Brandon Torio is a senior product marketing manager at Synack.
When I helped Synack launch its new API Pentesting product last year, I caught on to an internal narrative: The researchers of the Synack Red Team (SRT) were going to make our API Security product stand out. Before launching API pentesting, SRT researchers had already been getting their feet wet with a few beta customers.
Since the launch, it’s been exciting to see more SRT researchers level up their skills to meet the challenge of an increasing number of API assessments and find new vulnerabilities that matter to our customers. I’ve also heard from many SRT members that they consider APIs to be an increasingly important part of the attack surface for vulnerability discovery, with a few citing API testing as their new favorite kind of assessment at Synack.
Our API Pentesting gives customers a new way to have API endpoints checked for common and critical vulnerabilities, such as a subset of the OWASP API Top 10. The following are our three most common vulnerabilities so far:
#1 IDOR Read/Write Vulnerabilities
Coming in first, 20% of the API vulnerabilities found have been Insecure Direct Object Reference (IDOR) read/write vulnerabilities, which OWASP groups under the broader category of Broken Access Control.
IDOR read/write vulnerabilities involve users being able to access objects or functions directly. For example, imagine that your bank account is accessed via the following endpoint:
In this case, you may simply be able to change the ID number in the URL to access a different customer’s bank account information!
One common way to prevent this vulnerability is to use indirect references, where the value (in this case, a customer ID) is replaced with a cryptographically random substitute. This way, it is not easy for an attacker to guess or even brute-force the value of a different ID. Check out the OWASP IDOR prevention cheat sheet for more detail.
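To make the two defenses concrete, here is an added example (not code from the post or from Synack) with a constructed account store: a lookup that trusts the ID from the URL, the same lookup with the authorization check IDOR is missing, and an indirect-reference map that hides the real ID behind a random token while still applying that check.

```python
import secrets
from typing import Dict, Optional

# Constructed sample data standing in for the bank's account store (example only).
ACCOUNTS: Dict[int, dict] = {
    1001: {"owner": "alice", "balance": 2500.00},
    1002: {"owner": "bob", "balance": 120.50},
}


def get_account_vulnerable(account_id: int) -> Optional[dict]:
    """IDOR: trusts the ID taken from the URL and never asks who is requesting it."""
    return ACCOUNTS.get(account_id)


def get_account_checked(account_id: int, current_user: str) -> Optional[dict]:
    """Authorize the object against the authenticated user on every request."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != current_user:
        # Same answer for "missing" and "not yours", so responses do not reveal which IDs exist.
        return None
    return account


class IndirectReferenceMap:
    """The indirect-reference pattern: URLs carry a random token issued to the user,
    and the server resolves it back to the real account ID."""

    def __init__(self) -> None:
        self._token_to_id: Dict[str, int] = {}

    def issue(self, account_id: int) -> str:
        token = secrets.token_urlsafe(16)  # unguessable, so it cannot be counted up or brute-forced
        self._token_to_id[token] = account_id
        return token

    def resolve(self, token: str, current_user: str) -> Optional[dict]:
        account_id = self._token_to_id.get(token)
        if account_id is None:
            return None
        # Hiding the ID is not a substitute for the access check, so it is still applied.
        return get_account_checked(account_id, current_user)
```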
#2 Improper Input Filtering
Coming in second is improper input validation (or improper input filtering). This vulnerability involves dangerous manipulations of data that go unchecked, such as a transaction date or order quantity.
For example, consider a request to order a collectible item, where the website has limited your order to a quantity of 2 (something common for collectibles, to prevent scalpers buying and reselling stock). The HTTP request could be intercepted, and a variable could be changed to bypass the limit. Consider the following simple representation of that HTTP request:
POST /myfavoritestore.com/collectible/order
selectedQuantity=200
In this case, the web application GUI may only let you select a quantity of “1” or “2”, but by intercepting and changing the API request directly with a tool such as Burp Suite, you can bypass this limit on user input. To prevent this vulnerability, additional logic on the backend must check that the input is valid. That could mean checking the length of the input or, in this case, that the input is less than 3.
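An added example (not code from the post) of the backend check for the order request above: handle_order and parse_quantity are hypothetical names, the form body is the one shown in the post, and the validator rejects anything that is not a plain whole number in range instead of trusting the GUI's dropdown.

```python
from typing import Tuple
from urllib.parse import parse_qs

MAX_PER_ORDER = 2  # the per-order limit the store applies to this collectible


def parse_quantity(raw: str) -> int:
    """Strict server-side parse: only a plain ASCII decimal string is accepted.
    int() alone would also accept ' 2', '+2', '2_0' or non-ASCII digits, so the shape is
    checked first and anything else is rejected rather than coerced."""
    if not raw.isascii() or not raw.isdigit():
        raise ValueError("selectedQuantity must be a whole number")
    return int(raw)


def handle_order(form_body: str, max_per_order: int = MAX_PER_ORDER) -> Tuple[int, str]:
    """Returns (HTTP status, message) for the form-encoded body of the POST.
    The GUI's dropdown is irrelevant here: whatever the request actually carries is re-checked."""
    fields = parse_qs(form_body, keep_blank_values=True)
    values = fields.get("selectedQuantity", [])
    if len(values) != 1:  # missing or repeated parameter: reject instead of picking one
        return 400, "selectedQuantity must be supplied exactly once"
    try:
        quantity = parse_quantity(values[0])
    except ValueError as exc:
        return 400, str(exc)
    if not 1 <= quantity <= max_per_order:
        return 400, f"selectedQuantity must be between 1 and {max_per_order}"
    return 200, f"order accepted for {quantity} item(s)"
```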
#3 SQL injection
Injection turned out to be the second most common type of vulnerability found at Synack across all of our 2022 assessments, so it’s no surprise that it’s turning up in our new API assessments, too. Specifically, we’re seeing a lot of SQL injection.
Imagine an API endpoint that provides product descriptions:
This request causes the SQL server to look up the description with the matching ID, by executing the following SQL command:
SELECT * FROM products WHERE product_description_id = 21153
Now, imagine that you alter the request in the following way:
GET /api/products/product_description?id=21153; DROP TABLE users
The system will take the “;” to be the end of the previous command and execute the second, injected command, DROP TABLE users.
This would cause the system to delete the table of users, potentially causing an outage for the online store. There are many ways to prevent this type of SQL injection, including adding logic to every SQL call that prevents malicious queries from being injected.
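The two requests above, run against a constructed in-memory SQLite database as an added example (not code from the post): lookup_vulnerable concatenates the id into the query, and lookup_safe binds it as a parameter, which is the standard form of the "logic on every SQL call" the paragraph refers to. executescript is used only to mimic a driver that accepts stacked statements; table and column names are assumptions.

```python
import sqlite3
from typing import List, Tuple

ATTACK_ID = "21153; DROP TABLE users"  # the altered id= value from the request above


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the store's database (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (product_description_id INTEGER, description TEXT);
        CREATE TABLE users (id INTEGER, name TEXT);
        INSERT INTO products VALUES (21153, 'Limited edition figurine');
        INSERT INTO users VALUES (1, 'alice');
        """
    )
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> None:
    """Concatenates the untrusted id into the SQL text. executescript() mimics a driver that
    accepts stacked statements, so everything after the ';' runs as a second command."""
    sql = "SELECT * FROM products WHERE product_description_id = " + product_id
    conn.executescript(sql)


def lookup_safe(conn: sqlite3.Connection, product_id: str) -> List[Tuple[int, str]]:
    """Parameterized query: the SQL text is fixed and the value is bound separately, so the
    whole string '21153; DROP TABLE users' is compared as data and simply matches no row."""
    return conn.execute(
        "SELECT * FROM products WHERE product_description_id = ?", (product_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("safe lookup, normal id:", lookup_safe(db, "21153"))
    print("safe lookup, attack id:", lookup_safe(db, ATTACK_ID), "| users intact:", table_exists(db, "users"))
    lookup_vulnerable(db, ATTACK_ID)
    print("after vulnerable lookup, users intact:", table_exists(db, "users"))
```

Note that the vulnerable lookup still returns without an error, which is the behaviour the "Automated testing" section below describes: nothing in the HTTP response signals that a second statement ran.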
Automated testing doesn’t match up
These vulnerabilities represent Synack’s most common findings across our new API assessments so far. (Be sure to check out our State of Vulnerabilities report, which aggregates the most common findings across all of our assessments in 2022.) As APIs and their respective vulnerabilities continue to proliferate, we expect API tests to make up a larger part of our strategic pentesting and vulnerability findings next year.
Using automated testing does not guarantee that these vulnerabilities will be detected, as the pages would still return a valid response, rather than the error messages many automated tools are looking for. By leveraging our global researcher community, Synack is able to deliver peace of mind that your APIs are thoroughly pentested for any potential vulnerabilities.
In the meantime, stay tuned to our exploits explained series for breakdowns of real vulnerabilities found across all Synack tests. If you’re interested in receiving API testing, contact us today, or read more about our API pentests here.