API Security Testing

Rapid analysis.
Immediate risk triage.

Data Shows that API Risk is Increasing… Not Going Away

Know Your APIs, Scan Your APIs, Test Your APIs
Don’t confuse API security configuration assessment with traditional vulnerability scanning – it is different. Using multi-layer probing technology, the Edgescan API discovery engine uses asynchronous port scanning to identify and then monitor network changes. It automatically discovers active API endpoints across your entire attack surface and profiles each discovered endpoint.
The Threat is Real – Here’s the Proof
Frequent Attack – 2022: API Abuse will be the most-frequent attack vector (Gartner)
Increased Vulnerability – In 2022 Edgescan has seen a 320% rise in vulnerable APIs deployed
Cloud Breaches – 66% of Cloud breaches are due to misconfigured APIs (IBM Security)
Inappropriate Scanners – Web application scanner tools do not suit API security properly.
Inappropriate Tools – API security testing can be difficult because many tools simply were not built to test API security.
High Risk API Vulnerabilities Discovered by Edgescan
Broken Object-Level Authorization
APIs often expose endpoints that handle object identifiers. Any function that accepts user input and uses it to access a data source can create an object-level access control issue, widening the attack surface. Object-level authorization checks should be carried out in every such function.
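As an added illustration (example code, not Edgescan's), the following shows the same record lookup with and without an object-level authorization check, plus a small audit helper a test suite can run over a list of identifiers to flag any record returned to a caller who does not own it. The Invoice model, the in-memory store and the user ids are constructed for the example.

```python
# Added example (not Edgescan's code): object-level authorization on an
# endpoint that looks records up by a client-supplied identifier.
# The model, the in-memory store and the user ids are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample data: two users, three invoices.
INVOICES = {
    1: Invoice(1, owner_id=100, amount_cents=1999),
    2: Invoice(2, owner_id=100, amount_cents=5000),
    3: Invoice(3, owner_id=200, amount_cents=250),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """BOLA: trusts the identifier from the request and never compares the
    record's owner with the authenticated user (current_user_id is ignored)."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_checked(current_user_id: int, invoice_id: int) -> Invoice:
    """Object-level check: the authenticated principal must own the record.
    Returning NotFound for foreign records (rather than a distinct 'forbidden')
    avoids confirming to the caller that the identifier exists."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise NotFound(invoice_id)
    return invoice


def audit_object_access(handler, user_id: int, ids) -> dict:
    """Defender-side check: for each identifier, record whether the handler
    handed user_id a record that belongs to someone else. Returns {id: status}."""
    result = {}
    for invoice_id in ids:
        try:
            inv = handler(user_id, invoice_id)
            result[invoice_id] = "ok" if inv.owner_id == user_id else "LEAK"
        except NotFound:
            result[invoice_id] = "NotFound"
    return result


if __name__ == "__main__":
    print(audit_object_access(get_invoice_vulnerable, 100, [1, 2, 3]))
    print(audit_object_access(get_invoice_checked, 100, [1, 2, 3]))
```

The audit helper is the shape of an authorization regression test: run every identifier-taking endpoint as a low-privilege principal and assert that nothing outside that principal's own objects comes back.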
Broken User Authentication
Attackers often take advantage of incorrectly applied authentication mechanisms. They may compromise an authentication token or exploit flaws in implementation to pose as another user, either on a one-time basis or permanently. If the system’s ability to identify the client/user is compromised, so is the overall API’s security.
Excessive Data Exposure
Developers often rely on the client side to filter the data before displaying it to the user. This can create serious security issues—data must always be filtered at the server side, and only the relevant information should be delivered to the client side.
Lack of Resources and Rate Limiting
APIs often don’t restrict the number or size of resources that the client/user can request. This can degrade the performance of the API server, resulting in Denial of Service (DoS), and it leaves authentication endpoints open to brute-force attacks.
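To make the mitigation concrete, here is an added example (not Edgescan's code) of a per-client token bucket that bounds both request rate and request body size. The limits, client ids and the deterministic clock are constructed so the behaviour can be checked offline; a real deployment would key the bucket on the authenticated principal or source address and store it in a shared cache.

```python
# Added example (not Edgescan's code): per-client token-bucket rate limiting
# with a body-size cap. Limits and client ids are constructed for the example.
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: float
    refill_per_sec: float
    tokens: float
    last: float


class RateLimiter:
    def __init__(self, capacity: int, refill_per_sec: float,
                 max_body_bytes: int, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.max_body = max_body_bytes
        self.clock = clock
        self.buckets: dict[str, Bucket] = {}

    def allow(self, client_id: str, body_bytes: int = 0) -> tuple[bool, str]:
        """Returns (allowed, reason). Oversized bodies are refused before a
        token is spent, so they cannot be used to drain the bucket."""
        if body_bytes > self.max_body:
            return False, "payload too large"
        now = self.clock()
        b = self.buckets.get(client_id)
        if b is None:
            b = Bucket(self.capacity, self.refill, float(self.capacity), now)
            self.buckets[client_id] = b
        # Refill proportionally to elapsed time, never above capacity.
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.refill_per_sec)
        b.last = now
        if b.tokens < 1.0:
            return False, "rate limit exceeded"
        b.tokens -= 1.0
        return True, "ok"


class FakeClock:
    """Constructed clock so the example runs deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, secs):
        self.t += secs


def simulate_burst(n: int, capacity: int = 5, refill: float = 1.0) -> dict:
    """Sends n requests at t=0 from one client, then one more after a 2 s
    pause, then an oversized body. Returns the observed outcomes."""
    clock = FakeClock()
    rl = RateLimiter(capacity, refill, max_body_bytes=1024, clock=clock)
    allowed = sum(rl.allow("client-a")[0] for _ in range(n))
    clock.advance(2.0)
    after_pause = rl.allow("client-a")[0]
    oversized = rl.allow("client-a", body_bytes=4096)
    return {"allowed": allowed, "after_pause": after_pause, "oversized": oversized}


if __name__ == "__main__":
    print(simulate_burst(20))
```

Checking the body size before charging a token matters: otherwise a client can consume its whole budget with requests that are rejected anyway, and the server still pays to read them.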
Broken Function-Level Authorization
Authorization flaws often result from overly complex access control policies, or if there is no clear separation between regular and administrative functions. Attackers can exploit these vulnerabilities to gain access to a user’s resources or perform administrative functions.
Mass Assignment
Mass assignment typically results from binding client-provided data (e.g. JSON) to a data model without filtering the properties against an allowlist. Attackers can modify object properties in a number of ways—they can explore API endpoints, read the documentation, guess object properties, or supply additional properties in request payloads.
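The two allowlists below are the counterpart to the Excessive Data Exposure and Mass Assignment items above: one controls which client-supplied properties may be bound into the model, the other controls which model fields may leave the server. This is an added example, not Edgescan's code; the User model, field names and payloads are constructed for illustration.

```python
# Added example (not Edgescan's code): allowlist-based binding of client JSON
# into a model (against mass assignment) and allowlist-based serialization of
# the model back to the client (against excessive data exposure).
# The User model, its fields and the payloads are constructed here.
from dataclasses import dataclass, asdict


@dataclass
class User:
    user_id: int
    email: str
    display_name: str
    is_admin: bool = False       # privileged: must never be client-writable
    password_hash: str = ""      # sensitive: must never be client-readable


# Fields a client may set on its own profile.
WRITABLE_FIELDS = frozenset({"email", "display_name"})
# Fields a client may see in a profile response.
READABLE_FIELDS = frozenset({"user_id", "email", "display_name"})


def bind_vulnerable(user: User, payload: dict) -> User:
    """Mass assignment: every key in the JSON body becomes an attribute."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def bind_checked(user: User, payload: dict) -> tuple:
    """Copies only allowlisted keys and returns (user, rejected_keys) so the
    rejected keys can be logged or the request refused, not silently dropped."""
    rejected = sorted(k for k in payload if k not in WRITABLE_FIELDS)
    for key, value in payload.items():
        if key in WRITABLE_FIELDS:
            setattr(user, key, value)
    return user, rejected


def serialize_vulnerable(user: User) -> dict:
    """Excessive data exposure: dumps the whole model and relies on the client
    to hide what it should not show."""
    return asdict(user)


def serialize_checked(user: User) -> dict:
    """Server-side filtering: only allowlisted fields leave the server."""
    return {k: v for k, v in asdict(user).items() if k in READABLE_FIELDS}


if __name__ == "__main__":
    u = User(7, "a@example.test", "Alice", password_hash="$argon2id$constructed")
    payload = {"display_name": "Alice B.", "is_admin": True}   # constructed body
    print(bind_vulnerable(User(7, "a@example.test", "Alice"), payload).is_admin)  # True
    updated, rejected = bind_checked(u, payload)
    print(updated.is_admin, rejected)                                          # False ['is_admin']
    print(serialize_checked(updated))
```

Keeping both allowlists next to the model, rather than scattered through handlers, makes a review question ("can a client write is_admin? can it read password_hash?") answerable by reading two lines.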
Security Misconfiguration
Security misconfiguration often results from inadequate default configurations, ad-hoc or incomplete configurations, misconfigured HTTP headers or inappropriate HTTP methods, insufficiently restrictive Cross-Origin Resource Sharing (CORS), open cloud storage, or error messages that contain sensitive information.
Injection
Injection flaws (including SQL injection, NoSQL injection, and command injection) occur when data from an untrusted source is sent to an interpreter as part of a command or query. Attackers can send crafted data to trick the interpreter into executing unintended commands or into returning data the attacker is not authorized to access.
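As an added example (not Edgescan's code), the same lookup is written once with string splicing and once with a bound parameter, against an in-memory SQLite table of constructed rows. The compare helper runs both forms on one input and reports what each returned, which is the form a regression test for this class of flaw usually takes.

```python
# Added example (not Edgescan's code): SQL lookup with string splicing versus
# a parameterized query. The accounts table and its rows are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)])
    return conn


def find_by_username_vulnerable(conn, username: str) -> list:
    """Untrusted input is spliced into the query text, so the input can change
    the query's structure rather than only its value."""
    sql = f"SELECT id, username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_by_username_parameterized(conn, username: str) -> list:
    """The input is bound as a parameter; the driver keeps it a value, so a
    quote in a legitimate name is data, not syntax."""
    return conn.execute(
        "SELECT id, username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def compare(username: str) -> dict:
    """Runs both forms on the same input and reports the rows each returned
    (or the error class the spliced form raised)."""
    conn = make_db()
    try:
        vuln = find_by_username_vulnerable(conn, username)
    except sqlite3.Error as exc:
        vuln = f"error: {exc.__class__.__name__}"
    safe = find_by_username_parameterized(conn, username)
    conn.close()
    return {"vulnerable": vuln, "parameterized": safe}


if __name__ == "__main__":
    print(compare("bob"))
    print(compare("o'brien"))   # a legitimate name breaks the spliced query
```

The apostrophe case is worth keeping in a test suite: it shows that the parameterized form is not only the safe one but also the correct one for ordinary input.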
API Discovery
How it Works
Download our one-page Edgescan API Discovery document to understand how it works.
Benefits for Edgescan Customers

API Discovery
Identify the APIs present on each host in your external estate. Edgescan discovers APIs across your IP/CIDR ranges using its multi-layer API discovery technology, finds rogue or unknown APIs across your estate, and alerts you to new discoveries.

3-Phase Approach Ensures Accuracy
API Discovery provides an understanding of the API topology within an estate.
API Vulnerability Scanning detects security vulnerabilities with accuracy and keeps pace with change.
API Penetration Testing provides a manual penetration test of an organization’s business-critical APIs.

Monitor and Track Changes
Consumes OpenAPI/Swagger/GraphQL files to map out the entire API, so that the whole API receives a rigorous assessment. As your development team changes the API over time, Edgescan detects the change and maintains security coverage.
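To show what "detecting the change" can mean in practice, here is an added example (not Edgescan's code, and not a description of its discovery engine) that builds an endpoint inventory from an OpenAPI 3 document and diffs two revisions so that new operations, removed operations, operations that lost their authentication requirement, and newly added parameters surface for review. Both specs are constructed.

```python
# Added example (not Edgescan's code): inventory an OpenAPI 3 document and
# diff two revisions of it. SPEC_V1 and SPEC_V2 are constructed.
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def inventory(spec: dict) -> dict:
    """Returns {"METHOD /path": {"auth": bool, "params": [...]}} per operation.
    An operation is unauthenticated when its own 'security' is an empty list,
    or when it has none and the document has no top-level default."""
    default_security = spec.get("security", [])
    inv = {}
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            sec = op.get("security", default_security)
            # Path-level parameters apply to every operation under the path.
            params = sorted(p["name"] for p in
                            item.get("parameters", []) + op.get("parameters", []))
            inv[f"{method.upper()} {path}"] = {"auth": bool(sec), "params": params}
    return inv


def diff_inventories(old: dict, new: dict) -> dict:
    """Classifies changes between two inventories."""
    common = set(old) & set(new)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    auth_dropped = sorted(k for k in common if old[k]["auth"] and not new[k]["auth"])
    new_params = {}
    for k in sorted(common):
        extra = sorted(set(new[k]["params"]) - set(old[k]["params"]))
        if extra:
            new_params[k] = extra
    return {"added": added, "removed": removed,
            "auth_dropped": auth_dropped, "new_params": new_params}


def changes_between(old_spec: dict, new_spec: dict) -> dict:
    return diff_inventories(inventory(old_spec), inventory(new_spec))


# Constructed revision 1: everything requires bearer auth except /health.
SPEC_V1 = json.loads("""{
  "openapi": "3.0.0",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true}],
      "get": {"summary": "fetch user"},
      "delete": {"summary": "delete user"}
    },
    "/health": {"get": {"security": []}}
  }
}""")

# Constructed revision 2: a new admin route, a new query parameter on GET,
# and DELETE has had its security requirement removed.
SPEC_V2 = json.loads("""{
  "openapi": "3.0.0",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true}],
      "get": {"parameters": [{"name": "include_secrets", "in": "query"}]},
      "delete": {"security": []}
    },
    "/health": {"get": {"security": []}},
    "/admin/export": {"post": {"summary": "bulk export"}}
  }
}""")

if __name__ == "__main__":
    print(json.dumps(changes_between(SPEC_V1, SPEC_V2), indent=2))
```

Running this in CI against the previous merged spec turns an authorization regression (here, DELETE losing its security requirement) into a reviewable diff rather than something found later by a scanner.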

Test Headless Deployments
Easily test headless API deployments, since not all API endpoints are reachable through a web UI or covered during a web application pen test.

Proactive and Continuous Protection Including a Full Suite of API Tests
Continuous monitoring and defense against botnet and advanced threats, including DDoS. Tests run include: common API routes, API descriptor files (Swagger/WADL), SOAP protocol detection, JSON/XML response analysis, API endpoint metadata, API routes in HTTP attributes, cookie-based API indicators, etc.

Complete Cloud Coverage
Discover hidden and shadow APIs across any cloud provider, including Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), or any external network.

Fast and Easy Deployment
The Edgescan platform is SaaS-based, so there is no software to deploy and your team can start using it quickly.