
New Feature: Targeted API Security Testing with Dynamic Wordlists

Akto now uses dynamic wordlists to perform targeted API Security testing that significantly decreases test times and reduces false positives.

Dynamic Wordlists
Raaga Srinivas


5 mins

What are Dynamic Wordlists?

Dynamic wordlists are lists of words that are continuously updated from the application under test and used during automated security testing. They can include observed or predicted API endpoints, parameter names, parameter values and attack payloads. Because they reflect what the target actually exposes, they help surface real security risks in an API rather than generic ones, and they are essential to maintaining robust API security.

How does Akto use Dynamic Wordlists?

Let’s take an example to understand this.

Say you would like to perform a fuzzing test.

Fuzzing is a software testing technique that feeds a set of inputs (commonly known as "fuzz") to a system to find security vulnerabilities. For an API, these inputs can be endpoint paths, parameter names or parameter values. Fuzzing aims to induce errors or unexpected behavior in the system, which can indicate security flaws.

When conducting a fuzzing test, Akto previously used a static wordlist. A static wordlist is a predefined, fixed set of inputs used in software testing, such as common endpoint names, parameter names and values.

However, unlike dynamic wordlists, static lists do not adapt or change based on the specific APIs or the data they handle. This might result in less efficient testing and a higher rate of false positives.

Now, however, Akto uses Dynamic Wordlists based on specific regexes that can be completely customized to suit the vocabulary of your business. This feature is unique to Akto!

Targeting API Security Testing with Akto

Instead of blindly hitting APIs with hardcoded wordlists, Akto uses a dynamic wordlist so that the words it sends come from your company’s vocabulary. For example, a static list stores the word ‘Admin’, but your company might call these individuals ‘Super Users’. With a regex such as ‘RegexUserID’ in a dynamic wordlist, Akto automatically identifies the term ‘Super User’ as a relevant input and uses it in subsequent tests.

This leads to fewer false positives and decreased testing time as the testing is completely targeted to your business.
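To make the idea concrete, the following Python script (an added illustration written for this post, not Akto’s own code or its Test Editor syntax) builds wordlists by running regexes over a constructed sample of observed API traffic, then uses one of those lists to generate targeted role-escalation fuzz cases. The extractor names, the sample traffic, the ‘Viewer’ template body and the coverage metric are all assumptions made for the example; the point it demonstrates is that a list derived from the target’s own vocabulary (‘Super User’, ‘Billing Agent’, ‘Tenant Owner’) produces relevant requests, whereas the generic static list (‘admin’, ‘root’, …) matches nothing this API actually uses.

```python
import re
from collections import OrderedDict

# Constructed sample of observed API traffic (hypothetical, not real data).
# Each record is (method, path, response_body) as a proxy or agent might capture it.
OBSERVED_TRAFFIC = [
    ("GET",  "/api/v1/users/42",              '{"id": 42, "role": "Super User"}'),
    ("POST", "/api/v1/users",                 '{"email": "a@example.com", "role": "Billing Agent"}'),
    ("GET",  "/api/v1/orders?status=shipped", '{"orders": [], "role": "Super User"}'),
    ("GET",  "/api/v1/tenants/acme/settings", '{"plan": "enterprise", "role": "Tenant Owner"}'),
]

# A static wordlist: generic values that may have nothing to do with this API's vocabulary.
STATIC_ROLE_WORDLIST = ["admin", "administrator", "root", "superuser"]

# Regex-driven extractors (names and patterns are assumptions for illustration).
# Each maps a wordlist name to (which field to scan, pattern whose group 1 is the word).
EXTRACTORS = {
    "role_values":   ("body", re.compile(r'"role"\s*:\s*"([^"]+)"')),
    "path_segments": ("path", re.compile(r"/([A-Za-z][A-Za-z0-9_-]*)(?=[/?]|$)")),
    "query_params":  ("path", re.compile(r"[?&]([A-Za-z_][A-Za-z0-9_]*)=")),
}


def build_dynamic_wordlists(traffic, extractors):
    """Scan observed traffic once and collect, per extractor, the distinct words it
    matches, preserving first-seen order so the output is deterministic."""
    lists = {name: OrderedDict() for name in extractors}
    for _method, path, body in traffic:
        for name, (field, pattern) in extractors.items():
            haystack = path if field == "path" else body
            for match in pattern.finditer(haystack):
                lists[name].setdefault(match.group(1), None)
    return {name: list(words) for name, words in lists.items()}


def generate_role_fuzz_cases(template_body, role_wordlist):
    """Produce one mutated request body per candidate role by rewriting the "role"
    field of a template request; this is the kind of targeted mutation a
    role-escalation test would send. A lambda replacement avoids re.sub treating
    backslashes in a candidate word as escape sequences."""
    field = re.compile(r'("role"\s*:\s*")[^"]*(")')
    return [field.sub(lambda m, w=word: m.group(1) + w + m.group(2), template_body)
            for word in role_wordlist]


def coverage_against_vocabulary(wordlist, vocabulary):
    """Fraction of wordlist entries the target is actually observed to use. A low value
    means most requests built from this list will be irrelevant to this API, which is
    where wasted test time and noisy findings come from."""
    vocab = {w.lower() for w in vocabulary}
    hits = [w for w in wordlist if w.lower() in vocab]
    return len(hits) / len(wordlist) if wordlist else 0.0


if __name__ == "__main__":
    lists = build_dynamic_wordlists(OBSERVED_TRAFFIC, EXTRACTORS)
    for name, words in lists.items():
        print(f"{name}: {words}")
    template = '{"email": "b@example.com", "role": "Viewer"}'  # constructed template request
    print("static  coverage:", coverage_against_vocabulary(STATIC_ROLE_WORDLIST, lists["role_values"]))
    print("dynamic coverage:", coverage_against_vocabulary(lists["role_values"], lists["role_values"]))
    for case in generate_role_fuzz_cases(template, lists["role_values"]):
        print("fuzz case:", case)
```

In practice the regexes would be tuned to your own naming conventions (role names, tenant identifiers, internal object IDs) so that the wordlists stay in your business vocabulary as new traffic is observed.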

Here’s how you use this feature with Akto:

To understand the dynamic wordlist, we’ll be exploring Akto’s Test Editor- Your playground for writing custom API security tests.


You can now assess the results of your tests and accordingly remediate your most pressing vulnerabilities.

Final Thoughts

This feature is part of Akto’s Test Editor, and we’re constantly thinking of new ways to improve the API security testing process. To know more, check out our resources:
