Akto Tests: Are your Private APIs vulnerable to the Public?
Akto now lets you conduct API Security testing based on the Access Type of an API Endpoint.
Raaga Srinivas
5 mins
In API security, private APIs are the endpoints that are meant to be used strictly internally, typically by other microservices and internal tools. For example, a /api/v1/send-welcome-email endpoint that sends email notifications to new users might be called only by the registration microservice (register.company.io) after a successful sign-up.
Private APIs are NOT to be exposed to public networks.
As a developer, how do you ensure this API is not accessible to the public and is not revealing sensitive information?
For this, Akto has added a new test and a filter that let you run API security tests based on the 'access type' of an API.
What are Access Types?
In Akto, an API's access type describes who can reach the endpoint over the network: anyone on the internet, only your internal services, or a small set of partner IPs. Akto tags each endpoint as public, private (or internal), or partner so that the inventory reflects how each API is meant to be exposed.
Public APIs: API endpoints that are exposed to the public network.
Private APIs: As mentioned earlier, these are API endpoints that are used strictly internally and are NOT exposed to public networks.
Partner APIs: API endpoints that can be reached from IP addresses outside your VPC, but only from a small, allow-listed set of partner IPs.
Check out our documentation on configuring these access types with Akto.
Now that you know the different access types of your APIs, you can conduct API security testing to check what vulnerabilities are revealed to users with different permissions. Let’s dig into how to do this with Akto.
Testing for Access Type vulnerabilities with Akto
There are two ways to check your APIs for 'access type' based vulnerabilities on Akto:
Use the built-in template: Improper Inventory Management Test (identifying publicly accessible APIs in a private environment)
Write a custom test with the 'access type' filter
Akto’s Template for identifying Publicly Accessible APIs in a private environment
Akto provides a built-in, customizable YAML test template from our Test Library to identify which of your private APIs are accessible to the public and reveal sensitive data.
Here is how you can conduct this test on Akto’s Test Editor:
Write a custom test with the 'Access Type' filter
Akto also allows you to write your own tests. You can either edit one of the existing templates or write one from scratch.
To check for 'access type' based issues in your APIs, add the following filter to the API selection filters of your test:
```yaml
api_access_type:
  eq: private
```
To test your partner APIs instead, replace private with partner. Public endpoints are then excluded from the run, so every finding concerns an endpoint that was never supposed to answer from that network.
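The procedure above (select endpoints by access type, then see which of them answer from outside and what they hand back) as an added, stand-alone Python example. This is not Akto's code and does not use Akto's template engine: the inventory, the company.io hosts and the probe results are constructed so it runs offline, and in a real run the PUBLIC_PROBE table would be replaced by an HTTP client executed from a host outside the VPC.

```python
"""Added example (not Akto's code): find private or partner endpoints that
answer from the public internet and flag sensitive-looking fields in the reply.

Mirrors the api_access_type filter: select inventory entries whose access
type equals the one under test, probe each from a public vantage point, and
report any 2xx reply. Inventory, URLs and probe results are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    method: str
    url: str
    access_type: str  # "public", "private" or "partner", as tagged in the inventory


# Constructed inventory; the api.company.io hosts are hypothetical.
INVENTORY = [
    Endpoint("POST", "https://api.company.io/api/v1/send-welcome-email", "private"),
    Endpoint("GET", "https://api.company.io/api/v1/internal/users", "private"),
    Endpoint("GET", "https://api.company.io/api/v1/products", "public"),
    Endpoint("GET", "https://api.company.io/api/v1/partner/orders", "partner"),
]

# Constructed responses as observed from a host outside the VPC. In a real
# run this table is replaced by an HTTP client executed from that host.
PUBLIC_PROBE = {
    ("POST", "https://api.company.io/api/v1/send-welcome-email"):
        (200, '{"status":"sent","to":"alice@example.com","api_key":"sk_live_EXAMPLE"}'),
    ("GET", "https://api.company.io/api/v1/internal/users"):
        (403, '{"error":"forbidden"}'),
    ("GET", "https://api.company.io/api/v1/products"):
        (200, '[{"id":1,"name":"widget"}]'),
    ("GET", "https://api.company.io/api/v1/partner/orders"):
        (200, '{"orders":[],"token":"partner-EXAMPLE"}'),
}

# Crude detectors for data a private endpoint should never hand to the public.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "credential": re.compile(r'"(api_key|secret|token)"\s*:\s*"[^"]+"', re.I),
}


def select_by_access_type(inventory, access_type):
    """Equivalent of the `api_access_type: eq: <type>` filter."""
    return [ep for ep in inventory if ep.access_type == access_type]


def probe_from_public(endpoint, responses):
    """Return (status, body). Status 0 means no answer at all, which is the
    desired outcome for a private endpoint probed from the internet."""
    return responses.get((endpoint.method, endpoint.url), (0, ""))


def sensitive_fields(body):
    """Names of the sensitive patterns that match the response body."""
    return sorted(name for name, pattern in SENSITIVE_PATTERNS.items() if pattern.search(body))


def find_exposed(inventory, responses, access_type="private"):
    """Endpoints tagged `access_type` that return 2xx from the public network."""
    findings = []
    for ep in select_by_access_type(inventory, access_type):
        status, body = probe_from_public(ep, responses)
        if 200 <= status < 300:
            findings.append({
                "method": ep.method,
                "url": ep.url,
                "status": status,
                "sensitive": sensitive_fields(body),
            })
    return findings


if __name__ == "__main__":
    for access_type in ("private", "partner"):
        for f in find_exposed(INVENTORY, PUBLIC_PROBE, access_type):
            print(f"[{access_type}] {f['method']} {f['url']} -> {f['status']} "
                  f"sensitive={f['sensitive'] or 'none'}")
```

Run as-is, the private pass reports only the welcome-email endpoint (the internal users endpoint answers 403 and is not counted), and the partner pass reports the orders endpoint because its body carries a token. Note that a 401 or 403 still proves the endpoint is routable from the internet; a stricter policy would record any non-zero status for a private endpoint, not only 2xx.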
You’re all set!
Final Thoughts
Akto approaches your security team's challenges from a 360-degree view.
Proper inventory management, which means organizing your API inventory with tags and recognizing hidden APIs, is essential to improving your API security testing.
In this case, Akto not only tags your APIs as public, private, or partner, but also lets you test whether they reveal sensitive information based on their access type.
With this part of API security testing automated, your team can focus on the important task of remediating vulnerabilities promptly.
To know more on how Akto proactively conducts API Security Testing, check out these resources: