
Detectify to add an API fuzzer to its crowd-based web vulnerability scanner

source link: https://blog.detectify.com/2021/08/03/detectify-fuzzing-public-facing-apis/

Product Update: Detectify fuzzing engine will cover public-facing APIs

August 3, 2021

Detectify is expanding its web app fuzzing engine to scan public-facing APIs for vulnerabilities. Earlier in the year, we released a new fuzzing engine, and it was developed with API scanning in mind. In Fall 2021, we will roll out open beta testing. You can register for Detectify API fuzzer updates and beta testing program.

We’ve interviewed Fredrik Nordberg Almroth and Tom Hudson, Senior Security Researchers at Detectify, to give us more insights on Detectify’s plans for API scanning with the fuzzing engine.

Content from the video has been edited for this blog post.

What’s the fuzz about APIs?

APIs allow businesses to integrate. Fredrik explains, “You can have many different systems that can talk and interact, and that is how you develop modern web applications and mobile apps. You’re probably developing APIs yourself. We must look at APIs; that’s our natural progression.”

Building single-page applications or mobile apps? Then this is for you!

Modern single-page web applications (SPAs) and native applications running on mobile devices require APIs to function. 

As Tom Hudson, Security Research Tech Lead at Detectify, explains,

“You have the separation between the code that’s running in the web browser or on a mobile device, and the code that’s running on servers. The API is necessary for those two systems to integrate.”

What is Detectify’s approach to API fuzzing?

We understand that every API is different, so it’s challenging to have a standardized approach to security testing on APIs. Our approach? We’re trying to take example usage of our customer’s APIs and modify those requests in a way that allows us to spot unique and previously unknown vulnerabilities.

The research team at Detectify looks at APIs differently from traditional web applications. Fredrik Nordberg Almroth, Sr Security Researcher and Co-founder, says,

“You don’t really have any client-side vulnerabilities, or you shouldn’t have them, in an API. Instead, there will be anomalies in how data is deserialized, and how data is passed between your public-facing API to microservices in your backend.”

Have APIs to secure? Sign up for the newsletter and get updates on Detectify API fuzzer updates and beta testing waitlist.

The fuzzer will focus on server-side vulnerabilities

Almroth states that injection attacks are more prominent in APIs, which is what led the team to conclude that the fuzzer needs to focus on server-side vulnerabilities.

Fredrik says,

“To find server-side vulnerabilities, it’s a pretty tough job. There is a discrepancy between how computers traditionally look for server-side vulnerabilities and how actual penetration tests versus security engineers are finding them.”

The new fuzzer will instrument the API and, from the responses it gets back for each parameter, learn what the endpoint accepts and what it rejects. That feedback is what lets the Detectify scanning engine decide which vulnerability classes to attempt against each parameter.

✨ The beta will scan REST APIs for:

▪️ Remote Code Execution (RCE)
▪️ SQL injection
▪️ Server-Side Request Forgery (SSRF)
▪️ Misconfigurations
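The approach described in this section, replaying recorded example requests with mutated parameters and watching how the backend responds, is shown below as an added example. It is not Detectify's code and says nothing about how the product itself works: the endpoint `/api/v1/reports`, its parameters, the probe payloads, the response signals and the deliberately vulnerable in-process handler that stands in for a real backend are all constructed for this example so it runs offline.

```python
"""Minimal mutation-based API fuzzer (added illustration, not Detectify's engine).

Takes one recorded "example usage" of an endpoint, swaps each body parameter for
class-specific probe payloads, and classifies the responses: a known signal means
a confirmed finding; an unexplained 5xx is recorded as an anomaly for triage.
"""
import copy
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: one recorded request to a hypothetical REST endpoint.
SEED_REQUEST = {
    "method": "POST",
    "path": "/api/v1/reports",
    "body": {"user_id": "42", "format": "pdf", "callback": "https://example.com/hook"},
}

# Illustrative probe payloads per class, and the response signal that confirms a hit.
PAYLOADS = {
    "sqli": ["'", "1 OR 1=1", "' UNION SELECT NULL--"],
    "ssrf": ["http://169.254.169.254/latest/meta-data/", "http://127.0.0.1/"],
    "rce": ["$(id)", "`id`", "; id"],
}
SIGNALS = {
    "sqli": re.compile(r"syntax error|unterminated quoted string", re.I),
    "ssrf": re.compile(r"fetched http://(127\.|169\.254\.|10\.|localhost)", re.I),
    "rce": re.compile(r"uid=\d+\("),
}


@dataclass(frozen=True)
class Finding:
    param: str
    vuln_class: str   # "sqli", "ssrf", "rce" or "anomaly"
    payload: str
    evidence: str


def mutate(seed, param, value):
    """Return a copy of the seed request with one body parameter replaced."""
    req = copy.deepcopy(seed)
    req["body"][param] = value
    return req


def fuzz(seed, send):
    """Mutate every parameter of the seed, send each variant, classify the reply.

    `send` is any callable that takes a request dict and returns
    {"status": int, "body": str}; in a real run it would do HTTP.
    """
    baseline = send(seed)
    findings = []
    for param in seed["body"]:
        for vuln_class, payloads in PAYLOADS.items():
            for payload in payloads:
                resp = send(mutate(seed, param, payload))
                match = SIGNALS[vuln_class].search(resp["body"])
                if match:
                    findings.append(Finding(param, vuln_class, payload, match.group(0)))
                elif resp["status"] >= 500 and baseline["status"] < 500:
                    # Server broke on input it normally handles: unknown cause, triage later.
                    findings.append(Finding(param, "anomaly", payload, f"HTTP {resp['status']}"))
    return findings


def vulnerable_handler(req):
    """Constructed, deliberately vulnerable stand-in for a backend (no network I/O)."""
    body = req["body"]
    # 1. SQL built by string concatenation: an unbalanced quote breaks the statement.
    sql = f"SELECT * FROM reports WHERE user_id = '{body['user_id']}'"
    if sql.count("'") % 2:
        return {"status": 500, "body": "ERROR: unterminated quoted string in SQL"}
    # 2. Callback URL fetched server-side with no allow-list of hosts.
    host = urlparse(str(body["callback"])).hostname or ""
    if host in ("127.0.0.1", "localhost") or host.startswith("169.254."):
        return {"status": 200, "body": f"fetched http://{host}/ (200 bytes)"}
    # 3. Format handed to a shell (simulated): metacharacters run a command.
    if re.search(r"[;`]|\$\(", str(body["format"])):
        return {"status": 200, "body": "uid=0(root) gid=0(root)"}
    if str(body["format"]) not in ("pdf", "csv"):
        return {"status": 500, "body": "internal error"}  # unvalidated input, generic crash
    return {"status": 200, "body": "report queued"}


if __name__ == "__main__":
    for finding in fuzz(SEED_REQUEST, vulnerable_handler):
        print(finding)
```

Against the constructed handler the run confirms SQL injection in `user_id`, SSRF in `callback` and command injection in `format`, and separately lists the generic `HTTP 500` anomalies that the unvalidated `format` parameter produces for payloads from other classes; the distinction between a signal-confirmed finding and a bare server error is the part a triage step has to get right.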

Testing APIs was a natural next move

As Fredrik explains, expanding the fuzzing engine to cover APIs was a natural development: 

“We have already put in a lot of effort into scanning SPAs. It’s a front end that we crawl that, in turn, speaks to APIs in the background. For us to deliver results and find vulnerabilities, we must find vulnerabilities in APIs.” 

The future of Internet Security needs fuzzing

While the research and product development teams have a lot of experience looking for known vulnerabilities and CVEs in software, Tom Hudson says that this expansion to API fuzzing is at the leading edge of application security.

“We know that if we want to drive the future of internet security, fuzzing is our best bet to find vulnerabilities that are previously not known. New and unique vulnerabilities in APIs can’t be found if you don’t know what you’re looking for without fuzzing.”

Be the first to know about Detectify API fuzzer developments

If you’re curious about the Detectify API fuzzer and other developments, sign up for the updates about the beta program and news at www.detectify.com/api.


About Detectify

Detectify is building web app security solutions that are automated and crowd-based. By collaborating with ethical hackers, business critical security research is put into the hands of those who need it most to bring safer web apps to market. Curious to see what we will find in your live web apps? Start a free 2-week trial today and also get updates about the upcoming API fuzz testing.

About the author: Jocelyn Chan

Jocelyn Chan is the Content Manager at Detectify. She is a self-proclaimed hype-girl for automated web security powered by white hat hackers and believes that the future is in the crowd. She also would like to connect more women in tech and security together which is why she is co-leading the Women in Security – Stockholm Chapter. And yes she has seen Hackers, and believes that it's so good because it's so bad.
