Domain-Associated API Discovery
Domain-associated API discovery, in the context of cybersecurity, is the process of identifying Application Programming Interfaces (APIs) that are related to a specific domain name or organization. This process is crucial for security because APIs often expose sensitive data and functionalities, making them attractive targets for malicious actors.
Here's a breakdown of what this involves:
Identifying Related APIs: This step involves identifying all APIs associated with a target domain. This includes APIs hosted on the main domain, subdomains, or even entirely different domains owned by the same organization.
Mapping API Endpoints: Once the related APIs are identified, the next step is to map all accessible endpoints for each API. An endpoint is a specific URL that the API uses to receive requests and send responses.
Analyzing API Characteristics: After identifying the endpoints, security professionals analyze various characteristics of the APIs, such as:
Authentication and authorization mechanisms
Input and output formats
Data being exchanged (especially sensitive data)
Potential vulnerabilities
Assessing Security Risks: The final step involves evaluating the security risks associated with the discovered APIs. This includes identifying potential vulnerabilities, misconfigurations, and data exposure issues that attackers could exploit.
By performing domain-associated API discovery, organizations can gain a better understanding of their API landscape and proactively address potential security weaknesses.
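As an added illustration (not part of the original page or of ThreatNG's product), the endpoint-mapping and characteristic-analysis steps above can be run against an API description document once one is found on a related host. The OpenAPI document, hostnames and field names below are constructed for the example; the code lists every method/path, resolves whether authentication is required, and flags endpoints that return sensitive fields with no security requirement.

```python
import json

SENSITIVE_FIELDS = {"email", "ssn", "password", "card_number", "token"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}

# Constructed OpenAPI 3 document (made up for this example; not a real service's spec).
SPEC = json.loads("""
{"openapi": "3.0.0", "servers": [{"url": "https://api.example.test/v1"}],
 "security": [{"bearer": []}],
 "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
 "paths": {
  "/users/{id}": {"get": {"responses": {"200": {"content": {"application/json":
      {"schema": {"type": "object", "properties": {"id": {}, "email": {}}}}}}}}},
  "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
  "/internal/export": {"get": {"security": [], "responses": {"200": {"content":
      {"application/json": {"schema": {"type": "object",
       "properties": {"ssn": {}, "card_number": {}}}}}}}}}}}
""")


def response_fields(op):
    """Top-level property names of every JSON response schema in one operation."""
    names = set()
    for resp in op.get("responses", {}).values():
        for media in resp.get("content", {}).values():
            names |= set(media.get("schema", {}).get("properties", {}))
    return names


def map_endpoints(spec):
    """One record per (method, path): full URL, effective auth requirement, sensitive fields."""
    base = spec.get("servers", [{"url": ""}])[0]["url"]
    global_sec = spec.get("security", [])
    records = []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # Operation-level 'security' overrides the global one; an empty list disables auth.
            sec = op.get("security", global_sec)
            records.append({"method": method.upper(), "url": base + path, "auth": bool(sec),
                            "sensitive": sorted(response_fields(op) & SENSITIVE_FIELDS)})
    return records


def risky_endpoints(spec):
    """Endpoints that return sensitive fields without any authentication requirement."""
    return [r for r in map_endpoints(spec) if r["sensitive"] and not r["auth"]]
```

The same inventory records can be diffed between runs so that a newly appearing endpoint, or one whose security requirement was dropped, shows up as a change.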
Here’s how ThreatNG aids in domain-associated API discovery:
1. External Discovery
ThreatNG's ability to perform external, unauthenticated discovery without connectors is fundamental to domain-associated API discovery. It enables the platform to identify APIs across an organization's entire external footprint, including those that might be undocumented or reside on less obvious subdomains.
2. External Assessment
ThreatNG's external assessment capabilities provide valuable context for discovered APIs:
Web Application Hijack Susceptibility: This assessment helps evaluate the risk of attackers compromising web applications, which often include or rely on APIs. For example, ThreatNG can assess if weaknesses in an API's authentication mechanism could lead to a hijack.
Subdomain Takeover Susceptibility: Since APIs can be hosted on various subdomains, ThreatNG's ability to assess subdomain takeover susceptibility is crucial. It can identify subdomains hosting APIs that are vulnerable to takeover, allowing attackers to control the API.
Cyber Risk Exposure: ThreatNG's analysis of parameters such as certificates, subdomain headers, and vulnerabilities helps assess the overall risk associated with discovered APIs. For instance, it can detect APIs with outdated certificates or known vulnerabilities in server software.
Code Secret Exposure: ThreatNG's discovery of exposed code repositories is vital because API keys, credentials, and other sensitive information are often found in code. Finding these secrets is critical in preventing unauthorized API access.
Mobile App Exposure: ThreatNG's evaluation of mobile apps can identify APIs that the apps communicate with and any security issues related to their use of those APIs (e.g., hardcoded keys).
3. Reporting
ThreatNG's reporting capabilities are essential for organizing and presenting the findings of domain-associated API discovery. Reports can highlight the number of APIs discovered, their associated risks, and prioritized recommendations for remediation.
The Knowledgebase embedded in the solution and reports provides risk levels, reasoning, recommendations, and reference links to help organizations understand and address API-related risks.
4. Continuous Monitoring
ThreatNG's continuous monitoring of the external attack surface ensures that any new or changed APIs are promptly discovered and assessed. This is crucial in the dynamic landscape of web applications and APIs.
5. Investigation Modules
ThreatNG's investigation modules offer in-depth analysis capabilities:
Domain Intelligence: This module provides crucial insights for discovering domain-associated APIs.
Domain Overview: Reveals related SwaggerHub instances, which provide interactive API documentation.
DNS Intelligence: Helps identify subdomains and other domain-related information that may lead to the discovery of APIs.
Subdomain Intelligence: Can identify API endpoints, server technologies, and potential vulnerabilities.
Sensitive Code Exposure: This module identifies secrets in code repositories, which is crucial for discovering API keys and credentials.
Mobile Application Discovery: This module helps identify APIs used by mobile apps by analyzing them for sensitive data.
Search Engine Exploitation: This module can help discover API endpoints or documentation that may be exposed to search engines.
Cloud and SaaS Exposure: This module identifies cloud services and SaaS solutions used by the organization, which often involve APIs.
Archived Web Pages: This module can find older versions of APIs or API documentation that may contain sensitive information or vulnerabilities.
6. Intelligence Repositories
ThreatNG's intelligence repositories provide valuable context for API discovery:
Compromised credentials: credentials found in breach data can be used to gain unauthorized access to APIs.
Known vulnerabilities: published vulnerabilities can be exploited in APIs and the server software behind them.
Mobile app indicators: findings from mobile apps can reveal sensitive information about the APIs those apps use.
7. Working with Complementary Solutions
While the document doesn't detail specific integrations, ThreatNG's capabilities suggest it can enhance other security tools:
Vulnerability scanners: ThreatNG can provide a list of API endpoints for vulnerability scanners to assess.
API gateways: ThreatNG can help identify misconfigurations or vulnerabilities in API gateway setups.
SIEM systems: ThreatNG's findings can be integrated into SIEMs for broader security monitoring and correlation.
8. Examples of ThreatNG Helping
ThreatNG discovers an undocumented API on a subdomain that is transmitting sensitive customer data without encryption.
ThreatNG identifies API keys hardcoded in a mobile app, preventing a potential data breach.
ThreatNG detects an older version of an API still running, which contains a known vulnerability.
9. Examples of ThreatNG Working with Complementary Solutions
ThreatNG discovers a list of API endpoints, which it provides to a vulnerability scanner for in-depth testing.
ThreatNG detects unusual traffic patterns to an API and sends an alert to a SIEM system, which correlates it with other network activity.
In conclusion, ThreatNG provides a robust platform for domain-associated API discovery, offering a wide range of capabilities to identify, assess, and manage API-related security risks.