API Security Masterclass Recap: Where Are All the APIs, Anyway?

In our last Traceable API Security Masterclass session, we explored the fascinating world of APIs—what they are, why developers love them, the different types available, and the significant challenges they pose to security. If you happened to miss the webinar, don’t worry; it’s available on demand.

Now, let’s quickly recap the highlights!

Developers love APIs for their standardized, reusable nature, which is usually built into a framework or library they’re currentlt using. APIs allow new products to easily scale, to launch on new platforms and integrate into third parties. There are many different types of APIs, and they are usually selected based on what a developer or product needs.

For example, IoT devices often implement RPC type APIs that focus on calling code, while RESTful APIs are commonly used for developer APIs that are made available to third parties due to their predictable nature and ease.  Webhooks allow for an API to react to events, while GraphQL implements a very different approach to API design, creation and management.

To make matters worse, each type of API presents a different challenge for security teams!

The Challenge of API Sprawl and Rapid Change

One of the biggest challenges in securing any API is the ever-present issue of API sprawl. APIs are ubiquitous and used throughout different industries for various tasks. API management and design are often developer-led, with developers choosing to add new endpoints without much governance control or pushback. While many of these decisions are made on the assumption that an API is internal only (development teams may not even write documentation explaining an endpoint, even internally), they could be publicly accessible.

Combined with the frequency of deployment, many security teams simply don’t know what APIs are accessible. Even if they have visibility, they may not fully understand how an API is being used. Further, should they be aware of a security issue, the codebase could be entirely different within 24 hours, rendering their knowledge obsolete. To add to these already challenging circumstances, API attacks aren’t easily distinguished from legitimate traffic, and relying on tools that simply block malicious attacks like Web Application Firewalls is not enough.

API Reconnaissance: Shedding Light on Your Attack Surface

So, where does that leave security teams? Well, one of the best starting points for any API security project is actually figuring out what APIs exist, how they’re being used, and whether they’re intended for public, internal, public-facing, or third-party access.

That’s where API reconnaissance comes in!

While specialized security tools like Traceable offer a range of detection techniques (including Traceable Sonar for black-box attack surface exploration, API gateway traffic monitoring, or eBPF utilization), not every security team will have access to these resources.

API Enumeration: Why It’s Not as Easy as It Seems

So, we’re starting from the outside – how do we locate APIs? The answer depends on the specific APIs we seek, but the most prevalent type is the RESTful API. RESTful APIs are readily identifiable due to their structure, which maps their endpoints to CRUD (Create, Read, Update, Delete) operations, with variations in resource names. This introduces our first challenge: API enumeration.

Why is API enumeration tricky? Here are four key reasons:

• Endpoints can be any word and are API-specific. A finance API might employ terms like “balance” and “transaction,” while an e-commerce site would use “orders” and “payments.” Both could have “customers.”
• RESTful APIs establish a standard, but adherence is inconsistent. A common deviation is the omission of PUT/DELETE HTTP verbs, instead using a URL postfix like “/delete/” or a parameter within the API request (e.g., “{ ‘_method’: ‘delete’ }”).
• API design varies across developers, even within the same team. Everyone has their stylistic preferences.
• Even if you pinpoint the endpoints, you still need to uncover all the associated parameters.

Mapping Your API Territory: Fuzzing, Exploration and Beyond

It’s not impossible, though! We can use fuzzing tools like FFUF or Burp Intruder along with a well-crafted wordlist. To start, we need to grasp how the API functions. Experimenting with the API’s interface to locate CRUD operations can reveal any developer-specific quirks. Once we have the ability to customize our API fuzzing, we need to identify existing resources. API-specific wordlists like those found in the /Discover/Web-Content/api wordlists in SecLists or TomNomNom’s method for creating custom wordlist methods can prove helpful.

However, the specificity of API wordlists means we might need to brainstorm our own or consult a dictionary or thesaurus. These wordlists remain relatively small, and even if they do identify resources, it’s likely only one or two out of a list of 200. Often, exploring the application itself for these resources is faster and more efficient. Use the reconnaissance process to uncover the remaining CRUD endpoints for a known resource.

Regardless of where and how you do your API recon or API discovery, once you have your attack surface, the next step is to actually attack it, which takes us to next month’s webinar!

Join us on episode 3 of the API security masterclass in March as we look at the OWASP API Top 10, we’ll cover every entry, what the vulnerability is, how the vulnerability works, what the signs of each vulnerability is and put together our testing plan. So join us in the live session on March 26th and if you missed this session and what to review it it’s now available on demand.

API Security Masterclass Ep.3: The New OWASP API Top 10, Explained

About Traceable

Traceable is the industry’s leading API Security company helping organizations achieve API visibility and attack protection in a cloud-first, API-driven world. Traceable is the only intelligent and context-aware solution that powers complete API security – API discovery and posture management, API security testing, attack detection and threat hunting, and attack protection anywhere your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring their customers. To learn more about how API security can help your business, book a demo with a security expert.