13 December 2022

Don’t Let API Penetration Testing Fall Through the Cracks

Synack

API (application programming interface) cybersecurity isn’t as thorough as it needs to be. When it comes to pentesting, web APIs are often lumped in with web applications, despite 90% of web applications having a larger attack surface exposed via APIs than user interfaces, according to Gartner. However, that kind of testing doesn’t cover the full spectrum of APIs, potentially leaving vulnerabilities undiscovered. As APIs become both increasingly important and increasingly vulnerable, it’s more important than ever to keep your APIs secure.

APIs vs. Web Applications

APIs are how software programs talk to each other. APIs are interfaces that allow software programs to transmit data to other software programs. Integrating applications via APIs allows one piece of software to access and use the capabilities of another. In today’s increasingly connected digital world, it’s no surprise that APIs are becoming more and more prevalent.

When most people think of APIs, what they’re really thinking about are APIs  exposed via a web application UI, usually by means of an HTTP-based web server. A web application is any application program that is stored remotely and delivered via the internet through a browser interface. 

APIs, however, connect and power everything from mobile applications, to cloud-based services, to internal applications, partner platforms and more. An organization’s APIs may be more numerous than those that can be enumerated through browsing a web application.

Differences in Pentesting

Frequently, organizations that perform pentesting on their web applications assume that a clean bill of health for web applications means that their APIs are just as secure. Unfortunately, that isn’t the case. An effective API security testing strategy requires understanding the differences between web application testing and API security testing. 

Web application security mostly focuses on threats like injection attacks, cross-site scripting and buffer overflows. Meanwhile, API breaches typically occur through issues with authorization and authentication, which lets cyber attackers get access to business logic or data.

Web application pentesting isn’t sufficient for testing APIs. Web application testing usually only covers the API calls made by the application, though APIs have a much broader range of functioning than that.

To begin a web application pentest, you provide your pentesters with a list of and they test all of the fields associated with these URLs. Some of these fields will have APIs behind them, allowing them to communicate with something. If the pentesters find a vulnerability here, that’s an API vulnerability – and that kind of API vulnerability will be caught. However, any APIs that aren’t connected to a field won’t be tested.

Most organizations have more APIs than just the ones attached to web application fields. Any time an application needs to talk to another application or to a database, that’s an API that might still be vulnerable. While a web application pentest won’t be able to test these APIs, an API pentest will.

The Importance of API Pentesting

Unlike web applications, APIs have direct access to endpoints, and cyber attackers can manipulate the data that these endpoints accept. So, it’s important to make sure that your APIs are just as thoroughly tested as your web applications. By performing separate pentesting for APIs and web applications, you make sure that you have your attack surface covered.

Synack can help. To learn more about the importance of pentesting for APIs, read this white paper and visit our API security solution page.