Top 10 Best Tips for API Testing (API Testing Tips)

As Microservices and APIs become more prevalent in modern software development, testing and validating these APIs is increasingly important to ensure the quality of your software.

Testing APIs and microservices offers a host of benefits. First, it allows you to test end-to-end behavior easily, without having to invest in writing and maintaining UI-based tests, by mimicking the API calls clients would generate. This makes for stable, easy-to-write tests and can help identify exactly where in your system problems originate. API tests can also be run as monitors, allowing you to identify outages and performance degradations before your users do! However, unlike more established classes of tests such as end-to-end testing and unit testing, API testing is a newer field for many engineering teams. To that end, this article will help you get started with testing your APIs.

API Security Weekly: Issue #107

This week, we check out three API vulnerability reports for Waze, Amazon Web Services (AWS), and the UK NHS COVID-19 app. In addition, the new Forrester study of the technologies constituting application security as of Q4 2020 has been published.

Vulnerability: Waze

Remember the fun “other cars” icons that Waze, Google’s social GPS navigation app that provides travel times and route details sourced from other users, shows on its maps? Peter Gasper decided to have a look at the API behind them and found that some sensitive data was exposed there.

Summiting the Developer Pyramid: Turning Builders Into Advocates

When many set out to build a developer program, they think first and foremost of the benefits that come from having developers actively participating in their community: supporting other developers in your forums, writing blog articles, hosting meetups and hackathons, helping with documentation, and contributing to open-source projects. The developers who grow into these roles are your advocates, and they bring to your developer program what we all hope to achieve: scale.

A common miscalculation is the assumption that these outcomes will happen naturally. While some products and platforms are better situated to achieve these outcomes organically, the vast majority of platforms need to be much more intentional and conscientious in building their advocacy engine.

API Security Weekly: Issue #102

This week, we look into the recent API vulnerabilities at Facebook and in the campaign apps for the US presidential election, a new book on the OpenAPI Specification (OAS), and a guest post by API security trainer Mohammed Aldoub on how to build APIs that are easy to defend against attackers.

Vulnerability: Facebook

Marcos Ferreira found a Broken Object-Level Authorization (BOLA/IDOR) vulnerability in Facebook’s GraphQL API. The vulnerability allowed anyone to change the URL of a Facebook Page (so not your Facebook profile or user account), and then take over the old URL.

Treat APIs as a Product, or The Sun Is Not the Centre of Your Solar System


I recently stumbled across the above beautiful animation of celestial mechanics by Malin Christersson. On the left-hand side, you see how simple and elegant it is to plot celestial mechanics when you assume that all the planets in our solar system orbit the sun. On the right-hand side, you see the resulting chaos if you assume Earth is at the center.

If you fail to treat your APIs as products, you will end up with the chaos and disarray seen in the geocentric view of the solar system. Unfortunately, APIs are often relegated to middleware or plumbing. As such, they can be perceived as a cost or liability to an organization rather than direct value to the business. In this scenario, APIs are often one-offs, resulting in chaos and a high cost of ownership because of the difficulty of untangling the knots that multiple one-offs create. However, change the perspective and treat APIs and integrations as a product, and instead of chaos you will end up with a beautiful heliocentric solar system of APIs.

API Security Weekly: Issue #98

This week, we take a look at the recently reported API vulnerabilities in the COVID-19 tracing app Aura and in Kubernetes, some API security best practices, and a talk on OWASP API Top 10 from DEF CON 2020.

Vulnerability: Aura COVID-19 Tracing App

Another mandatory COVID-19 tracing app was found to leak personal information and the health status of its users. This time it was Aura, an app that Albion College in Michigan has made mandatory for all students.

What Are Good Traits That Make Great API Product Managers

As more companies realize the benefits of an API-first mindset and of treating their APIs as products, there is a growing need for good API product management practices to make a company’s API strategy a reality. However, API product management is a relatively new field with little established knowledge of what API product management is and what a PM should be doing to ensure their API platform is successful.

Many of the current practices of API product management have carried over from other products and platforms such as web and mobile, but API products have their own unique set of challenges because of the way they are marketed and used by customers. While it would be rare for a consumer mobile app to have detailed developer docs and a developer relations team, these are common at API product-focused companies. A second unique challenge is that APIs are very developer-centric, and API PMs are often engineers themselves. Without good processes in place, this can cause an API or developer program to lose empathy for what its customers actually want. Just because you are an engineer, do not assume your customers will want the same features and use cases that you want.

4 Problems with Screen Scraping An API-First Approach Solves

What Is Screen Scraping?

Screen scraping is what a developer might do to get access to information that is usually only shared via a webpage. Scraping the screen means programmatically taking what the user would normally see on screen, so that the developer can access the data outside of the "application" (web page or web app) in which it is presented.

The screen scraper uses code to access a webpage in the same way a user would. The code pretends to be a user in a browser, intercepts the stream of bits and, instead of displaying them in a browser, analyzes them to extract the desired information from the page.

API Security Weekly: Issue #94

This week, we have a potential username exposure in WordPress APIs, an upcoming API security training at the Black Hat USA 2020 conference, and some industry statistics on the poor security performance of web application firewalls (WAFs) and the importance of API security.

Vulnerability: WordPress

If you use WordPress, check if the REST API endpoint of WordPress is openly sharing usernames at your_domain/wp-json/wp/v2/users.

API Security Weekly: Issue #92

This week, Pen Test Partners take a deep dive into why API vulnerabilities are so common in cheaper smart tracker devices, and we also look at a vulnerability in TP-LINK’s Kasa cameras. On the sunny side of the street, we have helpful simulators for working through the different OAuth2 and OpenID Connect (OIDC) flows, and another upcoming webinar on API security.

Vulnerability: SETracker and Smartwatches for Dementia Patients

This is one of those API vulnerabilities that can have life-or-death consequences: Pen Test Partners found serious API vulnerabilities in SETracker, a backend service behind kids’ smartwatches, car trackers, dementia patients’ devices, to name but a few.

5 Factors to Consider Before Choosing an API Management Platform

The remarkable growth of the API (Application Programming Interface) economy has resulted in a corresponding rise in the need for API management platforms.

These solutions assist in creating, implementing, monitoring, analyzing, securing, and managing APIs — throughout their entire lifecycle.

API Security Weekly: Issue #90

This week, we take a look at how the Twitter API erroneously allowed browsers to cache sensitive data, and how skimmers have found a way to use Google Analytics APIs to get their hands on credit card data. Plus, there is a live demo of API hacking, as well as a new book on API security.

Vulnerability: Twitter

HTTP headers can play an important role in API security, as the case of the Twitter API shows. The header cache-control:no-store had not been set on the API, which meant that the data this API returned to the web page was stored in the browser cache.

API Security Weekly: Issue #88

This week, we take a break from vulnerabilities and direct our gaze to the wider landscape of API security.

On the practical side, we have a toolkit for JSON Web Token (JWT) security. The more high-level items include a video on API discovery, an eBook on API security, and a discussion on the role of the OpenAPI standard in API security.

API Security Weekly: Issue #87

Vulnerability: Digilocker

A critical API vulnerability in India’s digital wallet system, Digilocker, exposed personal documents of more than 38 million citizens. This app lets you store your key documents, such as driver’s license and national identity card, in digital format instead of carrying the physical documents with you. Ashish Gahlot and Mohesh Mohan have both reported this issue independently of one another.

Both the mobile app and the web app of Digilocker use APIs to communicate with the backend. As often happens with REST APIs, a vulnerability can be found by invoking the calls in a different sequence than the intended one.

API Security Weekly: Issue #82

Opinion: The 5 Most Common Vulnerabilities in GraphQL

Although the adoption of GraphQL is still fairly limited, it is undeniably on the rise. GraphQL differs from traditional REST APIs: it is effectively a data query and manipulation language for APIs. When not done right, GraphQL APIs can vastly expand the attack surface for data and lead to excessive data exposure.

Carve Systems have published a blog post that summarizes the security issues they see in GraphQL implementations. According to them, the most common GraphQL security vulnerabilities are:

What Does API Monitoring Mean for API Product Managers and Growth Teams

Today, countless engineering teams have leveraged API monitoring to track infrastructure health and report when services are down or unhealthy. There are a variety of API metrics that can be tracked that are aligned with engineering goals, such as uptime, average latency, requests per minute, and errors per minute.

However, these metrics are not aligned with the business goals of product owners and growth teams. This article goes through how to leverage API monitoring tools to further your business growth and product roadmap.