Published on 05/03/2023
Last updated on 04/24/2024

APIClarity: Using the Trace Analyzer


APIClarity

https://www.apiclarity.io/

This blog is part of the APIClarity How-To Series. 

Using the APIClarity trace analyzer for better API security testing

The APIClarity trace analyzer helps detect API security weaknesses in observed API traffic and provides a score for the severity of any detected weaknesses (low, medium, high). If you’re doing any kind of API security testing at all, you need the trace analyzer—not only because it’s a stellar feature, but because it serves multiple purposes. 

This functionality was described in detail in a previous blog, but for a quick refresher, the trace analyzer scans API traffic for: 

  • Weak basic authentication 
  • Weak JSON web tokens 
  • Sensitive information (such as Personally Identifiable Information or PII) 
  • Guessable object IDs 
  • Broken Object-Level Authorization (BOLA) 

Some of what the trace analyzer scans for is configurable: you can supply dictionary words and regular-expression rules used to match sensitive PII. There is also a way to mark findings as ignored if desired. 

Let’s take APIClarity for a spin and see the trace analyzer in action! 

Behind the scenes of the APIClarity blog series

Throughout the APIClarity blog series, we’ve been using Sock Shop as our sample microservice application. See the APIClarity installation blog for specifics on setting up APIClarity with Sock Shop.

Now, Sock Shop is up and running, and I’m generating traffic to it using Locust, as described in the APIClarity installation piece. I’m using the default configuration for the trace analyzer. 

Getting the trace analyzer

Good news! The trace analyzer is always running when APIClarity is configured to observe API traffic. Once APIClarity records the API traffic, it is run through the trace analyzer to scan for any potential security weaknesses. 

You can see the API security testing results from the trace analyzer in the APIClarity UI either aggregated at the API endpoint level or at the API event level.   

To see it at the API endpoint level, go to the API Inventory tab on the left in the Dashboard UI (circled in green in Figure 1). 

API Inventory from Dashboard

Figure 1: Select API Inventory from Dashboard

In the API inventory list, select the one for your microservice application. In this case, we’ll select “catalogue.sock-shop” (circled in green in Figure 2). 

catalogue.sock-shop in API Inventory

Figure 2: Select "catalogue.sock-shop" in API Inventory

On the next screen, select the “Trace Analysis” tab. 

API Inventory Trace Analysis

Figure 3: Select "Trace Analysis" Tab

If there are any trace analyzer findings, you’ll see them listed, along with a risk level (low, medium, high). In Figure 4 below, APIClarity reports four findings for the catalogue API: two potential Broken Object-Level Authorization (BOLA) weaknesses and two matches on sensitive information, or PII. 

APIClarity catalogue.sock-shop Endpoint

Figure 4: Trace Analyzer Findings for "catalogue.sock-shop" Endpoint

The Non-Learnt Identifier (NLID) finding reports a potential BOLA problem: an object ID appeared in a request without having first been returned by the application in an earlier response. This could indicate a hacking attempt to guess the ID. 

You may recall from a previous blog that we saw a BOLA issue in the APIClarity spec difference listing for the catalogue API. That’s what the trace analyzer is reporting here (Figure 5). 

APIClarity NLID Findings

Figure 5: NLID Findings

The “matching regular expression” findings (Figure 6) indicate that certain keywords and patterns were found in catalogue API calls. In this case, the matches were the words “IBAN” (International Bank Account Number), “telephone number”, and what was presumed to be a server name. These findings identify a potential PII data leak. 

APIClarity Potential PII Data Leak

Figure 6: Potential PII Data Leak
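To make the two kinds of finding above concrete, here is a small replay-style analyzer written for this post as an added illustration; it is not APIClarity's code and does not reproduce its trace format, rule names or severity mapping, all of which are assumptions here. It walks a sequence of observed calls in order, learns the object IDs the application hands out in responses, raises an NLID finding when a request uses an ID that was never learnt (the BOLA signal described above), and applies regex and dictionary rules for sensitive data (IBAN and telephone patterns, plus a keyword list) to both request and response bodies. The sample traffic and every ID and value in it are constructed, and the `ignore` parameter stands in for the "ignore findings" facility mentioned earlier.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Trace:
    """One observed API call. Constructed shape for this example, not APIClarity's trace format."""
    method: str
    path: str
    request_body: str
    response_body: str


@dataclass(frozen=True)
class Finding:
    rule: str          # "NLID", "matching regular expression" or "dictionary match"
    severity: str      # low / medium / high
    trace_index: int   # which call in the observed sequence triggered it
    detail: str


# Regex rules for sensitive data (simplified patterns, assumed for illustration).
SENSITIVE_PATTERNS = {
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    # Lookarounds stop the phone pattern from matching a digit run inside an IBAN or an ID.
    "telephone number": re.compile(r"(?<![A-Za-z0-9])\+?\d[\d\s().-]{7,}\d(?![A-Za-z0-9])"),
}
# Dictionary rule: keywords that should not travel in API payloads (assumed list).
SENSITIVE_KEYWORDS = re.compile(r"\b(password|ssn)\b", re.IGNORECASE)

# Severity per rule is an assumption; the post only says findings are rated low/medium/high.
SEVERITY = {"NLID": "medium", "matching regular expression": "high", "dictionary match": "high"}

ID_IN_RESPONSE = re.compile(r'"id"\s*:\s*"([^"]+)"')  # object IDs the application hands out
ID_SEGMENT = re.compile(r"^[\w-]*\d[\w-]*$")          # path segments that look like object IDs


def candidate_ids(path):
    """Path segments that look like object IDs, e.g. 'item-1001' in /catalogue/item-1001."""
    return [seg for seg in path.split("/") if seg and ID_SEGMENT.match(seg)]


def analyze(traces, ignore=frozenset()):
    """Replay traces in order; return findings for every rule not listed in `ignore`."""
    findings = []
    learnt = set()  # IDs the client legitimately received in an earlier response

    def report(rule, index, detail):
        if rule not in ignore:
            findings.append(Finding(rule, SEVERITY[rule], index, detail))

    for i, t in enumerate(traces):
        # NLID: an object ID used in a request that no earlier response handed out.
        for oid in candidate_ids(t.path):
            if oid not in learnt:
                report("NLID", i, f"{t.method} {t.path} uses unlearnt id {oid!r}")
        # Sensitive data can leak in either direction, so scan request and response.
        for body in (t.request_body, t.response_body):
            for name, pattern in SENSITIVE_PATTERNS.items():
                for match in pattern.findall(body):
                    report("matching regular expression", i, f"{name}: {match}")
            for word in SENSITIVE_KEYWORDS.findall(body):
                report("dictionary match", i, f"keyword: {word.lower()}")
        # Learn IDs only after the checks, so a response cannot retroactively
        # legitimise the ID that the same request guessed.
        learnt.update(ID_IN_RESPONSE.findall(t.response_body))
    return findings


# Constructed sample traffic against a catalogue-style API (all IDs and values are made up).
SAMPLE_TRACES = [
    Trace("GET", "/catalogue", "", '[{"id":"item-1001"},{"id":"item-1002"}]'),
    Trace("GET", "/catalogue/item-1001", "", '{"id":"item-1001","name":"Holy"}'),
    Trace("GET", "/catalogue/item-9999", "", '{"id":"item-9999","name":"Crossed"}'),  # never listed: NLID
    Trace("POST", "/customers",
          '{"name":"Jane","iban":"GB29NWBK60161331926819","telephone":"+44 20 7946 0958"}',
          '{"id":"cust-1"}'),
    Trace("POST", "/login", '{"user":"jane","password":"hunter2"}', '{"token":"..."}'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_TRACES):
        print(f"[{f.severity}] trace {f.trace_index} {f.rule}: {f.detail}")
```

Run as a script, it reports one NLID for the third call (`item-9999` was never listed by `/catalogue`), two regex matches on the customer payload and one dictionary hit on the login call; the first `/catalogue/item-1001` lookup is silent because that ID was learnt from the listing. Order matters: replaying the same traces with the listing removed would turn the first lookup into an NLID too, which is exactly the "not retrieved first from the application" condition behind the finding.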

To drill down on the details of a particular API call that is getting flagged for issues by the trace analyzer, take a look at the API Events listing (third tab on the left in the dashboard UI, Figure 7). 

API Events from Dashboard

Figure 7: Select API Events from Dashboard

In the “Alerts” column, you’ll see a red “TRACEANALYZER” alert if there are any findings (circled in green in Figure 8). I’ll click on one for the catalogue API.

API Events with Trace Analyzer Findings

Figure 8: API Events with Trace Analyzer Findings

In the event detail UI, click on the “Trace Analysis” tab (Figure 9).

APIClarity Trace Analysis Tab with Findings

Figure 9: Trace Analysis Tab with Findings

The red triangle symbol indicates there was a relevant finding in the API security testing.

This will pull up details about the trace findings, similar to what we saw at the API endpoint level, but now for this specific call (Figure 10). 

Trace Analyzer Findings for Catalogue API Event

Figure 10: Trace Analyzer Findings for Catalogue API Event

Use the trace analyzer and improve your API security testing procedures

That’s the APIClarity trace analyzer in a nutshell. It will help you secure your cloud-native APIs by watching them in action and reporting potential problems. 

Next up in the blog series? Using the APIClarity BFLA detector!


Anne McCormick is a cloud architect and open-source advocate in Cisco’s Emerging Technology & Incubation organization, now Outshift by Cisco. 
