Security is a major concern for APIs. Here are seven open-source tools to help protect them.
APIs have become the standard way to connect applications and users, from a car reporting the nearest gas station to a smartphone fetching the weather. But as more and more organizations expose their APIs, the opportunity for attackers to exploit security weaknesses in them grows.
APIs are an attractive target: they expose business logic and data directly, every new endpoint is another potential vulnerability to plug, and a successful attack on an enterprise API can escalate into a severe data breach. The problem grows every day as APIs take on a more central role in delivering new products and features.
Thankfully, API providers have solid, standard toolsets to choose from. Below, we review some open-source tools that help with API security: security testing utilities, open standards, and free identity management software that can be used to build and test a zero-trust API architecture.
Astra

Astra is an automated REST API penetration testing tool used by security engineers and developers during API development. Manual penetration testing of an API is hard to keep current because the API model changes continuously and new endpoints keep being added; Astra automates the repetitive part of that work.

Astra can automatically detect and test the login and logout APIs (the Auth API). It can also take an API collection as input and test each endpoint individually in standalone mode, which makes it relatively easy to run as a stage in a CI/CD pipeline. Astra checks for the following classes of issues:
- SQL injection
- Cross-site scripting
- Information Leakage
- Broken Authentication and session management
- CSRF (including Blind CSRF)
- Rate limit
- CORS misconfiguration (including CORS bypass techniques)
- JWT attack
- CRLF detection
- Blind XXE injection
crAPI

The Completely Ridiculous API (crAPI) is a deliberately vulnerable application that lets your team learn the ten most critical API security risks (the OWASP API Security Top 10) in a mock environment. crAPI implements every security loophole an API should never have, which makes it a good model of how not to build API security and a safe target on which to practise API testing.

crAPI uses a microservices architecture and is composed of the following services:
- Web: Main Ingress service
- Identity: User and authentication endpoints
- Community: Community blogs and comments endpoints
- Workshop: Vehicle workshop endpoints
- Mailhog: Mail service
- Mongo: NoSQL Database
- Postgres: SQL Database
Curity Identity Server Community Edition

The Curity Identity Server Community Edition is a free version of Curity's Identity Server for securing access to your APIs. The Identity Server is an authentication and authorization server that implements the OpenID Connect and OAuth 2.0 standards, so it gives you one common way to authenticate users of your web applications, mobile applications, and API endpoints, and to issue the tokens those APIs accept.

The community edition comes with:
- Unlimited users
- Username/Password and social identity providers
- Complete OAuth Server
- Secure API with tokens
- Custom authentication
JWT

JSON Web Token (JWT) is one of the most popular formats for application access tokens. It is an open standard, defined in RFC 7519, that specifies a compact, URL-safe way to transfer a set of claims between client and server so that the receiver can verify who issued them and that they have not been altered.

In outline, the server issues a signed token that asserts the user's identity (plus other claims such as an expiry time) and hands it to the client. From then on the client sends that token with every request, typically in an Authorization header, and the server authenticates the request by validating the token instead of looking up a server-side session.

A JWT of this kind is cryptographically signed but not encrypted: anyone who obtains it can decode and read its claims, so it must never carry secrets, and it must be sent over HTTPS so that no intermediary can read, modify or replay it in transit. It is the signature, not the transport, that lets the server trust the token's contents, so the server must validate the signature and the expiry on every request.
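As an added example (not code from the article, nor from any of the tools it covers), here is a minimal HS256 JWT issuer and verifier in Python using only the standard library, together with the checks a pentest tool such as Astra runs against a verifier under its "JWT attack" item: an alg=none token with escalated claims, a payload tampered after signing, and a replay after expiry. The key, claims and clock values are constructed for the example; a production service would use a library such as PyJWT, but the checks the verifier must make are the same.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_token(claims: dict, key: bytes, ttl: int = 300, now: int = None) -> str:
    """Server side: produce header.payload.signature, signed with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = b64url_encode(_json({"alg": "HS256", "typ": "JWT"})) + "." + b64url_encode(_json(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_claims_unverified(token: str) -> dict:
    """Anyone holding the token can do this: a JWT is signed, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_token(token: str, key: bytes, now: int = None) -> dict:
    """Server side: accept only a well-formed, correctly signed, unexpired HS256 token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm instead of trusting the header; this is what defeats
    # alg=none and algorithm-confusion attacks.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(parts[1]))
    if now >= int(payload.get("exp", 0)):
        raise ValueError("token expired")
    return payload


def _rejected(token: str, key: bytes, now: int) -> bool:
    try:
        verify_token(token, key, now)
    except ValueError:
        return True
    return False


def jwt_attack_probe(token: str, key: bytes, now: int) -> dict:
    """The three JWT checks a scanner runs; True means the verifier rejected the attack."""
    escalated = dict(read_claims_unverified(token), role="admin")
    header, _, sig = token.split(".")
    # 1. Strip the signature and claim alg=none.
    alg_none = b64url_encode(_json({"alg": "none", "typ": "JWT"})) + "." + b64url_encode(_json(escalated)) + "."
    # 2. Change the payload but keep the original signature.
    tampered = header + "." + b64url_encode(_json(escalated)) + "." + sig
    return {
        "alg_none_rejected": _rejected(alg_none, key, now),
        "tampered_payload_rejected": _rejected(tampered, key, now),
        # 3. Replay the genuine token well after its exp claim.
        "expired_replay_rejected": _rejected(token, key, now + 24 * 3600),
    }


if __name__ == "__main__":
    KEY = b"constructed-demo-key-do-not-reuse"  # constructed for the example
    token = issue_token({"sub": "alice", "role": "user"}, KEY, now=1700000000)
    print(read_claims_unverified(token))  # readable without the key
    print(verify_token(token, KEY, now=1700000010)["sub"])
    print(jwt_attack_probe(token, KEY, now=1700000010))
```

The important design choice is in `verify_token`: the accepted algorithm is hard-coded rather than read from the token, and the signature is compared with `hmac.compare_digest` before the claims are even looked at. A verifier that honours whatever `alg` the header announces is the one Astra's JWT check is designed to catch.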
HAWK

Hawk is an HTTP authentication scheme created by one of the original developers of OAuth. It was designed as a simpler replacement for OAuth 1.0's two-legged (client-to-server) flow, and it works by having the client sign each HTTP request with an HMAC digest.

Like HTTP Basic authentication, Hawk uses client credentials, in this case an identifier and a secret key. Unlike Basic, the key itself is never sent over the wire: it is used only to compute a MAC over the request (method, URI, host, port, timestamp and nonce), which the server recomputes with its own copy of the key and compares with the value in the Authorization header.

To make requests, the client first needs a token id and token key from the server. When the server hands out the token, it uses a Hawk-Session-Token header; the client splits the header's value into two parts, the Hawk id and the Hawk key, and uses them to sign its subsequent requests.
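The exchange described above, as an added example that is not part of the article or of the Hawk project itself: the client builds the Authorization header by HMAC-signing the Hawk 1.x normalized request string (timestamp, nonce, method, resource, host, port, payload hash, ext) with its key, and the server recomputes the MAC over the request it actually received, checks the timestamp window, and refuses a replayed nonce. The credentials, request and clock values are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# Constructed credentials, shared out of band (e.g. issued at login). The key never
# travels in a request; only its MAC over the request does.
CREDENTIALS = {"client-1": b"constructed-shared-secret-key"}

_ATTR = re.compile(r'(\w+)="([^"]*)"')


def normalized_string(ts, nonce, method, resource, host, port, payload_hash="", ext=""):
    """Hawk 1.x normalized request string: one field per line, trailing newline."""
    return "hawk.1.header\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n" % (
        ts, nonce, method.upper(), resource, host.lower(), port, payload_hash, ext)


def compute_mac(key: bytes, normalized: str) -> str:
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def client_header(cred_id, key, method, resource, host, port, ext="", ts=None, nonce=None):
    """Client side: sign the request and produce the Authorization header value."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_urlsafe(6) if nonce is None else nonce
    mac = compute_mac(key, normalized_string(ts, nonce, method, resource, host, port, "", ext))
    fields = [("id", cred_id), ("ts", str(ts)), ("nonce", nonce)]
    if ext:
        fields.append(("ext", ext))
    fields.append(("mac", mac))
    return "Hawk " + ", ".join('%s="%s"' % kv for kv in fields)


def server_verify(header_value, method, resource, host, port, now, seen_nonces, skew=60):
    """Server side: returns (True, client id) or (False, reason)."""
    scheme, _, rest = header_value.partition(" ")
    if scheme != "Hawk":
        return False, "not a Hawk header"
    attrs = dict(_ATTR.findall(rest))
    key = CREDENTIALS.get(attrs.get("id"))
    if key is None:
        return False, "unknown id"
    try:
        ts = int(attrs["ts"])
        nonce, mac = attrs["nonce"], attrs["mac"]
    except (KeyError, ValueError):
        return False, "missing attributes"
    # Bound the replay window first, then make each (id, ts, nonce) usable once.
    if abs(now - ts) > skew:
        return False, "stale timestamp"
    replay_key = (attrs["id"], ts, nonce)
    if replay_key in seen_nonces:
        return False, "nonce replayed"
    # Recompute the MAC over the request the server actually received, not over
    # anything the client claims about it.
    expected = compute_mac(key, normalized_string(ts, nonce, method, resource, host, port, "", attrs.get("ext", "")))
    if not hmac.compare_digest(expected, mac):
        return False, "bad mac"
    seen_nonces.add(replay_key)
    return True, attrs["id"]


if __name__ == "__main__":
    hdr = client_header("client-1", CREDENTIALS["client-1"], "GET", "/resource/1?b=1&a=2",
                        "example.com", 8000, ext="some-app-ext-data", ts=1353832234, nonce="j4h3g2")
    print(hdr)
    seen = set()
    print(server_verify(hdr, "GET", "/resource/1?b=1&a=2", "example.com", 8000, 1353832240, seen))
    print(server_verify(hdr, "GET", "/resource/1?b=1&a=2", "example.com", 8000, 1353832240, seen))  # replay
```

Because the MAC covers the method and resource, a captured header cannot be reused against a different endpoint, and because the nonce cache is keyed on (id, ts, nonce) inside a short clock-skew window, the cache stays small while still blocking replays. The `payload_hash` field is left empty here; with a request body, Hawk lets the client include a hash of it so the body is covered too.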
OAuth

OAuth (Open Authorization) is a protocol that lets a website or application access resources hosted by a third-party service on behalf of a user, without the user handing over their password. OAuth 2.0 is the industry standard for delegated authorization and is used by companies such as Google and Twitter.

One point to keep in mind is that OAuth is an authorization protocol, not an authentication protocol: it is used to grant an application access to data on behalf of a user who is entitled to that data, not to establish who the user is (that is the job of OpenID Connect, which is layered on top of OAuth 2.0).

OAuth uses an access token to access the resource. The access token is a string that represents the authorization a user has granted to access the resource. In most cases it has a short lifetime, and to obtain a new access token without sending the user back through the consent flow, the client presents a refresh token.
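The token lifecycle described above, as an added example that is not code from the article or from any OAuth server it mentions: a minimal in-memory token endpoint in Python that issues a short-lived access token plus a refresh token, answers introspection queries in the style of RFC 7662's `active` flag, and implements the refresh grant. It goes one step beyond the text by rotating the refresh token on every use and revoking the whole token family if a rotated-out refresh token is presented again, the reuse-detection behaviour recommended by the OAuth 2.0 Security Best Current Practice. Token values, lifetimes and the clock are constructed for the example.

```python
import secrets
import time


class TokenEndpoint:
    """A toy authorization server's token store; not a complete OAuth implementation."""

    def __init__(self, access_ttl=600, refresh_ttl=30 * 24 * 3600):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self._access = {}   # access_token -> {"sub", "scope", "exp", "family"}
        self._refresh = {}  # refresh_token -> {"sub", "scope", "exp", "family", "used"}

    def _issue_pair(self, sub, scope, family, now):
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access[access] = {"sub": sub, "scope": scope, "exp": now + self.access_ttl, "family": family}
        self._refresh[refresh] = {"sub": sub, "scope": scope, "exp": now + self.refresh_ttl,
                                  "family": family, "used": False}
        # Shape of a token endpoint response (RFC 6749 section 5.1).
        return {"access_token": access, "token_type": "Bearer", "expires_in": self.access_ttl,
                "refresh_token": refresh, "scope": scope}

    def grant(self, sub, scope, now=None):
        """First issuance after the user has authorized the client (e.g. end of the code flow)."""
        now = int(time.time()) if now is None else now
        return self._issue_pair(sub, scope, secrets.token_hex(8), now)

    def introspect(self, access_token, now=None):
        """What a resource server asks before honouring a bearer token."""
        now = int(time.time()) if now is None else now
        rec = self._access.get(access_token)
        if rec is None or now >= rec["exp"]:
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "scope": rec["scope"], "exp": rec["exp"]}

    def refresh(self, refresh_token, now=None):
        """grant_type=refresh_token with rotation and reuse detection."""
        now = int(time.time()) if now is None else now
        rec = self._refresh.get(refresh_token)
        if rec is None or now >= rec["exp"]:
            raise PermissionError("invalid_grant")
        if rec["used"]:
            # A rotated-out refresh token came back: either the client or a thief holds a
            # stale copy. We cannot tell which, so revoke everything in the family.
            self._revoke_family(rec["family"])
            raise PermissionError("invalid_grant: refresh token reuse detected")
        rec["used"] = True
        return self._issue_pair(rec["sub"], rec["scope"], rec["family"], now)

    def _revoke_family(self, family):
        for store in (self._access, self._refresh):
            for tok in [t for t, r in store.items() if r["family"] == family]:
                del store[tok]


def demo_reuse_detection(now=1700000000):
    """Walk the lifecycle; returns the introspection outcome at each step."""
    ep = TokenEndpoint(access_ttl=600)
    first = ep.grant("alice", "read:vehicles", now)
    states = {"fresh": ep.introspect(first["access_token"], now)["active"]}
    states["after_expiry"] = ep.introspect(first["access_token"], now + 601)["active"]
    second = ep.refresh(first["refresh_token"], now + 601)
    states["renewed"] = ep.introspect(second["access_token"], now + 602)["active"]
    try:
        ep.refresh(first["refresh_token"], now + 603)   # stale copy presented again
        states["reuse_refused"] = False
    except PermissionError:
        states["reuse_refused"] = True
    states["family_revoked"] = not ep.introspect(second["access_token"], now + 604)["active"]
    return states


if __name__ == "__main__":
    print(demo_reuse_detection())
```

Keeping the access token short-lived limits the damage if it leaks, and tying every token to a family means a leaked refresh token buys an attacker at most one renewal before the legitimate client's next refresh exposes the theft and shuts the whole family down.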
OAuth Tools

OAuth Tools is a playground for experimenting with and testing the inner workings of OAuth. With it you can decode tokens such as JWTs, access tokens and refresh tokens. It has a straightforward UI and lets you test against multiple environments; in a custom environment you can supply your own URL, scopes, keys, metadata and so on.

OAuth Tools also lets you export your settings as JSON and import them again, so you don't have to fill in the forms every time you test a token. Using OAuth Tools you can walk through the different OAuth flows and operations, such as the implicit flow, the hybrid flow, revoking a token, the logout flow, and more.
Best Practices for API Security
- Monitor with logs: Watch every detail of your API's behaviour and be prepared for errors, breaches and outages. Keeping logs pays off in the long run: they record everything, especially the errors, they help you debug API issues, and they can feed a status dashboard that keeps consumers informed during downtime.
- Test APIs routinely for vulnerabilities: APIs should be tested not only during development but at regular intervals afterwards, since new endpoints and changes keep arriving. Use a range of techniques, such as the JWT attack tests described above.
- Maintain the surrounding tech stack: Whether you build your APIs in Python, PHP, Node.js or something else, every package, library and runtime you use must be kept on the latest stable version, so that known vulnerabilities in your dependencies are patched rather than shipped.
- Do not leave any open endpoints: Never create an unauthenticated API endpoint, not even an undocumented one; attackers enumerate endpoints rather than read your documentation. Every endpoint must require authorization (for example a validated token in the Authorization header, or whatever mechanism you use to secure your API), and the default for anything not explicitly marked public must be to deny.
- API keys are insufficient: Basic Authentication and static API keys alone are inadequate for modern API security; they are long-lived bearer secrets with no scope or expiry. Prefer short-lived tokens issued by an OAuth 2.0 / OpenID Connect server, as described above.
Applications are being churned out faster than security teams can review them, so security processes are often too slow for an organization's agile needs, which frustrates the stakeholders who have to deliver without compromising security. Visibility across the board matters here: a lack of security forethought turns security into a bottleneck in the deployment process.

Security is a crucial aspect of modern development and an area that must mature quickly. Every day brings news of data breaches and cyber-attacks that cost companies dearly. Above we have listed some of the best methods for securing your APIs, many of them adopted by the largest players in the industry. API testing also plays an important role, since it helps you find loopholes and remove them before an attacker does.
Source: Nordic APIs