New Feature: Targeted API Security Testing with Dynamic Wordlists
Akto now uses dynamic wordlists to perform targeted API Security testing that significantly decreases test times and reduces false positives.
Raaga Srinivas
5 mins
What are Dynamic Wordlists?
A dynamic wordlist is a list of candidate inputs that is continuously updated from the APIs under test and used during automated security testing. Entries can include observed or predicted endpoint names, parameter names and values, and attack payloads. Such lists help identify potential security risks in an API and are an important part of maintaining robust API security.
How does Akto use Dynamic Wordlists?
Let’s take an example to understand this.
Say you would like to perform a fuzzing test.
Fuzzing is a software testing technique that feeds a system a large set of generated or predefined inputs (the "fuzz") to find security vulnerabilities. For an API, these inputs can be endpoint paths, parameter names, parameter values, or attack payloads. The aim is to induce errors or unexpected behaviour, which can indicate a security flaw.
When conducting a fuzzing test, Akto would previously use a static wordlist: a predefined set of inputs (endpoints, parameters, payloads) that is the same for every target.
Unlike a dynamic wordlist, a static list does not adapt to the specific APIs under test or to the data they handle, so many of its entries never match the target's own vocabulary. This makes testing less efficient and raises the rate of false positives.
Now, however, Akto uses dynamic wordlists driven by regexes that you can fully customize to the vocabulary of your business. This feature is unique to Akto!
Targeting API Security Testing with Akto
Instead of blindly hitting APIs with hardcoded wordlists, Akto uses a dynamic wordlist to ensure that the words used in tests come from your company's vocabulary. For example, a static list stores the word 'Admin', but your company might call these individuals 'Super Users'. With the regex 'UserID' configured in a dynamic wordlist, Akto automatically identifies the term 'Super User' as a relevant input and uses it in the subsequent tests.
This leads to fewer false positives and decreased testing time as the testing is completely targeted to your business.
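To make the difference between the two approaches concrete, here is an added example (not Akto's code, and not how Akto's Test Editor implements its wordlists): a small Python script that builds a dynamic wordlist by matching parameter names in captured API traffic against a configurable regex, checks how much of a static list versus the dynamic list actually appears in the target's vocabulary, and expands the dynamic list into fuzz requests. The traffic, the regexes in KEY_PATTERNS, the static list and the example.com URLs are all constructed for the illustration; the "Super User" value mirrors the example in the text above.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample traffic (not real captures): three request/response pairs
# from a hypothetical API whose privileged users are called "Super User".
SAMPLE_TRAFFIC = [
    {
        "url": "https://api.example.com/v1/accounts?superUserId=4401&view=full",
        "request_body": "",
        "response_body": '{"superUserId": 4401, "role": "Super User", "tier": "gold"}',
    },
    {
        "url": "https://api.example.com/v1/orders",
        "request_body": '{"customerRef": "C-9921", "items": [{"sku": "A1"}]}',
        "response_body": '{"orderId": 77, "status": "created"}',
    },
    {
        "url": "https://api.example.com/v1/me",
        "request_body": "",
        "response_body": '{"superUserId": 4402, "role": "Super User", "email": "a@example.com"}',
    },
]

# Hypothetical regexes a tester might configure: parameter *names* that look like
# user identifiers or roles. The values stored under those names become the wordlist.
KEY_PATTERNS = [r"(?i)user.?id", r"(?i)^role$"]

# A generic static wordlist of the kind the post contrasts with.
STATIC_WORDLIST = ["admin", "root", "user", "test"]


def _flatten(obj, prefix=""):
    """Yield (dotted.key.path, leaf value) pairs from parsed JSON."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            yield from _flatten(value, path)
    elif isinstance(obj, list):
        for item in obj:
            yield from _flatten(item, prefix)
    else:
        yield prefix, obj


def _pairs(record):
    """Every key/value pair visible in one captured exchange: query string plus JSON bodies."""
    yield from parse_qsl(urlsplit(record["url"]).query)
    for body in (record["request_body"], record["response_body"]):
        if not body:
            continue
        try:
            yield from _flatten(json.loads(body))
        except json.JSONDecodeError:  # non-JSON bodies contribute nothing
            continue


def build_dynamic_wordlist(traffic, key_patterns):
    """Collect the distinct values stored under any key whose leaf name matches a pattern."""
    compiled = [re.compile(p) for p in key_patterns]
    words = set()
    for record in traffic:
        for path, value in _pairs(record):
            leaf = path.rsplit(".", 1)[-1]
            if any(rx.search(leaf) for rx in compiled):
                words.add(str(value))
    return sorted(words)


def observed_vocabulary(traffic):
    """All values seen anywhere in the traffic, lower-cased, for comparing wordlists."""
    return {str(value).lower() for record in traffic for _, value in _pairs(record)}


def in_vocabulary(wordlist, traffic):
    """Which words of a wordlist actually occur in the target's traffic."""
    seen = observed_vocabulary(traffic)
    return [w for w in wordlist if w.lower() in seen]


def generate_fuzz_cases(base_url, param, wordlist):
    """One GET request URL per word, each setting `param` to that word."""
    parts = urlsplit(base_url)
    return [urlunsplit(parts._replace(query=urlencode({param: word}))) for word in wordlist]


if __name__ == "__main__":
    dynamic = build_dynamic_wordlist(SAMPLE_TRAFFIC, KEY_PATTERNS)
    print("dynamic wordlist:", dynamic)
    print("static words seen in traffic:", in_vocabulary(STATIC_WORDLIST, SAMPLE_TRAFFIC))
    print("dynamic words seen in traffic:", in_vocabulary(dynamic, SAMPLE_TRAFFIC))
    for url in generate_fuzz_cases("https://api.example.com/v1/accounts", "role", dynamic):
        print(url)
```

On this constructed traffic the regex for user identifiers picks up `superUserId` and `role`, so the dynamic list becomes the observed values 4401, 4402 and "Super User", every one of which appears in the target's own data, while none of the four generic static words does. Each request the fuzzer sends is therefore one the target can plausibly act on, which is the mechanism behind the shorter test times and fewer false positives described above. Note that a careless regex (for example one that also matches `email`) would pull personal data into the wordlist, so the patterns deserve the same review as any other test configuration.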
Here’s how you use this feature with Akto:
To understand the dynamic wordlist, we'll be exploring Akto's Test Editor, your playground for writing custom API security tests.
You can now assess the results of your tests and accordingly remediate your most pressing vulnerabilities.
Final Thoughts
This feature is unique to Akto's Test Editor, and we're constantly thinking of new ways to improve the API security testing process. To know more, check out our resources: