Online Courses
API Penetration Testing Course
Finding Security Misconfigurations

Last updated 1 year ago

Once you have discovered an API and used it as it was intended, you can proceed to perform a baseline vulnerability scan. A good reason to perform your testing in this order is to avoid having any of your scans set off a security control, such as a WAF, that results in your traffic being blocked. Ideally, a vulnerability scan will help you find weaknesses that you can then test, confirm, and exploit. Realistically, vulnerability scans are rarely 100% accurate and rarely, if ever, identify all of the issues present. So, we will not use vulnerability scans to determine all of the weaknesses an app has; instead, we will use the scan results to help guide and focus our testing.

When vulnerability scans are applied generically to web APIs, the most common outcome is to receive false-negative results. False-negative results take place when vulnerability scans do not detect or report existing problems. For most organizations, this can result in a false sense of security because the scans came back with no evidence of any present weaknesses. The current state of many free and paid vulnerability scanners is that they were not designed for web APIs and often do not detect many of the vulnerabilities listed on the OWASP API Security Top 10. These vulnerability scanners, however, do a decent job of detecting API7:2019 Security Misconfiguration.

Security misconfiguration includes missing system patches, unnecessary features enabled, lack of secure transit encryption, weak security headers, verbose error messages, and Cross-Origin Resource Sharing (CORS) policy misconfigurations. In this module, our focus will be on configuring OWASP ZAP to thoroughly discover API security misconfigurations and to get the most out of a vulnerability scanner.

First, if you'd like to see how a generic scan can result in false-negative results, you can experience this for yourself. You can do this by scanning crAPI with Nikto, a web application vulnerability scanner. Open a terminal and run:

nikto -h http://crapi.apisec.ai

If you run this scan, you should notice a couple of things. The Nikto scan discloses that the web app server is running the OpenResty platform and reveals its version. In addition, the X-Frame-Options and X-XSS-Protection headers are missing or misconfigured. Beyond these findings, the results are missing the whole gamut of API-related vulnerabilities that crAPI contains. Keep in mind that the crAPI application was designed to contain all of the OWASP API Security Top 10 vulnerabilities.
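To make the security-misconfiguration checks concrete, here is an added example script (not part of the course, Nikto, or crAPI) that audits one HTTP response's headers for the kind of findings a scanner reports: a version-bearing Server banner, missing X-Frame-Options and related headers, and a permissive CORS policy. The header values in `SAMPLE_HEADERS` are constructed, not captured from crAPI.

```python
import re

# Constructed sample, not a real capture: response headers of the kind the
# Nikto scan above reports (server banner with a version, no X-Frame-Options,
# permissive CORS). All values are hypothetical.
SAMPLE_HEADERS = {
    "Server": "openresty/1.19.3.1",
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

# Headers a hardened API response should carry. A tuple lists the acceptable
# values (compared upper-cased); None means any value is fine if present.
EXPECTED = {
    "Strict-Transport-Security": None,
    "X-Content-Type-Options": ("NOSNIFF",),
    "X-Frame-Options": ("DENY", "SAMEORIGIN"),
}

# A dotted number in a banner (e.g. "openresty/1.19.3.1") is a version disclosure.
VERSION_RE = re.compile(r"\d+\.\d+")


def audit_headers(headers):
    """Return (finding, detail) tuples describing misconfigurations in one response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    # 1. Version disclosure in Server / X-Powered-By banners
    for name in ("server", "x-powered-by"):
        if name in h and VERSION_RE.search(h[name]):
            findings.append(("version-disclosure", f"{name}: {h[name]}"))
    # 2. Missing or weakly set security headers
    for name, allowed in EXPECTED.items():
        value = h.get(name.lower())
        if value is None:
            findings.append(("missing-header", name))
        elif allowed and value.strip().upper() not in allowed:
            findings.append(("weak-header", f"{name}: {value}"))
    # 3. CORS: a wildcard origin combined with credentials is a misconfiguration
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append(("cors-misconfig", "Access-Control-Allow-Origin: * with credentials"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_headers(SAMPLE_HEADERS):
        print(f"[{kind}] {detail}")
```

Point `audit_headers` at the headers of a real response (for example, from `requests`) to reproduce the header-related part of a Nikto scan and to verify a fix after the server configuration is hardened.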
