Introducing AktoGPT to secure APIs
This blog post is about the launch of AktoGPT and how AktoGPT unleashes the power of GPT to secure APIs!
Apr 10, 2023
4 min read
At Akto, we are passionate about securing APIs. As an early-stage, fast-moving team, we are always looking for the fastest and most innovative ways to serve our customers better. In the last few months, the world has seen the remarkable power of the GPT model. Our team had been talking about this beast and had long wanted to unleash the capabilities of GPT to secure APIs better. When we started experimenting with GPT models on our API data, we knew we were onto something. The results were impressive, and we knew we had to share these capabilities with our users. Hence, today we are super excited to announce the launch of AktoGPT to the world to help you prioritize your APIs for better security.
We are thrilled to share that Akto is the first API security company to integrate OpenAI's GPT. ✨
AktoGPT is only the beginning of our journey with AI. Our team is exploring the full potential of GPT models to help secure APIs and improve the user experience of our customers. We will bring even more exciting features and tools in the near future. Try now.
What is AktoGPT?
AktoGPT is a new feature that uses the power of the GPT model within Akto to solve these three use cases:
Prioritize APIs for security testing
Logically group APIs
Find sensitive params in APIs
I will explain these use cases below.
AktoGPT to prioritize APIs
Typically, the API inventory page lists anywhere from 500 to 10,000s of APIs, along with a lot of rich metadata about them. Security teams struggle to prioritize these APIs for security testing. It's very hard to test all the APIs every week, especially if you are doing a manual pentest. If you use simple filters with keywords like 'auth' or 'login', you will only find the APIs that have 'auth' in the URL. Enter AktoGPT! With AktoGPT, you can find all the relevant APIs from just a few keywords. You simply tell AktoGPT to 'tell me all APIs related to auth' and it will find all the APIs related to auth for you. This is super cool, and we have tested it in multiple apps. GPT doesn't just rely on the developer putting 'auth' in the URL. It knows APIs so well that it can figure out which APIs might be related to auth and return those. See the example below of product APIs found through an AktoGPT prompt. 👇
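As an added illustration (not Akto's code), the Python below shows the gap between a plain keyword filter and a prompt-driven lookup over an API inventory: it chunks a constructed inventory so each prompt stays under a size budget, builds the prompt, and validates the model's reply against the inventory so that any URL the model invents is dropped. The inventory format, prompt wording and model reply are all assumptions made for this example.

```python
import json

# Constructed sample inventory for this example; not Akto's data model.
INVENTORY = [
    {"method": "POST", "url": "/api/v1/login", "params": ["username", "password"]},
    {"method": "POST", "url": "/api/v1/token/refresh", "params": ["refresh_token"]},
    {"method": "GET", "url": "/api/v1/products", "params": ["page", "limit"]},
    {"method": "POST", "url": "/api/v1/session/verify-otp", "params": ["otp", "phone"]},
    {"method": "GET", "url": "/api/v1/orders/{id}", "params": ["id"]},
]

# Constructed model reply for "Which APIs are related to auth?"; the last
# entry does not exist in the inventory and must be filtered out.
MODEL_REPLY = ('["/api/v1/login", "/api/v1/token/refresh", '
               '"/api/v1/session/verify-otp", "/api/v1/auth/made-up"]')


def keyword_filter(inventory, keyword):
    """Plain substring filter: only URLs that literally contain the keyword."""
    return [api["url"] for api in inventory if keyword in api["url"].lower()]


def chunk_inventory(inventory, max_chars):
    """Split the inventory so each chunk's JSON stays under the prompt budget.
    A single oversized entry is kept on its own rather than dropped."""
    chunks, current = [], []
    for api in inventory:
        current.append(api)
        if len(json.dumps(current)) > max_chars and len(current) > 1:
            chunks.append(current[:-1])
            current = [api]
    if current:
        chunks.append(current)
    return chunks


def build_prompt(chunk, question):
    """Assumed prompt: ask for a JSON array of matching "url" values only."""
    return ("You are given an API inventory as JSON. " + question +
            ' Answer ONLY with a JSON array of the matching "url" values.\n' +
            json.dumps(chunk))


def parse_answer(answer, inventory):
    """Keep only URLs that really exist in the inventory; reject bad JSON."""
    known = {api["url"] for api in inventory}
    try:
        urls = json.loads(answer)
    except json.JSONDecodeError:
        return []
    if not isinstance(urls, list):
        return []
    return [u for u in urls if isinstance(u, str) and u in known]
```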
AktoGPT to logically group APIs
We have had so many customers ask us to group APIs according to their functional teams, API types and various other criteria. Well, we couldn't have found a better way to group these APIs. On the inventory page, you can click the AktoGPT button and ask it to group APIs. It will automatically group your APIs based on functionality. In the next release, we plan to let users auto-create collections based on the logical groups found by GPT. See below how AktoGPT groups APIs 👇
AktoGPT to detect sensitive params in APIs
Finally, while Akto as a product already detects sensitive params in APIs, it needs a lot of definite patterns to do so. With ChatGPT, you don't have to rely only on adding patterns to Akto. ChatGPT can use its "intuition" to find sensitive params. Say you see a new API that the devs have introduced. You can open it in Akto and simply ask AktoGPT whether it has any sensitive or PII parameters in its payloads. This again uses ChatGPT's intuition to find whether any keys or values look like sensitive or private information. See below 👇
How we built it
We have been experimenting with and exploring ChatGPT for API security use cases for some time now. We have found that ChatGPT's "intuition" and "information" can empower users in quite a few ways:
What does this API do?
What are other similar APIs? Can you please tell me all APIs which handle order and deliveries?
What APIs are called before or after this API?
What tests should I run on this API? Does SSRF testing make sense on this API? If yes, can you please help me write an AWS Metadata SSRF test config for this API?
Being impressed with ChatGPT's answers, we decided to serve it to our users. On Thursday evening (Apr 6, 2023) we decided to start with 3 simple use cases and put them in the next release on Monday (Apr 10, 2023). Simple timeline:
Thu - Initiation: Decide on the 3 most simple and obvious use cases for AktoGPT
Fri - Design: Start designing the interface. At the same time, start designing the backend architecture
Sat - Action: Get all of the UI ready based on the design. Infra up and running on AWS
Sun - Fine-tune: Improve the UI, improve the GPT prompts, handle edge cases and large inputs, etc.
Mon - Deploy! LFG!: Docs ✅ Demo video ✅ Website update ✅ Blog ✅ Release testing ✅ Social media ✅
We are writing a tech blog about it soon to help those who want to introduce GPT in their product or otherwise.
We would love your suggestions here. Any accepted suggestion will get you Akto swag.
Be part of AktoGPT discussions!
To contribute or get the latest on AktoGPT, join our community on Discord, Twitter, LinkedIn and GitHub.