API Security Testing
Rapid analysis.
Immediate risk triage.
Data Shows that API Risk is Increasing… Not Going Away
Deployment data from Edgescan customers shows a 320% rise in API vulnerabilities in 2022, a striking increase.
And to top it off, Gartner research indicates that API abuse will become the most frequent attack vector. Don’t let your company make a news headline. Time to get your security under control.
Know Your APIs. Scan Your APIs.
API security configuration assessment is not the same as traditional vulnerability scanning. The Edgescan API discovery engine combines multi-layer probing with asynchronous port scanning to identify, and then continuously monitor, changes on the network. It automatically discovers active API endpoints across your entire attack surface and profiles each endpoint it finds.
API Data Sheet
In-depth Approach to Securing APIs
Complete cloud coverage
Discover hidden and rogue APIs across your cloud providers including AWS, Microsoft Azure, GCP, VMware NSX, and Cisco ACI.
API discovery sends specialised probing traffic to each endpoint and evaluates the responses. This multi-layered approach produces a confidence score indicating whether an API is actually present at that endpoint.
Securing APIs is as easy as
one, two, three.
1. API Discovery
Identify known and rogue APIs on each host across your IP/CIDR ranges using patented, multi-layer, production safe API probing technology.
2. API Vulnerability Scanning
Detects security vulnerabilities accurately and continuously, keeping pace with an ever-changing IT landscape.
3. API Penetration Testing
A manual penetration test is conducted on every business-critical API.
Key Benefits of API Security Testing

API discovery across your global ecosystem
Identify known and rogue APIs on each host across your IP/CIDR ranges using patented, multi-layer, production safe API probing technology.

Accurately monitor & track changes
Map out entire APIs to ensure a rigorous assessment and detect changes by consuming OpenAPI/Swagger/ GraphQL files.

Proactive & continuous API protection
Establish continuous monitoring and defense against botnets, advanced threats, and DDoS, with on-demand and real-time alerts.

Complete cloud coverage
Discover hidden and rogue APIs across your cloud providers including AWS, Microsoft Azure, GCP, VMware NSX, and Cisco ACI.
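The "Accurately monitor & track changes" benefit above relies on consuming API description files. The following is an added example, not Edgescan's code, of the basic operation behind it: inventory every operation in an OpenAPI 3 document, flag operations that declare no security requirement, and diff two versions of the document to surface new or removed endpoints. The two specs are constructed and deliberately minimal; GraphQL schemas are not handled here.

```python
"""Inventory an OpenAPI 3 document and diff two versions of it.

Added example (not Edgescan code). OLD_SPEC and NEW_SPEC are constructed
stand-ins for the files a scanner would consume.
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

OLD_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/users/{id}": {"get": {"summary": "Fetch a user"}},
    "/orders": {
      "get": {"summary": "List orders"},
      "post": {"summary": "Create an order"}
    }
  }
}
""")

NEW_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/users/{id}": {"get": {"summary": "Fetch a user"}},
    "/orders": {
      "parameters": [{"name": "page", "in": "query"}],
      "get": {"summary": "List orders"}
    },
    "/admin/export": {
      "get": {"summary": "Dump all orders", "security": []}
    }
  }
}
""")


def enumerate_operations(spec):
    """Return {(METHOD, path): has_auth} for every operation in the document.

    An operation counts as authenticated when it, or the document-level
    `security` field, lists at least one requirement. An explicit empty list
    on the operation (`"security": []`) switches the global requirement off,
    which is exactly the kind of rogue, unauthenticated endpoint worth flagging.
    """
    global_auth = bool(spec.get("security"))
    ops = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # path-level keys such as "parameters" or "summary"
            has_auth = bool(op["security"]) if "security" in op else global_auth
            ops[(method.upper(), path)] = has_auth
    return ops


def diff_specs(old_spec, new_spec):
    """Report operations added, removed, and unauthenticated in the new version."""
    old, new = enumerate_operations(old_spec), enumerate_operations(new_spec)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "unauthenticated": sorted(k for k, auth in new.items() if not auth),
    }


if __name__ == "__main__":
    print(json.dumps(diff_specs(OLD_SPEC, NEW_SPEC), indent=2))
```

Running the block reports `GET /admin/export` as both newly added and unauthenticated, and `POST /orders` as removed; in practice the old document is the last snapshot the scanner stored, and the new one is fetched from the API's published schema on each run.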
High Risk API Vulnerabilities Discovered by Edgescan
Broken Object-Level Authorization
APIs often expose endpoints that handle object identifiers. Any function that accepts user input and uses it to look up a record in a data source can introduce an object-level access control flaw, widening the attack surface. Object-level authorization checks should be carried out in every such function.
Broken User Authentication
Attackers often take advantage of incorrectly applied authentication mechanisms. They may compromise an authentication token or exploit flaws in implementation to pose as another user, either on a one-time basis or permanently. If the system’s ability to identify the client/user is compromised, so is the overall API’s security.
Excessive Data Exposure
Developers often rely on the client side to filter data before displaying it to the user. This can create serious security issues: data must always be filtered on the server side, and only the information the client actually needs should be sent to it.
Lack of Resources and Rate Limiting
APIs often do not restrict the number or size of resources that a client or user can request. This can degrade the performance of the API server, resulting in Denial of Service (DoS), and it leaves authentication endpoints open to brute-force attacks.
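An added example (not Edgescan code) of the two controls the paragraph above calls for: a per-client token bucket that throttles repeated calls such as login attempts, plus caps on request body size and on the number of records a single call may ask for. The limits and client identifiers are assumed values, and the clock is injectable so the behaviour can be checked deterministically.

```python
"""Per-client token-bucket rate limiting and request-size limits.

Added example, not Edgescan code. State is kept in memory; a real
deployment would share it across instances (for example in Redis).
"""
import time

MAX_BODY_BYTES = 16 * 1024   # assumed cap for a login request body
MAX_PAGE_SIZE = 100          # assumed cap on records returned per call
DEFAULT_PAGE_SIZE = 20       # assumed default when ?limit= is missing or invalid


class ManualClock:
    """Deterministic clock for demos and tests; production uses time.monotonic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TokenBucket:
    """Each client starts with `capacity` tokens, refilled at `refill_per_second`."""

    def __init__(self, capacity, refill_per_second, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill = float(refill_per_second)
        self.clock = clock
        self._state = {}  # client_id -> (tokens, timestamp of last refill)

    def allow(self, client_id, cost=1.0):
        now = self.clock()
        tokens, last = self._state.get(client_id, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= cost:
            self._state[client_id] = (tokens - cost, now)
            return True
        self._state[client_id] = (tokens, now)
        return False


def clamp_page_size(requested):
    """Bound ?limit= so one call cannot pull an unbounded result set."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return DEFAULT_PAGE_SIZE
    return max(1, min(n, MAX_PAGE_SIZE))


def handle_login(limiter, client_id, body):
    """Return an HTTP status: 413 for an oversized body, 429 when the client
    has exhausted its tokens, otherwise 200 (credential checking omitted)."""
    if len(body) > MAX_BODY_BYTES:
        return 413
    if not limiter.allow(client_id):
        return 429
    return 200


if __name__ == "__main__":
    clock = ManualClock()
    limiter = TokenBucket(capacity=5, refill_per_second=1, clock=clock)
    print([handle_login(limiter, "10.0.0.9", b"user=alice&pass=x") for _ in range(6)])
```

With capacity 5 and a refill of one token per second, the sixth login attempt from the same client in the same second is rejected with 429; after two seconds two more attempts are admitted and the third is rejected again. Keying the bucket on the authenticated account or API key, rather than only the source address, stops a distributed brute-force from dodging the limit.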
Broken Function-Level Authorization
Authorization flaws often result from overly complex access control policies, or if there is no clear separation between regular and administrative functions. Attackers can exploit these vulnerabilities to gain access to a user’s resources or perform administrative functions.
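The two authorization weaknesses described above, Broken Object-Level Authorization and Broken Function-Level Authorization, are shown side by side in the following added example (not Edgescan code). The invoice data, roles and the `Forbidden` error are constructed for illustration: the vulnerable handlers trust an identifier from the URL or expose an administrative function to any authenticated caller, and the hardened versions check object ownership and role before acting.

```python
"""Object-level (BOLA) and function-level (BFLA) authorization checks.

Added example, not Edgescan code. Data, roles and the error type are
constructed for illustration.
"""
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # assumed roles: "user" or "admin"


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


# Constructed sample data: invoice id -> record. The owner is the authorization key.
INVOICES = {
    "1001": {"owner": "alice", "total": 120.00},
    "1002": {"owner": "bob", "total": 75.50},
}


def get_invoice_vulnerable(principal, invoice_id):
    """BOLA: the caller is authenticated, but the id from the URL is used as-is,
    so any user can walk /invoices/1001, /invoices/1002, ... and read them all."""
    return INVOICES[invoice_id]


def get_invoice(principal, invoice_id):
    """Object-level check: the record must belong to the caller (admins excepted)."""
    invoice = INVOICES.get(invoice_id)
    not_owner = invoice is not None and invoice["owner"] != principal.user_id
    if invoice is None or (not_owner and principal.role != "admin"):
        # Same error for "missing" and "not yours", so valid ids cannot be enumerated.
        raise Forbidden("invoice not found")
    return invoice


def require_role(role):
    """Function-level check applied to every administrative operation."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(principal, *args, **kwargs):
            if principal.role != role:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorator


def export_all_invoices_vulnerable(principal):
    """BFLA: an admin-only function reachable by any authenticated user,
    typically because the route was 'hidden' rather than protected."""
    return dict(INVOICES)


@require_role("admin")
def export_all_invoices(principal):
    return dict(INVOICES)


def is_denied(fn, *args):
    """True if calling fn(*args) raises Forbidden (helper for checks and tests)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    bob = Principal("bob", "user")
    print("vulnerable: bob reads alice's invoice ->", get_invoice_vulnerable(bob, "1001"))
    print("hardened: bob denied ->", is_denied(get_invoice, bob, "1001"))
    print("hardened: bob denied export ->", is_denied(export_all_invoices, bob))
```

A tester exercises BOLA by swapping one user's object id into another user's session and BFLA by calling administrative routes with a low-privilege token; in both cases the hardened code answers with the same denial, and the role check lives in a decorator so no administrative function can be added without it.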
Mass Assignment
Mass assignment typically results from binding client-provided data (e.g. JSON) directly to a data model without filtering its properties against an allowlist. Attackers can work out which object properties to modify in a number of ways: exploring API endpoints, reading the documentation, guessing property names, or supplying additional properties in request payloads.
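Excessive Data Exposure and Mass Assignment are mirror images of the same mistake: no server-side allowlist on the way out, and none on the way in. The following added example (not Edgescan code) serves both passages. The user record and the two field lists are constructed; the vulnerable functions return the whole row and bind every client key, while the hardened ones emit only named fields and reject any property outside the writable set.

```python
"""Server-side field allowlists: one for what leaves the API (data exposure),
one for what the client may set (mass assignment).

Added example, not Edgescan code; the record and field lists are constructed.
"""

# Constructed user record as stored. Most of it belongs in no response.
USER_RECORD = {
    "id": 42,
    "email": "alice@example.com",
    "display_name": "Alice",
    "password_hash": "$2b$12$constructed-hash-value",
    "is_admin": False,
    "api_key": "sk_constructed_0000",
}

PUBLIC_FIELDS = ("id", "display_name")        # what any caller may see
WRITABLE_FIELDS = ("display_name", "email")   # what the owner may change


class RejectedFields(ValueError):
    """Raised when a request carries properties the client may not set."""


def serialize_vulnerable(record):
    """Excessive data exposure: the whole row goes out; the UI is trusted to hide the rest."""
    return dict(record)


def serialize(record, fields=PUBLIC_FIELDS):
    """Response allowlist: only named fields are emitted, so a column added
    later (say, a phone number) stays hidden until someone opts it in."""
    return {name: record[name] for name in fields if name in record}


def update_vulnerable(record, payload):
    """Mass assignment: every client-supplied key is bound onto the model,
    so {"is_admin": true} in the JSON body becomes a privilege escalation."""
    updated = dict(record)
    updated.update(payload)
    return updated


def rejected_keys(payload, writable=WRITABLE_FIELDS):
    """Properties in the payload that are outside the writable allowlist."""
    return sorted(set(payload) - set(writable))


def update(record, payload, writable=WRITABLE_FIELDS):
    """Binding allowlist. Unknown or protected properties are rejected rather
    than silently dropped, so a tester probing for `is_admin` gets a visible 4xx."""
    extra = rejected_keys(payload, writable)
    if extra:
        raise RejectedFields(f"not writable: {extra}")
    updated = dict(record)
    for name in writable:
        if name in payload:
            updated[name] = payload[name]
    return updated


if __name__ == "__main__":
    probe = {"display_name": "Eve", "is_admin": True}
    print("vulnerable update grants admin:", update_vulnerable(USER_RECORD, probe)["is_admin"])
    print("hardened update rejects:", rejected_keys(probe))
    print("public view:", serialize(USER_RECORD))
```

Rejecting rather than ignoring unexpected properties is a deliberate choice: silently dropping them hides the probing from logs and from the tester, whereas a 400 with the offending names makes the attempt visible and keeps the allowlist honest.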
Security Misconfiguration
Security misconfiguration often results from insecure default configurations, ad-hoc or incomplete configurations, misconfigured HTTP headers or unnecessary HTTP methods, insufficiently restrictive Cross-Origin Resource Sharing (CORS), open cloud storage, or error messages that contain sensitive information.
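Of the misconfigurations listed above, a permissive CORS policy is the one most often found on APIs, because it is set with one line and its effect is only visible from a browser on another origin. The following added example (not Edgescan code) shows two common broken origin checks beside an exact-match allowlist; the origins are constructed.

```python
"""Validating the Origin of a cross-origin request: two common
misconfigurations beside an exact-match allowlist.

Added example, not Edgescan code; the allowed origins are constructed.
"""

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_reflect(origin):
    """Misconfiguration 1: reflect whatever Origin arrived and allow credentials.
    Any site can then read authenticated responses from this API in the
    victim's browser, which is equivalent to having no same-origin policy."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_suffix(origin):
    """Misconfiguration 2: suffix matching. 'https://evilexample.com' ends in
    'example.com' and passes, so an attacker simply registers such a domain."""
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers(origin):
    """Exact-match allowlist. Unknown origins and the literal 'null' origin
    (sandboxed iframes, file:// pages) get no CORS headers at all.
    Vary: Origin stops a cache from serving one origin's headers to another."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def grants_credentialed_access(headers, origin):
    """True when the response lets `origin` make credentialed cross-origin reads."""
    return (headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    evil = "https://evilexample.com"
    for name, policy in (("reflect", cors_headers_reflect),
                         ("suffix", cors_headers_suffix),
                         ("allowlist", cors_headers)):
        print(f"{name:9s} grants {evil}:", grants_credentialed_access(policy(evil), evil))
```

A scanner tests this by sending requests with an attacker-controlled `Origin` and a `null` `Origin` and checking whether the response echoes it alongside `Access-Control-Allow-Credentials: true`; the allowlist version answers neither.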
Injection
Injection flaws (including SQL injection, NoSQL injection, and command injection) occur when untrusted data is sent to an interpreter as part of a command or query. Attackers can craft that data to trick the interpreter into executing unintended commands or into returning data the attacker is not authorized to access.
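The following added example (not Edgescan code) makes the injection paragraph concrete with an in-memory SQLite table: a lookup that builds its SQL by string formatting beside the same lookup as a parameterized query, plus the type check that blocks the most common NoSQL variant, where a JSON body smuggles a query operator in place of a string. The table, rows and payload are constructed.

```python
"""String-built SQL beside a parameterized query, and a type check against
NoSQL operator injection.

Added example, not Edgescan code; the table and rows are constructed in memory.
"""
import sqlite3

# Constructed: closes the string literal, then appends a tautology.
SQLI_PAYLOAD = "' OR '1'='1"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Untrusted input is concatenated into the statement text, so a quote
    in the value rewrites the WHERE clause:
    ... WHERE username = '' OR '1'='1'  -> every row."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user(conn, username):
    """Parameterized query: the value travels separately from the statement
    and is only ever compared as data, so the payload matches nothing."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_scalar_string(value):
    """Document stores accept operators inside filters, so a JSON body such as
    {"username": {"$ne": ""}} matches every record. Reject anything that is
    not a plain string before it reaches the query builder."""
    return isinstance(value, str)


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", find_user_vulnerable(conn, SQLI_PAYLOAD))
    print("parameterized:", find_user(conn, SQLI_PAYLOAD))
    print("operator object accepted as username:", is_scalar_string({"$ne": ""}))
```

The vulnerable lookup returns both rows for the payload, the parameterized one returns none, and the type check refuses the operator object a NoSQL injection depends on. Parameterization is the fix for SQL; for document databases, schema validation of the request body (string where a string is expected) is the equivalent control.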