[BlackHat Europe tool] Automatic API Attack Tool

by do son · Published December 15, 2019 · Updated December 14, 2019

Automatic API Attack Tool

Imperva’s customizable API attack tool takes an API specification as an input and generates and runs attacks that are based on it as an output.

The tool is able to parse an API specification and create fuzzing attack scenarios based on what is defined in the API specification. Each endpoint is injected with cleverly generated values within the boundaries defined by the specification, and outside of it, the appropriate requests are sent and their success or failure is reported in a detailed manner. You may also extend it to run various security attack vectors, such as illegal resource access, XSS, SQLi and RFI, that are targeted at the existing endpoints, or even at non-existing ones. No human intervention is needed. Simply run the tool and get the results.

The tool can be easily extended to adapt to meet the various needs, such as for a developer who wants to test their API or an organization that wants to run regular vulnerability or positive security scans on its public API. It is built with CI/CD in mind.

Supported Check Scenarios

We will use the term endpoint here, as the endpoint URL and Method tuple.

Positive Scenarios

For each endpoint, creates a request with generated values for all of its parameters. These are generated randomly, but obey the rules that are defined in the API specification.
For each endpoint, creates a request with only the required parameters, with values generated as described above.

Negative Scenarios

For each endpoint, creates multiple requests, each which checks a different parameter. The tool does this by injecting a random bad input value in the checked parameter and filling the rest with “positive” values which are generated in the same manner as described in the positive scenarios.