Abstract: Various embodiments facilitate Application Programming Interface (APIs) testing. In some examples, an apparatus detects security vulnerabilities in an API. The apparatus comprises one or more computer-readable storage media, a processing system operatively coupled with the one or more computer-readable storage media, and program instructions stored on the one or more computer-readable storage media. When executed by the processing system, the program instructions direct the processing system to perform operations. The apparatus monitors API traffic and responsively generates contextual information that characterizes the operations of the API. The apparatus generates an API test based on the contextual information to detect the security vulnerabilities in the API. The apparatus executes the API test on the API. The apparatus generates test results that indicate detected security vulnerabilities in the API. The processing system exports the test results.

Abstract: Various embodiments facilitate uncovering an Application Programming Interface (API) attack surface for an organization. In some examples, an apparatus comprises storage media, a processing system, and program instructions stored on the storage media. The apparatus processes Domain Name System (DNS) data to determine a set of possible API servers. The apparatus determines a set of possible Uniform Resource Identifier (URI) paths that may lead to one or more actual API endpoints. The apparatus joins the set of possible API servers with the set of possible URI paths to generate a set of possible API Uniform Resource Locators (URLs). The apparatus performs an API-specific crawl of the set of possible API URLs by submitting API requests to the set of possible API URLs and analyzing responses to determine the one or more actual API endpoints and one or more actual API servers of the set of possible API servers.

Abstract: Techniques to facilitate prevention of malicious attacks on a web service are disclosed herein. In at least one implementation, web resources associated with the web service are crawled to obtain information about internal and external web assets associated with the web service. Responses from the internal and external web assets are intercepted and content security policy headers are dynamically injected into the responses to determine internal and external dependency data associated with the internal and external web assets. The internal and external dependency data is processed with script reputation and domain reputation data to generate enriched dependency graph data. The enriched dependency graph data is analyzed to dynamically generate content security policies for the web service, and the dynamically generated content security policies are deployed to protect the web service.