API Fuzzing for eCommerce Platforms
In this webinar, Khaled Yakdan will show you how to use feedback-based fuzzing to find vulnerabilities in the backend of your web application.
How to Secure eCommerce Platforms?
The best way to secure any web application, including eCommerce platforms, is to discover and fix bugs as early as possible. In this recorded live coding session, I will demonstrate how to efficiently detect security vulnerabilities within the backend of your web application using modern fuzzing techniques. The bug classes covered include SQL injection, Cross-Site Scripting (XSS), information leakage, and crashes.
In this preview, Khaled explains how software testing can help build trust in eCommerce platforms.
Why Is API Testing So Important?
Application Programming Interfaces (APIs) often mediate sensitive data flows between different modules. That is why testing APIs is essential for securing web services.
REST (Representational State Transfer) is a type of web API. It provides fast and simple communication between RESTful web applications. Even though REST APIs are considered compatible with any protocol or data format, they mostly communicate over HTTP, using JSON, XLT, HTML, XML, or plain text. This flexibility makes REST APIs especially useful for complex services such as e-commerce or IoT.
The Challenges Of API Testing For eCommerce Platforms
Securing APIs is challenging by default because they are highly complex: detecting security bugs in eCommerce platforms manually is like looking for a needle in a haystack. For that reason, many dev teams are adopting automated testing methods.
1. Securing REST API Parameter Combinations
REST APIs are made up of different parameters such as the request method, request URI, and query parameters (see the picture below). These parameters can take innumerable combinations, all of which have to be tested; otherwise, untested combinations can lead to erroneous program states.
2. Validating REST API Parameters
Validating REST API parameters is also extremely challenging. If they are not validated properly, issues such as wrong data types and parameter values outside the predefined range can come up.
3. Maintaining the Data Formatting Schema
The data formatting schema defines how REST APIs handle requests and responses. The challenge here is that whenever new parameters are introduced, they must also be added to the schema.
4. Testing REST API Call Sequences
Testers have to ensure that API calls are made in the right order to prevent errors. In REST APIs this is especially important since they are generally multithreaded.
5. REST API Testing Set-Up
The part that needs the most manual effort is setting up automated testing cycles. Particularly for big projects, enterprise testing platforms will speed up the initial set-up considerably.
6. Error Reporting for REST APIs
Error reporting for REST APIs is another tricky issue, as the number of tested parameter combinations is not fixed. The best approach to monitoring and reporting REST API tests is coverage-guided testing, as it provides meaningful coverage data and error reports.
How to Automate Security Testing for eCommerce Platforms
Due to the complex structure of eCommerce platforms, automated testing is one of the most effective ways to secure your REST APIs. However, not every automated testing approach is equally effective. The easiest way to implement test automation is black-box testing with tools like Burp Suite or OWASP ZAP, possibly complemented with other system tests.
Although these black-box approaches are partly automated, they leave room for improvement, as they require testers to have prior knowledge of the system under test to be effective.
Automated white-box testing is more efficient at detecting buggy REST API requests: it uses information about the source code and automatically excludes irrelevant parameter settings from the corpus. With code-coverage information, it can find crashing REST API requests much faster and more accurately. White-box automation also reports better and provides code-coverage visibility. These strengths are especially useful for securing large eCommerce microservice environments that are connected through APIs.
Fuzz Testing for eCommerce Platforms
The best way to implement automated white-box testing for eCommerce platforms is feedback-based fuzzing. During fuzz testing, instrumentation measures the test progress within individual microservices and APIs. The fuzzer then records which code each test input reached and uses that information to generate further inputs that traverse even more code paths. Because this technology can be integrated into the build system of any project, including eCommerce platforms, it enables developers to continuously test their microservice architectures for security vulnerabilities and stability issues.
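The feedback loop described above, and the parameter-validation failures from challenge 2, reduced to a runnable sketch. This is an added example, not code from the webinar or from Code Intelligence: the order handler is a constructed target with a planted type-confusion defect, and Python's sys.settrace stands in for the compile-time coverage instrumentation a real fuzzer uses. Inputs are kept in the corpus only when they reach lines no earlier input reached; any exception is recorded as a crashing request.

```python
import random
import sys
# Constructed target, not from the page: a minimal order endpoint handler.
def handle_order(req):
    if req.get("method") != "POST":
        return 405
    body = req.get("body", {})
    sku, qty, coupon = body.get("sku"), body.get("qty"), body.get("coupon")
    if not isinstance(sku, str) or not isinstance(qty, int) or qty <= 0:
        return 400  # parameter validation: wrong type or out of range
    # Planted defect: a non-string coupon (list, number, object) raises here.
    if coupon is not None and coupon.upper() == "FREE":
        return 402
    return 200

def run_with_coverage(fn, req):
    """Run fn(req); return (status, executed line numbers, exception)."""
    lines = set()
    def tracer(frame, event, _arg):
        if event == "line" and frame.f_code is fn.__code__:
            lines.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)  # stand-in for compile-time coverage instrumentation
    try:
        return fn(req), lines, None
    except Exception as exc:  # a crash is a finding, not a harness error
        return None, lines, exc
    finally:
        sys.settrace(None)

def mutate(req, rng):
    # Replace one request parameter with a value of a possibly wrong type.
    new = {"method": req["method"], "body": dict(req["body"])}
    key = rng.choice(["method", "sku", "qty", "coupon"])
    pool = ["GET", "POST", "FREE", "", "A1", 0, -1, 1, 7, None, [], {}]
    (new if key == "method" else new["body"])[key] = rng.choice(pool)
    return new

def fuzz(iterations=500, seed=1):
    """Coverage-guided loop: keep inputs reaching new lines, record crashes."""
    rng = random.Random(seed)
    corpus = [{"method": "POST", "body": {"sku": "A1", "qty": 1}}]
    covered, crashes = run_with_coverage(handle_order, corpus[0])[1], []
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        _, lines, exc = run_with_coverage(handle_order, candidate)
        if exc is not None:
            crashes.append((candidate, exc))
        elif not lines <= covered:  # feedback: new coverage keeps the input
            covered |= lines
            corpus.append(candidate)
    return {"corpus": corpus, "crashes": crashes, "covered": covered}
```

Calling fuzz() returns the retained corpus, the crashing requests with their exceptions, and the set of lines reached; every crash here is the AttributeError from the unvalidated coupon parameter.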
See the Process in Action!
I hope this article gives you an idea of how fuzzing can help you secure eCommerce platforms. Nevertheless, the most efficient way to learn is to see the process in action, so I have shared a recording of my webinar with you. Feel free to leave comments and to reach out!