API Security Testing Based on Schema: Highs and Lows

Introduction

As web applications become increasingly complex and connected, API security has emerged as a critical component of the overall application security landscape.

In this HackerNoon long read, we will delve into the world of API security testing, with a focus on Swagger, a popular and widely used API documentation and management tool.

We will start by discussing stateful and stateless architectures and their relevance to API security, followed by an exploration of the limitations of Swagger when it comes to testing the business logic flow.

We will then highlight some of the key drawbacks of testing with Swagger and provide code examples to illustrate the points discussed. Let's begin with an overview of stateful and stateless systems and their implications on API security testing.

Stateful vs. Stateless Architectures

In the context of web services, stateful and stateless are terms that describe how a server maintains information about clients during a session.

Stateful architectures store client information on the server side between requests. This means that when a client sends a request, the server has access to the client's previous interactions and can tailor its response accordingly.

The main advantage of stateful architectures is that they enable personalized experiences for each client. However, they can be more resource-intensive and complex to scale.

Stateless architectures, on the other hand, do not store client information between requests. Each request is treated independently, and the server relies solely on the data provided within the request to generate a response.

Stateless systems are generally easier to scale and require fewer resources. However, they lack the ability to provide personalized experiences based on prior interactions.

Understanding the Business Logic Flow and Swagger's Limitations

One of the core challenges in API security testing is understanding the business logic flow of an application. Business logic refers to the rules and processes that dictate how an application should behave.

In an API, business logic is often implemented through a series of request and response interactions between clients and servers.

Unfortunately, Swagger is not designed to automatically capture or infer the business logic flow of an application.

Swagger is primarily a documentation and management tool, which means it can describe the structure and parameters of an API but is limited when it comes to assessing the security implications of the underlying business logic.

Limitations of Testing With Swagger

Despite its popularity and widespread adoption, Swagger has several limitations when it comes to security testing. Some of these limitations include:

Inability to Test the Business Logic Flow

As mentioned earlier, Swagger does not have the capability to automatically understand or test the business logic flow of an API.

This limitation means that, while Swagger can help identify potential security issues in the API's structure and parameters, it cannot assess vulnerabilities stemming from the business logic itself.

Code Example

Let's consider a simple banking API that allows users to transfer funds between accounts. The API might expose endpoints like /accounts/{accountId}/transfer and accept a POST request with parameters such as destinationAccountId and amount.

  /accounts/{accountId}/transfer:
    post:
      summary: Transfer funds between accounts
      operationId: transferFunds
      parameters:
        - name: accountId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                destinationAccountId:
                  type: string
                amount:
                  type: number

Swagger can generate documentation for this API and validate the structure of the request and response objects. However, it cannot detect if there are security issues in the business logic, such as insufficient authorization checks or the ability to transfer funds between other users' accounts.

Limited Support for Testing Non-Standard Security Mechanisms

Swagger relies on the OpenAPI Specification (OAS) to describe APIs, which includes support for common security mechanisms such as OAuth2, API keys, and HTTP Basic authentication.

However, if an API employs non-standard or custom security mechanisms, Swagger may not be able to effectively test for security vulnerabilities.

Code Example

Consider an API that uses a custom token-based authentication mechanism where the client must provide a valid token in the X-Custom-Token header.

codesecuritySchemes:
  customToken:
    type: apiKey
    in: header
    name: X-Custom-Token

While Swagger can document this custom security mechanism, its testing capabilities may be limited when it comes to evaluating the implementation's robustness or identifying potential vulnerabilities in the custom token handling logic.

Inability to Perform Dynamic Testing

Swagger is primarily a static analysis tool, meaning it examines the API definition without actually executing the underlying code.

As a result, Swagger cannot perform dynamic security testing, which involves sending crafted inputs to the API to observe its behavior and identify potential vulnerabilities at runtime.

Code Example

In the banking API example discussed earlier, a dynamic security testing tool might send various input combinations to the /accounts/{accountId}/transfer endpoint to identify vulnerabilities such as SQL injection or improper input validation.

{
  "destinationAccountId": "123'; DROP TABLE accounts;",
  "amount": 100
}

However, Swagger cannot execute this type of dynamic testing and is limited to analyzing the static API definition.

Conclusion

Swagger is a valuable tool for API documentation and management. However, due to its inherent limitations, it is not well-suited for security testing, particularly when it comes to assessing vulnerabilities in an API's business logic.

The Swagger/OpenAPI schema only describes the structure and parameters of an API but lacks information on the business logic flow, making it incapable of testing for business logic vulnerabilities.

To ensure comprehensive coverage of potential vulnerabilities, it is essential to complement Swagger/OpenAPI-based testing with additional in-depth security testing tools and methodologies that can address its limitations and incorporate the necessary business logic flow information.

One such approach is utilizing API security frameworks like Wallarm FAST. This tool allows for the configuration of business logic within the testing process, enabling it to test for attacks targeting the business logic of your API.

Wallarm FAST can also reuse existing integration tests, converting them into security tests while preserving the same business logic flows.

This capability ensures that your API security testing covers the full range of potential vulnerabilities, including those related to business logic.

In addition to using API security frameworks, integrating security testing into your development process through practices such as security-focused code reviews and adopting secure coding standards can help mitigate potential risks in your API implementations, including those stemming from business logic.

By combining Swagger/OpenAPI-based testing with advanced security testing tools like Wallarm FAST and integrating security-focused practices into your development process, you can achieve a robust and comprehensive API security testing strategy that effectively addresses potential vulnerabilities in your APIs.