
Learnings After 400 API Security Tests

We recently launched EthicalCheck, a free DAST (Dynamic Application Security Testing) web tool for instant API security testing, hosted on GitHub.


Here is the GitHub URL for the tool:

https://apisec-inc.github.io/pentest/


What kind of vulnerabilities does EthicalCheck find?

Most automated scanners look for injection-style vulnerabilities such as SQL injection, NoSQL injection, XSS, etc.

EthicalCheck performs a different set of checks, covering OAuth 2.0, JWT, BasicAuth, OWASP API #2 (Broken User Authentication), and other broken authentication defects in web, mobile, and public-facing APIs.


How does EthicalCheck work?

It requires two inputs:

  1. API documentation URL (OpenAPI Spec/Swagger).
  2. Email address for receiving the security testing report.
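To make the two inputs above concrete, here is an added example (not EthicalCheck's own code, which this page does not publish) of the kind of authentication audit a tool can run once it has an OpenAPI document. EthicalCheck fetches the spec from the URL you supply and then exercises the live API; this example stays static and only reads the document, so the spec is a constructed sample embedded as a Python dict, and the names `SAMPLE_SPEC`, `audit_spec` and `effective_security` are hypothetical. It flags operations that carry no authentication requirement, operations where authentication is merely optional, references to undefined security schemes, Basic auth offered over a plain-http server URL, and API keys passed in the query string.

```python
"""Static audit of an OpenAPI 3 document for missing or weak authentication
requirements. Added illustration, not EthicalCheck's code; the spec below is a
constructed sample embedded so the check runs offline."""

from typing import Any, Dict, List, Tuple

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
STATE_CHANGING = ("post", "put", "patch", "delete")

Finding = Tuple[str, str, str, str]  # (METHOD, path, severity, message)

# Constructed sample OpenAPI 3.0 document for a hypothetical API (not from the page).
SAMPLE_SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "info": {"title": "Sample Orders API", "version": "1.0"},
    "servers": [{"url": "http://api.example.test"}],  # plain http, deliberately weak
    "components": {
        "securitySchemes": {
            "bearerJwt": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
            "basic": {"type": "http", "scheme": "basic"},
            "apiKeyQuery": {"type": "apiKey", "in": "query", "name": "key"},
        }
    },
    "security": [{"bearerJwt": []}],  # document-level default
    "paths": {
        "/orders": {
            "get": {"summary": "List orders"},  # inherits the default
            "post": {"summary": "Create order", "security": []},  # opted out of auth
        },
        "/orders/{id}": {
            "get": {"summary": "Fetch order", "security": [{"basic": []}]},
            "delete": {"summary": "Delete order", "security": [{"apiKeyQuery": []}]},
        },
        "/health": {"get": {"summary": "Liveness probe", "security": []}},
        "/me": {"get": {"summary": "Profile", "security": [{"bearerJwt": []}, {}]}},
    },
}


def effective_security(spec: Dict[str, Any], op: Dict[str, Any]) -> List[Dict[str, Any]]:
    """An operation-level `security` key replaces the document default;
    an empty list means the operation requires no authentication at all."""
    return op["security"] if "security" in op else spec.get("security", [])


def uses_plain_http(spec: Dict[str, Any]) -> bool:
    """True if any declared server URL is unencrypted http."""
    return any(str(s.get("url", "")).startswith("http://") for s in spec.get("servers", []))


def audit_spec(spec: Dict[str, Any]) -> List[Finding]:
    """Walk every operation and report missing or weak authentication."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    plain_http = uses_plain_http(spec)
    findings: List[Finding] = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            verb = method.upper()
            # Unauthenticated state-changing operations are the worst case.
            sev = "high" if method in STATE_CHANGING else "medium"
            reqs = effective_security(spec, op)
            if not reqs:
                findings.append((verb, path, sev, "no authentication requirement"))
                continue
            # A bare {} alternative means "or nothing": authentication is optional.
            if any(not req for req in reqs):
                findings.append((verb, path, sev, "authentication is optional (empty {} alternative)"))
            for req in reqs:
                for name in req:
                    scheme = schemes.get(name)
                    if scheme is None:
                        findings.append((verb, path, "high", f"undefined security scheme '{name}'"))
                    elif scheme.get("type") == "http" and scheme.get("scheme") == "basic" and plain_http:
                        findings.append((verb, path, "high", "Basic auth over a plain-http server URL"))
                    elif scheme.get("type") == "apiKey" and scheme.get("in") == "query":
                        findings.append((verb, path, "medium", f"API key '{scheme.get('name')}' in query string"))
    return findings


if __name__ == "__main__":
    for verb, path, sev, msg in audit_spec(SAMPLE_SPEC):
        print(f"[{sev:6}] {verb:6} {path:14} {msg}")
```

Against the sample, `GET /orders` is clean because it inherits the document-level JWT requirement, while the other four paths produce five findings. A static pass like this only tells you what the spec claims; a DAST tool such as EthicalCheck still has to confirm that the live API actually rejects requests lacking the declared credentials, which is where most broken authentication defects show up.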

We only did a soft launch across a couple of developer forums over the past three months, and we weren't expecting to get anywhere close to 400 tests.


Here are the stats:

Period: Feb 2022 - Apr 2022 (3 months)

Total APIs Tested: 400

Total APIs with Vulnerabilities: 164

Total APIs with 10+ Vulnerabilities: 16

Max vulnerabilities found in an API: 65

Total Vulnerabilities Found: 948

Total Bug Bounty Savings: 1,896,000 USD (Based on HackerOne's payout model)

Total API Penetration Test Savings: 343,000 USD (Based on avg penetration testing cost)

Percentage of APIs with Vulnerabilities: 47.9%

Conclusion:

Close to 50% of the tested public-facing APIs had security vulnerabilities. These vulnerabilities can easily be picked up by automated bots and hackers alike. Security breaches are expensive and can cost upwards of $8.64m to startups and large organizations alike.


Your public-facing mobile/web API has a close to 50% chance of having security vulnerabilities. You can instantly test your public-facing APIs for vulnerabilities:

https://apisec-inc.github.io/pentest/

Comments

UptimeMonster said…

EthicalCheck, a powerful DAST tool on GitHub, excels in uncovering diverse API vulnerabilities, from SQL injection to broken authentication. Its simplicity, needing just API documentation and an email, ensures easy and effective security testing. Read more: UptimeMonster
