Dangerous connections: how to test the API and why it is important

Cybersecurity calls for a serious reassessment of the decisions made during the pandemic, especially those related to API services: attacks on them are becoming more and more dynamic. This is the view of the majority of IT managers surveyed by analysts at Distology (UK).

The opinion of experts is confirmed by high-profile incidents. The latest attacks include a cyberattack on information exchange systems between EU countries and the theft of personal data of 37 million customers from the telecom giant T-Mobile. In both cases, hackers exploited a vulnerability in the API.

What risks should be taken into account to protect a company from such attacks? How should API testing tools be chosen? And who should do this? This article covers each question in turn.

What is an API?

An API (Application Programming Interface) is a set of tools and rules that allow one program to interact with another.

APIs help developers extend the capabilities of their products and integrate them with others. Thanks to them, for example, a mobile flower delivery app can use Google Maps, and an online shopper can pay for goods without opening their bank's app.

Programs for testing the API

The choice of API testing tools depends on many parameters. One of them is the language in which the main product is developed. For example, if you use Java, you should take a closer look at REST-Assured: the utility integrates easily with any Java test automation setup. If you also need to automate the process, consider the Citrus Framework, Katalon Studio or Assertible.

If you have no experience with, or need for, automated tests, the Postman app may be enough. This API testing program started as a Chrome plugin; today it runs as a native application on Mac, Windows, and Linux. Postman has an alternative, Postwoman, which lets you test APIs online.

Insomnia is as easy to use as the previous two; its functionality is essentially the same as Postman's.

Another popular utility is SoapUI. This option is suitable if you need to analyze and work through complex scenarios of user behavior. In this API testing tool you can not only configure tests flexibly, but also add your own functionality.

In addition to SoapUI, QA specialists often use JMeter. Although this application was originally created for load testing, it is now actively used for functional checks as well.

In total, there are more than twenty utilities on the list. But which one to choose, and how to test the API in your particular case, is a question with no single answer. As a rule, QA specialists use several utilities, because one API testing tool, or rather its functionality, is usually not enough, especially when it comes to security checks.

Alexey Yakovlev
Leading product marketer at MIMINO outsourcing company

QA specialists can use various tools, such as Burp Suite, Postman, SoapUI, OWASP ZAP, and others, to more effectively check information security risks when testing APIs.

According to him, these utilities help identify vulnerabilities in authentication and authorization, and detect potential injections and other flaws.

What exactly to test, and why

Like any software product, an API cannot be 100% protected from fraudsters. It contains vulnerabilities that must be taken into account at all stages, from choosing API testing tools to writing test cases.

The most important risks are added to the OWASP API Security Top 10 list every year. Usually, the first places in it are occupied by vulnerabilities related to user authentication.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

It is the authentication issues that allow you to use your API unchecked. At the same time, difficulties with the lack of logging, or, for example, code injection, do not go away.
In addition to classic web application vulnerabilities, when testing the API, you can also pay attention to SOAP injections and spoofing, or value collisions and problems with the priority of duplicate keys if JSON is used.

At the same time, experts remind us that when preparing test cases it is always important to take the context into account. The risk assessment is affected by where exactly the API is tested. Each company has its own key vulnerabilities, which usually depend on its field of activity.

Mikhail Cherkashin
Head of AppSec at Innostage

For example, in 2018, a vulnerability was found in the API of a major automaker. Through it, it was possible to remotely open the doors in cars and start the engine. And in 2020, a vulnerability was discovered in the fast payment system, through which it was possible to replace the accounts of payment senders.

Regardless of the industry, the API should be designed with maximum security in mind from the outset, according to the experts Cyber Media spoke to. That is why you should always use at least the standard methods of protection against threats.

Philip Schirov
Director of the Altap service for working in 1C via the Internet

In particular, a secure data transfer protocol is important — in the vast majority of cases, HTTPS. It allows you to encrypt all data that is transmitted between the client and the server.
Authorization is also required so that a user without access to the API cannot perform any actions with it. And you need to differentiate access to objects so that a user, even if they have rights to use the API, cannot get data from another user.
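The authorization and object-level access points above, shown as an added example that is not part of the article or of any quoted expert's material: a hypothetical order-lookup endpoint in plain Python over a constructed in-memory store, first with the object-level gap (authenticated callers can read any order by id) and then with the ownership check.

```python
# Constructed in-memory data (not from the article): orders and the
# manually issued bearer tokens that map to API users.
ORDERS = {
    101: {"owner": "alice", "items": ["roses"]},
    102: {"owner": "bob", "items": ["tulips"]},
}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(token):
    """Return the user a bearer token belongs to, or None if unknown."""
    return TOKENS.get(token)


def get_order_vulnerable(token, order_id):
    """Authenticates the caller, then trusts the client-supplied id.

    Any valid user can read any order: the object-level gap the article
    warns about. Returns (HTTP status, order or None).
    """
    user = authenticate(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_hardened(token, order_id):
    """Authenticates the caller, then scopes the lookup to objects they own."""
    user = authenticate(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    # Same 404 whether the order is missing or belongs to someone else,
    # so the endpoint does not confirm which ids exist.
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order
```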

In addition, experts recommend testing all kinds of value spoofing and injection methods more often, both in the URL and in the request data. It is equally important to check the data structure obtained from the request and, after parsing it, to check the individual variables as well.
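An added example (not from the article) covering the JSON duplicate-key point raised by Sergey Polunin and the structure-then-fields check recommended here: Python's default json.loads silently keeps the last value of a repeated key, so a hypothetical transfer endpoint first decodes with a hook that refuses duplicates, then validates the overall shape and each field.

```python
import json


class DuplicateKeyError(ValueError):
    """Raised when a JSON object carries the same key more than once."""


def _reject_duplicates(pairs):
    # object_pairs_hook sees every key/value pair in order, including repeats
    # that the default decoder would silently collapse (last value wins).
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def parse_lenient(raw):
    """Default behaviour: duplicates are accepted and the last value wins."""
    return json.loads(raw)


def parse_strict(raw):
    """Decode a request body, refusing objects with duplicate keys."""
    return json.loads(raw, object_pairs_hook=_reject_duplicates)


# Hypothetical transfer request: required fields and their expected types.
TRANSFER_SCHEMA = {"from_account": str, "to_account": str, "amount": int}


def validate_transfer(body):
    """Check the overall structure first, then each individual field."""
    if not isinstance(body, dict) or set(body) != set(TRANSFER_SCHEMA):
        raise ValueError("body must be an object with exactly the schema fields")
    for field, expected in TRANSFER_SCHEMA.items():
        # bool is a subclass of int in Python, so rule it out explicitly.
        if not isinstance(body[field], expected) or isinstance(body[field], bool):
            raise ValueError(f"field {field!r} must be {expected.__name__}")
    if body["amount"] <= 0:
        raise ValueError("amount must be positive")
    return body


def handle_transfer(raw):
    """Hypothetical endpoint entry point: returns (HTTP status, message)."""
    try:
        body = validate_transfer(parse_strict(raw))
    except DuplicateKeyError as exc:
        return 400, f"rejected: {exc}"
    except ValueError as exc:  # also covers malformed JSON (JSONDecodeError)
        return 400, f"invalid: {exc}"
    return 200, f"transfer of {body['amount']} to {body['to_account']} accepted"


# Constructed request bodies (not from the article).
DUPLICATE_BODY = '{"from_account": "1001", "to_account": "2002", "amount": 50, "to_account": "9999"}'
GOOD_BODY = '{"from_account": "1001", "to_account": "2002", "amount": 50}'
```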

Who chooses the apps for testing the API

As a rule, API testing tools are used by QA engineers in their work. Should an information security specialist handle such tasks as well? Experts believe so. But the answer often depends on the case, the specific company, and the requirements imposed on the main software product.

Ekaterina Fedina
Head of iiii Tech Testing Projects

Of course, the testing team should pay attention to at least basic security checks, such as possible SQL injections and XSS attacks, when working with the API (and not only).
But if you have rather high security requirements and the product itself is extensive, it is better to hire a separate information security specialist or use the services of a third-party organization.

Other experts agree with Ekaterina Fedina. They believe that the participation of information security specialists in testing may even be unnecessary.

Peter Arapov
Datanomics Testing Specialist

If you are testing a small API with a manually issued token, designed for several thousand requests per week, then it will not be difficult for a QA specialist in conjunction with the developer to find a bottleneck and test it.
Another thing is large companies with dozens or even hundreds of services sold (external, public APIs). For such products, a QA specialist's desire to learn what pentesting is will not be enough, because they will not be able to do without common metrics, scenarios, and knowledge.

In any case, the help of an information security specialist to their colleagues is always valuable, even if it only concerns terminology or subject-area questions.

Denis Isangulov
Head of Testing at NGR Softlab

A QA specialist should check cybersecurity risks when testing the API, as this will help identify vulnerabilities and prevent possible attacks on the system. At the same time, it is also important for an information security specialist to be involved in the testing process in order to provide additional expertise in the subject area.
An information security specialist can help a QA specialist understand the approach to testing in more detail. And later, to help fix the detected vulnerabilities.

Sometimes an information security specialist is needed for more than a consultation, and then they may conduct some of the checks themselves.

Dmitry Tishkin
Head of the Application Security R-Vision team

In my opinion, QA can and should check cybersecurity risks when testing the API, but it should be done in close conjunction with information security experts, who are most often AppSec (Application Security) specialists. Thus, they will take on part of the testing, and QA the other part.

According to the expert, during regression and other tests QA specialists can find simple vulnerabilities. They can also analyze reports received from automated security testing tools. AppSec, meanwhile, will focus on the more complex vulnerabilities.

Mikhail Cherkashin
Head of AppSec at Innostage

Information security specialists should verify the API design and establish the security by design principle for development teams. And testers should check all this according to a pre-developed security check plan.

Mikhail Cherkashin adds that it is always better to lay down security principles at the development stage, since this saves on security features later. Colleagues, however, recommend looking at the process even more broadly.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

Competent structured testing at the development stage is half the battle. You will also need to properly organize client access to this API, for example, using an application-level firewall that has API protection functionality.

According to Sergey Polunin, it is also useful to conduct regular penetration testing, because a hack of the API, or even the discovery of some logical flaw in it, almost certainly means a compromise of the entire application infrastructure and even a threat to users.

Results

Two people in the company decide exactly how and with what to test the API: a QA engineer and an information security specialist. This cooperation is especially important now, when attacks on application programming interfaces are becoming more frequent and larger in scale.

The main thing in this war is to remember that the end matters more than the means. API testing tools are only effective if they actually guarantee the security of a particular product or business. Relying on common utilities and off-the-shelf solutions in this area is clearly a dangerous strategy today.