Skip to main content

Learnings After 400 API Security Testing

 We recently launched EthicalCheck, a free and instant API security testing DAST (Dynamic Application Security Testing) web tool on GitHub. 


Here is the GitHub URL for the tool:

https://apisec-inc.github.io/pentest/


What kind of vulnerabilities does EthicalCheck find?

Most automated scanners would find vulnerabilities like SQL Injections, NoSQL Injections, XSS, etc. 

EthicalCheck performs different checks, including OAuth 2.0, JWT, BasicAuth, OWASP API #2, and broken authentication defects in web, mobile, and public-facing APIs.


How EthicalCheck work?

It requires two inputs: 

  1. API (OpenAPI Spec/Swagger) documentation URL.
  2. Email address for receiving security testing report










We only did a soft launch across a couple of developer forums in the past three months. We weren't hoping that we would get anywhere close to 400 tests.


Here are the stats:

Start Date: Feb 2022 - Apr 2022 (3 months)

Total APIs Tested: 400

Total APIs with Vulnerabilities: 164

Total APIs with 10+ Vulnerabilities: 16

Max vulnerabilities found in an API: 65

Total Vulnerabilities Found: 948

Total Bug Bounty Savings: 1,896,000 USD (Based on HackerOne's payout model)

Total API Penetration Test Savings: 343,000 USD (Based on avg penetration testing cost)

Percentage of APIs with Vulnerabilities: 47.9%




Conclusion:

On average, close to 50% of the tested public-facing APIs had security vulnerabilities. These vulnerabilities can easily be picked up by automated bots and hackers alike. Security breaches are expensive and can cost exponentially upwards of $8.64m to startups and large organizations alike.


Your public-facing mobile/web API has a close to 50% chance of having security vulnerabilities. You can instantly test your public-facing APIs for vulnerabilities:

https://apisec-inc.github.io/pentest/

Comments

Popular posts from this blog

What is DAST, and Why Should Developers Use It?

  DAST stands for Dynamic Application Security Testing. DAST is the process of testing web, mobile, and API applications to find vulnerabilities/security bugs through simulated attacks. DAST is the process of live testing an application either using an automated scanner or manual penetration testing practices. Most developers haven't heard about DAST scanners because they are primarily used by appsec and penetration testers. What kind of vulnerabilities does DAST find? Most automated scanners would find critical vulnerabilities like SQL Injections, NoSQL Injections, XSS, etc.  The hard-to-find vulnerabilities like logic bugs, authentication, and authorization flaws are usually done by ethical hackers, penetration testers, and AppSec engineers. The preferred approach is to write automated test cases that can be executed as part of CI/CD. Should developers care about DAST?  Yes, they should, since having any of the above critical vulnerabilities can lead to data breaches and punitive

Reuse JPA Entities as DTO

Note : Major design advantages of JPA Entities are they can detached and used across tiers and networks and later can by merged. Checkout this new way of querying entities in JPA 2.0 String ql = " SELECT new prepclass2.Employee (e.firstname, e.lastname) FROM Employee e "; List<Employee> dtos = em.createQuery(ql).getResultList(); The above query loads all Employee entities but with subset of data i.e. firstname, lastname. Employee entity looks like this. @Entity @Table(name="emp") public class Employee implements Serializable {     private static final long serialVersionUID = 1L;     @Id     @GeneratedValue(strategy = GenerationType.AUTO)     private Long id;     @Column     private String firstname;     @Column     private String lastname;     @Column     private String username;     @Column     private String street;     @Column     private String city;     @Column     private String state;     @Column     private String zipc