Panel Discussion: API Security in DevSecOps. Watch the Recording

New Feature: Detect Sensitive Data in URLs with Akto

Akto now simplifies the process of detecting sensitive data types in URLs in an automated way from our pre-existing repository of regular expressions so that your development teams can instantly resolve the vulnerabilities. See how!

Raaga Srinivas

8 mins

Introduction

In API security testing, sensitive data types can range from personal identifiers to confidential information that may be embedded within URLs in the form of strings or integers. It is crucial to identify these data types to prevent potential data leakage points.

Akto now simplifies this process by intelligently detecting sensitive data types in URLs in an automated way from our pre-existing repository of regular expressions so that your development teams can instantly resolve the vulnerabilities.

Importance of detecting sensitive data in URLs

In 2018, Marriott's Starwood guest reservation database was compromised, potentially exposing the personal information of approximately 500 million guests. One of the vulnerabilities exploited in this breach was related to sensitive data exposure through URLs.

When guests booked reservations through the Starwood reservation system, the confirmation email sent by Marriott contained a URL to manage their booking. This URL included the guest's reservation number and other sensitive information in the query parameters.

Attackers exploited this vulnerability by manipulating the URL parameters, gaining access to other guests' reservation details without proper authentication. This allowed unauthorized access to sensitive personal information, including names, addresses, passport numbers, email addresses, and payment card details.

The breach remained undetected for years, and the exposed data was potentially accessible to malicious actors, posing a significant risk to the affected individuals' privacy and security.

You can read more about the incident here.

To ensure such vulnerabilities are detected early, Akto’s new feature automatically detects this kind of sensitive information as you upload your traffic onto the dashboard. Let’s dig in to see how!

Automated Sensitive Data Detection in URLs with Akto

Akto ships with 100+ regular expressions stored as Sensitive Data types and can flag sensitive values in URLs the instant you connect your traffic.

For example, an API endpoint with the URL v2/phone_number/+1-202-555-0175 would be immediately flagged as it reveals a user’s personal information.

Let’s see how Akto detects sensitive data in URLs:

For that, you’d first need to connect your traffic data. There are many ways to connect your traffic data to Akto; check out our docs to learn how.

If you use a method that connects to your traffic in CI/CD, then your API collections will immediately appear on your Akto dashboard. Alternatively, you can create a custom collection.

In this example, we’re going to connect to traffic data by uploading a HAR file. So, you will first need to create an API collection.

Then follow the steps below:

You can see how Akto has completely automated sensitive data detection so your teams can focus on immediate remediation!

Automated URL merging with Akto

In addition, Akto merges URLs that differ only in a path segment matching a sensitive data type, since they belong to the same set of APIs. This makes the API Inventory easier to navigate and manage, reducing the chances of errors and oversights. For instance, for multiple users of your application, both

v2/phone_number/+1-202-555-0175 and v2/phone_number/+1-202-555-0147 would be merged into v2/phone_number/STRING because they belong to the same set of APIs.

Akto also gives you the option to customize your own sensitive data type according to your requirements.

Customizing a Sensitive Data Type in a URL with Akto

With this new functionality, you now have the ability to specify your own preferences and customize your own data type that’s deemed sensitive.

For example:

Let’s say that you’re the owner of an apparel store and you believe that order IDs are sensitive information that should not be revealed on URLs. On Akto, you can now create a custom sensitive data type to identify if this vulnerability exists in the URL.

You can first upload your traffic to see what it will look like on Akto.

Step 1: Upload traffic data to Akto

Step 2: Create a Custom Data Type

Create a custom sensitive data type by following the steps below:

Given the volume of data and API endpoints that are being called using this URL, Akto also merges similar URLs with the specified sensitive data type.

For example:

When you connect your traffic to Akto, initially v2/store/order/order_1 and v2/store/order/order_2 would not be merged as you saw before.

But now, with the custom datatype titled ‘ORDER_DETAILS’ using the regular expression order_, Akto will not only recognize that the URL is revealing sensitive data but also that these two APIs are similar and merge them under v2/store/order/ORDER_DETAILS.

See how this happens in the next section.
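The per-segment regex matching and URL merging described here and in the phone-number example above, as an added illustration (not Akto's own code): a constructed phone-number pattern stands in for one of the built-in types, the custom ORDER_DETAILS type uses the post's regex order_, and the merging rule (built-in matches collapse to STRING, custom types to their own name) is an assumption chosen to reproduce the post's two examples. The "active" flag models the activate/deactivate option described later.

```python
import re
from collections import defaultdict

# Constructed data types: a phone-number pattern standing in for one of Akto's
# built-in regexes, plus the custom ORDER_DETAILS type from the post ("order_").
DATA_TYPES = {
    "PHONE_NUMBER": {"regex": re.compile(r"^\+?\d{1,3}-\d{3}-\d{3}-\d{4}$"),
                     "custom": False, "active": True},
    "ORDER_DETAILS": {"regex": re.compile(r"order_"), "custom": True, "active": True},
}

def classify_segment(segment, data_types=DATA_TYPES):
    """Name of the first active data type whose regex matches the path segment, else None."""
    for name, spec in data_types.items():
        if spec["active"] and spec["regex"].search(segment):
            return name
    return None

def merge_url(url, data_types=DATA_TYPES):
    """Replace each sensitive path segment with a placeholder and report the findings.
    Assumed merging rule, chosen to reproduce the two examples in the post:
    built-in types collapse to STRING, custom types to their own name."""
    merged, findings = [], []
    for index, segment in enumerate(url.split("/")):
        name = classify_segment(segment, data_types)
        if name is None:
            merged.append(segment)
            continue
        findings.append((index, name, segment))
        merged.append(name if data_types[name]["custom"] else "STRING")
    return "/".join(merged), findings

def build_inventory(urls, data_types=DATA_TYPES):
    """Group observed URLs by merged template and record which data types each exposes."""
    inventory = defaultdict(lambda: {"urls": [], "sensitive": set()})
    for url in urls:
        template, findings = merge_url(url, data_types)
        inventory[template]["urls"].append(url)
        inventory[template]["sensitive"].update(name for _, name, _ in findings)
    return dict(inventory)

# Constructed sample traffic: the paths quoted in the post plus one clean endpoint
SAMPLE_URLS = [
    "v2/phone_number/+1-202-555-0175", "v2/phone_number/+1-202-555-0147",
    "v2/store/order/order_1", "v2/store/order/order_2", "v2/store/catalog",
]

if __name__ == "__main__":
    for template, info in build_inventory(SAMPLE_URLS).items():
        print(template, sorted(info["sensitive"]), len(info["urls"]))
```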

Step 3: View Sensitive Data in URLs in API collections

For Continuous Traffic Mirroring

If you are running Akto on CI/CD, then Akto will have identified that order details have been revealed and have merged your URL based on the conditions you have specified in an automated manner. Head back to API Inventory > API Collections > Click on the specific collection and see how:

For HAR files

You’ll have to re-upload your HAR files to see how Akto identifies the sensitive order details data and merges your URLs. You will then see the same set of details as outlined above:

You’re all set to start testing with Akto!

If you ever want to change your preferences for some of the data types, Akto also gives you the option to activate and deactivate them as required:

Deactivate Custom Data Type

See how to deactivate your custom data type below:

Final Thoughts

Detecting and managing sensitive data types in URLs is a crucial aspect of API security testing. Akto provides a powerful solution to this problem, flagging these vulnerabilities automatically and letting you define your own sensitive data types as well. Akto also merges similar URLs, ensuring you have a clean API inventory. By reducing the complexity of tracking and managing sensitive data, these tools free your time and resources to focus on your primary task: testing and securing your APIs.

If you’d like to know more about integrating API Security Testing with Akto into your pipeline, check out our resources:
