Detectify is expanding its web app fuzzing engine to scan public-facing APIs for vulnerabilities. Earlier in the year, we released a new fuzzing engine, and it was developed with API scanning in mind. In Fall 2021, we will roll out open beta testing.
Content from the video has been edited for this blog post.
What’s the fuzz about APIs?
APIs allow businesses to integrate their systems. Fredrik Nordberg Almroth explains, “You can have many different systems that can talk and interact, and that is how you develop modern web applications and mobile apps. You’re probably developing APIs yourself. We must look at APIs; that’s our natural progression.”
Building single-page applications or mobile apps? Then this is for you!
Modern single-page web applications (SPAs) and native applications running on mobile devices require APIs to function.
As Tom Hudson, Security Research Tech Lead at Detectify explains,
“you have the separation between the code that’s running in the web browser or on a mobile device, and the code that’s running on servers. The API is necessary for those two systems to integrate.”
What is Detectify’s approach to API fuzzing?
Every API is different, which makes a standardized approach to API security testing hard. Our approach is to take example usage of a customer’s API (real requests the application already makes) and modify those requests in ways that let us spot unique, previously unknown vulnerabilities.
The research team at Detectify looks at it in a different way than traditional web applications. Fredrik Nordberg Almroth, Sr Security Researcher and Co-founder, says,
“You don’t really have any client-side vulnerabilities, or you shouldn’t have them, in an API. Instead, there will be anomalies in how data is deserialized, and how data is passed between your public-facing API to microservices in your backend.”
The fuzzer will focus on server-side vulnerabilities
Almroth states that injection attacks are more prominent in APIs, and that is what led the team to the conclusion that the fuzzer needs to focus on server-side vulnerabilities.
“To find server-side vulnerabilities, it’s a pretty tough job. There is a discrepancy between how computers traditionally look for server-side vulnerabilities and how actual penetration tests versus security engineers are finding them.”
The new fuzzer will instrument the API and observe what works and what doesn’t, based on what it learns about each parameter (its type, format, and how the server reacts to changes). This lets the Detectify scanning engine try the vulnerability classes that actually fit each parameter rather than the same payloads everywhere.
✨The beta will scan REST APIs for:
▪️ Remote Code Execution (RCE)
▪️ Server-Side Request-Forgery (SSRF)
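The following is an added illustration of the request-mutation idea described above (take an example API call, classify its parameters, and generate type-aware probes whose responses are compared against a baseline). It is example code written for this post, not Detectify’s engine; the example request, the callback host `probe.example.net`, the probe values and the response signatures are all constructed assumptions. The SSRF probes only point a URL-typed parameter at a host the tester controls; confirming a finding still requires observing that the server actually made the request.

```python
import copy
import re
from urllib.parse import urlparse

# Constructed example of one legitimate API call, as a customer might capture
# it from their single-page app (assumption, not a real endpoint).
EXAMPLE_REQUEST = {
    "method": "POST",
    "url": "https://api.example.com/v1/reports",
    "query": {"locale": "en"},
    "body": {
        "title": "Q3 numbers",
        "source": "https://cdn.example.com/data/q3.csv",
        "limit": 25,
        "options": {"format": "pdf"},
    },
}

# Hypothetical host the fuzzer controls for out-of-band SSRF confirmation.
CALLBACK_HOST = "probe.example.net"

# Error text that suggests a probe reached server-side code it should not have.
ERROR_SIGNATURES = re.compile(
    r"(Traceback|Exception|syntax error|ECONNREFUSED|Internal Server Error)", re.I
)


def infer_type(value):
    """Classify a parameter value so probes match what the backend expects."""
    if isinstance(value, bool):          # bool is a subclass of int, check it first
        return "bool"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        parts = urlparse(value)
        if parts.scheme in ("http", "https") and parts.netloc:
            return "url"
        return "string"
    return "other"


def probes_for(ptype):
    """Type-aware probe templates; '{marker}' is replaced per mutation for correlation."""
    probes = []
    if ptype == "url":
        # SSRF: make the server fetch something we can observe or that is internal.
        probes.append(("ssrf", "http://" + CALLBACK_HOST + "/{marker}"))
        probes.append(("ssrf", "http://127.0.0.1/{marker}"))
    if ptype in ("url", "string"):
        # Injection: values that only misbehave if interpreted server-side.
        probes.append(("injection", "{marker}'\"`;"))
        probes.append(("injection", "$(echo {marker})"))
    if ptype == "number":
        probes.append(("boundary", -1))
        probes.append(("boundary", 2 ** 31))
        probes.append(("type_confusion", "{marker}"))
    return probes


def leaf_paths(obj, prefix=()):
    """Yield (path, value) for every scalar inside a nested JSON-like object."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from leaf_paths(val, prefix + (key,))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from leaf_paths(val, prefix + (idx,))
    else:
        yield prefix, obj


def set_path(obj, path, value):
    """Overwrite one leaf inside a nested object in place."""
    cur = obj
    for key in path[:-1]:
        cur = cur[key]
    cur[path[-1]] = value


def mutate(request):
    """One mutated request per parameter per probe; every other field stays intact."""
    cases, n = [], 0
    for section in ("query", "body"):
        for path, value in leaf_paths(request.get(section, {})):
            ptype = infer_type(value)
            for category, template in probes_for(ptype):
                marker = f"m{n:04d}"
                n += 1
                probe = template.format(marker=marker) if isinstance(template, str) else template
                variant = copy.deepcopy(request)
                set_path(variant[section], path, probe)
                cases.append({
                    "param": section + "." + ".".join(map(str, path)),
                    "type": ptype, "category": category,
                    "marker": marker, "request": variant,
                })
    return cases


def classify(case, baseline, response, callbacks_seen):
    """Flag a mutated request whose response differs from the baseline in a telling way.

    baseline/response are dicts with 'status', 'body' and 'elapsed' (seconds);
    callbacks_seen is the set of markers observed on CALLBACK_HOST.
    """
    findings = []
    if case["marker"] in callbacks_seen:
        findings.append("ssrf_confirmed")      # server contacted our host with this marker
    if response["status"] >= 500 and baseline["status"] < 500:
        findings.append("server_error")
    if ERROR_SIGNATURES.search(response["body"]) and not ERROR_SIGNATURES.search(baseline["body"]):
        findings.append("error_leak")
    if response["elapsed"] > 5 * max(baseline["elapsed"], 0.05):
        findings.append("slow_response")
    return findings


if __name__ == "__main__":
    for case in mutate(EXAMPLE_REQUEST):
        print(case["param"], case["type"], case["category"], case["marker"])
```

Only the `source` field, which looks like a URL, receives SSRF probes; `limit` gets boundary and type-confusion values, and the strings get injection values. Comparing each response to the baseline (status, error text, latency, and any out-of-band callback carrying the marker) is what turns a pile of mutated requests into findings without needing a signature for the vulnerability in advance.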
Testing APIs was a natural next move
As Fredrik explains, expanding the fuzzing engine to cover APIs was a natural development:
“We have already put in a lot of effort into scanning SPAs. It’s a front end that we crawl that, in turn, speaks to APIs in the background. For us to deliver results and find vulnerabilities, we must find vulnerabilities in APIs.”
The future of Internet Security needs fuzzing
While the research and product development teams have a lot of experience looking for known vulnerabilities and CVEs in software, Tom Hudson says that this expansion to API fuzzing is at the leading edge of application security.
“We know that if we want to drive the future of internet security, fuzzing is our best bet to find vulnerabilities that are previously not known. New and unique vulnerabilities in APIs can’t be found if you don’t know what you’re looking for without fuzzing.”
If you’re curious about Detectify and how our product currently helps thousands of companies stay on top of web app threats, start a 2-week free trial.
Detectify is building web app security solutions that are automated and crowd-based. By collaborating with ethical hackers, business critical security research is put into the hands of those who need it most to bring safer web apps to market. Curious to see what we will find in your live web apps? Start a free 2-week trial today.