Six months ago, we began our journey with security testing. Since then, we have worked with hundreds of security teams across the world. Our focus has been on automating the testing of APIs to make it as easy as possible for security teams to test them before each release. We covered hundreds of test cases and automated them from end to end, trying to cover all possible scenarios. However, we encountered a massive hurdle in doing so. We realized that every developer has a unique way of writing APIs, and the problem becomes even more complicated with multiple developers contributing to code at a massive speed. For example, for one API, the error status code may be 200 OK, for another, it may be 4xx, and for a third one, it could be 200 OK with a status of "error". Finally, we came to the following conclusion:

Every API is unique. Your API testing should be too.

This changed the way we thought about testing at Akto. It's not easy to cover all test cases with all possible logics for your unique APIs. We realized the need for personalized and scalable API security testing.

Today, we are going beyond automated testing with Akto’s new test editor.

Introducing World’s first personalized security testing

Security teams often find themselves performing manual grunt work before every release. Traditional API security testing products are becoming increasingly restrictive for three reasons.

Firstly, these products only cover a fraction of critical vulnerability tests. As more new vulnerabilities are found, it becomes harder for users to find tests for new vulnerabilities in these traditional tools. Secondly, users have no ability to customize tests based on their business requirements. They manually test for critical and business logic vulnerabilities that traditional tools do not cover. This painful process slows down users and negatively impacts the complete and deep security of the application. Thirdly, users want to understand how their APIs are being tested. Today's testing tools lack visibility completely.

Akto's test editor is the world's first personalized API security testing tool. It is a simple, fast and scalable way to test APIs for security vulnerabilities. It allows user to write easy YAML templates in under 10 mins, test them on sample APIs and add to their API Security test library for continuous testing. Test Editor supports tests for both JSON and graphQL APIs. It comes with built in 100 templates for users to play around with and edit as per business need. The best part is, since you already have your API inventory in Akto, you can automate all your custom tests on all your APIs after writing them in the test editor.

We chose YAML as the test language because it is the easiest language for security teams to write tests in.

Our beta customers have been able to write 10 or more custom tests for their unique API behaviors in just a few hours, compared to the weeks it would take for each test previously. Here is an example of a YAML template written in Akto.

id: ADD_USER_ID
info:
  name: "IDOR by adding user id in query params"
  description: "Attacker can access resources of any user by adding user_id in URL."
  details: >
    "The endpoint appears to be vulnerable to broken object level authorization attack. The original request was replayed by adding other user's user id in query params.
    The server responded with 2XX success codes and less than <b>{{percentageMatch}}%</b> of the response body matched with original response body. <br>"
    "<b>Background:</b> Object level authorization is an access control mechanism that is usually implemented at the code level to validate that one user can only access objects that they should have access to."
  impact: "Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. Unauthorized access to objects can also lead to full account takeover."
  category:
    name: BOLA
    shortName: BOLA
    displayName: Broken Object Level Authorization (BOLA)
  subCategory: ADD_USER_ID
  severity: HIGH
  tags:
    - Business logic
    - OWASP top 10
    - HackerOne top 10
  references:
    - "https://www.akto.io/blog/bola-exploitation-using-unauthorized-uuid-on-api-endpoint"
    - "https://www.akto.io/blog/what-is-broken-object-level-authorization-bola"
    - "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa1-broken-object-level-authorization.md"
    - "https://cwe.mitre.org/data/definitions/284.html"
    - "https://cwe.mitre.org/data/definitions/285.html"
    - "https://cwe.mitre.org/data/definitions/639.html"
auth:
  authenticated: true
api_selection_filters:
  response_code:
    gte: 200
    lt: 300
  param_context:
    param: user|customer
    extract: user_context
execute:
  type: single
  requests:
    - req:
        - add_query_param:
            user_context.key: ${user_context.value}
validate:
  response_code:
    gte: 200
    lt: 300
  response_payload:
    percentage_match:
      lt: 50
    length:
      gt: 0

Three components of Test Editor:

1. Akto's Test Library: Akto's default test library includes 100+ tests and continues to grow as we cover more cases from OWASP Top 10 of APIs, business logic tests, and more.
2. YAML Test Editor: The editable YAML file consists of five blocks- id, info, API filters, execute, and validation. This is where you will write your test.
3. Sample API to Test: This is a sample API that you can select and run your test on to see how it works. You can use Akto's default API for testing purposes.

Example test case

Let’s say you want to write a test on checking broken authentication by removing CSRF token. Watch this video for a step by step guide on how to write this test in test editor. Demo video

In the above demo, we created a custom template using test editor and tested our API fro vulnerability. As a security engineer, you can add as many custom templates as you want and automate your complete API testing.

For example, one of the customers was able to add privilege escalation test by writing rules to filter APIs based on url criteria and validation based on the error they expect. These custom tests are running in their CI/CD for all the new and old APIs.

Start writing API Security Tests

We are excited to see what you write with the endless possibilities with test editor. Test editor is now available for beta across self hosted and cloud plans starting today. Start writing tests by signing up on Akto account or read more details in docs.

Your testing playground

We understand that you may want to take the test editor for a spin before fully integrating it. With that in mind, we've created a dedicated interactive sandbox environment just for you. Go test your APIs in your playground.