About me: I write, review, and build API security tools and best practices.
The purpose of this article is to show Appsec/developers how to get started with API security scanning with an open source API. In the process you will learn what vulnerabilities will look like. And at the end of the write-up I’ll share a couple of tool recommendations for you to play with.
API is the new internet protocol kind of. It’s the gateway to all kinds of applications you’re building or integrating with example mobile, web, AI, serverless, microservices, blockchain, web3.0, etc.
APIs now dominate the internet traffic. This is evident from the recent Akamai report, that over 90% of the internet web traffic are API calls. Without your realization you and your’re organization are using APIs predominately.
APIs are also the most attacked surface. They have overtaken traditional attacked surfaces like networks, computers, etc. Which means your chances of getting a security incident/breach this quarter is more likely at the APIs layer.
Since APIs are a new paradigm. Most organizations are under prepared when it comes to API security. API security validation are hard to achieve, it’s still in it’s early stage, mostly human powered, under staff, and done not as frequent as new code is deployed. Traditional security/penetration testing staff focuses on mobile and web front ends making the matters even worst for the APIs.
Here are a few tools you can use to get started with API security.
Use this opensource API for scanning and review the vulnerability report: http://52.250.110.188:8080/v2/api-docs
Tool #1
EthicalCheck
Pros: free, point and scan solution
Cons: Only covers OWASP #2
Tool #2
Burp
Pros: free community edition, write your own tests
Cons: Learning curve
I avoided adding commercial tools since most of the tools are closed and offer a custom pricing.
If you have any questions. Feel free to reach out to me at my email and twitter
intesar.mohammed@gmail.com
https://twitter.com/shannan_
Top comments (0)