
Data Shows that API Risk is Increasing… Not Going Away
Deployment data from Edgescan customers reveals a 320% rise in API vulnerabilities in 2022. On top of that, Gartner research predicts that API abuse will become the most frequent attack vector. Don’t let your company become a news headline; it is time to get your API security under control.

Know Your APIs, Scan Your APIs, Test Your APIs
Don’t confuse API security assessment with traditional vulnerability scanning: it is a different discipline. The Edgescan API discovery engine uses multi-layer probing and asynchronous port scanning to identify hosts and then monitor them for network changes. It automatically discovers active API endpoints across your entire attack surface and profiles each endpoint it finds.
The Threat is Real – Here’s the Proof

Attack
By 2022, API abuse will be the most frequent attack vector – Gartner

Vulnerability
In 2022, Edgescan saw a 320% rise in vulnerable APIs deployed

Breaches
66% of cloud breaches are due to misconfigured APIs – IBM Security

Scanners
Web application scanner tools are not well suited to API security.

Tools
API security testing can be difficult because many tools simply were not built to test APIs.
We handle it
We provide continuous security testing for the ever-growing world of APIs, which are becoming more popular given the explosive growth in mobile apps and the fintech sector.
We are accustomed to providing rigorous testing of APIs in all their shapes and forms, including but not limited to SOAP/XML, RESTful and other web services.
Traditional web scanning tools simply don’t scan APIs with any rigor, so our team built its own API testing technology. Edgescan maps an API’s method calls by ingesting descriptor files (Swagger/OpenAPI/GraphQL) and provides rigorous automated assessment coupled with expert validation.
High Risk API Vulnerabilities Discovered by Edgescan
Broken Object-Level Authorization
APIs often expose endpoints that handle object identifiers. Any function that accepts user input and uses it to look up a record in a data source can create an object-level access control issue, widening the attack surface. Object-level authorization checks should be carried out in every such function.
Broken User Authentication
Attackers often take advantage of incorrectly implemented authentication mechanisms. They may compromise an authentication token or exploit implementation flaws to pose as another user, either temporarily or permanently. If the system’s ability to identify the client/user is compromised, so is the security of the API as a whole.
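As an added illustration (example code written for this page, not Edgescan’s technology or any customer’s API), the following shows the token-compromise case in miniature. A server mints an HMAC-signed bearer token; a broken verifier trusts the claims without checking the signature or expiry, so an attacker can rewrite the subject claim and be treated as another user; the hardened verifier rejects anything tampered, expired or malformed and compares the tag in constant time. The key, token format and claim names are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed server-side signing key for this example; load from a secrets manager in practice.
SECRET_KEY = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Mint a bearer token of the form base64url(claims).base64url(HMAC-SHA256(claims))."""
    now = time.time() if now is None else now
    claims = json.dumps({"sub": user_id, "exp": int(now) + ttl_seconds}, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, claims, hashlib.sha256).digest()
    return f"{_b64url(claims)}.{_b64url(tag)}"


def verify_token_vulnerable(token: str) -> Optional[str]:
    """BROKEN: trusts the claims without checking the signature or the expiry.
    Anyone can rewrite 'sub' and be treated as that user."""
    claims_b64, _ = token.split(".", 1)
    return json.loads(_b64url_decode(claims_b64)).get("sub")


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated subject, or None for anything malformed, tampered or expired."""
    now = time.time() if now is None else now
    try:
        claims_b64, tag_b64 = token.split(".", 1)
        claims_bytes = _b64url_decode(claims_b64)
        tag = _b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, claims_bytes, hashlib.sha256).digest()
    # Constant-time comparison: an early-exit byte compare would leak how much of a forged tag is right.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(claims_bytes)  # safe to parse now: only the key holder can produce a valid tag
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims.get("sub")


def forge_token(token: str, new_user_id: str) -> str:
    """Attacker's move: change the subject claim but keep the original signature."""
    claims_b64, tag_b64 = token.split(".", 1)
    claims = json.loads(_b64url_decode(claims_b64))
    claims["sub"] = new_user_id
    return f"{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{tag_b64}"
```

The same forged token is accepted by the broken verifier and rejected by the hardened one; during a test, that difference is the finding.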
Excessive Data Exposure
Developers often rely on the client side to filter data before displaying it to the user. This creates serious security issues: data must always be filtered on the server side, and only the information the client actually needs should be delivered to it.
Lack of Resources and Rate Limiting
APIs often don’t restrict the number or size of resources a client/user can request. This can degrade the performance of the API server, resulting in denial of service (DoS), and leaves authentication endpoints open to brute-force attacks because nothing throttles repeated attempts.
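An added example of the controls this item asks for (written for this page, not Edgescan’s code): a per-client sliding-window limiter plus hard ceilings on request body size and page size. The limits, the key format and the rejection strings are assumptions; keying the limiter by account name for a login endpoint is what turns unlimited password guessing into a slow one.

```python
import time
from collections import deque
from typing import Deque, Dict, Optional


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_seconds` for each client key
    (an IP, an API key, or "login:<username>" for an authentication endpoint)."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client_key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        hits = self._hits.setdefault(client_key, deque())
        # Forget timestamps that have fallen out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


MAX_BODY_BYTES = 64 * 1024   # assumed ceiling for a JSON request body
MAX_PAGE_SIZE = 100          # assumed ceiling for a `limit=` query parameter


def check_request(limiter: SlidingWindowLimiter, client_key: str, body: bytes,
                  requested_page_size: int, now: Optional[float] = None) -> Optional[str]:
    """Return a rejection reason, or None if the request may proceed.
    Cheap size checks run first so oversized requests never consume a rate-limit slot."""
    if len(body) > MAX_BODY_BYTES:
        return "413 Payload Too Large"
    if requested_page_size > MAX_PAGE_SIZE:
        return "400 page size exceeds maximum"
    if not limiter.allow(client_key, now):
        return "429 Too Many Requests"
    return None
```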
Broken Function-Level Authorization
Authorization flaws often result from overly complex access control policies, or from having no clear separation between regular and administrative functions. Attackers exploit these flaws to gain access to other users’ resources or to perform administrative functions.
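The following added example (written for this page, not Edgescan’s code or a customer’s) covers both the Broken Object-Level Authorization item above and this Broken Function-Level Authorization item, since the fix for each is a check in the same place: the vulnerable handlers use the client-supplied identifier or reach the administrative function with no authorization check, and the hardened handlers verify ownership per object and enforce the admin role per function. The data model, roles and store are assumptions.

```python
import functools
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


class Forbidden(Exception):
    """Authenticated caller lacks the right to perform this function (HTTP 403)."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str] = frozenset()


@dataclass
class Order:
    order_id: int
    owner_id: str
    total_cents: int


# Constructed sample data standing in for the API's database.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", 4_999),
    1002: Order(1002, "bob", 12_000),
}


def get_order_vulnerable(caller: Principal, order_id: int) -> Order:
    """BOLA: the client-supplied id is used directly, with no ownership check.
    Bob reads Alice's order by changing 1002 to 1001 in the URL."""
    return ORDERS[order_id]


def get_order(caller: Principal, order_id: int) -> Order:
    """Object-level check: the record must belong to the caller (or the caller is an admin).
    'Missing' and 'not yours' both raise KeyError so the API answers 404 for either and
    does not confirm which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or (order.owner_id != caller.user_id and "admin" not in caller.roles):
        raise KeyError(order_id)
    return order


def require_role(role: str) -> Callable:
    """Function-level check applied uniformly by a decorator, instead of ad hoc per handler."""
    def decorator(fn: Callable) -> Callable:
        @functools.wraps(fn)
        def wrapper(caller: Principal, *args, **kwargs):
            if role not in caller.roles:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(caller, *args, **kwargs)
        return wrapper
    return decorator


def delete_user_vulnerable(caller: Principal, target_user_id: str, users: Dict[str, dict]) -> None:
    """BFLA: an administrative function that any authenticated caller can reach."""
    users.pop(target_user_id, None)


@require_role("admin")
def delete_user(caller: Principal, target_user_id: str, users: Dict[str, dict]) -> None:
    """Same operation, reachable only by callers holding the admin role."""
    users.pop(target_user_id, None)
```

When testing, the object-level case is exercised by swapping identifiers between two accounts you control; the function-level case by calling administrative routes with an ordinary user’s credentials.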
Mass Assignment
Mass assignment results from binding client-provided data (e.g. JSON) to a data model without filtering the properties against an allowlist. Attackers can discover modifiable object properties in a number of ways: by exploring API endpoints, reading the documentation, guessing property names, or supplying additional properties in request payloads.
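One added example (written for this page, not Edgescan’s code) serves both the Excessive Data Exposure item above and this Mass Assignment item, because both are fixed by the same server-side allowlist applied in opposite directions: one for the properties a response may contain, one for the properties a request may set. The record, field names and allowlists are assumptions.

```python
from typing import Any, Dict

class BadRequest(Exception):
    """Client payload names properties it is not allowed to set (HTTP 400)."""

# Constructed sample record, as it would come back from the database.
USER_RECORD: Dict[str, Any] = {
    "id": 42,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "<argon2id hash placeholder>",
    "is_admin": False,
    "credit_balance_cents": 1500,
    "mfa_secret": "JBSWY3DPEHPK3PXP",
}

# What the API contract lets a client read, and what it lets a client write. Everything else stays server-side.
PUBLIC_FIELDS = ("id", "username", "email", "credit_balance_cents")
WRITABLE_FIELDS = ("username", "email")


def serialize_user_vulnerable(record: Dict[str, Any]) -> Dict[str, Any]:
    """Excessive data exposure: returns the whole row and trusts the UI to hide the rest."""
    return dict(record)


def serialize_user(record: Dict[str, Any]) -> Dict[str, Any]:
    """Server-side filtering: only allowlisted fields ever leave the server."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def update_user_vulnerable(record: Dict[str, Any], payload: Dict[str, Any]) -> Dict[str, Any]:
    """Mass assignment: binds every client-supplied property onto the model,
    so {"is_admin": true} in the body becomes a privilege escalation."""
    updated = dict(record)
    updated.update(payload)
    return updated


def update_user(record: Dict[str, Any], payload: Dict[str, Any]) -> Dict[str, Any]:
    """Bind only allowlisted properties, and reject rather than silently drop anything else
    so that probing for hidden properties is visible in logs."""
    unexpected = set(payload) - set(WRITABLE_FIELDS)
    if unexpected:
        raise BadRequest(f"properties not writable: {sorted(unexpected)}")
    updated = dict(record)
    for k in WRITABLE_FIELDS:
        if k in payload:
            updated[k] = payload[k]
    return updated
```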
Security Misconfiguration
Security misconfiguration often results from insecure default configurations, ad hoc or incomplete configurations, misconfigured HTTP headers or unnecessary HTTP methods, insufficiently restrictive Cross-Origin Resource Sharing (CORS), open cloud storage, or error messages that contain sensitive information.
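Of the misconfigurations listed, CORS is the one most often got wrong in API code itself, so here is an added example (written for this page, not Edgescan’s code) of the three states a tester meets: a server that reflects any Origin with credentials, the common half-fix of a suffix match that an attacker-registered domain still satisfies, and an exact allowlist. The origins are assumptions.

```python
from typing import Dict, Optional

# Assumed set of first-party web origins permitted to make credentialed cross-origin calls.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_headers_vulnerable(origin: Optional[str]) -> Dict[str, str]:
    """Reflects any Origin with credentials allowed: every site on the web can read
    authenticated responses out of a logged-in victim's browser."""
    return {"Access-Control-Allow-Origin": origin or "*", "Access-Control-Allow-Credentials": "true"}


def cors_headers_suffix_match(origin: Optional[str]) -> Dict[str, str]:
    """Common half-fix: a suffix test. 'https://evilexample.com' still passes,
    and so does any attacker-controlled host whose name ends in the suffix."""
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Exact match against an allowlist. No CORS headers at all for unknown origins, the
    literal 'null' origin (sandboxed iframes, file://) or a missing Origin header;
    Vary: Origin stops a shared cache serving one origin's response to another."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```

A quick manual check against a live API is to send a request with an arbitrary Origin header and see whether that value comes back in Access-Control-Allow-Origin alongside Access-Control-Allow-Credentials: true.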
Injection
Injection flaws (including SQL injection, NoSQL injection, and command injection) occur when untrusted data is sent to an interpreter as part of a command or query. Attackers can craft that data to trick the interpreter into executing unintended commands, or to access data without the necessary authorization.
API Discovery
How it Works
Download our one page Edgescan API Discovery document to understand how it works.
Benefits for Edgescan Customers

Identifies the APIs present on each host in your external estate. Discovers APIs across your IP/CIDR ranges using multi-layer API discovery technology, finds rogue or unknown APIs across your estate, and alerts you to new discoveries.

API Discovery provides an understanding of the API topology within an estate.
API Vulnerability Scanning detects security vulnerabilities accurately and keeps pace with change.
API Penetration Testing provides a manual penetration test of an organization’s business-critical APIs.

Consumes OpenAPI/Swagger/GraphQL descriptor files to map out the entire API, so that every operation receives a rigorous assessment. As your development team changes the API over time, Edgescan detects the change and maintains security coverage.
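To show what consuming a descriptor file gives a tester, here is an added example (written for this page; it is not Edgescan’s ingestion engine) that walks a small constructed OpenAPI 3 document, enumerates every method and path, and resolves whether each operation requires authentication, since an operation-level `security` entry overrides the document-level default and an empty list means anonymous access. The spec content and the set of ignored paths are assumptions.

```python
import json
from typing import List, Tuple

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed OpenAPI 3 document for the example; not a real customer descriptor.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Orders API", "version": "1.0"},
  "security": [{"bearerAuth": []}],
  "paths": {
    "/orders/{orderId}": {
      "parameters": [{"name": "orderId", "in": "path", "required": true, "schema": {"type": "integer"}}],
      "get": {"summary": "Fetch an order"},
      "delete": {"summary": "Delete an order", "security": [{"bearerAuth": []}]}
    },
    "/admin/export": {
      "get": {"summary": "Dump all orders", "security": []}
    },
    "/health": {
      "get": {"summary": "Liveness probe", "security": []}
    }
  }
}
""")


def enumerate_operations(spec: dict) -> List[Tuple[str, str, bool]]:
    """Return (METHOD, path, requires_auth) for every operation in the document.
    Per OpenAPI semantics, a top-level `security` applies to all operations unless an
    operation declares its own; an operation-level `security: []` disables it."""
    default_secured = bool(spec.get("security"))
    ops: List[Tuple[str, str, bool]] = []
    for path, item in sorted(spec.get("paths", {}).items()):
        for method in HTTP_METHODS:
            if method not in item:
                continue  # skips path-level keys such as "parameters" and "summary"
            op = item[method]
            secured = bool(op["security"]) if "security" in op else default_secured
            ops.append((method.upper(), path, secured))
    return ops


def unauthenticated_operations(spec: dict, ignore_paths: Tuple[str, ...] = ("/health",)) -> List[Tuple[str, str]]:
    """Operations reachable without credentials, minus paths that are expected to be public."""
    return [(m, p) for m, p, secured in enumerate_operations(spec)
            if not secured and p not in ignore_paths]
```

Run over a real descriptor, the unauthenticated list is the first thing to compare against what the team believes is public; an administrative export with `security: []` is exactly the kind of finding a web UI scan never reaches.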

Easily tests headless API deployments, because not all API endpoints are reachable through a web UI or covered during a web application penetration test.

Continuous monitoring and defense against botnets and advanced threats, including DDoS. Tests run include: common API routes, API descriptor files (Swagger/WADL), SOAP protocol detection, JSON/XML response analysis, API endpoint metadata, API routes in HTTP attributes, cookie-based API indicators, etc.

Discovers hidden and shadow APIs across any cloud provider, including Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), or any external network.

The Edgescan platform is SaaS-based, so there is no software to deploy and your team can start using it quickly.
Our Solution
No Limits:
Scan on demand as often as you need. Scans can be invoked via API for DevOps environments or via the Edgescan portal.
Edgescan API Security Testing:
Combines technical and logical security testing, all of which is validated & supported by experts.
Coverage and Depth:
Edgescan technology uses bespoke scanning engines to provide optimal coverage of the API, since API vulnerabilities can differ from typical web application issues.
Intelligent Assessment:
Edgescan API assessments also cover the logical controls associated with the API; items such as authorization, request flooding, parameter manipulation and attribute injection are tested to help ensure a strong security posture.