannot be fixed within 30 days, it should be reported as an exception so that compensating controls can be applied to mitigate the risk, and the finding is re-assessed in the next scan.
Testing typically takes 4-5 days (varying with the number of APIs), and reporting a further 1-2 days.
The API Security Test report consists of the following:
• The report defines a detailed risk description for every reported vulnerability.
• The report demonstrates all the identified vulnerabilities with Proof-of-Concept (POC) collected while performing the security assessment.
• All reported vulnerabilities are categorized into severity levels (Critical, High, Medium and Low) according to the risk and the potential business impact of their exploitation.
• Recommendations for the effective mitigation and closure of each identified vulnerability.
• The report is a point-in-time snapshot: only vulnerabilities identified during the assessment period are reported, and the report makes no claim about vulnerabilities that existed before or were introduced after that period.
For VAPT of APIs, commercial and open source tools such as Burp Suite, Netsparker and the tooling shipped with Kali Linux are used.
In the vulnerability analysis phase, the API's input parameters are examined to identify those that are vulnerable, and the resulting weaknesses of the API are documented.
The following types of testing are done in this phase:
a. Automated Testing: conducted with commercial and open source API security scanners to detect security vulnerabilities in the API.
b. Manual Testing: conducted for the following reasons:
• To confirm the potential vulnerabilities flagged by automated testing and eliminate false positives.
• To identify vulnerabilities that automated testing cannot detect, such as authorization and business-logic flaws.
• To exploit vulnerabilities that automated API security scanners cannot exploit.
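As an added example (not code from the original page), the script below shows the kind of manual check that confirms a finding an automated scanner cannot exploit on its own: a differential authorization test for Broken Object Level Authorization (OWASP API Security Top 10, API1). It replays a request for an object the owner can read using a second user's token and flags the endpoint when the second user receives the same 200 response. The API it runs against is a constructed in-process stand-in with one vulnerable route (/orders/{id}) and one hardened route (/v2/orders/{id}); the tokens, order records and route names are assumptions for the demo, not from any real service.

```python
"""Differential BOLA check against a constructed demo API (added example).

The demo server, tokens and records below are assumptions for the demo;
only the check itself (bola_check) is the technique being shown.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data: bearer tokens and the order each user owns.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {
    "1001": {"owner": "alice", "item": "laptop"},
    "1002": {"owner": "bob", "item": "phone"},
}


class DemoAPI(BaseHTTPRequestHandler):
    """/orders/<id> is vulnerable (no ownership check);
    /v2/orders/<id> enforces ownership and returns 403 otherwise."""

    def do_GET(self):
        token = self.headers.get("Authorization", "").replace("Bearer ", "")
        user = TOKENS.get(token)
        if user is None:
            return self._send(401, {"error": "unauthenticated"})
        parts = self.path.strip("/").split("/")
        hardened = parts[0] == "v2"          # /v2/... carries the ownership check
        order = ORDERS.get(parts[-1])
        if order is None:
            return self._send(404, {"error": "not found"})
        if hardened and order["owner"] != user:
            return self._send(403, {"error": "forbidden"})
        return self._send(200, order)        # vulnerable route reaches here for any user

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the demo API to a free loopback port and serve it in the background."""
    srv = HTTPServer(("127.0.0.1", 0), DemoAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def get(base, path, token):
    """GET path with a bearer token; return (status, body) even on 4xx."""
    req = Request(base + path, headers={"Authorization": "Bearer " + token})
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def bola_check(base, template, object_id, owner_token, other_token):
    """Replay the owner's request with another user's token.

    'bola' is True when the other user gets a 200 with the same body the
    owner gets, i.e. the server never checked who owns the object.
    """
    path = template.format(id=object_id)
    owner_status, owner_body = get(base, path, owner_token)
    other_status, other_body = get(base, path, other_token)
    return {
        "endpoint": path,
        "owner_status": owner_status,
        "other_status": other_status,
        "bola": owner_status == 200 and other_status == 200 and owner_body == other_body,
    }


def run_assessment():
    """Run the check against both demo routes and return the findings."""
    srv = start_server()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    findings = [
        bola_check(base, "/orders/{id}", "1001", "tok-alice", "tok-bob"),
        bola_check(base, "/v2/orders/{id}", "1001", "tok-alice", "tok-bob"),
    ]
    srv.shutdown()
    srv.server_close()
    return findings


if __name__ == "__main__":
    for f in run_assessment():
        tag = "VULNERABLE" if f["bola"] else "ok"
        print(tag, f["endpoint"], "owner:", f["owner_status"], "other:", f["other_status"])
```

The same check generalizes to any endpoint template with an object identifier: collect the IDs each test account legitimately owns, replay each request under every other account, and record any 200 whose body matches the owner's. Comparing bodies rather than only status codes avoids false positives on endpoints that return a 200 with a generic or empty response.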
API Security Testing is needed to find potential security issues in the web services that serve discrete applications such as web, mobile and Point of Sale (POS) applications and back-end application systems. If these issues go undetected, they can impact the organization or its end users.