NashTech Blog


In today’s interconnected digital landscape, the significance of securing APIs cannot be overstated. Modern web and mobile applications are built around Representational State Transfer (REST) APIs, which allow for smooth system communication. However, this increased connectivity also exposes APIs to various security threats. Therefore, it’s imperative for developers and testers to implement robust security testing practices to safeguard these APIs from potential vulnerabilities.

Why Is API Security Increasingly Important?

Globally, the number of APIs is expanding quickly; Postman's State of the API report shows continued growth over the previous year (https://www.postman.com/state-of-api/api-global-growth/). API security is increasingly important because APIs are being adopted across more industries and applications. Since APIs are the primary channel of communication between software components and external systems, securing them is essential to protect sensitive data, prevent unauthorized access, and reduce the risk of threats such as data breaches, injection attacks, and API abuse. According to Gartner (cited at https://www.cloudflare.com/en-gb/the-net/api-proliferation/), 90 percent of web applications will expose more attack surface through their APIs than through their UI. With the proliferation of interconnected systems and the growing reliance on third-party integrations, robust API security measures are needed to safeguard digital assets, maintain user trust, and meet regulatory requirements.

Benefits of RESTful API security testing

Testing RESTful APIs confirms that they are secure and behave as intended. It finds and fixes defects early, which makes the APIs more reliable, and it can reveal performance problems so the APIs respond faster and consume fewer resources. Testing also checks that the data an API returns is correct and that it integrates smoothly with other programs. Overall, API testing helps developers ship software that works well and is safe to use.

Security Testing for RESTful APIs Using OWASP Zap and Postman

In API security testing with Postman and OWASP Zap, you leverage Postman to create and execute API requests, while using OWASP Zap to intercept, scan, and analyze the requests and responses for security vulnerabilities. This integrated approach streamlines the testing process and helps ensure the robustness and resilience of API systems against cyber attacks.

The idea is to route the Postman requests through OWASP ZAP so that ZAP can run automated penetration testing against them. (Penetration testing is a security exercise in which a security specialist looks for, and attempts to exploit, weaknesses in a computer system.)

Step 1:

Open OWASP ZAP and go to Tools > Options > Local Proxies, as shown in the following screenshot.

In our case the local proxy listens on port 8081. Remember this number, because we will use it shortly. On your PC the port number may be different.

Step 2:

Open Postman and go to File > Settings > Proxy, as shown in the following screenshot.

Enable “Use custom proxy configuration” and fill in the following values:

  • Proxy Server: localhost
  • Port: 8081 (the port obtained from the OWASP ZAP configuration in step 1)

Step 3:

As shown in the following Postman example, start sending API requests from the selected collection in Postman.

The API calls made in Postman should now appear in the OWASP ZAP Sites list, as shown in the screenshot below.

NOTE: Don’t forget to restore the Postman proxy settings to their previous / default values after you finish.

Step 4:

It is time to start the scan on OWASP ZAP.

Right-click the main site entry, choose “Attack” and then “Active Scan”. In the window that opens, click “Start Scan”.

The scan starts, and you should see findings appear under the “Alerts” section, as in the following screenshot.

On OWASP Zap, you can accomplish more than just an active scan.
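The same flow (route a request through the ZAP proxy, start an active scan, read the Alerts) can also be driven from a script against ZAP's own JSON API, which is useful once the manual Postman run is working. This is an added example, not code from the original post or from the ZAP or Postman projects; it assumes ZAP listens on localhost:8081 as in step 1, that the ZAP API key is exported as ZAP_API_KEY, and uses a placeholder target URL.

```python
import json, os, time, urllib.parse, urllib.request   # stdlib only

ZAP = "http://localhost:8081"                 # ZAP proxy + API port from step 1
API_KEY = os.environ.get("ZAP_API_KEY", "")   # assumption: ZAP API key exported in env
TARGET = "http://api.example.test/v1/users"   # placeholder target, not a real host
RISK_ORDER = ["Informational", "Low", "Medium", "High"]   # ZAP's risk levels, ascending

def zap_api(component, kind, name, **params):
    """Call one ZAP JSON API endpoint, e.g. ascan/action/scan, and decode the reply."""
    params["apikey"] = API_KEY
    url = f"{ZAP}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)

def send_through_zap(url):
    """Step 3 equivalent: send one request via the ZAP proxy so it shows up in Sites."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": ZAP, "https": ZAP}))
    with opener.open(url) as resp:
        return resp.status

def summarize_alerts(alerts_json):
    """Count ZAP alerts per risk level and collect distinct High/Medium alert names."""
    counts = {risk: 0 for risk in RISK_ORDER}
    notable = set()
    for alert in alerts_json.get("alerts", []):
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
        if risk in ("High", "Medium"):
            notable.add(alert["name"])
    return counts, sorted(notable)

def exceeds_threshold(counts, threshold="Medium"):
    """True if any alert sits at or above the given risk level (usable as a CI gate)."""
    return any(counts.get(r, 0) for r in RISK_ORDER[RISK_ORDER.index(threshold):])

def run_scan():
    """Steps 3 and 4 end to end: proxy the request, active-scan it, then pull the alerts."""
    send_through_zap(TARGET)
    scan_id = zap_api("ascan", "action", "scan", url=TARGET, recurse="true")["scan"]
    while int(zap_api("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)
    return summarize_alerts(zap_api("core", "view", "alerts", baseurl=TARGET))

# Constructed sample in the shape core/view/alerts returns, so the summary runs offline.
SAMPLE_ALERTS = {"alerts": [
    {"risk": "High", "name": "SQL Injection", "url": TARGET, "param": "id"},
    {"risk": "Medium", "name": "X-Content-Type-Options Header Missing", "url": TARGET},
    {"risk": "Medium", "name": "X-Content-Type-Options Header Missing", "url": TARGET + "/1"},
    {"risk": "Low", "name": "Cookie Without SameSite Attribute", "url": TARGET},
]}
```

Call `run_scan()` only against a ZAP instance and target you control; `summarize_alerts(SAMPLE_ALERTS)` exercises the reporting part without one.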

Conclusion

In summary, keeping RESTful APIs safe is really important nowadays because there are more and more APIs being used. Testing them with tools like Postman and OWASP Zap helps find and fix any problems early on. By using these tools together, developers can make sure their APIs are strong against cyber threats. This helps protect people’s data, keeps systems working well, and builds trust with users. So, by staying careful and using the right tools, we can keep our APIs safe and reliable for everyone to use.

julikumarinashtech