API fuzzing: What it is and why it’s important


By Ali Cameron

API security is rapidly becoming a priority for many organisations, and so it should be. While they are key enablers for agility and growth, APIs have also become one of the largest attack vectors for companies around the world.

In the last year alone, the average number of APIs per business grew 82%. But when it comes to securing these important technologies, many teams are lagging. This gap is due in large part to the fact that traditional security controls, such as API gateways, identity and access management, and web application firewalls, weren’t designed to handle the complexity of APIs.

APIs exist in a constantly changing landscape, and it’s hard for companies to keep up. Every API is unique, so attackers tend to use low-and-slow techniques that probe for and exploit the particular weaknesses of a given API rather than tripping generic signatures. Lastly, shift-left tactics on their own don’t account for business logic gaps. Together, these elements create a perfect storm of vulnerabilities that attackers are only too happy to exploit.

So, how can companies stay ahead of these threats? It’s not enough to have generic security models and controls in place. Instead, teams need a robust, in-depth API security framework. The two most critical pillars of that framework are API discovery and API attack detection and prevention. Together, these two elements provide the strongest runtime protection. However, companies should also look to identify security gaps, in pre-production and beyond, that a bad actor might leverage. This is where API fuzzing comes in.

An automated approach to testing, fuzzing is well suited to identifying exploitable flaws in an API’s request handling, and it helps teams spot issues quickly so that they can be addressed in a timely manner. In this piece, we’ll take a closer look at API fuzzing and why it’s important as organisations build out their API security strategies.

What is API fuzzing?

To understand API fuzzing, we can first start by defining what fuzz testing is. Fuzz testing is a method of automated testing that feeds invalid, malformed or unexpected inputs into a system in an attempt to “break” it and find vulnerabilities. It gives developers a better sense of how an application or piece of software behaves under hostile input and where it is weak. A fuzzing tool, or fuzzer, runs these tests automatically and monitors the target for crashes, hangs, unhandled errors or other unexpected behaviour.

This process typically has three components:

  • The poet, which is responsible for creating the test cases or inputs that are fed into the target. These test cases can be random; template-based, mutating a known-good input; evolutionary, where new test cases are derived from feedback on the ones already run; or generational. Generational test cases are built from an understanding of the rules within which the software operates (its schema, grammar or protocol), which makes them good at finding systemic issues.
  • The courier, which delivers the test cases to the software. How it does so depends on the target: a direct function call for a library, an HTTP request for a web API.
  • The oracle, which decides whether a test case has passed or failed. Ideally, the oracle is set up to report why a test case failed, so that engineers can act on remedying the gap quickly.

These three components facilitate the six steps in fuzzing: 

  1. Identifying the target system
  2. Determining inputs
  3. Generating fuzzed data
  4. Executing tests with fuzzed data
  5. Analysing system behaviour
  6. Logging issues

When it comes to API fuzzing, this methodology is applied to the API itself: the poet generates test inputs and request sequences, the courier delivers them to the target as API calls (typically HTTP requests), and the oracle inspects each response and logs whether a bug or security vulnerability has been detected.
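The following is an added example, not code from the original article or from any tool it mentions, that wires the three components and the six steps together against a constructed in-process API. The target API, its two planted bugs (an unvalidated `limit` parameter and a non-numeric ID that reaches `int()` and raises), the boundary-value lists and the oracle rules are all assumptions made for the illustration; a real run would point the courier at an HTTP endpoint instead. The poet here covers only the generational and random strategies, not the evolutionary one.

```python
import json
import random
import traceback
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# --- Target (constructed; stands in for a real HTTP API) ----------------------
# Called in-process so the example runs offline. Two bugs are planted on
# purpose: `limit` is never range-checked, and non-numeric values reach int()
# and raise, which a real server would turn into a 500 (with a stack trace in
# the body if it runs in debug mode).
DIRECTORY = {1: "alice", 2: "bob"}

def target_api(path: str, query: dict) -> Tuple[int, str]:
    """Return (status, json_body) the way an HTTP handler would."""
    if path == "/users":
        limit = int(query.get("limit", "10"))            # bug: no validation
        users = [{"id": i, "role": "user"} for i in range(5)]
        return 200, json.dumps({"users": users[:limit]})
    if path.startswith("/users/"):
        uid = int(path[len("/users/"):])                 # bug: ValueError escapes
        if uid not in DIRECTORY:
            return 404, json.dumps({"error": "no such user"})
        return 200, json.dumps({"name": DIRECTORY[uid]})
    return 404, json.dumps({"error": "not found"})

# --- Poet: builds the test cases (steps 2 and 3) ------------------------------
# Boundary values are assumptions for this example, not a canonical list.
INT_BOUNDARIES = ["0", "-1", "1", "4294967296", "", "abc", "1.5", "9" * 30]
ID_BOUNDARIES = ["1", "2", "0", "999", "-1", "../admin", "%00", "' OR 1=1--"]

def generate_cases(rng: random.Random, random_cases: int) -> Iterator[Tuple[str, str, dict]]:
    """Yield (route, path, query). Generational cases come from the API's rules
    (an int `limit`, an int `id`) so each boundary is hit once; random cases
    mutate a known-good request with junk drawn from a seeded RNG."""
    for v in INT_BOUNDARIES:
        yield "/users", "/users", {"limit": v}
    for v in ID_BOUNDARIES:
        yield "/users/{id}", f"/users/{v}", {}
    alphabet = "0123456789abc-.'\"\\/ %\x00"
    for _ in range(random_cases):
        junk = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 12)))
        if rng.random() < 0.5:
            yield "/users", "/users", {"limit": junk}
        else:
            yield "/users/{id}", f"/users/{junk}", {}

# --- Courier: delivers a case to the target (step 4) --------------------------
def courier(path: str, query: dict) -> Tuple[int, str]:
    """An exception escaping the handler becomes a 500 whose body carries the
    traceback, mimicking what a debug-mode server would send back."""
    try:
        return target_api(path, query)
    except Exception:
        return 500, traceback.format_exc()

# --- Oracle: decides pass/fail and says why (step 5) --------------------------
def oracle(route: str, query: dict, status: int, body: str) -> Optional[str]:
    """Return a failure reason, or None when the response is acceptable."""
    if status >= 500:
        leak = " with stack trace in body" if "Traceback" in body else ""
        return "unhandled server error" + leak
    try:
        json.loads(body)
    except json.JSONDecodeError:
        return "non-JSON response body"
    if route == "/users" and status == 200:
        try:
            limit = int(query.get("limit", "0"))
        except ValueError:
            limit = 0
        if limit < 0:                       # a negative limit should be a 400
            return "negative limit accepted (expected 400)"
    return None

# --- Logging findings (step 6) ------------------------------------------------
@dataclass
class Finding:
    route: str
    path: str
    query: dict
    status: int
    reason: str

def fuzz(seed: int = 1, random_cases: int = 50) -> list:
    """Run the loop; each distinct (route, reason) pair is logged once."""
    rng = random.Random(seed)
    findings, seen = [], set()
    for route, path, query in generate_cases(rng, random_cases):
        status, body = courier(path, query)
        reason = oracle(route, query, status, body)
        if reason and (route, reason) not in seen:
            seen.add((route, reason))
            findings.append(Finding(route, path, dict(query), status, reason))
    return findings

if __name__ == "__main__":
    for f in fuzz():
        print(f"{f.status} {f.path} {f.query} -> {f.reason}")
```

Two points worth noticing: the negative `limit` case returns a perfectly well-formed 200, so an oracle that only watches for 5xx responses would never report it, which is the business logic gap the article warns about; and deduplicating on (route, reason) rather than on the raw input is what keeps the report readable when the random strategy hits the same bug hundreds of times.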

Why should API fuzzing be part of your testing strategy?

As mentioned above, traditional security tools and methods don’t do enough to protect APIs or uncover all of their vulnerabilities. Teams that rely on the same technology and approaches they use for their web applications cannot get a full picture of their API threat exposure and risk a false sense of security.

As such, when it comes to APIs, fuzz testing is an important addition to the security tool belt. It complements existing programmes such as pentesting and provides a more thorough understanding of an API’s weaknesses. This matters for any team that wants to be proactive with API security and avoid the cost, reputational damage, and labour required to recover from an attack.

Plus, since attackers already use fuzzing to find a way into corporate systems, running it yourself lets the security team find the same failures first and reduce the threat of an attack.

API fuzzing can also be beneficial in the following ways: 

  • It offers a comprehensive view of the API’s security posture and robustness under unexpected input.
  • It costs little ongoing time or money. Once the initial test cases and oracle are set up, a fuzzer runs on its own without manual support, though triaging the findings still takes an engineer’s time.
  • It uncovers bugs and vulnerabilities that are easy to miss in a manual audit. This includes missing data encryption, broken algorithms, and lack of input validation, among others.
  • A robust fuzzing tool can deliver a detailed report, including the exact input that triggered each failure, showing how an attacker could exploit the vulnerability and giving developers a reproduction case for the fix.

Leveraging API fuzzing to stay ahead

Today’s cyber security landscape is full of threats. Organisations that want to protect their assets, people, and customers need best practices that cover all their bases. When it comes to securing an ever-growing pool of APIs, security teams need to go further still, adopting tools and methodologies that account for the variables that make APIs so hard to protect.

Along with the critical elements of API discovery and runtime protection, companies should also incorporate shift-left practices. For that aspect, API fuzzing is a great place to start.

About the Author: Ali Cameron is a content marketer who specialises in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC, where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited to writing in the cybersecurity space. She is also a regular writer for Bora.

