Research by the cybersecurity firm Sophos showed that web apps and APIs published to the internet are attacked by bots controlled by cybercriminals within a couple of hours, and sometimes in less than a minute! That's the bad news: malicious software is constantly probing your apps and APIs for weaknesses. The good news? You can use the same techniques attackers rely on to detect and fix security holes before criminals find them.
Most malicious bots use a technique called "fuzzing" to detect and exploit weaknesses in web apps or APIs.
The potency of fuzzing for identifying security and quality bugs that are missed by other manual or code-based analysis techniques makes it, and the tool we'll cover, Mayhem, a great addition to the security arsenal for every SaaS company. Let's see why.
What is Fuzzing?
As we described in our earlier post, "How To Automate Software Security Testing", fuzzing is the process of using automation to supply unexpected, crafted, or bad inputs to a software interface, in order to verify and improve the robustness of the software when handling incorrect inputs.
Software corporations like Google, Microsoft, and Intel have used fuzzing for well over a decade to weed out security defects that are often missed by other manual or specialized security testing techniques. Newer fuzzers like Mayhem make this technique more accessible to modern startups.
What is Mayhem?
Mayhem for API is a fuzzing tool that automates API testing at scale. The solution...
Understands how API requests are formed and can be tuned specifically to API response codes and outputs to find issues in an application’s API infrastructure.
Applies fuzzing techniques to the parameters in a request to test the quality and resiliency of the APIs quickly through rapid iterations of requests designed to find the boundaries where errors most frequently occur.
Is designed to fit seamlessly into a continuous integration / continuous deployment environment where Mayhem for API can be invoked as part of integration testing of the application.
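To make the "fuzzing the parameters in a request" idea above concrete, here is a small added example (not Mayhem's code, and not part of the original post) in Python. It takes a known-good request, swaps one field at a time for boundary and wrong-type values, and reports the cases where the endpoint answers with a 5xx instead of a clean 4xx. The endpoint `handle_order` is a constructed stand-in for a real API handler, with a deliberate gap in its input validation so that the fuzzer has something to find.

```python
from typing import Callable, Dict, List, Tuple

# Values a parameter fuzzer tries for each field type. Constructed for this
# example; a real fuzzer derives and mutates them from the API specification.
INT_CASES = [0, -1, 2**31, 2**63, 10**20, "12"]
STR_CASES = ["", "A" * 10_000, "\x00", "ü🤓", "1e309", 42]

Request = Dict[str, object]
Endpoint = Callable[[Request], int]


def handle_order(params: Request) -> int:
    """Constructed stand-in for a POST /order handler; returns an HTTP status.
    It validates types and sign but not magnitude or length, so some inputs
    pass validation and blow up deeper in the stack as an unhandled error."""
    qty, item = params.get("quantity"), params.get("item")
    if not isinstance(qty, int) or not isinstance(item, str) or qty <= 0:
        return 400  # rejected as expected: a client error, not a finding
    total_cents = qty * 100
    if total_cents.bit_length() > 64:
        raise OverflowError("total does not fit the int64 column")
    if len(item.encode()) > 256:
        raise ValueError("item exceeds VARCHAR(256)")
    return 201


def fuzz(endpoint: Endpoint, spec: Dict[str, type],
         baseline: Request) -> List[Tuple[str, object, int]]:
    """Mutate one parameter at a time starting from a known-good request and
    report every case that produced a 5xx, the class Mayhem flags as an error."""
    findings = []
    for field, ftype in spec.items():
        for value in (INT_CASES if ftype is int else STR_CASES):
            request = dict(baseline, **{field: value})
            try:
                status = endpoint(request)
            except Exception:
                status = 500  # a real server maps an unhandled exception to 500
            if status >= 500:
                findings.append((field, value, status))
    return findings


if __name__ == "__main__":
    spec = {"quantity": int, "item": str}
    for field, value, status in fuzz(handle_order, spec, {"quantity": 1, "item": "pen"}):
        print(f"{status} on {field}={str(value)[:40]!r}")
```

The three hits (two oversized quantities, one oversized item name) are exactly the kind of boundary errors the tool reports; the wrong-type and negative cases come back as 400 and are correctly ignored.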
... Yep, it's time for Nerd-Mode! 🤓 😊
How to Use Mayhem
First, we create an account on Mayhem for API (this account will be needed to retrieve an authentication token that will verify our login before a fuzz test can be executed).
For this example, I am using a Linux Distro called Debian. Mayhem for API can be installed on any Linux distro.
Then we install the Mayhem for API fuzzer using the commands below:
curl -Lo mapi https://mayhem4api.forallsecure.com/downloads/cli/latest/linux-musl/mapi && chmod +x mapi
Add the Mayhem API to your executable path with the commands:
sudo mkdir -p /usr/local/bin/
sudo install mapi /usr/local/bin/
To confirm that the fuzzer works, run:
To begin testing, you will need to log into the Mayhem for API account you created earlier to retrieve your authentication token. You can access or create a token from your profile page. Here's a screenshot from my test profile:
Next, you need to use that token to authenticate your fuzzer. Run the command below and paste your token when prompted (note that the token is hidden and will not appear on your terminal, so do not paste it twice, or the command will return an error):
You will be prompted to save the token locally:
To run Mayhem against an API:
mapi run <project/target name> <run time> <specification> --url <target url>
Vulnerability Hunting with Mayhem
Target 1: Pet Store
(A Vulnerable API provided by the Mayhem creators, ForAllSecure)
mapi run petstore 30sec "https://demo-api.mayhem4api.forallsecure.com/api/v3/openapi.json" --url "https://demo-api.mayhem4api.forallsecure.com/api/v3/" --interactive
As you'll notice, we set this fuzzer to run for 30 seconds. The longer the job is run, the more edge cases will be uncovered.
Once the run completes, visit your Mayhem for API Dashboard to see the results!
In this case, we had 6 errors and 6 warnings, each with its CWE (a Common Weakness Enumeration category that provides you with more public information about the vulnerabilities found).
It also shows the breakdown of each error and the specific vulnerabilities observed as seen in the screenshot below.
Target 2: vAPI
(A vulnerable Python API)
vAPI is an API written specifically to illustrate common API vulnerabilities. It is implemented using Python Flask + Connexion and consists of a user database and a token database. This makes it a perfect target for tools that focus on API vulnerabilities.
To install and run vAPI, you only need virtualenv on your machine. Follow these steps:
1. git clone https://github.com/jorritfolmer/vulnerable-api.git
2. virtualenv venv
3. source venv/bin/activate
4. pip install -r requirements
5. python ./vAPI.py -p <port>
Afterwards, you should be able to access the server as shown below:
Here's how to run Mayhem on vAPI:
To break down this command:
"mapionvapie" is my project/target name, which will be shown later in the results.
"900" is the runtime, i.e. how long mapi will run against my target.
"vAPI.yaml" is the YAML file containing the API specification for vAPI, so that the tool can issue the endpoint's requests and also knows the expected responses.
"http://localhost:8080/" is my target URL, which is where I configured and ran vAPI on my machine. You can simply change the values above depending on the specifics of your API.
Here's a view of the output:
In this post, we didn't get to dive into the CI/CD functionality of Mayhem for API. But you can check these resources: