API Specification Discovery


API specification discovery, in the context of cybersecurity, is the process of locating and analyzing machine-readable descriptions of Application Programming Interfaces (APIs). These descriptions, often in formats such as OpenAPI Specification (OAS) or Swagger, detail how APIs operate.

Here's a detailed breakdown:

  • Finding API Specifications: This involves actively searching for files or resources that describe Application Programming Interfaces (APIs). This can include:

    • Looking for common file names or URLs (e.g., swagger.json, openapi.yaml).

    • Crawling web pages or applications to find links to specification files.

    • Examining code repositories or documentation sources.

  • Identifying Specification Formats: APIs can be described using various formats. Common ones include:

    • OpenAPI Specification (OAS) (formerly Swagger Specification)

    • RAML

    • API Blueprint

  • Parsing and Understanding Specifications: Once found, the specification files are parsed to extract information about the API, such as:

    • Available endpoints (URLs)

    • Supported HTTP methods (e.g., GET, POST)

    • Input parameters and their types

    • Output data structures

    • Authentication and authorization methods

  • Security Relevance: API specification discovery is essential for several security reasons:

    • It helps security professionals understand the API's functionality and potential attack surface.

    • Attackers can use specifications to identify vulnerabilities or ways to exploit the API.

    • It enables automated security testing and analysis of APIs.

API specification discovery is a reconnaissance process focused on obtaining and interpreting API documentation to assess and manage security risks.
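To make the parsing step concrete, here is an added example (not part of the original page and not ThreatNG's own tooling) that reads a constructed OpenAPI 3 document and extracts each operation's method, path, parameters and security schemes, then flags operations that declare no authentication requirement. The API, its paths and the scheme names are invented for illustration.

```python
import json

# Constructed sample OpenAPI 3 document (not from any real API).
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Demo Orders API", "version": "1.0"},
    "servers": [{"url": "https://api.example.com/v1"}],
    "security": [{"bearerAuth": []}],  # document-wide default: bearer token required
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/orders": {
            "get": {"parameters": [{"name": "status", "in": "query", "schema": {"type": "string"}}]},
            "post": {"requestBody": {"required": True}},
        },
        "/orders/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}],
            "delete": {"security": []},  # operation-level override: no auth required
        },
        "/internal/debug": {"get": {"security": []}},
    },
})

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}


def inventory(spec_text):
    """Return one record per operation: method, path, parameters and auth schemes."""
    spec = json.loads(spec_text)
    global_sec = spec.get("security", [])
    records = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level parameters apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip "parameters", "summary" and other non-operation keys
            # An explicit "security": [] on the operation overrides the global default,
            # which is how a spec declares an unauthenticated operation.
            sec = op.get("security", global_sec)
            schemes = sorted({name for req in sec for name in req})
            params = [(p["name"], p["in"], p.get("schema", {}).get("type"))
                      for p in shared + op.get("parameters", [])]
            records.append({"method": method.upper(), "path": path, "params": params, "auth": schemes})
    return records


def unauthenticated(records):
    """Operations that carry no security scheme at all; review these first."""
    return [(r["method"], r["path"]) for r in records if not r["auth"]]


if __name__ == "__main__":
    for rec in inventory(SAMPLE_SPEC):
        print(rec)
    print("no auth:", unauthenticated(inventory(SAMPLE_SPEC)))
```

The same walk works on a YAML specification once it is loaded into a dict (for example with PyYAML's safe_load), since OpenAPI's structure is identical in both serialisations.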

Here's how ThreatNG can aid in API specification discovery:

1. External Discovery

  • ThreatNG's external, unauthenticated discovery is the initial point of entry. It lets ThreatNG broadly identify web assets that may host API specifications. API specifications can be located in various places, and ThreatNG's discovery capabilities increase the likelihood of finding them.

2. External Assessment

  • While ThreatNG doesn't explicitly assess "API specifications," its assessments provide context:

    • Web Application Hijack Susceptibility: If ThreatNG finds that a web application is susceptible to hijacking, that finding matters here, because attackers might use the application's API specification to exploit those weaknesses.

    • Cyber Risk Exposure: By analyzing subdomains and vulnerabilities, ThreatNG helps prioritize which API specifications to review first. For example, specifications for APIs on vulnerable subdomains are more critical.

3. Reporting

  • ThreatNG's reports can present discovered API specifications, their location, and associated risks. This helps security teams understand the organization's API landscape.

4. Continuous Monitoring

  • ThreatNG's continuous monitoring identifies new or changed API specifications, which is essential because APIs and their documentation are constantly evolving.

5. Investigation Modules

  • ThreatNG's investigation modules support API specification discovery.

6. Intelligence Repositories

  • ThreatNG's intelligence repositories provide context. For example, being aware of compromised credentials can help assess the risk of those credentials being used to access APIs documented by discovered specifications.

7. Working with Complementary Solutions

  • ThreatNG can work with other tools:

    • API testing tools: ThreatNG can provide a list of API specifications to API testing tools for automated testing.

    • Vulnerability scanners: ThreatNG can identify APIs described by specifications, which vulnerability scanners can then assess.

8. Examples of ThreatNG Helping

  • ThreatNG identifies an API specification on an unusual URL that security teams had previously missed.

  • ThreatNG finds an older API specification that reveals deprecated and vulnerable API endpoints.

  • ThreatNG's monitoring alerts security to a newly deployed API specification.

9. Examples of ThreatNG Working with Complementary Solutions

  • ThreatNG provides API specifications to an API testing tool, which then automatically generates security test cases.

  • ThreatNG identifies an API with weak authentication using its specification; a vulnerability scanner leverages this information for more in-depth analysis.
