REST API Security: Testing and Analysis
Kajavalta, Lasse (2022)
Tietotekniikan DI-ohjelma - Master's Programme in Information Technology
Informaatioteknologian ja viestinnän tiedekunta - Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
Date of acceptance
2022-05-24
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:tuni-202205044353
Abstract
Application programming interfaces (APIs) are components that facilitate communication between applications. APIs are used in many kinds of software systems, but perhaps most commonly they are found in modern web applications. Web applications and the APIs they rely on are both attractive and easily reachable targets for malicious attackers, so the security of these applications is paramount.
A great deal of research has gone into mapping and combating common vulnerabilities in web applications, but API implementations also have vulnerabilities of their own. One of the primary goals of this master's thesis was to identify common API vulnerabilities by reviewing the existing literature on the subject and then performing in-depth security testing to determine how well the M-Files Cloud Management API is protected against these previously recognized vulnerabilities. The research questions of this thesis were: which vulnerabilities are the most significant for the security of API implementations, how these vulnerabilities apply to the M-Files API solution, and how the development process could be improved to ensure security in the future.
The API implementation tested in this thesis is that of M-Files Manage, a customer-facing web application that lets customers manage their own M-Files Cloud environments and subscriptions. The system was tested against nine well-known and commonly occurring vulnerabilities of API implementations. For each vulnerability, appropriate security testing was carried out. Depending on the type of vulnerability and how it can be tested for, testing was done manually, with security testing tools, and by developing new test automation coverage for the code project.
During the testing, ten security-related issues were found in the API. These issues were reported to the system's development team and subsequently fixed in the API. New improvement ideas for the API and its continued development were presented, and as a result of this thesis the existing security level of the API was examined and improved upon. The existing test automation coverage was also greatly extended to take many different security aspects into account.