30 Days of API Testing - Day 25: Security is important in APIs, how are you security testing your APIs?

Here is an article about API Security Testing. Some simple rules for API testing:

• For a given input, the API must provide the expected output
• Inputs must appear within a specific range for the most part, so values outside the range must be rejected
• Inputs of an incorrect type must be rejected
• Any input that is null (empty), when a null is unacceptable, must be rejected
• Inputs of an incorrect size must be rejected

Actually I’m not an expert in security of api. But I want to write about one simple thing. When we test security of any api we should know on what side of system Authentication&Data validation is performed. Usually Authentication is a server side task, but Data validation can be done both on client or server side.

From the participants on Twitter:

This is also an interesting read on the topic from the folks at API Fortress

I have not worked real API security project yet. However, I research API security and I summary about ‘how are you security testing your APIs’:

• Always use HTTPS to protect sensitive data (authentication credentials, API Keys, etc.) in transit.
• Use Password Hash
• GET methods are an easy target for attackers. So never perform an operation that changes the state of your application in a GET method
• Make sure your API is not vulnerable to XSS (Cross-Site Scripting) attacks.
• Sign JWT (JSON Web Tokens) securely preferably using secrets.
• Any input or data being imported may also end up being inserted into your database, so make sure your application is protected against SQL Injection attacks.
• Do not put any sensitive information in the URL params as they can be logged by servers. Put them in the request header or body.

I haven’t done any security testing APIs, so I search for it and find a post about it. It has some Methods Of API Security Testing and Rules For API Security Testing, I will refer them if test API:

Fuzz Testing: It is basically a black box software testing technique which includes finding bugs using malformed data injection.

Command Injection: An injection flaw occurs with respect to web services and API when the web application pass information from HTTP request through other commands such as database command, system call, or request to an external service.

(Un) Authorized Endpoints And Methods: It is very important that an API should authorize every single request before processing it because when the API reveals any sensitive data and allow the users to make damaging actions.

Test For Authentication On All EndPoints: This is one of the ways to test your API security is to set up automated tests in the scenarios such as test authorized endpoints without authorization, test authorized endpoints without authorization and test user privileges.

Test Unhandled HTTP Methods: API that uses HTTP have various methods that are used to retrieve, save and delete data. The ways to set up a security test for these cases are using HEAD to bypass authentication and test arbitrary HTTP methods.

Parameter Tampering: It takes the advantage of backend sanitizing errors and then manipulates parameters sent in API requests. According to this, the forms that use type=”hidden” input should always be tested in order to make sure that backend server correctly validates them.

First thing I think when executing security testing the API is request the API with wrong authentication data and make sure the HTTP Code and message return correctly.
Another thing is requesting the API with the incorrect input: null, empty, not support data… and make sure the API return correctly and the server is not down.

P/s: I’d like to thanks to @kms_trangta and @kms_thanhhuynh for your finding. It help me have new approach for security testing API.

First thank to @oceannguyen for your link provided API testing.
I have not worked real API security project yet, after researching and reading in [API testing](https://smartbear.com/learn/api-testing/security-testing-apis/). Please see some sumary as below:

• Choose the data for testing is a most important: The difference data testing will give you the difference result from API responding(data correct, incorrect, data not support, data null some parameters).
• Know Your Vulnerabilities: This will help you when defining the test cases because there are many different attacks with different methods and targets.
• • Network / OS / Driver : issues in the operating system and network components (e.g. buffer overruns, flooding with sockets, DOS attacks)
  • Application layer : issues in the hosting application server and related services (e.g. message parsing, session hijacking or security misconfiguratio
  • API / component : functional issues in the actual API (e.g. injection attacks, sensitive data exposure, incomplete access control)
• Detect Insecure API Calls With Sniffers: One practical method to locate mobile app security issues is to run a sniffer to analyze the call-home traffic from the mobile app.
• Test Unhandled HTTP/HTTPS Methods: API that uses HTTP/HTTPS have various methods that are used to retrieve, save and delete data
  We can find more at REST Security Cheat Sheet

I found some types of tests and rules as below:

• https://nordicapis.com/9-types-of-tests-to-perform-on-your-apis/

• https://www.testbytes.net/blog/api-security-testing-rules-and-checklist/

Security testing is something I’d really like to become more knowledgeable at and API testing seems to be a good way to introduce oneself to that subject. I found this article regarding API Security Testing With JMeter.

Depending on the context I do more security or less security testing of the API. But for Security testing help I always try to use OWASP

Thank you everyone for your input. I found lots of useful information on how to do API security testing.

I created this mindmap:

Security Testing APIs3214×1494 489 KB