‘Most web API flaws are missed by standard security tests’ – Corey J Ball on securing a neglected attack vector
API security is a ‘great gateway’ into a pen testing career, advises specialist in the field
INTERVIEW Securing web APIs requires a different approach to classic web application security, as standard tests routinely miss the most common vulnerabilities.
This is the view of API security expert Corey J Ball, who warns that methods that aren’t calibrated to web APIs can result in false-negative findings for pen testers.
After learning his craft in web application penetration testing in 2015 via hacking books, HackTheBox, and VulnHub, Ball further honed his skills on computers running Cold Fusion, WordPress, Apache Tomcat, and other enterprise-focused web applications.
He subsequently obtained CEH, CISSP, and OSCP certificates before eventually being offered an opportunity to help lead penetration testing services at public accounting firm Moss Adams, where he still works as lead web app pen tester.
Recently focusing more narrowly on web API security – a largely underserved area – Ball has launched a free online course on the topic and published Hacking APIs: Breaking Web Application Programming Interfaces (No Starch Press, 2022).
In an interview with The Daily Swig, Ball explains how the growing use of web APIs requires a change of perspective on how we secure our applications.
Attractive attack vector
The past few years have seen accelerating adoption of web APIs in various sectors. In 2018, Akamai reported that API calls accounted for 83% of web traffic.
“Businesses realized they no longer need to be generalists that have to develop every aspect of their application (maps, payment processing, communication, authentication, etc),” Ball says. “Instead, they can use web APIs to leverage the work that has been done by third parties and focus on specializing.”
API stands for application programming interface, a set of definitions and protocols for building and integrating application software.
Web APIs, which can be accessed with the HTTP protocol, have spawned API services that monetize their technology, infrastructure, functionality, and data. But APIs have attracted the attention of cybercriminals too.
“Insecure APIs can be used to compromise confidentiality, integrity, and availability,” Ball says. “This potential combined with the fact many APIs are internet-facing means vulnerable APIs make for one of the best attack vectors.”
Different rules apply
APIs can become less of a liability by including security-focused team members during design, encouraging secure coding, conducting regular security tests, and monitoring programming calls for attacks and misuse.
Securing web APIs requires a different approach to classic web application security, according to Ball.
“Standard web application tests will result in false-negative findings for web APIs,” he explains. “Tools and techniques that are not calibrated specifically to web APIs will miss on nearly all of the common vulnerabilities.”
A notable example is a vulnerability in the USPS Informed Visibility API, first reported by security researcher Brian Krebs. The web application was thoroughly tested one month before Krebs reported the data exposure.
During testing, tools like Nessus and HP WebInspect were applied generically to the testing targets, and therefore a significant web API vulnerability went undetected. This undiscovered security flaw, in the USPS Informed Visibility API, allowed any authenticated user to obtain access to email addresses, usernames, package updates, mailing addresses, and phone numbers associated with 60 million customers.
“The vulnerability assessment of the Informed Visibility system’s external attack surface is a great demonstration of what can happen if web application hacking techniques are applied to APIs,” Ball says. “The lesson here is that the right tools and techniques must be applied when testing APIs.”
Side-channel API attacks
Ball himself has found quite a few bugs through API-focused pen testing. His favorite discovery is a side-channel timing attack that exfiltrated information from an administrative API used for searching client records.
Normally, the API would reject all unauthorized requests and return a standard HTTP 401 Unauthorized response. Since the API lacked rate limiting, Ball could send many requests, testing different user IDs and names collected during passive reconnaissance. The security researcher realized that certain responses had slightly more bytes than others.
“Upon closer inspection (using Comparer), it became clear that a middleware header revealed how much longer the server would take to process certain requests,” he says. “I discovered requests that involved existing records took the server five times longer to process than non-existing records.”
By piecing together various items of disclosed information, Ball was able to gather sensitive information and associate users with their user ID, zip code, phone number, health records, and SSN (social security number).
“I did not need to exfiltrate the external network, bypass a firewall, pivot within the network, and finally gain access to the right database and find a way to exfiltrate data; instead I used a web API to reveal the crown jewels,” Ball concluded.
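A defender can catch this class of leak in a regression test by checking that rejected requests look the same whether or not the record exists. The sketch below is an added example, not code from the interview or from Ball's book; the header name `X-Process-Time` and the sample responses are constructed for illustration.

```python
# Constructed sample: 401 responses a test suite recorded against its own
# fixture data. "X-Process-Time" is a hypothetical middleware header name.
def _resp(ms):
    return {"status": 401,
            "headers": {"Content-Type": "application/json", "X-Process-Time": ms},
            "body": '{"error":"unauthorized"}'}

EXISTING = [_resp("250"), _resp("248")]   # probes for ids present in the fixture
MISSING = [_resp("50"), _resp("49")]      # probes for ids that do not exist

def observables(resp):
    """Flatten what an unauthorized caller can see into comparable values."""
    headers = resp["headers"]
    obs = {"status": resp["status"], "body_len": len(resp["body"]),
           "header_bytes": sum(len(k) + len(v) for k, v in headers.items())}
    for name, value in headers.items():
        obs["header:" + name.lower()] = value
    return obs

def distinguishing_features(group_a, group_b):
    """Features whose values never overlap between the groups (an oracle)."""
    a = [observables(r) for r in group_a]
    b = [observables(r) for r in group_b]
    leaks = {}
    for key in sorted(set().union(*a, *b)):
        vals_a = {o.get(key) for o in a}
        vals_b = {o.get(key) for o in b}
        if vals_a.isdisjoint(vals_b):
            leaks[key] = (sorted(vals_a, key=str), sorted(vals_b, key=str))
    return leaks

def strip_diagnostic_headers(resp, names=("x-process-time",)):
    """Mitigation for the disclosed value: drop timing headers from rejections."""
    kept = {k: v for k, v in resp["headers"].items() if k.lower() not in names}
    return {**resp, "headers": kept}

if __name__ == "__main__":
    print(distinguishing_features(EXISTING, MISSING))
    hardened = lambda group: [strip_diagnostic_headers(r) for r in group]
    print(distinguishing_features(hardened(EXISTING), hardened(MISSING)))
```

Stripping the header removes only the disclosed value; rejecting unauthorized requests before any record lookup, together with rate limiting, addresses the underlying timing difference.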
Opportunity knocks
Despite web APIs becoming an increasingly popular attack vector, Ball noticed a dearth of resources about testing them for vulnerabilities before specializing in the subject himself.
“There were no books focusing on API security testing, no certifications, few blog posts [or] videos, etc,” he says. “I went to conferences and asked the speakers giving the latest web app hacking talks what they did for API security testing. They either had no clue what to do with APIs or there was just one person on their team that knew how to test APIs.”
One of the partners at Moss Adams encouraged Ball to become an API subject matter expert. In a few months, Ball duly compiled around 150 pages of notes on the topic before realizing he was halfway through writing a book on API security.
“I saw an opportunity to share my research, to arm the testers, and help prevent that next API-related data breach,” he says. “I connected with No Starch Press. The rest is history.”
Ball has also released a free online course at APIsec University, in which he teaches different phases of the API pen testing process, including setting up a lab, doing reconnaissance, analyzing endpoints, and staging various attacks.
UnAPI days
Resources and standards around API security are gradually taking shape, including the publication of the top 10 API vulnerabilities by the Open Source Web Application Project (OWASP) in 2019.
However, Ball continues to see certain commonplace API security mistakes proliferating across the web. “Authorization continues to be the top API security mistake out in the wild,” he says.
He frequently sees instances of broken object level authorization and broken function level authorization, both entries on OWASP’s league table. In most cases, these vulnerabilities manifest themselves as one authenticated user being able to use the API to gain unauthorized access to the data of other users.
“With the prevalence of API authorization vulnerabilities, it seems there is both too much trust of valid users and not enough testing to make sure users and groups cannot access or alter each other’s data,” Ball says.
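The kind of test Ball says is missing can be written as a cross-user matrix: every user requests every record, and any successful read of someone else's object is a finding. This is an added example, not code from the interview; the users, records, and handler names are constructed, and it covers object-level authorization only.

```python
# Constructed fixture: record id -> owner and payload.
RECORDS = {
    101: {"owner": "alice", "address": "1 Example St"},
    102: {"owner": "bob", "address": "2 Example Ave"},
    103: {"owner": "carol", "address": "3 Example Rd"},
}
USERS = ["alice", "bob", "carol"]

def get_record_vulnerable(session_user, record_id):
    """Authenticated, but never checks who owns the object (BOLA)."""
    if session_user not in USERS:
        return 401, None
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    return 200, record

def get_record_checked(session_user, record_id):
    """Same endpoint with an object-level check on every lookup."""
    if session_user not in USERS:
        return 401, None
    record = RECORDS.get(record_id)
    # Same 404 for "missing" and "not yours", so ids cannot be enumerated.
    if record is None or record["owner"] != session_user:
        return 404, None
    return 200, record

def cross_user_violations(handler):
    """Try every user against every record; list reads that cross owners."""
    violations = []
    for user in USERS:
        for record_id, record in RECORDS.items():
            status, _body = handler(user, record_id)
            if status == 200 and record["owner"] != user:
                violations.append((user, record_id))
    return violations

def owners_still_served(handler):
    """Guard against over-blocking: owners must still read their own records."""
    return all(handler(r["owner"], rid)[0] == 200 for rid, r in RECORDS.items())

if __name__ == "__main__":
    print("vulnerable:", cross_user_violations(get_record_vulnerable))
    print("checked:   ", cross_user_violations(get_record_checked))
```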
Gateway bug
As APIs continue to become more prevalent, there is a growing need for API security experts.
“I believe APIs are actually a great gateway for anyone interested in becoming a pen tester. APIs could be the first thing a new hacker hacks,” Ball says.
Where to learn about API security? Ball suggests the following resources:
API Penetration Testing at APIsec University
PortSwigger’s* Web Security Academy
OWASP API Security Project
“Get very familiar with Postman and Burp Suite,” Ball advises. “Of course, if you’d like to do all of this from a single source, check out my book, Hacking APIs.”
*PortSwigger is the parent company of The Daily Swig