Traceable's API Security Testing (AST) provides you with an option to test your APIs against various vulnerabilities and security gaps before they are deployed in a production environment. Application security testing gives your developers and product security engineers the right context about vulnerabilities so that they can prioritize the threats that may arise because of gaps in API specifications and implementation. Traceable's AST is built on top of the API Catalog, which provides the necessary context to run heavily contextualized tests, prioritize the mitigation of vulnerabilities, and build resilient systems.
The Application security testing suite performs specific tests on APIs. You can choose the type of tests you want to run. These tests intelligently exclude APIs that have been inactive for a long time or have never been used. Following is a list of tests that you can currently run:
- Server Side Request Forgery (SSRF)
- Remote code execution
- NoSQL injection
- Business logic
- User defined
To start the security tests, you can either use the Traceable generated OpenAPI specification or upload your own API specification. Traceable's CI/CD integrations can be used to continuously test your software builds for active vulnerabilities and get comprehensive reports. These reports help you decide whether a build should pass or fail based on new or existing vulnerabilities exposed by the new code. Traceable supports the following pipelines:
- GitHub Actions
If the test results report vulnerabilities in your APIs, you can directly create a JIRA ticket for your developers and product security engineers. The following diagram summarizes the process of application security testing:
Start API security testing (AST)
Complete the following steps to start your API security testing:
- To start your application security testing, click on API Testing > Generate Scan Policy.
- In the pop-up window, select the tests that you want to carry out on your APIs and click on Next. You can also choose to select all the tests.
- Verify the list of tests under each category and click on Next. In this step you can choose the specific tests that you want to run for a category. For example, the SQLi category has Error Based SQLi and Blind SQLi. You can choose both or either of them.
- Create the Scan Policy by entering the following:
- Profile Name - Provide a name that will help you identify the test.
- API Specification - Choose the Traceable generated specification, or upload your own specification. For more information on the Traceable generated specification, see OpenAPI Specification.
- Traffic - Choose the traffic source from live traffic, replay traffic from other environments, or use the provided API specification to fuzz data to generate test traffic.
- Traffic Environment - Choose the environment in which you would like to run the test suite.
- Generate Token - Generate an API Token which helps the Traceable CLI and CI/CD plugins connect to the Traceable Platform.
- Choose the API Endpoints on which you want to run the security tests. You can choose from:
- All Endpoints
- A set of Endpoints
- Labels - All Endpoints which are tagged with a certain label, for example, critical, sensitive, external, and so on.
- You can copy the command to run in your Python or Docker environment, or you can choose to trigger the CI/CD pipeline by clicking on Run Scan.
Following is a short clickable demo that summarizes the steps:
Scan history dashboard
You can view the scan in the Scan History dashboard as soon as a scan is triggered. The Dashboard summary section displays all the Vulnerabilities and the Vulnerabilities Distribution across all the reports for the selected time period in the chosen environment. As shown in the screenshot below, the Dashboard displays a history of scans run for the selected time period. You can filter these scans based on the scan status; for example, the scans in the screenshot below are filtered on the Completed status.
The Dashboard gives a summary of the report metadata like:
- Scan policy name - The name of the test run that you set in step 4 of the previous section.
- Build ID - A unique ID generated by the CI build, hyperlinked to the build URL. This helps you correlate scans with builds.
- Start time - The time at which you triggered the security test.
- Mode - The origin of the security test. The two supported modes are CLI and CI/CD. You configured this in step 6 of the previous section.
- Scan status - Displays the status of the scan whether it is completed, initialized, running, or aborted. You can also filter the reports based on the scan status as shown in the screenshot above.
- Initiated by - Displays the name of the person who initiated the test.
- Vulnerabilities - This shows the distribution of critical, high, medium, and low severity vulnerabilities that Traceable found in this particular scan.
Understand the test report
You can view the details of the test result by clicking on the report name under the Scan policy name column. The detailed view window displays the summary dashboard with all Vulnerabilities and the Vulnerabilities Distribution for the specific report. For example, in the screenshot below the summary section shows the total number of vulnerabilities (13) for this specific report along with the distribution across the different vulnerability types. The summary report dashboard displays:
- The different vulnerabilities that the test discovered
- The API Endpoint in which the vulnerability was found. Note that a POST /workshop/api/shop is a different API than
- The service associated with the API
- The status of the vulnerability, such as Open, Accepted Risk, Not a Vulnerability, Under Review, and Fixed.
- An option to create a JIRA ticket directly from the vulnerability summary report.
You can also view a detailed summary report by clicking on View Summary Report as shown in the screenshot above.
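The build pass/fail decision described in the CI/CD section, driven by the severity levels and triage statuses listed above, as an added example that is not Traceable's own code: the JSON layout, field names, finding IDs and endpoint paths are constructed assumptions, since this page does not document the export format of a scan report.

```python
"""Build gate over an AST scan report: added example, not Traceable's own code.
The JSON layout below is a constructed stand-in (this page does not document
Traceable's export format), so every field name is an assumption. The decision
logic uses the page's own concepts: severity levels, triage statuses, and
new-versus-existing findings judged against a baseline of known finding IDs."""
import json

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# Triage outcomes that already close a finding; they never block a build.
RESOLVED_STATUSES = {"accepted risk", "not a vulnerability", "fixed"}

# Constructed sample report (hypothetical fields and IDs, not real output).
SAMPLE_REPORT = json.dumps({
    "scanPolicy": "shop-api-ci", "buildId": "build-1234",
    "vulnerabilities": [
        {"id": "v-101", "name": "BOLA", "severity": "high", "status": "Open",
         "endpoint": "GET /workshop/api/shop/orders/{id}"},
        {"id": "v-102", "name": "SSRF", "severity": "critical", "status": "Accepted Risk",
         "endpoint": "POST /workshop/api/shop/webhook"},
        {"id": "v-103", "name": "NoSQL injection", "severity": "medium", "status": "Open",
         "endpoint": "POST /workshop/api/shop/search"},
        {"id": "v-104", "name": "Blind SQLi", "severity": "critical", "status": "Under Review",
         "endpoint": "POST /workshop/api/shop"},
    ],
})

def gate_build(report_json, baseline_ids, fail_at="high", fail_on_existing=False):
    """Return (passed, blocking); blocking lists (id, severity, new|existing, endpoint).
    A finding blocks the build when its severity is at or above fail_at, its status
    is still open for triage (Open or Under Review), and it is new (absent from
    baseline_ids) or fail_on_existing is set."""
    threshold = SEVERITY_RANK[fail_at.lower()]
    blocking = []
    for v in json.loads(report_json)["vulnerabilities"]:
        if v["status"].lower() in RESOLVED_STATUSES:
            continue  # already triaged away
        if SEVERITY_RANK.get(v["severity"].lower(), -1) < threshold:
            continue  # below the gate's severity bar
        is_new = v["id"] not in baseline_ids
        if is_new or fail_on_existing:
            blocking.append((v["id"], v["severity"], "new" if is_new else "existing", v["endpoint"]))
    return not blocking, blocking

if __name__ == "__main__":
    ok, hits = gate_build(SAMPLE_REPORT, baseline_ids={"v-101"})
    print("PASS" if ok else "FAIL", hits)
```

The baseline set is what a pipeline would persist from the previous accepted scan so that only newly introduced findings fail the build; set fail_on_existing to block on known open findings as well.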
Scan summary report
The scan summary report displays the high-level information about the scan result. The summary section displays the number of APIs scanned, the environment for which the tests were run, and the number of tests that were run. The summary section also displays the time taken for all tests to run.
The Result section of the report displays, for example, the attack category and subcategory for which the tests were run, the number of vulnerabilities found for each test, and the associated severity. The scan report also displays the number of tests that were run for each attack category, as shown in the screenshot below:
The severity is displayed when a vulnerability is found against an attack.
View detailed vulnerability report
You can view a detailed report about a vulnerability by clicking on the vulnerability name. For example, if you click on Broken Object Level Authorization (BOLA) as shown in the screenshot above, Traceable displays a detailed report as shown below:
The detailed report gives a wealth of information about the vulnerability, such as the CVSS 3.1 score, the status of the vulnerability, and the approximate time it will take to fix. Traceable also displays the User API Flow, which shows all the APIs that the request has traveled through. The detailed report also provides the description of the vulnerability, possible mitigation, and the impact that the vulnerability can have on your API ecosystem.
You can also separately re-run the test command to identify the vulnerability. Copy the cURL command to re-run the test.
Following is a short clickable demo:
You can carry out further analysis, for example, based on request header x-traceable-ast as shown in the screenshot below:
Copy the x-traceable-ast header value and navigate to API Analytics as marked in the screenshot above. In the API Analytics page, enter the request header filter request header.x-traceable-ast=<value of x-traceable-ast request header>. The search result displays the various Endpoint Traces. Click on individual traces to view detailed information as shown below: