Did you know you could use OpenAPI for security?

nathan20

Nathan

Posted on October 9, 2022

Did you know you could use OpenAPI for security?

What is openapi?

Openapi is a set of tools and standards for creating, managing, and securing APIs. It includes a specification for describing APIs, a runtime for executing APIs, and a set of tools for managing APIs.
The goal of the OpenAPI Initiative is to standardize how APIs are described and to make it easier for developers to create, use, and manage APIs.

API supports, the parameters that each operation requires, the data types that are used by the API, and other information. I already wrote an article about it, you can check it before continue to read.

How can openapi be used for security?

OpenAPI can be used to secure access to APIs by requiring authentication and authorization for all API calls.
OpenAPI can also be used to validate input and output data, ensuring that data is valid and properly formatted. By using OpenAPI, developers can be sure that their APIs are secure and reliable.
I want to talk about these two type of vulnerabilities.

Lack of Authentication.

API often suffer of authentication problem.
For example in this bug report .
A user has the possibility to get Admin permission with a simple endpoint that used to reset password.

Image description

So how we can avoid this type of Vulnerability?

Using an Specification can help to have more structure about your permissions level.

In this example the security definition which apply to this endpoint API operations is "pestore_auth" which include "write and read".
We can see, each operation has a scope of defined permissions.
Having a permissions like this type can help to have a better understanding of permissions for an specific operation.

path: "/pet/findByStatus": {
      "get": {
    ....},
        "security": [
          {
            "petstore_auth": [
              "write:pets",
              "read:pets"
            ]
          }
        ]
      },
Enter fullscreen mode Exit fullscreen mode

Insecure Direct Object Reference (IDOR).

Another important common vulnerability occurs when unvalidated user input can be used for unauthorized access to resources or operations.
In this bug report the researcher succeed to delete images from others by simply changing id of the image.

Here we are facing an coding error, the lack of verification from the back-end leads to a high vulnerability.

Back-end be like:
Image description

Using OAS here won't necessarily solve the problem, but can detect the problem more easily and earlier (I will explain in the next section).

What are the benefits of using openapi for security?

OpenAPI is a great tool for security because it allows you to easily and quickly understand your API. This makes it easy for Pentester to understand what your API does and how they can exploit it.
Additionally OpenAPI is a great tool for automation not only to generate code but also to automated your security testing.

Using API security tool like Cherrrybomb in earlier stage of development helps you to detect vulnerabilities before the production!

If you're looking for a new way to understand and manage your API, consider using OpenAPI, and if you want to secure it consider using CherryBomb to automate your security test.
Managing and Testing it's the key,now your can keep your API safe :)

Star our Github repo and join the discussion in our Discord channel!
Test your API for free now at BLST!

💖 💪 🙅 🚩
nathan20
Nathan

Posted on October 9, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related