
Akto Tests: Are your Private APIs vulnerable to the Public?

Akto now lets you conduct API Security testing based on the Access Type of an API Endpoint.

Raaga Srinivas

In API Security, Private APIs refer to the specific API endpoints that are used strictly internally.

These APIs are typically called by other microservices and internal tools. For example, a /api/v1/send-welcome-email endpoint sends email notifications to new users; it is called by another microservice (register.company.io) to send a welcome message to each new user.

Private APIs are NOT to be exposed to public networks.

As a developer, how do you ensure this API is not accessible to the public and is not revealing sensitive information?

For this, Akto has added a new test and filter to conduct API Security testing based on the ‘access type’ of the API.

What are Access Types?

In API security, an access type refers to the level of permissions or access that an API provides. It determines what actions can be performed via the API and what data can be accessed. Akto tags public, private (or internal), and partner APIs to ensure proper inventory management.

Public APIs: API endpoints that are exposed to the public network.

Private APIs: As mentioned earlier, these are API endpoints that are used strictly internally and are NOT exposed to public networks.

Partner APIs: Specific API endpoints that can be used by IPs outside your VPC, but the access is limited to a small set of IPs.

Check out our documentation on configuring these access types with Akto.

Now that you know the different access types of your APIs, you can conduct API security testing to check what vulnerabilities are revealed to users with different permissions. Let’s dig into how to do this with Akto.
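To make the access-type check concrete, here is an added Python example (not Akto's code) that applies the same three tags to a constructed access-log sample and reports every request that contradicts an endpoint's declared access type, plus any request to an endpoint missing from the inventory. It assumes "internal" means RFC 1918 space plus loopback, and uses an assumed partner allowlist; the inventory, networks and log lines are all constructed for the example.

```python
import ipaddress

# Constructed sample inventory tagged with the three access types
# discussed above (assumption: this is not Akto's own data model).
INVENTORY = {
    "/api/v1/send-welcome-email": "private",
    "/api/v1/partner/orders": "partner",
    "/api/v1/login": "public",
}

# Assumption: "internal" means RFC 1918 space plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed partner allowlist: the "small set of IPs" a partner API admits.
PARTNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed access-log sample, one request per line: "<source ip> <path> <status>".
LOG_LINES = """\
10.0.3.7 /api/v1/send-welcome-email 200
198.51.100.23 /api/v1/send-welcome-email 200
203.0.113.10 /api/v1/partner/orders 200
192.0.2.44 /api/v1/partner/orders 403
192.0.2.45 /api/v1/login 200
192.0.2.9 /api/v1/debug/dump 200
"""

def in_any(ip, nets):
    return any(ip in net for net in nets)

def find_exposures(inventory, log_text, internal=INTERNAL_NETS, partner=PARTNER_NETS):
    """Return (path, declared_type, src_ip, served) for each request whose source
    contradicts the endpoint's access type, or whose path is not in the inventory.
    `served` is True when the response was below 400, i.e. the call went through
    instead of being refused; a served private call from outside is the real exposure."""
    findings = []
    for line in log_text.splitlines():
        src, path, status = line.split()
        ip = ipaddress.ip_address(src)
        served = int(status) < 400
        access = inventory.get(path, "untagged")
        if access == "private" and not in_any(ip, internal):
            findings.append((path, access, src, served))
        elif access == "partner" and not (in_any(ip, internal) or in_any(ip, partner)):
            findings.append((path, access, src, served))
        elif access == "untagged":  # hidden endpoint: inventory gap regardless of source
            findings.append((path, access, src, served))
    return findings

if __name__ == "__main__":
    for path, access, src, served in find_exposures(INVENTORY, LOG_LINES):
        print(f"{'SERVED ' if served else 'refused'} {access:8} {path} from {src}")
```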


Testing for Access Type vulnerabilities with Akto

There are 2 ways you can check your APIs for ‘access type’ based vulnerabilities on Akto:

  1. Use our template: the Improper Inventory Management test, which identifies publicly accessible APIs in a private environment

  2. Write a custom test with the filter

Akto’s Template for identifying Publicly Accessible APIs in a private environment

Akto provides a built-in, customizable YAML test template from our Test Library to identify which of your private APIs are accessible to the public and reveal sensitive data.

Here is how you can conduct this test on Akto’s Test Editor:

Write a custom test with the ‘Access Type’ filter

Akto also allows you to write your custom tests. You can either make edits to our existing templates or write one of your own from scratch.

To check for ‘access type’ based issues in your APIs, add the following filter to your test:

    api_access_type:
      eq: private

Alternatively, you can test for vulnerabilities in your Partner APIs by replacing private in the filter above with partner.

You’re all set!

Final Thoughts

Akto thinks about your security team’s challenges from a 360-degree view.

Proper inventory management, which involves organizing your API inventory with tags and recognizing hidden APIs, is essential to improving your API security testing.

In this case, Akto ensures that not only are your APIs tagged as public, private, or partner APIs, but you can also test to see if they reveal sensitive information based on their access type.

With API Security Testing now completely automated, your team can focus on the important task of remediating vulnerabilities immediately.

To learn more about how Akto proactively conducts API Security Testing, check out these resources:
