A new reality for API Security testing

API threats are growing, sophistication, and impact on businesses. It is imperative that companies become – more diligent about their API security.

Cyber threats are growing in frequency, sophistication, and impact on businesses. It is imperative that both companies and consumers become more diligent about their security posture and educate themselves on how to recognize threats and how to prevent them.

This article details our approach to the prevention of security flaws oriented on business logic vulnerabilities, focusing on a high-level description of our system and its components, a walkthrough of how it works, and its use to discover bugs and security flaws in a mature E-Commerce system. We describe our system in great depth and give examples of what it can be used to discover, as well as some examples of bugs discovered.

Through demonstrations of live attacks and vulnerabilities, you will see first-hand how to implement a secure design. Learn why certain countermeasures are needed to achieve a secure design from the experts on what works in today’s world and what does not work.

First, let’s go back in time and look at how the web has changed and what that means for API security.

Table of Contents

The history and Evolution of API security

To understand why APIs are so important on the web nowadays, we need to understand its history. API (Application Programming Interface) is behind every online business today. While it is very easy to identify when the first modern APIs became quite noticeable, there were earlier forms of system integration before the existence of APIs. Most of the early forms of applications and systems were stand-alone which tend to produce a unique form of data. As computers and applications revolved during the years there was a need for interaction between these systems to suit the needs of the consumer market. 

Years passed, the interface to interact with each software required a bunch of commands to be fired from a terminal. In the modern and present time, especially after the proliferation of www (World Wide Web), this Interface was transformed into what is popularly referred to as APIs. 

During the internet era, it was realized that www can deliver services across the set in. Service-Oriented service was the preferred model adopted for distribution at that time and they came with a lot of limitations. Many companies and organizations sprung up to this web opportunity to offer unique services by transforming the present sales model into a virtual store. 

The first company to discover the use of this data transformation was salesforce. They made use of XML which was the first iteration of API. The XML was based on the data exchange format SOAP (Simple Object Access Protocol) which provided specifications for message formats, processing requests, and encoding rules in response to the API. SOAP was known to be complex to build, use and utilize and this was because there was no standard of how APIs should be built. The XML data interchange came with a lot of hindrances as it evolved as a makeup derived from HTML. There was a need for its transformation to make it more suited for better interoperability of APIs on the web.

APIs Evolution in Web 2.0 World

Web 2.0 highlights user-generated content and usability. Its popularity is referred to as “participatory web” and does not refer to any technical specification to operate. The design and usage of the web pages were the only modifications required. This period of evolution continued to see the foundation of APIs. With Web 2.0, the software played an active role in analyzing operations, outliners, and producing more proactive inputs. With this development, analyzing customer processes through various channels of interaction helps reduce the workload of humans reasonably.

REST (Representational State Transfer) framework

This framework contributed largely to the transformation of the software. REST is an application programming interface that was designed and created to guide the development of the web. Developed by computer scientist Roy Fielding, REST was developed to conform to the constraints of its architectural style and interact with its services. REST universal rules tend to make APIs much simpler and easier for developers to utilize.

API Evolution in Web 3.0

As the world is evolving fast, there has been a massive development in software that is all about engaging web experiences. With the seamless engagement of machines and humans, there is an advance on all tiers of IT architecture. Web 3.0 is an internet version that aims at promoting intelligence networks across the world. It is solely based on blockchain, open software, and open APIs. The most distinctive feature of this evolution is that developers can work openly without being bound by company rules or policies.

Unlike web 2.0, which was based on decentralization, web 3.0 tends to focus more on data control. With the transformation of SaaS to XaaS, online services have evolved from software-based on an object delivery model. Now the software no longer represents a real-world operation but the whole thing. There is a need for APIs to help query and monitor the needs of their users. Some of the advancements in the business economy include:

  • API that produces and analyzes data.
  • API that manages the entire operations of organizations.

The evolution of web vulnerabilities

The OWASP (Open Web Application Security Project) lists the top ten security risks that web applications face. This list is updated to reflect the current threats to our business.

The risks are in a ranked order based on frequency, severity, and magnitude of impact.

This list is very critical for security teams and developers.

According to the official OWASP Top 10:2021, three new categories have been added and a few issues in their rank have changed:

OWASP top 10:2021
Source: https://owasp.org/

Broken Access Control came in the first place. Security Misconfiguration moved up to 5th place.

In this article, we will talk about the difference between security misconfiguration and broken access control, which is part of business logic.

We often hear about business logic and the fact that it can really damage our business reputation, but in this article we will try to analyze the source of these flaws. Business logic refers to the set of rules that define how the application works (not always directly related to a business).

The term “business logic vulnerability” refers to when an attacker can make a website or application do something that the developers didn’t want to happen.

In this context, we will use “juice shop”, which is an insecure web application made by OWASP for training a vulnerable website, to explain these flaws. 

Security Design Flaw

We believe that most security breaches arise due to poor or insecure designs of systems. It is easier for an attacker to get into a computer system if it is built with security in mind rather than added on later. This is because we have built, deployed, and checked many security mechanisms and products.

  • Trusted users won’t always remain trustworthy

If business rules and security measures are not applied consistently throughout the application, this can lead to potentially dangerous loopholes that may be exploited by an attacker. Despite the fact that the user is authenticated, it must have a security policy. Do not think that if a user is authenticated, they are also authorized to do some tasks.

On the application website, there is a possibility for authenticated users to upgrade to a deluxe membership. The endpoint is “/rest/deluxe-memship”.

Malicious users can interact with the server and tamper the parameter request.

Simply change the parameter payment to “none” and you will get a deluxe membership without paying.

Simply change the parameter payment to “none” and you will get a deluxe membership without paying.

The user successfully gets a deluxe membership without paying anything.

  • Users won’t always supply mandatory input

One misconception is that users will always supply values for mandatory input fields. Browsers may prevent ordinary users from submitting a form without the required input, but the client-side is always not enough. An attacker can bypass it with a proxy. For example, if a user wants to change his password from the client side, it is mandatory to give the current one, but an attacker can intercept the request, change the username to another user and change his password.

What about if I tell you that a client can give a devastating review on your website? Having a good reputation is an important thing.

Users can use a proxy to make sure they don’t have to put in any of these things in the request. Then he changes the rating parameter to 0.(endpoint: /api/feedbacks).

Example of POST to /api/feedbacks
  • Users won’t always follow the intended sequence

The Web interface will typically guide users through a process during registration or purchase, taking them to the next step of the workflow each time they complete the current one. However, attackers won’t necessarily adhere to this intended sequence. If an attacker can avoid some of the sequence or get the final step, that can lead to dangerous security flaws.

For example, during the login, after a user sends his username and password, he is automatically redirected to the 2FA page. 

Here, a malicious user can intercept the 302 response and redirect to his account without proceeding to the 2FA.

Weak enforcement of business logic, such as workflows and steps required

by transactions (e.g., A, B, and C, not A to C directly).

  • Exposure sensitive data

Even the smallest organization may have some sort of valuable information that requires protection. Here are just some examples of this type of information: client lists and data, financial reports or records, employee or partner-company data, design documents or drawings, research and development results and patents, marketing materials or plans. All these pieces of information can be valuable to companies or competitors and can cause great damage if they’re leaked.

During one of our pentesting we noticed that there was a parameter that pointed to a file id. We noticed that it was possible to change the id to any other number. Then the response of the server was the location of this file on the server’s storage. An attacker can write a script in order to download all the sensitive files on this storage. This could potentially lead to a data breach. 

Remember that one of the most common causes of logic flaws is making bad assumptions about how users will act.

Security Coding Errors

No code is complete without bugs, and no system is infallible. Your project needs someone who takes the time to find and eliminate the most common security mistakes. Potential code errors in applications can result in critical vulnerabilities which allow cyber-criminals to hack the system, modify data or erase it completely. For reliable and fast detection of potential vulnerabilities in software it is necessary to implement a quality control process.

  • Excessive trust in client-side controls.

The website controls user input through the front-end, and the back-end does not handle the user input.

In vulnerable e-commerce, a legitimate user wants to get the basket of his purchase.

We intercept the request with a proxy, and we see the API request.

GET /rest/basket/id-user

Example of GET /rest/basket/id-user

In the following code, written in JavaScript (express framework), the endpoint intends to return the basket of the client. The endpoint receives an id parameter through the URL. (REQ.params.id).

JS code - express framework, showing API endpoints

The function retrieveBasket does not properly handle the parameters sent by the user.

A malicious user can intercept the request and modify the ID with another that doesn’t own it.

The common example in e-commerce is when an attacker intercepts the request with a proxy and modifies the parameter “price” as he wants.

In another real scenario, Toufik Araine, a security researcher, found a broken access control vulnerability on Vimeo bug bounty (link to description: https://hackerone.com/reports/42587).

The attacker has the possibility to reset the password of other users by guessing their id.

IDOR - example of a hackers password reset
  • Failing to handle unconventional input 

Sometimes, users can insert data that is not intended by the logic rules. For example, if the logic of an e-commerce application limits the stock of a specific article, the attacker can exploit this by ordering more than the limit, or in bank applications, assuming the account has limitations, users can withdraw more than the amount in the account.

API Security example of /api/BasketItems HTTP/1.1

Let’s investigate a concrete scenario. Imagine you are the owner of a web shop, assuming that customers might figure out a way to receive money instead of paying for their purchase. Is it not a crazy bug? In JuiceShop (a vulnerable web application) in the lab, during the purchase, we can change the amount of an article, but the client side handles the user input only to a positive value.

Then a malicious user can intercept the request (with a proxy, for example) and change the amount to a negative integer.

Below, the vulnerable request is intercepted, and the parameter “quantity” is modified with a negative number. Then the account balance is increased.

Example of OWASP JuiceShop website - account balance changed maliciously

Now let’s dive into the source code. The quantityCheck function only checks if the quantity is greater than the quantity in stock but does not verify that the quantity parameter is greater or equal to zero.

Remember to follow the business rules throughout the development of your application and cover all the possibilities.

Making flawed assumptions about user behavior
  • Making flawed assumptions about user behavior

Programmers do not always think about what a malicious user can do with a legitime feature on a website.
Making flawed assumptions about user behavior can lead to denial of service or abuse of promo codes.

Security Mis-configurations

Security misconfigurations While that may sound like a fancy technical term, it isn’t as difficult to explain as it may seem. While security misconfigurations can be easy to fix, they can be difficult to find, especially for large businesses. If businesses want to be quick to respond, they should try to avoid a lot of these security mistakes, so they should focus on that.

What is a security misconfiguration?

Security misconfigurations are essentially any aspect of your business network’s security controls that isn’t configured in a way that protects data or generally has vulnerabilities. This creates an easy way for hackers to try to take over and steal information.

Some of the most common causes of security misconfigurations include default settings and neglecting software updates.

Why are they not completely possible to avoid?

As a company continues to grow, so do its IT and network requirements. This adds additional complexity to a network that can provide potential holes for hackers to exploit. With complexity comes errors. And with errors come vulnerabilities that allow for outsiders to gain inside access and information. The good news? They’re often difficult to find. While they’re not avoidable, it’s unlikely that you’ll have any big gaping holes in your security protocol. This means finding a security misconfiguration can be very challenging. This is good news in the case of being vulnerable to others outside of the organization, but not such great news for those trying to remedy the issue. It’s hard to fix something when you don’t know what or where it needs to be repaired. 

The Most Common Security Misconfigurations

There are quite a few different security misconfigurations that are more common than others. 

Some of those include secure logins not being enabled, the account lockout not being timed and limited, no lockout threshold being established after multiple failed attempts to log in, the antivirus system not being installed, and the list goes on.

Examples of Security Misconfigurations

There have been quite a few high-profile cases in recent years resulting in security breaches due to security misconfigurations. Some examples include the Amazon Storage breach, where top-secret files were not stored with proper authentication. This resulted in several data breaches of sensitive information and data.Default passwords are a major cause of security breaches.

How to Minimize Security Misconfigurations

Understanding the network and system is integral to protecting valuable data and assets. Without a good understanding of cybersecurity, it can be difficult to implement changes that will encourage tighter security measures and prevent data breaches in the future. Without understanding and knowing the ins and outs of your system or network, it’ll be challenging to understand its weaknesses. Having a good idea of your network and settings is key. For example, checking to see if default passwords are enabled will help you implement certain security measures to avoid those being exploited.

Ultimately, the more knowledge you have of your network, the easier it will be to combat any disasters that happen in the future. It’s important to remember that there is no such thing as a perfect, impenetrable security system, so trying to perfect yours is going to result in frustration. Simply view it from a curiosity perspective and look for ways to improve your existing security. Keep software up-to-date, and make sure any security patches are implemented quickly. And as always, keep your eyes open for potential situations or problems that may arise or seem out of the norm.

In conclusion

The number of APIs that are available is increasing, which means that software developers can leverage almost all cloud or web services to build their own applications. The number of APIs integrated into the software being built is going to influence the company’s competitive advantage. With this, we can see that the world tends to be more interconnected. With this change comes many vulnerabilities which makes API Security a top concern.

That being said, it is important to keep in mind that with great power comes great responsibility.

As developers, we need to be careful when integrating APIs into our applications and make sure that we are not putting our users’ data at risk.

Stay secure, know your infrastructure, your system, and do not forget to understand your logic 😉