New Feature: Detect Sensitive Data in URLs with Akto
Akto now simplifies the process of detecting sensitive data types in URLs in an automated way from our pre-existing repository of regular expressions so that your development teams can instantly resolve the vulnerabilities. See how!
Raaga Srinivas
8 mins
Introduction
In API security testing, sensitive data types can range from personal identifiers to confidential information that may be embedded within URLs in the form of strings or integers. It is crucial to identify these data types to prevent potential data leakage points.
Akto now simplifies this process by intelligently detecting sensitive data types in URLs in an automated way from our pre-existing repository of regular expressions so that your development teams can instantly resolve the vulnerabilities.
Importance of detecting sensitive data in URLs
In 2018, Marriott's Starwood guest reservation database was compromised, potentially exposing the personal information of approximately 500 million guests. One of the vulnerabilities exploited in this breach was related to sensitive data exposure through URLs.
When guests booked reservations through the Starwood reservation system, the confirmation email sent by Marriott contained a URL to manage their booking. This URL included the guest's reservation number and other sensitive information in the query parameters.
Attackers accessed and exploited this vulnerability by manipulating the URL parameters, accessing other guests' reservation details without proper authentication. This allowed unauthorized access to sensitive personal information, including names, addresses, passport numbers, email addresses, and payment card details.
The breach remained undetected for years, and the exposed data was potentially accessible to malicious actors, posing a significant risk to the affected individuals' privacy and security.
You can read more about the incident here.
To ensure such vulnerabilities are detected well in time, Akto’s new feature detects such sensitive information as you upload your traffic on to the dashboard in an automated way. Let’s dig in to see how!
Automated Sensitive Data Detection in URLs with Akto
Akto has 100+ regular expressions stored as Sensitive Data and can clock vulnerabilities in URLs the instant you connect to your traffic.
For example, an API endpoint with the URL v2/phone_number/+1-202-555-0175 would be immediately flagged as it reveals a user’s personal information.
Let’s see how Akto detects sensitive data in URLs:
For that, you’d first need to connect to your traffic data. There are many ways to connect your traffic data to Akto, check out our docs to learn how.
If you use a method that connects to your traffic in CI/CD, then your API collections will immediately appear on your Akto dashboard. Alternatively, you can create a custom collection.
In this example, we’re going to connect to traffic data by uploading a HAR file. So, you will first need to create an API collection.
Then follow the steps below:
Monthly product updates in your inbox. No spam.
You can see how Akto has completely automated sensitive data detection so your teams can focus on immediate remediation!
Automated URL merging with Akto
In addition, Akto merges specific integers in a URL as they belong to the same set of APIs. This makes the API Inventory easier to navigate and manage, thus reducing the chances of errors and oversights. For instance, for multiple users of your application, both
v2/phone_number/+1-202-555-0175 and v2/phone_number/+1-202-555-0147 would be merged into v2/phone_number/STRING because they belong to the same set of APIs.
Akto also gives you the option to customize your own sensitive data type according to your requirements.
Customizing a Sensitive Data Type in a URL with Akto
With this new functionality, you now have the ability to specify your own preferences and customize your own data type that’s deemed sensitive.
For example:
Let’s say that you’re the owner of an apparel store and you believe that order IDs are sensitive information that should not be revealed on URLs. On Akto, you can now create a custom sensitive data type to identify if this vulnerability exists in the URL.
You can first upload your traffic to see what it will look like on Akto
Step 1: Upload traffic data to Akto
Step 2: Create a Custom Data Type
Create a custom sensitive data type by following the steps below:
Given the volume of data and API endpoints that are being called using this URL, Akto also merges similar URLs with the specified sensitive data type.
For example:
When you connect your traffic to Akto, initially v2/store/order/order_1 and v2/store/order/order_2 would not be merged as you saw before.
But now, with the custom datatype titled ‘ORDER_DETAILS’ using the regular expression order_, Akto will not only recognize that the URL is revealing sensitive data but also that these two APIs are similar and merge them under v2/store/order/ORDER_DETAILS.
See how this happens in the next section.
Step 3: View Sensitive Data in URLs in API collections
For Continuous Traffic Mirroring
If you are running Akto on CI/CD, then Akto will have identified that order details have been revealed and have merged your URL based on the conditions you have specified in an automated manner. Head back to API Inventory > API Collections > Click on the specific collection and see how:
For Har file
You’ll have to re-upload your HAR files to see how Akto identifies the sensitive order details data and merges your URLs. You then see the same set of details as outlined above:
You’re all set to start testing with Akto!
If you ever want to switch around your preferences on some of the data types, Akto also provides you with the option to activate and de-activate them based on the requirement:
Deactivate Custom Data Type
See how to deactivate your custom data type below:
Final Thoughts
Detecting and managing sensitive data types in URLs is a crucial aspect of API security testing. Akto provides a powerful solution to this problem, clocking these vulnerabilities and allowing you to customize a sensitive data type as well in a completely automated way. Akto also merges similar URLs, ensuring you have a cleanAPI inventory. By reducing the complexity of tracking and managing sensitive data, these tools free your time and resources to focus more on your primary task: Testing and securing your APIs.
If you’d like to know more about integrating API Security Testing with Akto into your pipeline, check out our resources:
Keep reading
News
7 mins
March Product News: 98 New Tests, Dynamic wordlists, and more
This edition of Akto’s newsletter is packed with new features and tests that will greatly decrease your API Security testing time and increase targeted testing.
Product updates
5 mins
Detailed Errors on Postman and Swagger File Import
Akto now replays APIs to automatically get data during an import of Postman and Swagger files and transparently displays reasons why each specific API couldn't be replayed in the case of an error.
Product updates
5 mins
Added 98 New API Security Tests across 5 OWASP categories
Akto has introduced new tests across several categories including BOLA, Broken Authentication, Unrestricted Resource Consumption, BFLA, and SSRF that you can explore with Akto’s Test Editor.