Businesses use APIs to connect services and share data over the internet across many different applications and platforms. APIs are constantly attacked and their vulnerabilities exploited, so it is important to protect and secure them against all possible threats.
APIs are attacked along many vectors, such as authentication, authorization, data manipulation and injection, among others. Testing for these requires writing far too much bespoke test code and takes time away from shipping production-ready software to customers. Such testing usually needs an OpenAPI spec to drive the test harness.
The Amazon API Gateway provides rich capabilities to create RESTful APIs and WebSocket APIs that enable real-time communication between applications.
Levo is a codeless API security testing solution that empowers you to release secure and resilient APIs provisioned via the AWS API Gateway.
This post describes how to address these challenges in under 5 minutes using Levo for AWS API Gateway APIs. We will accomplish this in three key steps:
1. Export your API schema from API Gateway as an OpenAPI spec
2. Import the API Schema into Levo and auto-generate a security Test Plan
3. Execute your security Test Plan using Levo CLI to identify API vulnerabilities
In this section we will look at how to export the schemas of REST APIs and HTTP APIs hosted in AWS API Gateway. Let’s begin with REST APIs.
1. Log in to your AWS Console, open the API Gateway dashboard and click on the name of the API whose schema you would like to export. You can also use the API Gateway Export API or command line tools; in this case, I will be exporting from the AWS Console.
2. Navigate to the Stages tab under Resources in the left sidebar. Depending on your application lifecycle, you may have multiple stages. Choose the stage whose schema you would like to export and test (dev, test, prod, etc.).
3. Your invoke URL should appear along with several other tabs underneath it. Navigate to the Export tab on this page.
4. In the Export tab, choose OpenAPI 3 as the specification and either JSON or YAML as the output format. Save the file it creates to your local desktop.
5. If you are working with an HTTP API, your dashboard will have an Export option in the left sidebar. Click on “Export.”
6. HTTP APIs only support export as an OpenAPI 3 definition. Choose the source based on the stage you would like to export, then choose the output format, JSON or YAML. Finally, click Download to save the schema to your local desktop.
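Before importing the exported file, it is worth checking what it actually declares, because the security tests generated from it are only as good as the schema. The script below is an added example, not code from the original post or from Levo: it reads an OpenAPI 3 document of the kind the export produces (the same JSON that `aws apigateway get-export --export-type oas30` writes for a REST API, or `aws apigatewayv2 export-api --specification OAS30` for an HTTP API), lists every operation, and reports operations that carry no security requirement at all (a missing `security` block, or an explicit `security: []` that switches authentication off) and parameters that carry no schema, which a test harness cannot generate data for. The embedded sample document, its API id, region and paths are constructed for illustration.

```python
"""Pre-import checks for an OpenAPI 3 document exported from Amazon API Gateway.

Added example (not the post's or Levo's code). Reads the JSON written by
`aws apigateway get-export --export-type oas30` or
`aws apigatewayv2 export-api --specification OAS30` and reports findings.
"""
import json
from typing import Dict, Iterator, List, Tuple

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample shaped like an API Gateway REST API export.
# The API id, region and paths are made up for illustration.
SAMPLE_EXPORT = json.dumps({
    "openapi": "3.0.1",
    "info": {"title": "orders-api", "version": "2024-01-01T00:00:00Z"},
    "servers": [{"url": "https://abc123.execute-api.us-east-1.amazonaws.com/{basePath}",
                 "variables": {"basePath": {"default": "/prod"}}}],
    "paths": {
        "/orders": {
            "get": {"security": [{"api_key": []}],
                    "responses": {"200": {"description": "ok"}}},
            "post": {"responses": {"200": {"description": "ok"}}},        # no security block
        },
        "/orders/{orderId}": {
            "parameters": [{"name": "orderId", "in": "path", "required": True,
                            "schema": {"type": "string"}}],
            "get": {"security": [{"api_key": []}],
                    "responses": {"200": {"description": "ok"}}},
            "delete": {"parameters": [{"name": "X-Reason", "in": "header"}],  # no schema
                       "security": [],                                       # auth switched off
                       "responses": {"204": {"description": "deleted"}}},
        },
    },
    "components": {"securitySchemes": {
        "api_key": {"type": "apiKey", "name": "x-api-key", "in": "header"}}},
})


def load_spec(text: str) -> Dict:
    """Parse the export and make sure it is an OpenAPI 3.x document with paths."""
    spec = json.loads(text)
    version = str(spec.get("openapi", ""))
    if not version.startswith("3."):
        raise ValueError(f"expected an OpenAPI 3.x document, got {version or 'none'!r}")
    if not isinstance(spec.get("paths"), dict):
        raise ValueError("document has no 'paths' object")
    return spec


def iter_operations(spec: Dict) -> Iterator[Tuple[str, Dict, Dict]]:
    """Yield ('METHOD /path', path_item, operation) for every operation."""
    for path, item in spec["paths"].items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if isinstance(op, dict):
                yield f"{method.upper()} {path}", item, op


def unauthenticated_operations(spec: Dict) -> List[str]:
    """Operations with no effective security requirement.

    An operation-level `security` overrides the document-level one, and an
    explicit empty list turns authentication off, so both cases are reported.
    """
    default = spec.get("security") or []
    found = []
    for label, _item, op in iter_operations(spec):
        requirements = op["security"] if "security" in op else default
        if not requirements:
            found.append(label)
    return sorted(found)


def undefined_security_schemes(spec: Dict) -> List[str]:
    """Scheme names referenced by a security requirement but missing from components."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    referenced = set()
    for requirement in spec.get("security") or []:
        referenced.update(requirement)
    for _label, _item, op in iter_operations(spec):
        for requirement in op.get("security") or []:
            referenced.update(requirement)
    return sorted(referenced - defined)


def parameters_without_schema(spec: Dict) -> List[Tuple[str, str]]:
    """(operation, parameter) pairs whose parameter declares neither schema nor content."""
    missing = []
    for label, item, op in iter_operations(spec):
        for param in list(item.get("parameters", [])) + list(op.get("parameters", [])):
            if "$ref" in param:
                continue  # shared parameter defined under components; not resolved here
            if "schema" not in param and "content" not in param:
                missing.append((label, param.get("name", "?")))
    return sorted(missing)


def report(text: str) -> Dict[str, List]:
    """Run all checks on an exported document and return the findings."""
    spec = load_spec(text)
    return {
        "operations": sorted(label for label, _i, _o in iter_operations(spec)),
        "unauthenticated": unauthenticated_operations(spec),
        "undefined_security_schemes": undefined_security_schemes(spec),
        "parameters_without_schema": parameters_without_schema(spec),
    }


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    print(json.dumps(report(source), indent=2))
```

Run it as `python check_export.py orders-api-prod.json` against the file you saved in step 4 or 6 (with no argument it uses the embedded sample). On the sample it flags `POST /orders` and `DELETE /orders/{orderId}` as unauthenticated and the `X-Reason` header as untyped; fixing those in API Gateway and re-exporting gives the test plan a far more useful starting point.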
In this step, we will walk you through importing the exported schema file into the Levo test harness. Set up a Levo account if you do not already have one.
7. Navigate to Levo.ai and log into your account. In your account, go to the API Catalog tab and click the “Import New Schema” button in the top right corner.
8. Enter a name for your application or service, select whether it is an Application or a Service, provide a description if you’d like, and upload the schema file. You may add metadata to conduct authorization tests or other advanced tests. Finally, click Save in the bottom right corner.
9. After your upload has been saved, you will be directed to the API catalog page showing your API endpoint details. You can then browse through your API endpoints and methods.
10. Next, go to the Test Plan tab on the left sidebar of your Levo account. Click the “New Test Plan” button on the right side to create a new test plan.
11. Choose the type of test plan you want to use. I will be continuing with a Data-Driven Testing plan. If you’re unsure which test plan to use, refer to Test Plan Documentation.
12. Name your test plan, add a description, and select the API Asset. The API asset name is the one you saved in the API Catalog when you uploaded your schema. I am also choosing to auto-populate API parameters for my test plan. This is optional; by configuring parameter data, end users control what data is sent when making API calls. To learn more about parameter data and test fixtures, refer to this link. Finally, click “Generate Test Plan.”
In this step, we will use command line tools to launch the Levo Docker containers and execute the test plan. Follow the instructions here to install the Levo CLI and authenticate it with Levo SaaS. The Levo CLI is the test runner that executes the test plan against your running instance of crAPI. You can then log back into the console to view your API test results and drill down to identify security vulnerabilities and contract non-conformance.
Levo is the only purpose-built security solution for APIs & microservices that provides comprehensive detection of both business logic and OWASP Top 10 vulnerabilities. Levo supports all popular CI/CD environments.
Continue testing your APIs by referring to the Levo Docs to explore all of our available features. If you have more questions about exporting HTTP APIs or REST APIs from the AWS API Gateway, please contact info@levo.ai.
Best,
Bhavya Garlapati
Cyber Security Intern