Intesar Mohammed

How to security scan your web API for vulnerabilities

About me: I write, review, and build API security tools and best practices.

The purpose of this article is to show AppSec engineers and developers how to get started with API security scanning against an open-source API. Along the way you will see what reported vulnerabilities look like, and at the end of the write-up I share a couple of tool recommendations for you to try.

APIs are, in a sense, the new internet protocol. They are the gateway to every kind of application you build or integrate with: mobile, web, AI, serverless, microservices, blockchain, web3.0, and so on.

APIs now dominate internet traffic. A recent Akamai report found that over 90% of web traffic consists of API calls. Without realizing it, you and your organization are using APIs predominantly.

APIs are also the most attacked surface, having overtaken traditional attack surfaces such as networks and computers. In practice this means a security incident or breach this quarter is more likely to happen at the API layer than anywhere else.

Because APIs are a new paradigm, most organizations are under-prepared when it comes to API security. API security validation is hard to achieve: it is still in its early stages, mostly human-powered, under-staffed, and performed far less frequently than new code is deployed. Traditional security and penetration testing staff focus on mobile and web front ends, which makes matters even worse for the APIs behind them.

Here are a few tools you can use to get started with API security.

Use this open-source API as a scanning target and review the resulting vulnerability report: http://52.250.110.188:8080/v2/api-docs
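Before running a scanner, it helps to know what an authentication finding looks like in the API's own description. The following added example (not part of the original post or of any tool it mentions) walks an OpenAPI/Swagger document such as the one served at an `api-docs` URL and lists every operation that has no effective security requirement. The document embedded below is constructed for illustration and is not the page's actual API.

```python
import json

# Constructed Swagger 2.0 document standing in for a fetched /v2/api-docs
# response. The real target's document would be downloaded instead.
SAMPLE_SPEC = json.dumps({
    "swagger": "2.0",
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"}
    },
    "security": [],  # document-level default: no auth required
    "paths": {
        "/users": {
            "get": {"summary": "List users", "security": [{"api_key": []}]},
            "post": {"summary": "Create user"},  # inherits the empty default
        },
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"summary": "Get user", "security": [{"api_key": []}]},
            "delete": {"summary": "Delete user"},  # inherits the empty default
        },
        "/health": {"get": {"summary": "Liveness probe"}},
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

def parse_spec(text):
    """Parse a JSON OpenAPI/Swagger document into a dict."""
    return json.loads(text)

def unauthenticated_operations(spec):
    """Return sorted (METHOD, path) pairs for operations with no effective
    security requirement. An operation inherits the document-level
    'security' list unless it declares its own; an empty list means
    'no authentication required'."""
    default = spec.get("security") or []
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            # Skip non-operation keys such as 'parameters'.
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            if not op.get("security", default):
                findings.append((method.upper(), path))
    return sorted(findings)

def unauthenticated_writes(spec):
    """Subset of findings that change state; review these first, since an
    unauthenticated write is usually the most serious."""
    safe = {"GET", "HEAD", "OPTIONS"}
    return [(m, p) for m, p in unauthenticated_operations(spec) if m not in safe]
```

Each reported pair is a candidate for manual review, not a confirmed vulnerability: a health endpoint may be intentionally open, while an unauthenticated DELETE almost never is.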

Tool #1: EthicalCheck
Pros: free, point-and-scan solution
Cons: only covers OWASP #2

Tool #2: Burp
Pros: free community edition, write your own tests
Cons: learning curve

I avoided listing commercial tools, since most of them are closed and offer only custom pricing.

If you have any questions, feel free to reach out to me by email or on Twitter:
intesar.mohammed@gmail.com
https://twitter.com/shannan_
