API Security Analysis

Aptori performs autonomous analysis of your API to uncover hard-to-find security vulnerabilities and functional defects in the implementation of your APIs.

Aptori detects most of the API security vulnerabilities identified by security researchers at OWASP, MITRE, and SANS. Aptori's vulnerability analyzers check the implementation of an API: in addition to looking for the known patterns used by attackers, Aptori introspects your API to uncover vulnerabilities that may exist within the specific business logic of your application.

Aptori vulnerability analyzers include checks for the OWASP API Security Top 10 vulnerabilities.

OpenAPI Conformance

The Conformance Analyzer validates, by dynamic analysis, whether your API conforms to its definition. Conformance defects can lead to application and server errors caused by a mismatch between the contract the client expects and the one the server implements. These defects may result in a bad experience for your users, inadvertently leak sensitive information, and slow down development teams who need to debug the errors.

Broken Object Level Authorization (BOLA)

Every API endpoint that receives an ID of an object, and performs any action on the object, should implement object-level authorization checks. The checks should validate that the logged-in user is authorized to perform the requested action on the object.

Aptori can automatically detect instances of Broken Object Level Authorization (BOLA) vulnerabilities in your APIs and provide clear guidance to the developers on where the access control mechanism has not been correctly implemented.
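The object-level check described above, as an added example that is not Aptori's code: a handler that receives an invoice ID, first without and then with an ownership check, plus a probe that replays the owner's request under a second user's identity, which is the basic shape of a dynamic BOLA test. The invoice store, the user names and the `NotFound` error are constructed for the example.

```python
# Added example (not Aptori's code): object-level authorization on an endpoint
# that receives an object ID, and a probe that detects its absence.
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str      # username of the customer the invoice belongs to
    amount: float


# Constructed stand-in for the application database.
INVOICES: Dict[int, Invoice] = {
    1: Invoice(1, "alice", 120.0),
    2: Invoice(2, "bob", 75.5),
}


class NotFound(Exception):
    """Raised for a missing object; also used for 'not yours' so IDs cannot be enumerated."""


Handler = Callable[[str, int], Invoice]


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """BOLA: the caller is authenticated (elsewhere) but ownership is never checked."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def get_invoice_secure(current_user: str, invoice_id: int) -> Invoice:
    """Object-level authorization: the logged-in user must own the requested object."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise NotFound(invoice_id)
    return invoice


def bola_probe(handler: Handler, owner: str, other_user: str, invoice_id: int) -> bool:
    """Return True if `handler` is vulnerable: a non-owner can read the owner's object."""
    owner_view = handler(owner, invoice_id)
    try:
        other_view = handler(other_user, invoice_id)
    except NotFound:
        return False
    return other_view == owner_view


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_invoice_vulnerable), ("secure", get_invoice_secure)):
        print(f"{name}: BOLA={'YES' if bola_probe(handler, 'alice', 'bob', 1) else 'no'}")
```

The secure handler returns the same `NotFound` for a missing object and for an object owned by someone else, so the response does not reveal which IDs exist.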

Broken User Authentication

Authentication in APIs is complex and hard to implement correctly. Furthermore, it is exposed to everyone and presents an easy target for attackers.

Aptori can automatically check whether your API authentication is vulnerable to commonly known attack vectors. These include checks for credential stuffing, weak passwords, brute-force attacks on user accounts, incorrect token validation, and weak JWT tokens.

Excessive Data Exposure

APIs often return too much information, on the expectation that the client application will filter the data. An adversary does not behave like a well-mannered client application and will exploit Excessive Data Exposure to collect personally identifiable information and other sensitive data that can be used to mount further attacks.

Aptori can automatically identify cases where the API returns extra data not specified in the API definition, which may contain sensitive information that should not be exposed. Aptori informs developers promptly, early in the SDLC, so that the weakness is addressed before the API implementation is released to production.
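Both the OpenAPI Conformance check and the Excessive Data Exposure check above compare a live response with the response schema the API definition declares. The following added example (not Aptori's code) does that comparison for one JSON response: it reports missing required fields and type mismatches as conformance defects, and reports every undeclared field as a candidate for excessive data exposure, marking names that look sensitive. The schema, the response body and the `SENSITIVE_HINTS` list are constructed for the example.

```python
# Added example (not Aptori's code): dynamic conformance and undeclared-field
# check of a JSON response against an OpenAPI-style object schema.
from typing import Any

# Constructed subset of an OpenAPI 3 components/schemas entry for GET /users/{id}.
USER_SCHEMA = {
    "type": "object",
    "required": ["id", "username", "email"],
    "properties": {
        "id": {"type": "integer"},
        "username": {"type": "string"},
        "email": {"type": "string"},
    },
}

# JSON Schema type name -> accepted Python types.
_TYPE_MAP = {
    "integer": (int,),
    "number": (int, float),
    "string": (str,),
    "boolean": (bool,),
    "object": (dict,),
    "array": (list,),
}

# Name fragments that make an undeclared field worth flagging (constructed list).
SENSITIVE_HINTS = ("password", "hash", "ssn", "token", "secret", "key")


def _type_ok(value: Any, expected: str) -> bool:
    # bool is a subclass of int in Python; JSON Schema treats it as a separate type.
    if expected in ("integer", "number") and isinstance(value, bool):
        return False
    return isinstance(value, _TYPE_MAP[expected])


def check_response(body: dict, schema: dict) -> dict:
    """Return {'conformance': [...], 'exposure': [...]}; both empty means clean."""
    conformance, exposure = [], []
    props = schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in body:
            conformance.append(f"missing required field '{name}'")
    for name, value in body.items():
        if name in props:
            expected = props[name]["type"]
            if not _type_ok(value, expected):
                conformance.append(
                    f"field '{name}' is {type(value).__name__}, schema says {expected}")
        else:
            # Undeclared field: the API returns more than its contract promises.
            sensitive = any(h in name.lower() for h in SENSITIVE_HINTS)
            exposure.append(
                f"undeclared field '{name}'" + (" (looks sensitive)" if sensitive else ""))
    return {"conformance": conformance, "exposure": exposure}


if __name__ == "__main__":
    # Constructed response: the server serialises its whole user record,
    # and returns the id as a string instead of the declared integer.
    leaky = {"id": "42", "username": "alice", "email": "alice@example.com",
             "password_hash": "<bcrypt hash placeholder>", "is_admin": False}
    for kind, items in check_response(leaky, USER_SCHEMA).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Running the check over every response captured during a test session turns the definition into an executable contract: a type mismatch is a conformance defect to fix in the server, and an undeclared field is a prompt to either add it to the definition deliberately or stop returning it.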

Lack of Resources & Rate Limiting

An attacker can mount a denial-of-service (DoS) attack on your API simply by flooding it with ordinary API requests, rendering the API unresponsive and unavailable. Rate limiting can be implemented to prevent these attacks.

Aptori tests that your APIs have correctly implemented rate limiting by checking for the correct rate-limiting headers and verifying the limits are being enforced by the application.
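The two-part rate-limiting check described above (headers present, limit actually enforced), as an added example that is not Aptori's code. The server side is a constructed in-memory fixed-window limiter; the `RateLimit-Limit`, `RateLimit-Remaining` and `RateLimit-Reset` header names follow the IETF RateLimit header fields draft and are an assumption about the API under test, so adjust them to whatever your API emits.

```python
# Added example (not Aptori's code): a fixed-window limiter that advertises its
# limit in response headers, and a checker that verifies both the headers and
# the enforcement point agree.
import time
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str]]   # (HTTP status code, response headers)


class FixedWindowLimiter:
    """Allow `limit` requests per client per `window` seconds."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._state: Dict[str, Tuple[float, int]] = {}   # client -> (window start, count)

    def handle(self, client: str) -> Response:
        now = self.clock()
        start, count = self._state.get(client, (now, 0))
        if now - start >= self.window:          # window expired: start a fresh one
            start, count = now, 0
        count += 1
        self._state[client] = (start, count)
        reset_in = max(0, int(start + self.window - now))
        headers = {
            "RateLimit-Limit": str(self.limit),            # assumed header names
            "RateLimit-Remaining": str(max(0, self.limit - count)),
            "RateLimit-Reset": str(reset_in),
        }
        if count > self.limit:
            headers["Retry-After"] = str(reset_in)
            return 429, headers
        return 200, headers


def unlimited(client: str) -> Response:
    """Constructed contrast: a handler with no rate limiting at all."""
    return 200, {}


def check_rate_limiting(send: Callable[[], Response], max_attempts: int = 1000) -> dict:
    """Send requests until a 429 appears or max_attempts is reached.

    'consistent' is True only when the advertised limit equals the number of
    requests the server actually accepted before it started rejecting.
    """
    advertised = None
    for n in range(1, max_attempts + 1):
        status, headers = send()
        if advertised is None and "RateLimit-Limit" in headers:
            advertised = int(headers["RateLimit-Limit"])
        if status == 429:
            return {"headers_present": advertised is not None,
                    "enforced": True,
                    "advertised_limit": advertised,
                    "requests_before_429": n - 1,
                    "retry_after_present": "Retry-After" in headers,
                    "consistent": advertised == n - 1}
    return {"headers_present": advertised is not None,
            "enforced": False,
            "advertised_limit": advertised,
            "requests_before_429": max_attempts,
            "retry_after_present": False,
            "consistent": False}


if __name__ == "__main__":
    limiter = FixedWindowLimiter(limit=5, window=60)
    print(check_rate_limiting(lambda: limiter.handle("10.0.0.1")))
    print(check_rate_limiting(lambda: unlimited("10.0.0.1"), max_attempts=50))
```

Against a real API, `send` would wrap an HTTP client call; the checker itself only needs the status code and headers. Keep `max_attempts` modest so the check does not itself become the DoS the section warns about.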

Broken Function Level Authorization

Broken Function Level Authorization faults allow attackers to access functionality and take actions they are not authorized to take. The public exposure of APIs and the predictable structure of API operations make it possible for attackers to systematically explore APIs to uncover these defects, for example by changing the HTTP method from GET to PUT, or changing the "users" string in the URL to "admins". Implementing proper access control in APIs is a complex task, since modern applications have a complicated user hierarchy with many types of roles or groups, and manually testing every permutation of user roles and permissions is harder still.
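The role-by-operation permutation problem described above lends itself to an exhaustive check. The following added example (not Aptori's code) enforces function-level authorization from a single permission matrix and then calls every (role, method, path) combination, reporting any response that deviates from the matrix; it also includes a constructed buggy handler that gates on the HTTP method alone, so that both the GET-to-PUT and the users-to-admins cases from the text show up as findings. Roles, paths and the policy are constructed for the example.

```python
# Added example (not Aptori's code): function-level authorization from one
# policy table, plus a matrix test over every role x operation combination.
from itertools import product
from typing import Callable, Dict, Iterable, List, Set, Tuple

Operation = Tuple[str, str]   # (HTTP method, path template)

# Every operation the server exposes (constructed API surface).
OPERATIONS: List[Operation] = [
    ("GET", "/users/{id}"),
    ("PUT", "/users/{id}"),
    ("DELETE", "/users/{id}"),
    ("GET", "/admins"),
]

# The authorization policy: which roles may call which operations.
POLICY: Dict[str, Set[Operation]] = {
    "user":  {("GET", "/users/{id}"), ("PUT", "/users/{id}")},
    "admin": set(OPERATIONS),
}


def is_authorized(role: str, method: str, path: str) -> bool:
    """Single choke point: default deny, allow only what the policy lists."""
    return (method, path) in POLICY.get(role, set())


def handle(role: str, method: str, path: str) -> int:
    """Route a request; returns an HTTP status code (200, 403 or 404)."""
    if (method, path) not in OPERATIONS:
        return 404
    if not is_authorized(role, method, path):
        return 403
    return 200


def handle_buggy(role: str, method: str, path: str) -> int:
    """Constructed BFLA: decides on the method alone, not the full operation."""
    if (method, path) not in OPERATIONS:
        return 404
    if method == "GET" or role == "admin":   # every GET is open to everyone
        return 200
    return 403


def bfla_matrix(handler: Callable[[str, str, str], int],
                roles: Iterable[str], operations: Iterable[Operation]) -> List[str]:
    """Call every role x operation pair and return deviations from POLICY.

    Reports both over-permission (a role getting 200 where the policy says 403)
    and under-permission (a role denied an operation the policy grants).
    """
    findings = []
    for role, (method, path) in product(list(roles), list(operations)):
        expected = 200 if (method, path) in POLICY.get(role, set()) else 403
        observed = handler(role, method, path)
        if observed != expected:
            findings.append(f"{role} {method} {path}: expected {expected}, got {observed}")
    return findings


if __name__ == "__main__":
    for name, h in (("policy-driven", handle), ("buggy", handle_buggy)):
        print(name, bfla_matrix(h, POLICY.keys(), OPERATIONS) or "no findings")
```

Because `bfla_matrix` derives its expectations from the same `POLICY` the handler enforces, the policy file becomes the single source of truth, and adding a role or an operation automatically extends the test.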

Security Misconfiguration

Security misconfigurations can happen at any level of the API stack, from the network to the application layer. Publicly available tools automate the detection of misconfigurations and make them easy to exploit. The consequences range from exposure of sensitive user data to full server compromise.

Aptori can assist you in hardening your application stack by automatically finding faults in application-level misconfigurations and providing guidance on how to fix them.

Injection

Injection flaws are common and often found in SQL or NoSQL queries, OS commands, XML parsers, and ORMs. Attackers can easily exploit these flaws by using publicly available scanners that feed the API malicious data to discover vulnerable API operations.

Aptori can check whether your API is vulnerable to Injection attacks by simulating attacks with a continuously updated library of injection vectors. Further, Aptori leverages its API introspection to uncover injection vulnerabilities that may exist within complex request bodies or at deeper layers of your application logic.
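The SQL injection case above, as an added example that is not Aptori's code: the same user lookup written with string concatenation and with a parameterised query, run against an in-memory SQLite database built here for the example, and a small differential check of the kind a dynamic scanner performs, comparing the row count for a benign value with the row count for the classic tautology probe. The table contents are constructed.

```python
# Added example (not Aptori's code): vulnerable and parameterised SQL lookups
# side by side, with a differential check that tells them apart.
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Builds SQL by concatenation: the input becomes part of the query's syntax."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_secure(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Parameterised: the driver binds the input as data, never as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def injection_check(conn: sqlite3.Connection,
                    lookup: Callable[[sqlite3.Connection, str], List[Row]]) -> bool:
    """Return True if a tautology in the parameter widens the result set.

    A benign value should match exactly one user. If the probe value matches
    more rows than that, the parameter reached the query unescaped.
    """
    baseline = lookup(conn, "alice")
    probe = lookup(conn, "alice' OR '1'='1")
    return len(probe) > len(baseline)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", injection_check(db, find_user_vulnerable))   # True
    print("secure:    ", injection_check(db, find_user_secure))       # False
```

The parameterised version returns no rows for the probe because the whole string, quotes and all, is compared against the `username` column as a value. The same rule (bind, never concatenate) applies to NoSQL query builders, ORM raw-query escapes and OS command arguments, which the section lists alongside SQL.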