This is one part of a series of posts on how to prepare your API for a pentest. Here is part two.
Similar to web applications, web APIs (Application Programming Interfaces) should undergo security testing to determine whether any vulnerabilities exist. However, an API is usually less straightforward to test than a web application: there is no user interface to crawl, and it is often not possible to hand a pentester a single URL and say "test everything underneath this." As such, pentesters should ask for test data (working requests with valid parameters and credentials) along with access to the API itself. In this post, we will focus on using the Insomnia program to provide that data.
According to their website, Insomnia (and more specifically Insomnia Core) is a free "cross-platform desktop application that takes the pain out of interacting with HTTP-based APIs." Developers can use Insomnia to share 'workspaces' of API calls for QA testing of their application. It supports REST APIs and can import cURL commands and Swagger (OpenAPI) files. It is often selected because it is free and open source.
Very simply, Insomnia is used to send pre-built, known-good API calls through an intercepting proxy (such as Burp Suite or OWASP ZAP). Starting from pre-built test data greatly shortens the pentest timeframe, often lowers the project cost, and improves the quality of the report, because the tester spends time on testing rather than on guessing endpoints and parameter formats. From there, the pentester uses the intercepting proxy to perform active and manual testing by interacting with the API directly. Often Insomnia does not need to be used again after the initial API calls have been captured.
If you already use Insomnia within your environment and want to provide the data for pentesting, please scroll down to the ‘Exporting Insomnia Workspaces’ section.
These instructions cover the bare minimum needed to provide test data for a pentest. There are many more features within Insomnia if you want to dig into the documentation, but this will be what you need to get off the ground. We are going to go through some of the basic components and build requests for three REST API actions: one to fetch a 'to do' list, one to post a comment, and finally one to delete a comment. If you want to try the requests in your own environment, use https://jsonplaceholder.typicode.com as a practice API server.
After installing the Insomnia client for your operating system, start it up. There may be a welcome screen but feel free to close it, as all steps listed in this blog will bypass the welcome screen.
When you open Insomnia, you are dropped into a new blank 'workspace'. This workspace will hold one request for each endpoint and HTTP method combination you want to capture (creating, modifying, and deleting data on the same endpoint would count as three requests in this example). For the purposes of this blog post, we are going to use the default workspace that Insomnia generates.
We can start adding requests to this workspace by clicking the 'New Request' button in the right column or by right-clicking the left column and selecting 'New Request'.
In this example, we want to call the ToDo list within our API. Give the API request a name and select the HTTP Method associated with it (most often a GET, POST, PUT, or DELETE). In our example, we will select ‘GET’. Afterwards, click the ‘Create’ link.
Enter the https://jsonplaceholder.typicode.com/todos URL into the space next to the HTTP method (GET in this case).
After clicking the ‘Send’ button, you should be able to see the response in the ‘Preview’ window.
If you did not receive a response, click the timestamp in the upper right corner. This will provide a drop down that allows you to see what errors you might be receiving, such as authentication errors or misspellings in the URL.
As the owner of the application, we may know that additional paths or parameters can be added to our API to get specific data. For example, we can append /3 to the todos URL to request the record with ID #3. With several related requests, we may want to set up a folder for easy visual identification. In this example, right-click the left column and select 'New Folder'.
Once you provide a name, click 'Create'. You can click and drag your API requests into folders as you create them on the main Insomnia screen.
What do we do in order to build a POST request? For this next example, we are calling our API to create some content on the site. Let's start by right-clicking the left column and selecting 'New Request'. Provide a name for your API request. Select the first drop down to the right and click 'POST'. In the second drop down, select the format of the data you need to provide. For our example API, let's select JSON. When done, click the 'Create' button.
Enter the URL in the space at the top next to 'POST'. In the JSON body pane, paste in the data needed to fully form the request. In the example below, we provide the user to attach the post to, the post number to create, a title, and finally the body of the message. When done, click the Send button and try it out!
Finally, what can you do regarding authentication? In most cases, this just requires you to modify the ‘Auth’ section of your request. For example, we know that in order to delete a comment via the API, we are required to use the DELETE method and provide authentication.
To get started, let's create an API request with the DELETE method and set the body content to the JSON format we need. Follow the same steps as for the POST setup.
If you know the request must carry an 'Authorization: Bearer [token]' header (note the header name is Authorization, not Authentication), click the 'Auth' dropdown and select 'Bearer Token'.
Enter only the token value in the field. Insomnia will format the rest of the header automatically.
When you've entered all of your data, click Send. In our case the API only responds with a 200 OK, but everything appears to work correctly. Keep in mind that the practice server neither enforces authentication nor persists changes; it fakes the delete. Against your real API, confirm that the DELETE actually fails without the token, since a 200 on an unauthenticated delete is exactly the kind of finding a pentester will report.
Use the above steps to create as many examples of requests that you need to adequately represent the API footprint within your application.
Exporting Insomnia workspaces is a fairly simple process. To start, click the dropdown arrow in the purple box next to Insomnia and select ‘Import/Export’.
Click the ‘Export Data’ dropdown and click ‘Current Workspace’.
Select which (if not all) requests you’d like to export and click the ‘Export’ button.
Select ‘Insomnia v4 (JSON)’ and click ‘Done’.
You'll be presented with a prompt to save a JSON file to your operating system. Before sending it, check the file: any token you typed into a request's 'Auth' tab, and any value stored in an exported environment, is written into this JSON in clear text. Strip or replace those values and deliver the current credentials or session information (such as authorization tokens) to your pentester through a separate secure channel, not in the same email as the export. Once that is done, this might be all that is needed to ensure a successful API pentest!
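The request-building steps above and the export step can be checked with a short script. The following is an added example, not code from the original post or from the Insomnia project: it builds an Insomnia v4 (JSON) export containing the three requests (GET todos, POST a post, DELETE a comment with bearer auth), keeps the token as an environment reference rather than a literal, and then scans any export for inline credentials before it is handed over. The resource field names are my understanding of the v4 export format (verify by importing the output into Insomnia), and the DELETE path /comments/1 is a stand-in because the post does not name one.

```python
"""Added example (not from the original post or Insomnia itself): build an
Insomnia v4 export for the three walkthrough requests and scrub inline
credentials from an export before sharing it with a pentester.
Assumptions: resource field names follow the Insomnia v4 export format as
understood here; /comments/1 is a placeholder path for the DELETE."""
import copy
import json
import re
import time

BASE_URL = "https://jsonplaceholder.typicode.com"   # practice server named in the post
TOKEN_REF = "{{ _.token }}"                         # Insomnia environment-variable reference
SECRET_HEADERS = {"authorization", "x-api-key", "cookie"}
SECRET_KEY_RE = re.compile(r"token|secret|password|api[_-]?key", re.I)


def _resource(kind, rid, parent, name, **extra):
    """Minimal Insomnia resource record; extra fields are type-specific."""
    now = int(time.time() * 1000)
    res = {"_id": rid, "_type": kind, "parentId": parent, "name": name,
           "created": now, "modified": now}
    res.update(extra)
    return res


def _request(rid, parent, name, method, path, body=None, auth=None):
    """Request resource; a JSON body adds the Content-Type header automatically."""
    headers = [{"name": "Content-Type", "value": "application/json"}] if body else []
    body_rec = {"mimeType": "application/json", "text": json.dumps(body)} if body else {}
    return _resource("request", rid, parent, name, method=method,
                     url="{{ _.base_url }}" + path, headers=headers,
                     body=body_rec, authentication=auth or {})


def build_export(token_value):
    """Workspace with GET /todos, POST /posts and DELETE /comments/1 (bearer auth).
    The token lives in the Base Environment and is referenced from the request."""
    ws = _resource("workspace", "wrk_handoff", None, "API pentest handoff")
    env = _resource("environment", "env_base", ws["_id"], "Base Environment",
                    data={"base_url": BASE_URL, "token": token_value})
    folder = _resource("request_group", "fld_api", ws["_id"], "Example API")
    reqs = [
        _request("req_todos", folder["_id"], "List todos", "GET", "/todos"),
        _request("req_post", folder["_id"], "Create post", "POST", "/posts",
                 body={"userId": 1, "id": 101, "title": "pentest", "body": "hello"}),
        _request("req_delete", folder["_id"], "Delete comment", "DELETE", "/comments/1",
                 auth={"type": "bearer", "token": TOKEN_REF, "prefix": "Bearer"}),
    ]
    return {"_type": "export", "__export_format": 4, "__export_source": "handoff-script",
            "resources": [ws, env, folder] + reqs}


def scrub_export(export):
    """Return (scrubbed copy, findings). Each finding is (resource name, location,
    value) for a literal credential found in request auth, a sensitive header, or
    environment data. The literal is replaced by an environment reference (or
    blanked in the environment) so the secret travels out of band, not in the JSON."""
    out = copy.deepcopy(export)
    findings = []
    for res in out.get("resources", []):
        kind, name = res.get("_type"), res.get("name", "?")
        if kind == "request":
            auth = res.get("authentication") or {}
            tok = auth.get("token", "")
            if tok and "{{" not in tok:
                findings.append((name, "authentication.token", tok))
                auth["token"] = TOKEN_REF
            for hdr in res.get("headers", []):
                val = hdr.get("value", "")
                if hdr.get("name", "").lower() in SECRET_HEADERS and val and "{{" not in val:
                    findings.append((name, "header:" + hdr["name"], val))
                    ref = "{{ _.%s }}" % hdr["name"].lower().replace("-", "_")
                    hdr["value"] = ("Bearer " + TOKEN_REF) if val.lower().startswith("bearer ") else ref
        elif kind == "environment":
            for key, val in (res.get("data") or {}).items():
                if SECRET_KEY_RE.search(key) and isinstance(val, str) and val:
                    findings.append((name, "environment." + key, val))
                    res["data"][key] = ""      # pentester fills this in locally


    return out, findings


if __name__ == "__main__":
    export = build_export("s3cr3t-token")       # constructed sample token
    clean, found = scrub_export(export)
    for name, where, value in found:
        print(f"removed {where} from {name!r} (value starts {value[:4]}...)")
    print(json.dumps(clean, indent=2))           # save this and import it into Insomnia
```

Run the script and hand the printed JSON to the pentester; the findings list tells you which values to send separately. The same scrub_export function can be pointed at a file exported from the Insomnia GUI, which is the more common case, since the export includes whatever was typed into the 'Auth' tab.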