Tool for API and Security Testing?

I saw an interesting conversation pop up recently where someone was asking for others experiences with SoapUI and Postman for API testing. In the first instance, they planned to only use the tool they chose

to test API’s for integration testing and also test API’s between our Front end and Back end projects for our web application.

Longer-term, they wanted to choose a tool that could potentially be used for security testing so that they could do both API and security testing within the same tool.

Have you tried something similar? Is it something you would recommend? If so, what tools would you suggest and why?

1 Like

Security testing is a harder thing that I don’t think goes well with API automation. With security you want a tool that gets updates and you should understand what your runtime environment looks like. I’ve had various architects setup WAF(Web application firewalls)'s and scanning tools that get updates and run scans against an API on intervals.

If you don’t take the time to constrain it you don’t really come up with much. There are a lot of low hanging fruit OWASP top ten that can be found from scanning but the stuff that pays out from a bug crowd campaign are things dedicated security testers find. Things like cached login credentials, poorly set authorization schemes that allow the enduser to disable encryption themselves, and on and on.

There’s low hanging fruit but as far as I know no silver bullet security tool without spending time on understanding the problem space. I would love to hear that i’m wrong and there are good automated tools on the market now.

2 Likes

Hi!

I’m the CEO of a testing automation company called Meeshkan, and this is part of the service we offer on meeshkan.com. The way we’re initially developing our service is that it tests authentication for certain popular frameworks (Spring Boot, Django, Phoenix) and certain popular providers (Okta, Auth0), although we hope to support any OAuth/JWT flow as the product grows over time.

@alanmbarr is right that this is a hard problem and it needs to be constrained. Our service only works (for now) on a small set of frameworks/languages that we can analyze to find these constraints, ie what roles exist, what scopes exist, what grants exist, what resources need what permissions, etc.

Do you know with what languages/frameworks the API you’re testing has been built? I can let you know if we support them at Meeshkan.

I thought that might be the case @alanmbarr but it’s been a long time since I looked at security testing so I’m not up to speed on what’s out there at the moment.

It’s not my project I’m afraid @mikesol so I’m not sure on the exact language/framework. If I can find the conversation again though I’ll be sure to pass your tool on :slight_smile:

1 Like

Using zed attack for security testing, you can scan the automation scripts for vulnerabilities and malicious attacks with high reporting feature.

Also you can include static code analyser in automation to do the security validations at code level.

Hope this might help

2 Likes

Scans can be useful as @alanmbarr suggests, but they are a bit of a hammer to crack a nut. Fuzzing API endpoints and requests might be useful. The mutations of data that you would inject might find potential data leakages or overflow errors.

Tools like that need configuring and tuning well to reduce the impact of false positives. They will often lead to lots of unhelpful logging and errors that aren’t real problems. So it takes some experience and knowledge of your stack to really find the gnarly issues.

That being said, myself and a colleague did find a private key exposed in an old SOAP integration once, just by using some simple SQL injection. It was fixed by deprecating the code so it couldn’t be used any more. But we tried similar attacks on the new core API for the product. It simply responded with a nice, well handled exception, but didn’t barf any data.

One of the things you could do though was effect a DOS by flooding the API, as it had no rate limiting, nor did the host have sufficient capacity to cope with the throughput. At the time, (as it was a test environment) my suggestion was to see how this would cope on a production environment.

I haven’t used this myself, but it looks like an interesting tool for exploratory API testing. It’s an extension to VS Code that gives you a combination of a Jupyter notebooks like experience and a Postman like experience.

Postman in that it lets you make calls to an API, with secrets, easily seeing stuff that comes back etc. Notebooks in that your interface is a notebook. You have a GUI that lets you edit a document (notebook) that is made of cells. Each cell can have text, code or output from the code. With Jupyter notebooks the code is often Python for data analysis and the results are things like graphs. These notebooks would have code that’s calls to the API and the results are what the API returns.

I’ve used notebooks for data analysis (using R rather than Python) and they’re surprisingly nice to use. At the end you have a permanent record of your session, combining notes you’ve made (the text), exactly what code you wrote, and exactly what results you got from that code, bundled together as one notebook. You could then attach that notebook to a ticket, put it in source control etc. as it’s a text document underneath everything.

This isn’t going to replace specialist fuzzing, scanning, or performance tools, but it seemed promising for exploratory testing or just learning.

I’m starting to see more tools in this space nowadays. https://42crunch.com/ and https://www.stackhawk.com/ It is still early days for security in my experience.

A simple approach could be to use Postman and ZAP in combination. Both tools are free and very easy to get installed and configured. Both tools also have some great documentation and ZAP has some really nice free videos to help you get started.

Configuring the tools:
ZAP:

  • Go to ‘Options’, and click on ‘Local Proxies’
  • Ensure the ‘Address’ is set, i.e. localhost
  • Ensure ‘Port’ is set, i.e. 12345

Postman:

  • Go to ‘Settings’ and click on ‘Proxy’
  • Scroll down to ‘Proxy configurations for sending requests’ and click on ‘Add a custom proxy configuration’
  • Set the ‘Proxy Server’ to localhost, and port to 12345

Ready to test:

  • Now within Postman you can run individual requests or choose to ‘Run collection’ using Postmans collection runner. Any alerts that should be investigated will be shown in ZAP along with the URLs/Endpoints called within the ‘Sites’.

As a side note. If after configuring both tools and making a request via Postman you see an error within Postman stating “SSL Error: Self signed certificate in certificate chain”. You could click on ‘Disable SSL Verification’ in order to be able to run the requests and avoid this error. Because the requests are being sent through ZAP (which uses a self-signed SSL certificate) to capture the request and response being sent you might see this error. By default, this certificate is not trusted by your system, browser, or Postman.

You can also go into Postmans ‘Preferences’ and disable ‘SSL certificate verification’ under the ‘General’ tab.

I’m sure there are other great tools and ways of achieving what the original poster was asking but this is just one way they could consider.

2 Likes

Thats the approach I would take, alternatively with BurpSuite Pro.

One thing to note is that it will take a lot of time to get used to the nuances of tools like ZAP, Burp and others. They need a lot of tuning, monitoring and learning to get the best from them (like any tool). The amount of false positives might be daunting, but eventually you’ll be able to filter those out, and focus on those issues that really are valuable to explore.

2 Likes

One thing to note is that these tools have specific capabilities for fuzzing APIs, that allow you to target your testing better.

In my opinion, both API and security testing are tasks that involve extensive complexities and need dedicated efforts. Therefore, it is a good idea that any QA service must keep both these tasks separate and use different tools to test API and security testing.

However, if it is a scenario where you need to run security testing for the SOAP and REST API itself, then you can go for tools like Katalon Studio, Postman, or AccelQ.

On the other hand, security testing initiatives could be worked well using Acunetix or ZAP (Zed Attack Proxy).

1 Like

Thanks for helping with this question!

1 Like

The custom-developed software is customized for a specific business with mlsdev.com/blog/how-to-create-a-video-streaming-website. Generally, it is made to meet the needs of the client. It is based on the needs of the client and the requirements of the business. During the development process, the company will meet with the customer and determine its exact requirements. The next step is the selection of an outsourcing company. The custom-developed software is usually a valuable investment for a growing business.

1 Like