Audit API security based on their OpenAPI contract

Just as any security, API security is about layers. While there is no single silver bullet, ensuring proper API design and making its security audit part of your API development process is a huge step that every organization needs to take.

The challenges of API security

API use is on the rise. Akamai estimates that about 83% of web traffic is now API traffic. Web applications, mobile applications, internet of things (IoT), business integration projects – all have APIs enabling them.

The shift to microservices architectures takes API proliferation to the whole next level. Now individual containers and functions are also working with the rest of the system via APIs.

Many APIs start as simply an internal implementation detail. Developers strive to deliver the functionality that the business needs quickly and effectively.

Unfortunately, this means that security takes the back seat either because of:

time pressure
lack of understanding of what is involved in API security
disconnect between developers, operations, and security specialists.

Even though REST APIs are HTTP-based, companies that assume that their WAF (Web Application Firewall) can protect the API traffic are in for surprise. WAF simply has no idea of how to differentiate hacking API calls from legitimate API traffic.

Just read a few recent issues of the weekly API security newsletter and you will find plenty of examples of attackers circumventing APIs by sending unexpected payloads, contacting directly the APIs that were designed for backend use only, and so on.

Common Standard

Luckily for the industry, a common format has emerged that has become a widely adopted way of documenting APIs. Originally called Swagger, in 2016 the specification was renamed to OpenAPI Specification. The project is maintained by the OpenAPI Initiative, a Linux Foundation project with 35 corporate members including Google, Microsoft and many more.

The very existence of common standard with large tooling support is a big deal because it allows developers, operations, and security people across teams speak a common language. Instead of deducting API intent from its behavior or source code, they can use the standard contract.

One of the key functions that the standard contract can enable is API security.

API Contract Security Audit

So you have created your OpenAPI contract and perhaps even started working on its backend implementation. Now is the time to see if the contract itself is following the industry security best practices.

API Contract Security Audit tool at APISecurity.io is a quick free online resource that you have at your disposal.

In this tutorial, we will be using this tool to improve the security of petstore-expanded.json API specification from OpenAPI GitHub examples.

1. On the API Contract Security Audit page, we click the Browse & Upload button and browse to the petstore-expanded.json file.

2. Once the file is processed, the tool displays the report including the overall score and information about the areas covered:

While all the OpenAPI Format Requirements have been met, we can see that the overall score is just 40 out of 100. There are quite a few outstanding issues in the Security and Data validation sections.

3. We can click each section on the left-hand side to see the specific issues found. For example, in the Transport section, we got 5 issues related to unencrypted (HTTP) traffic accepted by the API and all its methods.

4. Let’s click the first one (API accepts HTTP requests in the clear) and see the details. The report shows the exact problematic place in the contract, information on the potential exploit scenario, and recommendations on how to fix the issue:

5. We follow the report’s recommendation and change (in your editor of choice):

"schemes": [
    "http"
  ],

"schemes": [
    "https"
  ],

6. Now let’s save the file. And back in the API Contract Security Audit tool, click Audit another API button at the top right and re-upload the file.

While multiple other issues still remain, we can see that the Transport section is now good. We can go after the other sections one by one and fix the remaining items.