Unraveling API security in an interconnected world
Targeting your API
An Application Programming Interface, or API, structures the communication between two entities, and recent years have seen an explosion in their use. For example, a mobile app might use an API to log a user in to an online shop.
Whilst web applications are highly visible, APIs may have lower visibility or even be transparent to the user, as they are used in the background. An API assessment aims to fully uncover the operations the API exposes and their security implications. Over the years we’ve witnessed APIs with a plethora of security flaws.
Understanding the process
What are the typical stages?
An API assessment typically starts by mapping out all the operations available in the API; these are then assessed using real-world API calls. Some of the attack vectors and probes used may resemble those used in a web application security assessment. For example, one would look to assess the authentication, error handling and access control mechanisms, as in the case of a web application.
What type of findings have you made in the past?
During one API assessment we detected a case where, due to poor development practices, a trivial bypass allowed one user to masquerade as any other if the victim's username was known or could be guessed. This could lead to embarrassment for the service provider but, more critically, could lead to a loss of confidentiality for users. Where a loss of confidentiality occurs, this could lead to a fine from the Information Commissioner’s Office (ICO). This case was a high risk to our client, as their platform was said to have high-profile users.
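As an added illustration (not code from the original page or from the client's platform), the masquerade pattern described above, modelled as two in-process Python handlers: the first authenticates the caller but then trusts a client-supplied username to choose whose record to return, while the second binds the record to the identity behind the verified session. All tokens, usernames and profile data are constructed sample values.

```python
from dataclasses import dataclass

# Constructed fixture: opaque session tokens issued at login, mapped to the
# user the server actually authenticated.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# Constructed fixture: per-user private data the API serves.
PROFILES = {
    "alice": {"email": "alice@example.invalid"},
    "bob": {"email": "bob@example.invalid"},
}


@dataclass
class Response:
    status: int
    body: dict


def get_profile_vulnerable(headers: dict, params: dict) -> Response:
    """Checks that *some* valid session is present, then uses the username
    from the request to pick the record. Any logged-in user can therefore
    read any other user's profile simply by naming them."""
    if headers.get("Authorization") not in SESSIONS:
        return Response(401, {"error": "unauthenticated"})
    target = params.get("username")
    if target not in PROFILES:
        return Response(404, {"error": "no such user"})
    return Response(200, PROFILES[target])


def get_profile_fixed(headers: dict, params: dict) -> Response:
    """Derives identity from the verified session only. A username in the
    request is tolerated for routing but must match the session owner."""
    caller = SESSIONS.get(headers.get("Authorization"))
    if caller is None:
        return Response(401, {"error": "unauthenticated"})
    target = params.get("username", caller)
    if target != caller:
        # Object-level authorisation: the requested record belongs to
        # someone else, so refuse regardless of whether it exists.
        return Response(403, {"error": "forbidden"})
    return Response(200, PROFILES[caller])
```

The fixed handler returns 403 rather than 404 for other users' names so that responses do not confirm which usernames exist.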
Take ACTION TODAY
Protect Your Organisation with Penetration Testing
Get started with a comprehensive penetration test today and fortify your organisation against cyber threats.