Introducing Test Roles for Authorization Testing with Akto

In API security, authorization tests involve checking if the access control measures in place are working effectively. So it’s important for you to test for the eventuality of this vulnerability by using the authorization tokens of different ‘roles’, and you can do this with Akto.

Raaga Srinivas

Introduction

In API security, authorization tests check whether the access control measures in place actually work. This includes verifying that API endpoints correctly grant or deny access based on the authorization token presented. These tests ensure that users can only access data and perform actions their specific role allows, preventing unauthorized access and protecting sensitive information; the IDOR vulnerabilities found in Microsoft Teams are an example of what happens when such checks are missing.

For example, a generic user of your application should not be able to operate administrator, manager or staff functions. So it is important to test for this class of vulnerability by replaying requests with the authorization tokens of different 'roles', and you can do this with Akto.

What are ‘Roles’ in Authorization Testing?

'Test Roles' in authorization tests refer to the different types of users that a system may recognize. These roles often come with different levels of access and privileges. For example, in a retail system, the roles might include 'admin', 'staff', and 'customer'. An 'admin' might have full access to all system functions, while 'staff' might only have access to a subset of these functions. A 'customer', on the other hand, will typically have the most restricted access, limited to only those functions necessary for making purchases.

Examples of test roles

By testing with different roles, you can ensure that the application correctly enforces these access restrictions.

Authorization Testing with Roles in Akto

Authenticated Scanning

Authenticated scanning involves testing the application while logged in as a user. Testing as an 'admin' role lets you reach and test all parts of the system, which is crucial for a comprehensive assessment, including areas not accessible to lower-level roles, and helps identify vulnerabilities that could be exploited if an attacker gained 'admin' level access. However, it is equally important to test the other roles to confirm that they do not have more access than they should, and you can do that with Akto.

Privilege Escalation

Privilege escalation is a type of security vulnerability in which a user gains access to resources or performs actions outside of their designated privileges. It typically occurs when a system fails to properly authorize a request: the caller is authenticated, but nobody checks that the caller's role actually permits the action, so they obtain a higher level of access than intended. Toyota's API security breach is one example.

In the context of securing your APIs, you can use different 'roles', such as 'admin', 'customer', etc., to check for privilege escalation issues. For instance:

  1. You could perform tests using the authorization token of a 'customer' role to try accessing resources or performing actions that should only be available to an 'admin' role.

  2. If the 'customer' role can successfully perform these 'admin' actions, then a privilege escalation issue is present.

Other examples of vulnerable cases:

  1. Customer could operate manager or staff functions (Or administrator functions as seen above)

  2. Staff user could operate manager or administrator functions;

  3. Manager could operate administrator functions.

This type of testing is crucial to ensure that proper access control measures are enforced and that users cannot exceed their intended privileges. You can use Akto to scan for all these types of privilege escalation issues!
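The role matrix above is easy to turn into an automated check. The following is an added example, not Akto's code: a small in-memory API stands in for the target and declares which roles each endpoint should accept, and the harness replays every endpoint with every role's token and flags any success a role should not have had. The roles, tokens and endpoints are all constructed for the demo.

```python
"""Role-matrix privilege-escalation check (added example, not Akto's code).

A tiny in-memory API stands in for the target and declares which roles each
endpoint should accept; the harness replays every endpoint with every role's
token and flags any success the role should not have had.
"""

# Constructed role -> bearer token mapping (what an Akto test role holds).
TOKENS = {
    "admin": "tok-admin-1",
    "manager": "tok-manager-1",
    "staff": "tok-staff-1",
    "customer": "tok-customer-1",
}
ROLE_OF_TOKEN = {tok: role for role, tok in TOKENS.items()}

# Constructed access matrix: (method, path) -> roles that should be allowed.
ALLOWED = {
    ("GET", "/api/orders/me"): {"admin", "manager", "staff", "customer"},
    ("POST", "/api/refunds"): {"admin", "manager", "staff"},
    ("GET", "/api/reports/sales"): {"admin", "manager"},
    ("DELETE", "/api/users/42"): {"admin"},
}


def role_from_headers(headers):
    """Map an 'Authorization: Bearer <token>' header back to a role, or None."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return ROLE_OF_TOKEN.get(token)


def vulnerable_server(method, path, headers):
    """Constructed target with a bug: POST /api/refunds never checks the role."""
    role = role_from_headers(headers)
    if role is None:
        return 401                      # unauthenticated: token not recognised
    if (method, path) == ("POST", "/api/refunds"):
        return 200                      # BUG: any authenticated caller may refund
    return 200 if role in ALLOWED[(method, path)] else 403


def fixed_server(method, path, headers):
    """Same API with the role check applied uniformly on every endpoint."""
    role = role_from_headers(headers)
    if role is None:
        return 401
    return 200 if role in ALLOWED[(method, path)] else 403


def find_privilege_escalation(server, tokens, allowed):
    """Replay every endpoint as every role; return (role, method, path, status)
    for each call that succeeded although the role is not in the allow list.

    Only 2xx responses count as a finding: 401/403 are the expected denials,
    and a 5xx is a different bug class worth a separate look.
    """
    findings = []
    for role, token in tokens.items():
        headers = {"Authorization": f"Bearer {token}"}
        for (method, path), ok_roles in allowed.items():
            status = server(method, path, headers)
            if 200 <= status < 300 and role not in ok_roles:
                findings.append((role, method, path, status))
    return sorted(findings)


if __name__ == "__main__":
    for name, srv in (("vulnerable", vulnerable_server), ("fixed", fixed_server)):
        print(name, find_privilege_escalation(srv, TOKENS, ALLOWED))
```

Against a real target, the server function becomes an HTTP call and the allow list comes from your API inventory; the decision rule stays the same: a 2xx for a role outside the allow list is a finding, a 401 means the token itself was not accepted, and a 403 is the denial you want.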

Automated Auth Token creation with Akto

Auth tokens expire after varying periods depending on the API's security measures. Some may last only a short time, such as 15 days, while others may be set to expire after 6 months. This variability is a challenge for regular API security testing, because an expired token silently turns every authenticated test into a 401 and disrupts the run.

Akto addresses this by letting you automate auth token generation: it replays your login flow and extracts a fresh token, so you always have a valid token ready for testing regardless of the original token's expiry date, which makes the process more efficient and hassle-free.

Create a User Role in Akto for Testing

Akto allows you to check for authorization vulnerabilities through the following steps:

Step 1: Create a Test Role

Go to the Test Roles tab under Testing in the left navigation.

Step 2: Choose Auth Token Configuration

You can configure the auth token in 2 different ways:

  1. Hard-coded token: you manually add the token details

  2. Automated token: Akto generates a token for you by replaying your login flow

Akto also lets you specify an additional API header key and value that is used instead of the role's auth token in certain test cases.

For example, say you use Slack for your business communication with multiple channels, one of them being OWASP. You can add a header key and value for OWASP that would be used in the applicable test cases in place of the generated attacker auth token.

Hard-Coded token

Akto lets you add a token you generated manually. Enter the name of the header that carries your auth token; this field is case-insensitive. For example, enter Authorization as the Auth header key.

Automated token

Akto will generate a token for you by replicating your login flow and extracting the token from the response. Follow these steps to generate your token.

Automated token, option 1: Login Step Builder

You will need to gather the login request details to fill into Akto. Let's walk through this with an example using OWASP Juice Shop.

Step 1: Open the OWASP Juice Shop login page

Open the browser developer tools (right-click > Inspect), switch to the Network tab, and then click on Log In.

You will see the login request under Network > Name > login. Click on it to open the request details in the console.

Step 2: Find all details to copy into Akto

  1. URL: Under Headers > General, copy the Request URL

  2. Method: Similarly, copy the Request Method

  3. Body: Click on Payload > View Source

Use the email and password you find under 'view source' to fill in the 'body' details in the next step.

Step 3: Copy login flow details to Akto.

  1. URL: Under Headers> General, copy the Request URL and enter into Akto under Call API > Url

  2. Method: Similarly, copy Request Method and paste to Method in Akto.

  3. Query Params and headers: Include any params or headers that exist

  4. Body: Click on Payload > View Source > copy email and password > Paste it in Akto under Body

Step 4: Run test

Step 5: Extract Token

You need to fill in these 3 fields:

  1. Header/Body: whether the auth token is sent in a header or in the body of the subsequent API calls made during testing

  2. Key: the header (or body) key under which the auth token will be placed in subsequent API tests

  3. Value: an expression pointing at the exact location of the token in the response of the login flow step that was run just before this

Value: manually enter the location of the token in the login flow response. For the Juice Shop login response, which wraps the token in an "authentication" object, the expression is:

${x1.response.body.authentication.token}

Key: to find this, navigate to API Inventory > API collections > select a collection > choose an API endpoint; you will find it under Request > Header. In this case, Authorization is the key the APIs use.

Copy the Key and Value details into Akto's dashboard.
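To make the extraction step and the expiry handling concrete, here is an added example, not Akto's code, that models what the login step builder does for one role: it resolves an extraction expression such as ${x1.response.body.authentication.token} against the recorded login response, reads the token's exp claim, and re-runs the login only when the token is about to expire. The login response and JWT are constructed to look like Juice Shop's; the "Bearer " prefix, the 60-second expiry skew and the RoleTokenSource class are assumptions of the example.

```python
"""Extract a role's auth token from a recorded login step and refresh on expiry.

Added example, not Akto's code. Models resolving an extraction expression
(e.g. ${x1.response.body.authentication.token}) against a recorded login
response and re-running the login when the token has expired. The login
response and JWT are constructed to look like Juice Shop's; the 'Bearer '
prefix and the 60-second skew are assumptions.
"""
import base64
import json
import re
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_fake_jwt(payload: dict) -> str:
    """Unsigned JWT-shaped token, good enough to read 'exp' from (constructed)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}.fakesignature"


def fake_login_step(now: int) -> dict:
    """Constructed stand-in for running login step x1 at time `now`."""
    token = make_fake_jwt({"email": "test@example.com", "iat": now, "exp": now + 3600})
    return {"response": {"status": 200,
                         "body": {"authentication": {"token": token, "bid": 3,
                                                     "umail": "test@example.com"}}}}


EXPR = re.compile(r"^\$\{([^}]+)\}$")


def resolve(expr: str, steps: dict):
    """Walk a dotted path like x1.response.body.authentication.token over `steps`."""
    m = EXPR.match(expr.strip())
    if not m:
        raise ValueError(f"not an extraction expression: {expr}")
    node = steps
    for part in m.group(1).split("."):
        node = node[int(part)] if isinstance(node, list) else node[part]
    return node


def jwt_exp(token: str):
    """Return the 'exp' claim of a JWT payload, or None if absent/unparseable.
    No signature check here: we only decide when to log in again."""
    try:
        payload = json.loads(b64url_decode(token.split(".")[1]))
        return int(payload["exp"])
    except (IndexError, KeyError, ValueError, TypeError):
        return None


def jwt_expired(token: str, now: int, skew: int = 60) -> bool:
    """Treat a token as expired `skew` seconds early so a running test never
    hits the boundary; an opaque token (no exp) is assumed still valid."""
    exp = jwt_exp(token)
    return exp is not None and exp - skew <= now


class RoleTokenSource:
    """One per test role: holds the login step, the extraction expression and
    the header key the token is injected under; re-logs in only when needed."""

    def __init__(self, login_fn, extract_expr, header_key="Authorization"):
        self.login_fn = login_fn
        self.extract_expr = extract_expr
        self.header_key = header_key
        self.token = None
        self.logins = 0

    def header(self, now=None) -> dict:
        now = int(time.time()) if now is None else now
        if self.token is None or jwt_expired(self.token, now):
            self.token = resolve(self.extract_expr, {"x1": self.login_fn(now)})
            self.logins += 1
        return {self.header_key: f"Bearer {self.token}"}   # assumed prefix


if __name__ == "__main__":
    src = RoleTokenSource(fake_login_step, "${x1.response.body.authentication.token}")
    t0 = 1_700_000_000
    print(src.header(t0)["Authorization"][:40], "logins:", src.logins)
    src.header(t0 + 600)
    print("after 10 min, logins:", src.logins)
    src.header(t0 + 3600)
    print("after 60 min, logins:", src.logins)
```

The expiry check deliberately does not verify the signature: the tester is the token's legitimate holder and only needs to know when to log in again. Opaque (non-JWT) tokens carry no exp, so for those you would instead re-login on the first 401 the test run sees.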

Automated token, option 2: JSON Recording

You can also create a role in Akto from a JSON recording. Follow the steps outlined in the video:

Step 3: Run Authorization Tests with Akto

From Test Editor

You can now run authorization tests with Akto to check for vulnerabilities. See below:

From API Collections

You can also run tests and choose the specific role by going to your API Inventory > API collections. See below:

Step 4: Assess Results

As you can see, Akto generated a modified auth token that simulates an 'attacker' token in the API request.

The response was a 401 error, indicating that the server rejected the modified token and the attack did not work.

In this case, no vulnerability was detected in the OWASP Juice Shop login endpoint. Note that a 401 shows the tampered token failed authentication; the role-based checks described above, in which a valid lower-privilege token is replayed against higher-privilege endpoints, should produce a 403 rather than a 2xx.

In the event that the vulnerability is detected, Akto will highlight the same and the development team should be notified for action. You can also create a Jira ticket to flag the concern within your pipeline.

You're all set! You can now start authorization testing with Akto using this guide.

Final Thoughts

Akto streamlines the authorization testing process, simplifying the generation and automation of auth tokens and enabling efficient and effective testing of your API's access controls. By introducing test roles and adopting these API security testing practices, you can significantly improve the security of your application and take concrete steps against unauthorized access.

If you’d like to know more about Authorization Testing, check out our resources:

Want to ask something?

Our community offers a network of support and resources. You can ask any question there and will get a reply in 24 hours.
