Introducing Test Roles for Authorization Testing with Akto
In API security, authorization tests involve checking if the access control measures in place are working effectively. So it’s important for you to test for the eventuality of this vulnerability by using the authorization tokens of different ‘roles’, and you can do this with Akto.
Raaga Srinivas
10 mins
Introduction
In API security, authorization tests involve checking if the access control measures in place are working effectively. This includes verifying if API endpoints are correctly granting or denying access based on the authorization token provided. These tests ensure that users can only access data and perform actions that their specific role allows, preventing unauthorized access and protecting sensitive information, and avoid cases like how there were IDOR vulnerabilities found in Microsoft Teams.
For example, a generic user of your application should not be able operate administrator, manager or staff functions. So it’s important for you to test for the eventuality of this vulnerability by using the authorization tokens of different ‘roles’, and you can do this with Akto.
What are ‘Roles’ in Authorization Testing?
'Test Roles' in authorization tests refer to the different types of users that a system may recognize. These roles often come with different levels of access and privileges. For example, in a retail system, the roles might include 'admin', 'staff', and 'customer'. An 'admin' might have full access to all system functions, while 'staff' might only have access to a subset of these functions. A 'customer', on the other hand, will typically have the most restricted access, limited to only those functions necessary for making purchases.
By testing with different roles, you can ensure that the application correctly enforces these access restrictions.
Authorization Testing with Roles in Akto
Authenticated Scanning
Authenticated scanning involves testing the application while logged in as a user. When testing as an 'admin' role, this allows you to access and test all parts of the system. This is crucial as it allows for a comprehensive assessment of the system's security, including areas that may not be accessible to lower-level roles. It helps identify vulnerabilities that could be exploited if an attacker managed to gain 'admin' level access. However, it's important to also test other roles to ensure that they don't have more access than they should, and you can do it with Akto!
Privilege Escalation
Privilege escalation is a type of security vulnerability where a user gains access to resources or performs actions outside of their designated privileges. It often occurs when a system fails to properly authenticate a user's permissions, allowing them to gain a higher level of access than intended, like Toyota’s API Security breach for example.
In the context of securing your APIs, you can use different 'roles', such as 'admin', 'customer', etc., to check for privilege escalation issues. For instance:
You could perform tests using the authorization token of a 'customer' role to try accessing resources or performing actions that should only be available to an 'admin' role.
If the 'customer' role can successfully perform these 'admin' actions, then a privilege escalation issue is present.
Other examples of vulnerable cases -
Customer could operate manager or staff functions (Or administrator functions as seen above)
Staff user could operate manager or administrator functions;
Manager could operate administrator functions.
This type of testing is crucial to ensure that proper access control measures are enforced and that users cannot exceed their intended privileges. You can use Akto to scan for all these types of privilege escalation issues!
Automated Auth Token creation with Akto
Auth tokens can have varying expiry times depending on the API security measures in place. Some tokens may only last for a short duration like 15 days, while others might be set to expire in 6 months. This variability can pose a challenge when conducting regular API security testing, as outdated tokens can disrupt the testing process.
However, Akto provides a solution to this problem by allowing you to automate your auth token generation. This means you can always have a valid token ready for your API security testing, regardless of the original token's expiry date, making the process more efficient and hassle-free.
Create a User Role in Akto for Testing
Akto allows you to check for authorization vulnerabilities through the following steps:
Step 1: Create a Test Role
Go to the Test Roles tab under Testing in the left navigation.
Monthly product updates in your inbox. No spam.
Step 2: Choose Auth Token Configuration
You can generate an auth token in 2 different ways:
Hard-coded token: Manually adding detailsAutomated token: Akto will generate a token for you
Akto allows you to fill in an API header as well that can be used instead of you auth keys in certain conditions.
For example, say you use Slack for your business communication with multiple channels, one of them being OWASP.
You can include a Header key and Value for OWASP that would be used in applicable testing cased as opposed to the generated attacker auth token.
Hard-Coded token
Akto gives you the option to add your manually generated token. Enter the name of the header which contains your auth token. This field is case insensitive. Eg. Authorization under the Auth header key.
Automated token
Akto will generate a token for you by replicating your login flow and extracting the token from the response. Follow these steps to generate your token.
Automated: Login Step Builder
You’ll need to get the details to fill in to Akto. Let’s understand this with an example using OWASP Juiceshop.
Step 1: Open the OWASP Juiceshop login page
Click on Log In and Inspect the element.
You will see your Login details under Network > Name > Login
Click on Login
Step 2: Find all details to copy into Akto
URL: Under Headers> General, copy the
Request URLMethod: Similarly, copy
Request Method
Body: Click on Payload > View Source
Use the information you find under ‘view source’ to enter the ‘body’ details in the next section.
Step 3: Copy login flow details to Akto.
URL: Under Headers> General, copy the
Request URLand enter into Akto under Call API >UrlMethod: Similarly, copy
Request Methodand paste toMethodin Akto.Query Params and headers: Include any params or headers that exist
Body: Click on Payload > View Source > copy email and password > Paste it in Akto under
Body
Step 4: Run test
Step 5: Extract Token
You need to fill these 3 sections:
Header/Body: Where the Auth token will be in subsequent API calls made during testing
Key: The key under which the auth token will be found in subsequent API tests
Value: The exact location of the key that is being extracted from the login flow test that was run just before this.
Value: Manually enter the location of the token from login flow.
Code for this will be: ${x1.response.body.authentication.token}
Key: To find this, navigate to API Inventory>API collections> Select a collection > Choose an API endpoint, you’ll find it under Request > Header. In this case, Authorization is the key for APIs.
Copy the Value and Key details to Akto’s dashboard:
Automated: JSON Recording
You can also create a Role on Akto by using a JSON recording. Follow the steps outlined in the video:
Step 3: Run Authorization Tests with Akto
From Test Editor
You can now run authorization tests with Akto to check for vulnerabilities. See below:
From API Collections
You can also run tests and choose the specific role by going to your API Inventory > API collections. See below:
Step 4: Assess Results
As you can see, Akto generated a modified auth token that simulates an ‘attacker’ token in the API request.
The response showed a 401 error, indicating that the attack did not work
In this case, no vulnerability was detected in the OWASP Juiceshop login.
In the event that the vulnerability is detected, Akto will highlight the same and the development team should be notified for action. You can also create a Jira ticket to flag the concern within your pipeline.
You’re all set! You can now start authentication testing with Akto now with this guide.
Final Thoughts
Akto streamlines the authentication testing process, simplifying the generation and automation of auth tokens and enabling efficient and effective authentication testing of your API's security measures. By introducing test roles and implementing secure API security testing practices, you can significantly enhance the security of your application and take actionable steps against unauthorized access by covering all your bases.
If you’d like to know more about Authorization Testing, check out our resources:
Keep reading
News
7 mins
March Product News: 98 New Tests, Dynamic wordlists, and more
This edition of Akto’s newsletter is packed with new features and tests that will greatly decrease your API Security testing time and increase targeted testing.
Product updates
5 mins
Detailed Errors on Postman and Swagger File Import
Akto now replays APIs to automatically get data during an import of Postman and Swagger files and transparently displays reasons why each specific API couldn't be replayed in the case of an error.
Product updates
5 mins
Added 98 New API Security Tests across 5 OWASP categories
Akto has introduced new tests across several categories including BOLA, Broken Authentication, Unrestricted Resource Consumption, BFLA, and SSRF that you can explore with Akto’s Test Editor.