How to security scan your web API for vulnerabilities

This content originally appeared on DEV Community and was authored by Intesar Shannan Mohammed

About me: I write, review, and build API security tools and best practices.

The purpose of this article is to show Appsec/developers how to get started with API security scanning with an open source API. In the process you will learn what vulnerabilities will look like. And at the end of the write-up I’ll share a couple of tool recommendations for you to play with.

APIs are, in a sense, the new internet protocol. They are the gateway to every kind of application you build or integrate with: mobile, web, AI, serverless, microservices, blockchain, web 3.0, and so on.

APIs now dominate internet traffic. The recent Akamai report found that over 90% of web traffic consists of API calls. Without realizing it, you and your organization are using APIs predominantly.

APIs are also the most attacked surface; they have overtaken traditional attack surfaces such as networks and computers. This means that a security incident or breach in your organization this quarter is most likely to happen at the API layer.

Because APIs are a new paradigm, most organizations are underprepared for API security. API security validation is hard to achieve: it is still in its early stages, mostly human-powered, understaffed, and performed far less often than new code is deployed. Traditional security and penetration testing staff focus on mobile and web front ends, which makes matters even worse for APIs.

Here are a few tools you can use to get started with API security.

Use this open-source API for scanning, then review the vulnerability report: http://52.250.110.188:8080/v2/api-docs
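As an added example (not code from the original post or from any tool it mentions), the following Python script shows what a point-and-scan API tool does under the hood: it reads a Swagger 2.0 document of the kind served at a /v2/api-docs endpoint, enumerates every operation, and flags any operation that declares a security requirement yet still answers 2xx when called with no credentials at all. The spec, the base URL and the fake server are constructed so the scan runs offline; the `http_send` function is provided for running the same check against an API you own.

```python
"""
Minimal spec-driven API scanner (added example, not from the original post).

Reads a Swagger 2.0 document, enumerates every operation, and checks one
thing: does an operation that declares a security requirement still answer
2xx when called with no credentials?  That is the broken-authentication
class of finding a point-and-scan tool reports.

The HTTP sender is injectable so the scan can run against a constructed
spec and a fake server; pass `http_send` to check your own API instead.
"""
import json
import re
import urllib.error
import urllib.request

# Constructed sample spec; NOT the real /v2/api-docs document from the post.
SAMPLE_SPEC = json.loads("""
{
  "swagger": "2.0",
  "basePath": "/api",
  "securityDefinitions": {
    "bearer": {"type": "apiKey", "name": "Authorization", "in": "header"}
  },
  "paths": {
    "/health": {"get": {"operationId": "health"}},
    "/users/{id}": {
      "get": {"operationId": "getUser", "security": [{"bearer": []}]},
      "delete": {"operationId": "deleteUser", "security": [{"bearer": []}]}
    },
    "/orders": {"post": {"operationId": "createOrder", "security": [{"bearer": []}]}}
  }
}
""")

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def enumerate_operations(spec):
    """Return (METHOD, full_path, operationId, requires_auth) for each operation."""
    base = spec.get("basePath", "").rstrip("/")
    global_security = bool(spec.get("security"))
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            # An operation-level "security" overrides the global one;
            # an explicit empty list means the operation is public.
            requires_auth = bool(op["security"]) if "security" in op else global_security
            ops.append((method.upper(), base + path, op.get("operationId", ""), requires_auth))
    return ops


def fill_path_params(path):
    """Replace {param} placeholders with a harmless constructed value."""
    return re.sub(r"\{[^}]+\}", "1", path)


def http_send(method, url):
    """Real sender: issue the request with NO Authorization header, return the status."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def scan_missing_auth(spec, base_url, send):
    """Return protected operations that answered 2xx to an unauthenticated call."""
    findings = []
    for method, path, op_id, requires_auth in enumerate_operations(spec):
        if not requires_auth:
            continue  # declared public, nothing to check
        status = send(method, base_url + fill_path_params(path))
        if 200 <= status < 300:
            findings.append({"method": method, "path": path,
                             "operationId": op_id, "status": status})
    return findings


def fake_send(method, url):
    """Constructed server behaviour: deleteUser forgets to enforce authentication."""
    if url.endswith("/health"):
        return 200
    if method == "DELETE" and "/users/" in url:
        return 204  # the defect the scan should surface
    return 401


if __name__ == "__main__":
    for f in scan_missing_auth(SAMPLE_SPEC, "https://api.example.invalid", fake_send):
        print(f"[missing auth] {f['method']} {f['path']} ({f['operationId']}) -> {f['status']}")
```

The spec drives the scan, so every operation declared in the document is covered rather than only the ones a tester remembers to try; a real report would also cross-check the opposite case (operations the spec marks public that should not be).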

Tool #1
EthicalCheck
Pros: free, point-and-scan solution
Cons: Only covers OWASP #2

Tool #2
Burp
Pros: free community edition, write your own tests
Cons: Learning curve

I avoided adding commercial tools, since most of them are closed-source and offer custom pricing.

If you have any questions, feel free to reach out to me by email or Twitter:
intesar.mohammed@gmail.com
https://twitter.com/shannan_


Retrieved from Sciencx (2022-04-26): https://www.scien.cx/2022/04/26/how-to-security-scan-your-web-api-for-vulnerabilities/