External API Surface Mapping
External API Surface Mapping in cybersecurity is a crucial practice for understanding and mitigating potential risks associated with your organization's publicly accessible Application Programming Interfaces (APIs).
What is an API Surface?
Before we define the mapping, let's clarify what an API surface is. In essence, the API surface represents the total collection of publicly exposed endpoints, functionalities, and data structures that an API offers. Think of it as the "face" your API presents to the outside world. This includes:
Endpoints: The specific URLs or entry points that external clients can interact with (e.g., /users, /products, /orders).
Operations: The actions that can be performed at each endpoint (e.g., GET, POST, PUT, DELETE).
Parameters: The input data that the API expects for each operation (e.g., request body, query parameters, headers).
Responses: The data structures and formats that the API returns.
Authentication and Authorization Mechanisms: How external clients prove their identity and gain access to specific resources.
Defining External API Surface Mapping
External API Surface Mapping is the process of systematically identifying, documenting, and analyzing all the publicly accessible components of an organization's APIs. It involves creating a comprehensive inventory of every external-facing endpoint, the operations it supports, the data it exchanges, and the security controls governing its access.
Why is External API Surface Mapping Important for Cybersecurity?
Understanding your external API surface is fundamental for a robust cybersecurity posture for several critical reasons:
Attack Surface Reduction: Having a clear map of your external APIs provides visibility into potential entry points for attackers. This allows you to proactively identify and minimize unnecessary or overly permissive endpoints, thereby reducing your overall attack surface.
Vulnerability Management: APIs, like any software, can have vulnerabilities. Knowing your external API surface enables you to focus your vulnerability scanning and penetration testing efforts on the exposed components that are most likely to be targeted.
Misconfiguration Detection: Mapping helps identify misconfigurations in API security controls, such as overly permissive CORS policies, weak authentication schemes, or inadequate input validation. Attackers can exploit these misconfigurations.
Data Leakage Prevention: Understanding the data exchanged through your APIs is crucial for preventing sensitive information from being unintentionally exposed. Mapping helps identify which endpoints handle sensitive data, allowing you to implement appropriate data protection measures.
Compliance and Governance: Many regulatory frameworks require organizations to have a clear understanding of their data flows and security controls. API surface mapping helps meet these compliance requirements by providing a documented inventory of external-facing interfaces.
Incident Response: In the event of a security incident involving an API, a detailed surface map can significantly expedite the investigation and containment process by providing a clear understanding of the affected components.
Shadow API Detection: Mapping efforts can uncover "shadow APIs" – undocumented or forgotten APIs that may have been deployed without proper security oversight. These can represent significant security risks.
The Process of External API Surface Mapping
The process typically involves several steps:
Discovery: Identifying all publicly accessible API endpoints. This can involve:
Analyzing API gateways and load balancer configurations.
Reviewing documentation (Swagger/OpenAPI specifications, developer portals).
Conducting network scanning and reconnaissance.
Analyzing web application traffic.
Documentation: Creating a detailed inventory of each identified API component, including:
Endpoint URLs.
Supported HTTP methods (GET, POST, PUT, DELETE, etc.).
Request parameters (types, formats, validation rules).
Request and response body structures (data formats like JSON, XML).
Authentication and authorization mechanisms in use (e.g., OAuth 2.0, API keys).
Rate limiting and throttling policies.
Error handling mechanisms.
Analysis: Evaluating the security posture of the identified API surface, including:
Identifying potential vulnerabilities based on known API security risks (e.g., OWASP API Security Top 10).
Assessing the strength of authentication and authorization controls.
Evaluating input validation and output encoding practices.
Analyzing the sensitivity of the data being exchanged.
Reviewing CORS policies and other security headers.
Maintenance: API surfaces are dynamic and evolve over time as new features are added or changes are made. Therefore, the mapping process needs to be continuous and integrated into the software development lifecycle (SDLC) to ensure it remains accurate and up-to-date.
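As an added example that is not part of the original page, the Documentation and Analysis steps above applied to a small, constructed OpenAPI 3 document: the inventory records each endpoint's method, authentication scheme and exchanged fields, and the analysis flags endpoints with no authentication requirement or that handle sensitive data. The specification, paths and field names are hypothetical.

```python
# Added example, not part of the original page: build an inventory from an
# OpenAPI 3 document (the Documentation step) and flag what the Analysis step
# would single out. SAMPLE_SPEC is a constructed, hypothetical specification.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"},
        "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    "security": [{"bearer": []}],  # document-wide default requirement
    "paths": {
        "/users": {"get": {"parameters": [{"name": "email", "in": "query"}],
                           "security": [{"apiKey": []}]}},
        "/orders": {"post": {"requestBody": {"content": {"application/json": {
            "schema": {"properties": {"card_number": {}, "qty": {}}}}}}}},
        "/health": {"get": {"security": []}},  # explicitly open endpoint
    },
}
SENSITIVE = {"email", "password", "ssn", "card_number", "token"}
METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

def map_surface(spec):
    """Return one inventory record per (path, method) pair."""
    default_sec = spec.get("security", [])
    records = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method not in METHODS:  # skip path-level 'parameters', 'summary', etc.
                continue
            # Operation-level 'security' overrides the document default;
            # an explicit empty list means the endpoint is deliberately open.
            sec = op.get("security", default_sec)
            schemes = sorted(name for req in sec for name in req)
            params = [p["name"] for p in op.get("parameters", [])]
            body = op.get("requestBody", {}).get("content", {})
            fields = [f for media in body.values()
                      for f in media.get("schema", {}).get("properties", {})]
            records.append({"path": path, "method": method.upper(),
                            "auth": schemes, "params": params, "body": fields})
    return records

def analyze(records):
    """Flag endpoints with no auth requirement or that handle sensitive fields."""
    findings = []
    for r in records:
        if not r["auth"]:
            findings.append((r["method"], r["path"], "no authentication requirement"))
        hits = SENSITIVE & set(r["params"] + r["body"])
        if hits:
            findings.append((r["method"], r["path"],
                             "handles sensitive fields: " + ", ".join(sorted(hits))))
    return findings
```

Running `analyze(map_surface(SAMPLE_SPEC))` flags GET /users and POST /orders for sensitive fields and GET /health for having no authentication requirement; feeding a real specification exported from your gateway or developer portal into `map_surface` gives the starting inventory for the Maintenance step.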
Tools and Techniques for API Surface Mapping
Organizations can use a variety of tools and techniques for external API surface mapping, including:
API Gateways and Management Platforms: Often provide features for documenting and managing APIs.
API Documentation Tools: Like Swagger UI and ReDoc, which render OpenAPI specifications.
Network Scanners: Can identify open ports and services, potentially revealing API endpoints.
Web Application Scanners: Specifically designed to identify vulnerabilities in web applications and APIs.
Traffic Analysis Tools: Can capture and analyze API traffic to understand exposed endpoints and data flows.
Manual Review: Human expertise is crucial for understanding the business logic and potential security implications of API interactions.
External API Surface Mapping is not just about creating a list of endpoints; it's a fundamental cybersecurity practice that provides critical visibility into an organization's external-facing digital assets. By understanding and continuously monitoring their API surface, organizations can proactively identify and mitigate security risks, protect sensitive data, and maintain a stronger overall security posture in an increasingly API-driven world.
Here's how ThreatNG can help with external API surface mapping:
ThreatNG's ability to perform external, unauthenticated discovery is the foundation of its API surface mapping capability. It allows the platform to identify all publicly accessible APIs across an organization's digital footprint, without needing any internal connections. This is critical because APIs can be located on various subdomains, cloud services, and even shadow IT systems.
ThreatNG's external assessment capabilities provide crucial context for understanding the security risks associated with discovered APIs:
Web Application Hijack Susceptibility: ThreatNG analyzes externally accessible parts of web applications to identify potential entry points for attackers. Since APIs are often integral to web applications, this assessment can reveal vulnerabilities in API authentication or authorization mechanisms. For example, ThreatNG might identify an API endpoint that lacks proper input validation, making it susceptible to injection attacks.
Subdomain Takeover Susceptibility: ThreatNG assesses the risk of subdomains being compromised by attackers. Because APIs are frequently hosted on subdomains, this assessment is vital. For instance, ThreatNG can detect if an API is hosted on a subdomain with outdated DNS records, which could allow an attacker to redirect traffic to a malicious server.
Cyber Risk Exposure: ThreatNG assesses cyber risk by considering factors like certificates, subdomain headers, vulnerabilities, and exposed ports. This is directly applicable to APIs, as ThreatNG can identify risks such as APIs using expired SSL certificates or running on servers with known vulnerabilities.
Code Secret Exposure: ThreatNG discovers code repositories and analyzes their contents for sensitive data, including API keys and credentials. This is crucial because exposed API keys can allow unauthorized access to APIs. For example, ThreatNG can detect API keys stored in public GitHub repositories.
Mobile App Exposure: ThreatNG evaluates the security of mobile apps, which often interact with APIs. This assessment can identify vulnerabilities in how mobile apps utilize APIs, such as the use of hardcoded API keys or insecure data transmission.
Reporting
ThreatNG provides various reports, including technical and prioritized reports, that can detail the discovered API surface and its associated security risks. These reports help organizations understand their API footprint and prioritize remediation efforts.
The platform's Knowledgebase provides context and recommendations for identified risks, helping teams understand and mitigate API-related vulnerabilities.
ThreatNG continuously monitors the external attack surface, ensuring that any changes to the API surface, such as the addition of new APIs or modifications to existing ones, are promptly detected. This is essential for maintaining an accurate and up-to-date API inventory.
ThreatNG's investigation modules offer detailed insights into the discovered API surface:
Domain Overview: This module can provide information on related SwaggerHub instances, which often contain API documentation and specifications. This helps security professionals understand the functionality and structure of APIs.
Subdomain Intelligence: This module identifies subdomains hosting APIs and extracts information about API endpoints, server technologies, and potential vulnerabilities.
Sensitive Code Exposure: This module identifies secrets in code repositories, which is crucial for discovering API keys, credentials, and other sensitive information that could be exploited to compromise APIs.
Mobile Application Discovery: This module identifies mobile apps and analyzes their content, which can reveal the APIs used by the apps and any security vulnerabilities in their API interactions.
Search Engine Exploitation: This module can help identify API endpoints or documentation exposed to search engines, potentially revealing sensitive information or vulnerabilities.
Cloud and SaaS Exposure: This module identifies cloud services and SaaS applications used by the organization, which often involve APIs.
Archived Web Pages: This module can discover older versions of web pages and files, which might contain outdated or vulnerable API documentation or endpoints.
ThreatNG's intelligence repositories provide valuable context for API surface mapping:
Compromised Credentials: stolen credentials can be used to gain unauthorized access to APIs.
Known Vulnerabilities: known vulnerabilities in API components can be exploited by attackers.
Mobile App Indicators: indicators extracted from mobile apps can reveal sensitive information about the APIs those apps use.
Working with Complementary Solutions
While specific integrations are not detailed here, ThreatNG's capabilities allow it to work with other security tools:
Vulnerability scanners: ThreatNG can provide a list of API endpoints to vulnerability scanners for detailed security testing.
API gateways: ThreatNG can help identify misconfigurations or vulnerabilities in API gateway configurations.
SIEM systems: ThreatNG can feed API security findings into SIEM systems for centralized security monitoring and analysis.
Examples of ThreatNG Helping
ThreatNG discovers an undocumented API that lacks proper authentication, posing a significant security risk.
ThreatNG identifies API keys exposed in a public code repository, preventing potential unauthorized access.
ThreatNG's continuous monitoring detects a new API endpoint being deployed without security review.
Examples of ThreatNG Working with Complementary Solutions
ThreatNG provides a list of discovered API endpoints to a vulnerability scanner, which then performs automated security testing.
ThreatNG detects unusual traffic patterns to an API endpoint and sends an alert to a Security Information and Event Management (SIEM) system, which correlates it with other security events to identify potential attacks.
ThreatNG provides a comprehensive platform for mapping external API surfaces, offering the necessary capabilities for discovery, assessment, reporting, monitoring, and investigation to manage API security risks effectively.