Securing REST APIs is particularly difficult since they are highly interconnected and not designed for manual access. To save time and be more efficient, many developers rely on testing solutions that can automatically detect REST API endpoints and test parameter properties within them. In this article, I want to provide an overview of the 6 biggest challenges of REST API security testing and how test automation can help resolve them.
What makes REST API testing so challenging is the large number of parameter combinations that have to be covered. The purpose of API parameters is to pass data values through API endpoints via data requests. Choosing the wrong REST API parameter combinations can trigger faulty program states that might potentially expose APIs to external attacks or cause crashes.
One of the best ways to ensure the security of a REST API is to test all of its parameter combinations. However, with each added parameter, the number of possible combinations grows exponentially. Going through these parameter combinations manually is highly time-consuming (some people might even say it's impossible). Therefore, testing approaches that can automatically generate test cases for these parameters are particularly helpful to secure REST APIs, especially in large projects with many dependencies.
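To make the growth concrete, here is an added example (not code from the article or from CI Fuzz) that enumerates every combination of a few query parameters of a constructed `GET /items` endpoint and, going one step beyond the text, derives a much smaller all-pairs set with a greedy algorithm. The parameter names and candidate values are assumptions chosen for the demonstration.

```python
from itertools import combinations, product

# Constructed example: candidate values for four query parameters of an
# imaginary GET /items endpoint. Three values each is enough to show the growth.
PARAMS = {
    "page":   [0, 1, 999],
    "size":   [1, 50, 100],
    "sort":   ["asc", "desc", "invalid"],
    "format": ["json", "xml", ""],
}


def full_product(params):
    """Every combination of every value: grows exponentially with each added parameter."""
    names = list(params)
    return [dict(zip(names, combo)) for combo in product(*(params[n] for n in names))]


def growth(params):
    """Number of full combinations after each parameter is added, in order."""
    counts, total = [], 1
    for name in params:
        total *= len(params[name])
        counts.append((name, total))
    return counts


def _pair(order, n1, v1, n2, v2):
    """Canonical (param, value) pair, ordered by parameter position so lookups are stable."""
    return ((n1, v1), (n2, v2)) if order[n1] < order[n2] else ((n2, v2), (n1, v1))


def pairs_of(case, order):
    """All (param=value, param=value) pairs that one test case exercises."""
    return {_pair(order, a, va, b, vb) for (a, va), (b, vb) in combinations(case.items(), 2)}


def pairwise(params):
    """Greedy all-pairs generation: a far smaller set of cases in which every
    pair of parameter values still occurs together at least once."""
    names = list(params)
    order = {n: i for i, n in enumerate(names)}
    uncovered = {
        _pair(order, a, va, b, vb)
        for a, b in combinations(names, 2)
        for va in params[a]
        for vb in params[b]
    }
    cases = []
    while uncovered:
        # Seed the case with one still-uncovered pair, then pick each remaining
        # parameter's value so that it covers as many uncovered pairs as possible.
        (a, va), (b, vb) = next(iter(uncovered))
        case = {a: va, b: vb}
        for n in names:
            if n in case:
                continue
            case[n] = max(
                params[n],
                key=lambda v: sum(1 for m, vm in case.items() if _pair(order, n, v, m, vm) in uncovered),
            )
        uncovered -= pairs_of(case, order)
        cases.append({n: case[n] for n in names})   # keep parameter order readable
    return cases


if __name__ == "__main__":
    for name, total in growth(PARAMS):
        print(f"after adding {name!r}: {total} combinations")
    print("full product:", len(full_product(PARAMS)), "cases")
    print("all-pairs:   ", len(pairwise(PARAMS)), "cases")
```

Pairwise coverage is a deliberate trade-off: it catches the defects that depend on two parameters interacting, which is where most combination bugs live, while keeping the case count linear-ish rather than exponential; it does not replace targeted boundary and type tests for each individual parameter.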
Another challenge regarding REST APIs is validating the parameters that are transmitted through API requests. A buggy application, or a malicious attacker, might call the API with parameters that don't fit the expected data types or value ranges. Without careful validation, this can trigger crashes or unexpected program behavior that might lead to security or stability issues.
Considering how many values most data types allow, testing all of them manually is out of the question. Even with automated testing tools, the sheer number of combinations is often too big to cover. Only white-box testing solutions are smart enough to pick values that are known from experience to cause problems. This way, they can automatically generate inputs that try to cover all relevant parameter combinations.
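The following added example (not from the article or from any product it mentions) shows the validation problem from both sides: a constructed `GET /items` handler that trusts its `page` and `size` parameters, the same handler with type and range checks, and a small probe that feeds both a list of values that experience says break integer parameters and classifies each outcome as accepted, rejected with a 400, or crashed. The handler, the backing data and the hostile value list are assumptions made for the demonstration.

```python
import math

ITEMS = list(range(20))   # constructed backing data for a toy GET /items endpoint


class BadRequest(Exception):
    """Raised by the validated handler; a real service maps it to HTTP 400."""


def items_unvalidated(req):
    """'Before': trusts page/size as received. A wrong type or range surfaces as an
    uncaught exception, i.e. a 500 or a crash in a real service."""
    page, size = req["page"], req["size"]
    total_pages = math.ceil(len(ITEMS) / size)      # ZeroDivisionError for size=0, TypeError for size="10"
    start = page * size                              # TypeError for page=None, float index for page=3.5
    return {"total_pages": total_pages, "items": ITEMS[start:start + size]}


def validate_int(value, name, lo, hi):
    """Accept only a real int inside [lo, hi]; bool is an int subclass and is rejected on purpose."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise BadRequest(f"{name} must be an integer")
    if not lo <= value <= hi:
        raise BadRequest(f"{name} must be between {lo} and {hi}")
    return value


def items_validated(req):
    """'After': every parameter is checked for type and range before it is used."""
    page = validate_int(req.get("page"), "page", 0, 10_000)
    size = validate_int(req.get("size"), "size", 1, 100)
    total_pages = math.ceil(len(ITEMS) / size)
    start = page * size
    return {"total_pages": total_pages, "items": ITEMS[start:start + size]}


# Constructed list of values that tend to break integer parameters: boundaries,
# overflow-sized numbers, wrong types and type confusions.
HOSTILE_INTS = [0, -1, 2**31, 2**63, "42", "abc", None, 3.5, True]
VALID_REQUEST = {"page": 0, "size": 10}


def probe(handler, hostile=HOSTILE_INTS):
    """Send each hostile value in each parameter, keeping the other one valid,
    and classify what the handler does with it."""
    outcome = {"ok": 0, "rejected": 0, "crashed": 0}
    for name in VALID_REQUEST:
        for value in hostile:
            req = dict(VALID_REQUEST, **{name: value})
            try:
                handler(req)
                outcome["ok"] += 1
            except BadRequest:
                outcome["rejected"] += 1     # the right answer: a 400 to the client
            except Exception:                 # anything else is a bug a client can trigger
                outcome["crashed"] += 1
    return outcome


if __name__ == "__main__":
    print("unvalidated:", probe(items_unvalidated))
    print("validated:  ", probe(items_validated))
```

The probe only varies one parameter at a time, which is enough to find the crashes here; combining it with the pairwise generation described earlier is what finds defects that depend on two bad values arriving together.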
In REST API testing, data formatting refers to the schema that specifies the structure of requests and responses. Since this schema governs the requests and responses of the REST API, it has to be maintained and updated regularly to ensure that newly added parameters are included in it. Automated testing solutions can often parse the API documentation and generate test cases from it. If you test your API continuously and the documentation and implementation somehow get out of sync, this would be easily recognizable.
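As an added illustration of how a test tool can notice that documentation and implementation have drifted apart (example code, not the article's or any product's), the block below compares a constructed fragment shaped like an OpenAPI path item against the parameters a handler actually declares in its signature. The spec fragment, the `get_items` handler, the `ROUTES` table and the type mapping are all assumptions made for the demonstration.

```python
import inspect

# Constructed fragment in the shape of an OpenAPI path item for GET /items.
# A real project would load this from its openapi.yaml or openapi.json.
OPENAPI_SPEC = {
    "/items": {
        "get": {
            "parameters": [
                {"name": "page",  "in": "query", "schema": {"type": "integer"}},
                {"name": "size",  "in": "query", "schema": {"type": "integer"}},
                {"name": "owner", "in": "query", "schema": {"type": "string"}},  # documented, no longer implemented
            ]
        }
    }
}

# Python annotation -> OpenAPI schema type, used for the comparison below.
TYPE_MAP = {int: "integer", str: "string", bool: "boolean", float: "number"}


def get_items(page: int, size: str, sort: str = "asc"):
    """Constructed handler; its signature is the implementation's own record of its parameters.
    'size' is declared str although the spec says integer, and 'sort' is not documented at all."""
    return {"page": page, "size": size, "sort": sort}


# (path, method) -> handler; a real router would supply this table.
ROUTES = {("/items", "get"): get_items}


def implemented_params(handler):
    """Parameter name -> OpenAPI type, read from the handler's annotations."""
    sig = inspect.signature(handler)
    return {name: TYPE_MAP.get(p.annotation, "unknown") for name, p in sig.parameters.items()}


def schema_drift(spec, routes):
    """Compare documented with implemented parameters for every route; one finding per mismatch."""
    findings = []
    for (path, method), handler in routes.items():
        documented = {p["name"]: p["schema"]["type"] for p in spec[path][method]["parameters"]}
        implemented = implemented_params(handler)
        for name in documented.keys() - implemented.keys():
            findings.append((path, method, name, "documented but not implemented"))
        for name in implemented.keys() - documented.keys():
            findings.append((path, method, name, "implemented but undocumented"))
        for name in documented.keys() & implemented.keys():
            if documented[name] != implemented[name]:
                findings.append((path, method, name,
                                 f"type mismatch: spec {documented[name]}, code {implemented[name]}"))
    return sorted(findings)


if __name__ == "__main__":
    for path, method, name, problem in schema_drift(OPENAPI_SPEC, ROUTES):
        print(f"{method.upper()} {path} ?{name}: {problem}")
```

Run as a step of the same pipeline that executes the generated API tests, a non-empty finding list fails the build, so an undocumented parameter (which the generated tests would otherwise never exercise) is caught with the pull request that introduced it.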
When calling an API, a client application sends multiple requests, which must be made in the correct order. If the requests are handled in the wrong order, the program will return an error. An example of this is the error that comes up when an API call to delete an object is made before the call to create it.
Ensuring the correct REST API call sequence is often neglected during REST API testing. Nonetheless, this step is vital for the quality and security of REST APIs, especially in multithreaded programs.
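The added example below (not code from the article or from CI Fuzz) models the delete-before-create case with a constructed in-memory resource API and then shows the fix on the test-generation side: a generator that tracks which ids exist and only emits `get` and `delete` calls for those, so every sequence it produces is callable in order. The `ResourceApi` class, its id scheme and the step format are assumptions made for the demonstration.

```python
import random


class ResourceApi:
    """Constructed in-memory stand-in for a REST resource with create/get/delete.
    Each method returns (status, body), the way an HTTP response would."""

    def __init__(self):
        self._store, self._next_id = {}, 1

    def create(self, body):
        rid = self._next_id
        self._next_id += 1
        self._store[rid] = body
        return 201, {"id": rid, **body}

    def get(self, rid):
        return (200, self._store[rid]) if rid in self._store else (404, {"error": "not found"})

    def delete(self, rid):
        if rid not in self._store:
            return 404, {"error": "not found"}   # the "delete before create" error from the text
        del self._store[rid]
        return 204, {}


def run_sequence(api, steps):
    """Execute (operation, argument) steps in order and collect the status codes.
    For get/delete an argument of None means 'the id returned by the last create'."""
    statuses, last_id = [], None
    for op, arg in steps:
        if op == "create":
            status, body = api.create(arg)
            last_id = body["id"]
        else:
            status, _ = getattr(api, op)(last_id if arg is None else arg)
        statuses.append(status)
    return statuses


def generate_valid_sequence(length, seed=0):
    """Dependency-aware generator: get/delete are only emitted for ids that exist in the
    modelled state, so the sequence never asks the API to act on something not yet created."""
    rng = random.Random(seed)
    live, next_id, steps = set(), 1, []   # mirrors the API's sequential id assignment
    for _ in range(length):
        choices = ["create"] + (["get", "delete"] if live else [])
        op = rng.choice(choices)
        if op == "create":
            steps.append(("create", {"name": f"item-{next_id}"}))
            live.add(next_id)
            next_id += 1
        else:
            rid = rng.choice(sorted(live))
            steps.append((op, rid))
            if op == "delete":
                live.discard(rid)
    return steps


if __name__ == "__main__":
    wrong_order = [("delete", 1), ("create", {"name": "x"})]
    print("wrong order:", run_sequence(ResourceApi(), wrong_order))   # 404 first
    print("generated:  ", run_sequence(ResourceApi(), generate_valid_sequence(8)))
```

A sequence test that reports a 404 on a never-created id is noise; the interesting findings are the non-2xx responses that remain once the generator only produces callable orderings, because those point at real state-handling bugs rather than at the test.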
The initial configuration is the part of automated REST API testing that requires the most manual effort. While it is possible to build a continuous REST API testing cycle with open-source software, experience shows that this is usually very time-consuming. Particularly in large projects, I would advise against DIY automation and opt for something out-of-the-box.
Modern testing platforms, such as CI Fuzz, enable a simplified setup of automated REST API tests. Usually, such platforms provide instructions that guide users all the way from the local installation to the first automated API test. With a little bit of tuning, testing platforms can then continuously test REST APIs with each pull request.
Conventional black-box testing tools can't measure the test coverage during REST API testing, which greatly reduces the value of test reports. White-box testing approaches enable testers to generate inputs that cover large parts of REST APIs, while providing detailed error reports and code-coverage visibility. These reports support developers in planning their testing efforts and enable them to provide documentation to their team.
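To show what coverage visibility adds, here is an added example (not from the article or from any product it mentions) that measures which lines of a constructed handler are executed by two input sets: plausible random values of the kind a black-box tool sends, and boundary values of the kind a white-box tool picks on purpose. The handler, the input sets and the use of `sys.settrace` as a minimal stand-in for a real coverage tool are all assumptions made for the demonstration.

```python
import random
import sys


def search(query: str, limit: int):
    """Constructed handler with several branches that only unusual inputs reach."""
    if limit < 0:
        raise ValueError("limit must not be negative")
    if limit > 1000:
        limit = 1000                     # silently cap oversized limits
    if len(query) > 256:
        raise ValueError("query too long")
    if query == "":
        return {"results": []}
    return {"results": [query] * min(limit, 3)}


def lines_covered(func, inputs):
    """Run func on every input and return the set of its source lines that executed."""
    executed = set()

    def tracer(frame, event, arg):
        if frame.f_code is not func.__code__:
            return None                  # do not trace frames of other functions
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        for args in inputs:
            try:
                func(*args)
            except Exception:
                pass                     # a crash still counts as covered code
    finally:
        sys.settrace(None)
    return executed


def random_inputs(n, seed=0):
    """Black-box style: short lowercase queries and limits between 0 and 100."""
    rng = random.Random(seed)
    letters = "abcdefghijklmnopqrstuvwxyz"
    return [
        ("".join(rng.choice(letters) for _ in range(rng.randint(1, 8))), rng.randint(0, 100))
        for _ in range(n)
    ]


# Constructed boundary inputs: a normal call plus one value per edge-case branch.
EDGE_INPUTS = [("ok", 5), ("", 5), ("x" * 300, 5), ("ok", -1), ("ok", 5000)]


if __name__ == "__main__":
    rand = lines_covered(search, random_inputs(200))
    edge = lines_covered(search, EDGE_INPUTS)
    print(f"random inputs (200 calls): {len(rand)} lines of search() executed")
    print(f"edge inputs   (5 calls):   {len(edge)} lines of search() executed")
    print("lines only the edge inputs reached:", sorted(edge - rand))
```

Two hundred random calls never execute the two error branches or the cap, so a report without coverage would wrongly suggest the handler had been tested thoroughly; the five boundary calls reach every line, and the set difference is exactly the list a developer needs to see which code their inputs missed.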
There are different approaches to test REST APIs. In this excerpt from a recorded live coding session on automated REST API testing, I talk about the tools and techniques that are most commonly used to test REST APIs. Hopefully, this video will help you identify the testing approach that fits your needs best.