Penetration Testing in the times of APIs and Microservices

07 May, 2019


In an ever-evolving cyberspace, the sources of threats cannot be narrowed down to a fixed set. Most of the security incidents we see these days are data breaches or denial-of-service attacks, and when it comes to responding appropriately, a wide array of actions needs to be taken in order to achieve the highest level of security possible. This article throws light on various aspects that play an important role in the security 

What are Microservices? 

Microservices, or the microservice architecture, is an architectural style that structures an application as a collection of services which are loosely coupled, independently deployed, high-maintenance, and organized around business capabilities.

Figure: Microservices Architecture

Where are microservices used? 

Microservices are used in business environments that involve many interactions at the same time. The important point is that each independent service has a business boundary within which it can be independently developed, tested, deployed, monitored, and scaled. Each service can even be developed in a different programming language. 

More or less, penetration testing of microservices is the same as penetration testing of web applications. The idea is to test for multiple flaws in the system or application. To start with, user-supplied input is tested. The most likely attack or vulnerability is A1: Injection (SQL, command, client-side code, etc.). Then the testing process moves on to logical security vulnerabilities such as authentication, password reset functionality, new user account registration, etc. 

Tools involved 

Hoverfly

Hoverfly is a tool for testing APIs. It allows you to run automated tests independently of other microservices. It is platform-independent and runs on Windows, Mac or Linux. 

Ambassador

Ambassador is an API gateway built on Lyft’s Envoy proxy and communication bus, which allows microservices to register their public API endpoints easily. Once you put microservices in the production environment, you can easily understand their behaviour: Envoy provides a variety of ways to gather traffic statistics and monitor messages. 

Telepresence 

Telepresence allows you to replace the code running in a staging Kubernetes or OpenShift cluster with the application running on your own machine. This means that you can manually test your code in a realistic environment, or step through it with a debugger while reproducing a problem in a real environment.

What is API?

API stands for Application Programming Interface. It allows communication and data exchange between two separate software systems. A software system implementing an API exposes functions or sub-routines which can be executed by another software system. 

Where are they used?

Web APIs define a set of rules for interacting with a web server, for example a Salesforce server. The most common use of an API is data retrieval. Because Web APIs are built around the HTTP protocol, nearly any programming language can be used to access them, such as Python, R, Java, JavaScript and Ruby; SQL is the exception, as it has no HTTP libraries. 

Penetration testing & APIs

Just like penetration testing of microservices, API penetration testing is quite like web application penetration testing. We follow the same approach in API penetration testing; however, the types of attacks carried out are a bit different, although most web application flaws fit in very easily. Standard vulnerabilities such as the OWASP Top 10 must be checked. 
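The first step described above for both microservices and APIs is testing user-supplied input for A1: Injection. The following added example (not part of the original article, nor code from any tool it names) models a toy user-lookup microservice endpoint two ways, once with string-formatted SQL and once with a parameterised query, and applies the tester's oracle: a lookup for a name that does not exist must return no rows. The table, rows and probe value are constructed for the example.

```python
import sqlite3

# Constructed sample data for a toy "users" microservice (not from the article).
USERS = [("alice", "alice@example.test", "user"),
         ("bob", "bob@example.test", "admin")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, request):
    """GET /users?name=<x> built by string formatting: the A1 injection flaw."""
    sql = "SELECT name, email, role FROM users WHERE name = '%s'" % request["name"]
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, request):
    """Same endpoint with a parameterised query: input never becomes SQL."""
    sql = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(sql, (request["name"],)).fetchall()


def leaks_extra_rows(handler, conn, probe):
    """Pen-test oracle: a lookup for a non-existent name must return nothing.
    Returns True if the handler hands back rows it should not."""
    try:
        rows = handler(conn, {"name": probe})
    except sqlite3.Error:
        return False  # an error is noisy, but no data has leaked
    return len(rows) > 0


def run_checks():
    """Run the oracle against both handlers with one constructed probe value."""
    conn = make_db()
    probe = "nobody' OR '1'='1"  # constructed: unknown name with a tautology appended
    return {
        "vulnerable": leaks_extra_rows(lookup_vulnerable, conn, probe),
        "hardened": leaks_extra_rows(lookup_hardened, conn, probe),
    }


if __name__ == "__main__":
    print(run_checks())  # {'vulnerable': True, 'hardened': False}
```

The same oracle pattern (a request that must legitimately return nothing) extends to the other input-driven checks mentioned in the article, such as password reset and account registration endpoints.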

Tools involved 

Zed Proxy 

Zed Proxy is an open-source tool developed by OWASP. It is used to find security flaws in web applications.

Fiddler

Fiddler is an open source tool which can be used for many purposes, such as web debugging, performance testing, web session alteration and security testing. 

Postman 

Postman is an API development and security testing tool. It is widely used by developers, as it is the only tool which provides complete assistance in developing APIs. 

Microservices & APIs – Similarities & Differences 

Generally, APIs tend to be very large and can perform a lot of different functions. Microservice APIs, by contrast, do just one job, or a small set of closely related autonomous jobs, and work in a quick, easy, and discrete manner—like an individual building block. An API makes microservices easier to manage and allows them to coexist with existing legacy systems. Combining a microservices architecture with a holistic API strategy is a proven way of getting the benefits of microservices while limiting the drawbacks.