Finding Security Misconfigurations

Once you have discovered an API and used it as it was intended, you can proceed to perform a baseline vulnerability scan. A good reason to test in this order is that your scans may trip a security control such as a WAF and get your traffic blocked; by then you should already have learned how the API behaves. Ideally, a vulnerability scan will help you find weaknesses that you can then test, confirm, and exploit. Realistically, vulnerability scans are rarely 100% accurate and rarely, if ever, identify all of the issues present. So we will not rely on vulnerability scans to determine every weakness an app has; instead, we will use the scan results to help guide and focus our testing.

When vulnerability scans are applied generically to web APIs, the most common outcome is false-negative results. A false negative occurs when a scanner fails to detect or report a problem that is present. For many organizations this creates a false sense of security, because the scans came back with no evidence of any weaknesses. Most free and paid vulnerability scanners were not designed for web APIs and miss many of the vulnerabilities listed in the OWASP API Security Top 10. These scanners do, however, do a decent job of detecting API7:2019 Security Misconfiguration.

Security misconfiguration includes missing system patches, unnecessary features enabled, lack of secure transit encryption, weak security headers, verbose error messages, and Cross-Origin Resource Sharing (CORS) policy misconfigurations. In this module, our focus will be on configuring OWASP ZAP to thoroughly discover API security misconfigurations and to get the most out of a vulnerability scanner.

First, you can see for yourself how a generic scan produces false negatives by scanning crAPI with Nikto, a web application vulnerability scanner. Open a terminal and run:

nikto -h http://crapi.apisec.ai

If you run this scan, you should notice a couple of things. Nikto discloses that the web server is running the OpenResty platform, including its version. In addition, the X-Frame-Options and X-XSS-Protection headers are missing or misconfigured (the latter is a legacy header that modern browsers ignore, so its absence is low value on its own). Beyond these findings, the results miss the whole gamut of API-related vulnerabilities that crAPI contains. Keep in mind that crAPI was deliberately built to contain all of the OWASP API Security Top 10 vulnerabilities.
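To make concrete what a header-level scan like the Nikto run above can and cannot see, here is an added example (not part of the original course page, and not Nikto's or crAPI's code) that checks captured HTTP responses for the response-visible parts of API7:2019 Security Misconfiguration: version disclosure in the Server header, missing or weak security headers, an over-permissive CORS policy, and verbose error bodies. The hostnames, paths, header values and response bodies are constructed sample data; the set of expected headers is an assumed baseline you would tune to your own standard.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    """One captured HTTP response. All instances below are constructed sample data."""
    url: str
    status: int
    headers: dict
    body: str = ""
    request_origin: Optional[str] = None  # Origin header we sent, so CORS reflection can be judged


# Assumed baseline of security headers and the value pattern that counts as acceptable.
EXPECTED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=\d+"),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-frame-options": re.compile(r"^(DENY|SAMEORIGIN)$", re.I),
    "content-security-policy": re.compile(r".+"),
}

# product/version pairs such as "openresty/1.19.3.1" or "nginx/1.18.0"
VERSION_IN_SERVER = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")

# Fragments that mark a stack trace leaking into a response body.
STACK_TRACE_MARKERS = (
    "Traceback (most recent call last)",  # Python
    "\tat ",                              # Java / Kotlin frames
    "Exception in thread",                # JVM
    "at Object.<anonymous>",              # Node.js
)


def check_response(resp: Response) -> list:
    """Return a list of misconfiguration findings for one response."""
    findings = []
    h = {k.lower(): v for k, v in resp.headers.items()}

    # 1. Missing patches are not visible from a response, but a version string in
    #    Server is the breadcrumb scanners use to infer them. Flag it.
    server = h.get("server", "")
    if VERSION_IN_SERVER.search(server):
        findings.append(f"version-disclosure: Server: {server}")

    # 2. Security headers: absent, or present with a value below the baseline.
    for name, pattern in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(f"missing-header: {name}")
        elif not pattern.search(h[name]):
            findings.append(f"weak-header: {name}: {h[name]}")

    # 3. CORS: a wildcard is loose; reflecting an arbitrary Origin together with
    #    Allow-Credentials lets any site read authenticated responses.
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao == "*":
        findings.append("cors: wildcard Access-Control-Allow-Origin")
    elif acao and resp.request_origin and acao == resp.request_origin:
        how = "with credentials" if creds else "without credentials"
        findings.append(f"cors: arbitrary Origin reflected {how}")

    # 4. Verbose errors: stack traces or debug text in the body.
    if any(marker in resp.body for marker in STACK_TRACE_MARKERS):
        findings.append(f"verbose-error: stack trace in {resp.status} response body")

    return findings


def scan(responses) -> dict:
    """Map each response URL to its findings."""
    return {r.url: check_response(r) for r in responses}


# Constructed sample responses (hypothetical host api.example.test).
SAMPLE_RESPONSES = [
    Response(
        url="http://api.example.test/api/v2/user/dashboard", status=200,
        headers={"Server": "openresty/1.19.3.1", "Content-Type": "application/json",
                 "Access-Control-Allow-Origin": "https://attacker.example",
                 "Access-Control-Allow-Credentials": "true"},
        body='{"id": 1, "name": "alice"}',
        request_origin="https://attacker.example",
    ),
    Response(
        url="http://api.example.test/api/v2/community/posts/recent", status=500,
        headers={"Server": "nginx", "Content-Type": "text/plain", "X-Frame-Options": "ALLOWALL"},
        body='Traceback (most recent call last):\n  File "app.py", line 42, in handler\n',
    ),
    Response(
        url="https://api.example.test/healthz", status=200,
        headers={"Server": "nginx", "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                 "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
                 "Content-Security-Policy": "default-src 'none'"},
        body="ok",
    ),
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE_RESPONSES).items():
        print(url, findings or "no findings")
```

Everything this checker reports is exactly the class of issue a generic scanner will surface. Notice what it cannot see: whether the dashboard endpoint returned another user's data, whether the token was validated, or whether the object ID was authorized. Those API-specific OWASP items need authenticated, logic-aware testing, which is why the scan results guide your manual work rather than replace it.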
