API Discovery

Modern web applications rely heavily on APIs and their integration with web applications. They are responsible for the transfer and the “serving” of data between databases and front-end web applications, as well as between web applications. A study indicates that nearly 40% of the largest companies have more than 250 internal APIs. From this, we can deduce that APIs play a major role for any company, big or small, for both organization owners and developers.

However, API adoption is just the first step. An organization has to proactively manage and monitor APIs for efficiency and security. The first step towards establishing a robust API infrastructure is “knowing what you own.” Keeping an updated list of your APIs enables better monitoring and minimizes the risks to your infrastructure. For this inventory to be realized, an organization must first discover those APIs. It is easy to keep track of a few APIs. However, the task becomes complex for large enterprises using hundreds of APIs for external and internal applications.

This article discusses several approaches and practices to help an organization in its API discovery mission.

Summary of API discovery best practices

The rest of the article outlines the practices mentioned above in detail.

API Endpoint discovery

Endpoint discovery is a central aspect of API management and API discovery. It involves using tools that map an organization's APIs. You can utilize offensive techniques such as subdomain enumeration and directory fuzzing or tools such as subfinder and dirsearch. Similarly, you can also use defensive tools, such as Impart Security, that monitor an already-given network of hosts and continuously scan and monitor for new hosts.

The discovered APIs can vary in their nature and purpose. Apart from the production APIs, there can be APIs for:

• Staging
• Developing
• Testing purposes

Their criticality may vary, and all of the APIs, important or not, should be included. Also, public and internal APIs from different departments should be added to this inventory by applying the discovery practices mentioned above. It helps document those endpoints, team inter-communication, and issue identification, such as redundancies.

Discovering endpoints and hosts should be a practice that happens periodically to ensure that an organization stays ahead of changes in its environment.

Sensitive data discovery

Once endpoints have been discovered, it is important to identify APIs and hosts where sensitive data resides. Sensitive refers to data important to the users and clients or the organization itself. For example—

• Personally identifiable information (PII)
• User credentials
• Financial details such as credit card numbers
• Secrets like API keys

To discover which APIs handle sensitive data, an organization should utilize solutions like scanning tools from  the red and blue security teams. With the documentation of each API, a more thorough and detailed scan can be carried out. Fuzzing tools like ffuf, and auditing tools like Kiterunner can scan a list of APIs for sensitive data and information.

Prioritizing sensitive data discovery through Impart Security’s full API traffic inspection helps your organization keep up with the changes in critical systems. The critical hosts in which sensitive data are being stored and/or processed must be treated with a specific plan to comply with the appropriate regulatory standards, such as

• General Data Protection Regulation (GDPR)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI-DSS)

The plan should involve data encryption, regular penetration tests, conformance assessments, and instructions a regulation authority instructs.

API Documentation

For development teams to better understand, implement, and integrate APIs, it is crucial to maintain proper documentation of the existing APIs and have a proper methodology for documenting new APIs and endpoints. In the discovery phase, documentation aids in understanding the nature of an API and the sensitivity of the data it holds and processes.

For this practice, documentation tools such as Swagger and standards such as OpenAPI have been created. These tools and standards allow developers to generate documentation in a machine-readable format synchronizing with code changes. With the help of tools like Impart Security, teams can automatically generate Open API documentation based on traffic inspection. This allows the documentation process to be automated.

Impart Security, Swagger, as well as other tools such as Postman, Redoc, and Apiary creaes detailed documentation, including:

• API requests
• API responses
• Authentication schemes
• Example code snippets.

By assembling the existing documentation of APIs, developers can also discover new APIs to add to the organization’s inventory.

Developer-based and automatic discovery

API discovery can be approached with two methods, i.e., manual and automatic. The manual approach requires human intervention, where developers manually contribute to the API discovery and the expansion of the API inventory. This contribution takes the form of observing the CI/CD pipeline, reading documentation, as mentioned earlier, or manually searching for APIs in logs. This approach has fewer false-positive results but is more time-consuming and may not cover the whole API landscape.

Developers can contribute to organizing and maintaining an API “awareness” of what the teams deal with and what resources and assets they are working with. Many APIs are hard to discover automatically due to complex naming schemes or lack of visibility from automated solutions. A human approach can be invaluable by adding new APIs to the API inventory as soon as they are created. Internal wikis and management boards like Trello may informally track APIs during development. Pre-checking existing documentation with existing tools and solutions can help reduce the development of redundant APIs when solutions already exist. Impart Security has a functionality called “development inspector” that can integrate documentation inspection in your CI/CD pipeline to help automate this process by reviewing and inspecting the documentation available for the APIs in question.

The automatic approach utilizes scanners and automated tools to discover APIs in IP ranges, registries, or, again, in documentation. This automation should have criteria to distinguish APIs from other services to catalog them. While faster than the manual approach, this automatic method is more prone to false-positive results and can lack a deeper understanding of the nature of a discovered API.

Choosing one of the two approaches depends on the time constraint, the level of precision, and the requirements needed. For maximum efficiency, a combination of the two approaches yields the best results in terms of quality.

{{banner-small-1="/design-banners"}}

Managing discovered APIs

After the discovery phase and aggregating the APIs your organization holds and owns, finding an optimal way to manage them and maintain an efficient inventory is essential. This can be realized by implementing or utilizing a robust system for cataloging, documenting, and overviewing your API assets with Impart Security. It should contain detailed information regarding the actions and requests that can be taken under each API, the authentication methods, and a high-level overview of their security posture.

Additionally, the inventory should include details for each API, such as ownership and responsibilities, to help developers communicate further. Better communication in the development team leads to a better system design and the product's security aspect. It’s not uncommon for teams to not have a clear understanding of their operations. This leads to miscommunication and, ultimately, to bad design. Shadow APIs, weak authorization checks, and information leaks are some of the logic vulnerabilities that can be prevented if clear communication occurs.

Managing discovered APIs also involves identifying API risks and vulnerabilities. That can happen via regular penetration tests, vulnerability assessments, code reviews, and compliance checks. Penetration testers use offensive security tools to enumerate hosts and probe them for API-related issues such as injections, mass assignments, etc. These tools include OWASP ZAP, Postman, and command line interface (CLI) tools like nuclei, httpx, as well as the above-mentioned ffuf. A simple one-line script for going through a list of domains and looking for APi vulnerabilities can be the following:

httpx -l domains.txt -p 80,443 -o httpx-output.txt | nuclei -t /path/to/api/related/templates/ -o nuclei.txt

After we get the results, one can test for leaks of specific endpoints with the ffuf command

while read $line; do ffuf -u "$line/FUZZ" -w /path/to/api-wordlist.txt -of csv -o ffuf-output.txt -mc 200; done < httpx-output.txt

Apart from vulnerability discovery, these practices also allow an organization to pinpoint areas where sensitive data exposures occur, also aiding in the practice of sensitive data discovery. Additionally, monitoring inbound as well as outbound API traffic aids in threat intelligence as well as in identifying risks.

Making API management a part of the organization’s culture can ensure that its API inventory is comprehensive, up-to-date, and includes all the details necessary to be aware of its API landscape.

{{banner-large-white="/design-banners"}}

Conclusion

Effective API discovery of an organization demands multiple practices to successfully create a list of assets of APIs to keep track of. This inventory of API assets is there to aid teams in searching, developing, documenting, monitoring, and managing the API landscape without wasting time.

By utilizing these five practices, organizations can stay ahead of the constant changes in their network without losing time in searching for the API hosts they need, as well as stay ahead of attacks against their API infrastructure by properly indexing their assets for monitoring and system hardening.

Contact Impart Security at try.imp.art for more API security tips and best practices and be sure to follow us on LinkedIn for the latest product news and updates.