Akto Tests: Are your Private APIs exposed to the Public?
Akto now lets you conduct API Security testing based on the Access Type of an API Endpoint.
Raaga Srinivas
5 mins
In API Security, Private APIs refer to the specific API endpoints that are used strictly internally.
These APIs are typically used by the other microservices and internal tools. For example, a /api/v1/send-welcome-email
API endpoint to send email notifications to new users. This API is used by another microservice (register.company.io
) to send a welcome message to new users.
Private APIs are NOT to be exposed to public networks.
As a developer, how do you ensure this API is not accessible to the public and is not revealing sensitive information?
For this, Akto has added a new test and filter to conduct API Security testing based on the ’access type’ of the API.
What are Access Types?
In API security, an access type refers to the level of permissions or access that an API provides. It determines what actions can be performed via the API and what data can be accessed. Akto tags public, private (or Internal), and partner APIs to ensure proper inventory management.
Public APIs: API endpoints that are exposed to the public network.
Private APIs: As mentioned earlier, these are API endpoints that are used strictly internally and are NOT exposed to public networks.
Partner APIs: Specific API endpoints that can be used by IPs outside your VPC, but the access is limited to a small set of IPs.
Check out our documentation on configuring these access types with Akto.
Now that you know the different access types of your APIs, you can conduct API security testing to check what vulnerabilities are revealed to users with different permissions. Let’s dig into how to do this with Akto.
Testing for Access Type vulnerabilities with Akto
There are 2 ways you can check your APIs for ‘access type’ based vulnerabilities on Akto:
Use our Template: Improper Inventory Management Test by identifying Publicly Accessible APIs in a private environment
Write a custom test with the filter
Akto’s Template for identifying Publicly Accessible APIs in a private environment
Akto provides a built-in, customizable YAML test template from our Test Library to identify which of your private APIs are accessible to the public and reveal sensitive data.
Here is how you can conduct this test on Akto’s Test Editor:
Write a custom test with the ‘Access Type’ filter
Akto also allows you to write your custom tests. You can either make edits to our existing templates or write one of your own from scratch.
To check for ‘access type’ based issues in your APIs, add the following filter to your test -
api_access_type
eq: private
Alternatively, you can test for vulnerabilities in your Partner APIs by replacing the above access type with partner
.
You’re all set!
Final Thoughts
Akto thinks about your security team’s challenges from a 360-degree view.
Proper inventory management, which involves organizing your API inventory with tags and recognizing hidden APIs, is essential to improving your API security testing.
In this case, Akto ensures that not only are your APIs tagged as public, private, or partner APIs, but you can also test to see if they reveal sensitive information based on their access type.
With the API Security Testing now completely automated, your team can now focus on the important task of remediating vulnerabilities immediately.
To know more on how Akto proactively conducts API Security Testing, check out these resources:
Keep reading
API Security
3 minutes
What is API Discovery?
API Discovery helps identify, map, and manage APIs within an organization, ensuring security, performance, and seamless integration across systems.
API Security
5 minutes
Top 10 DAST Tools in 2024
DAST tools secure web apps by identifying vulnerabilities through automated security testing.
API Security
8 minutes
Security Information and Event Management (SIEM)
SIEM aggregates and analyzes security data across an organization to detect, monitor, and respond to potential threats in real time.
Experience enterprise-grade API Security solution