API security can be daunting, but we’re here to help. Introducing Metlo, the API Security Platform that helps you secure your API without the need to buy expensive software or having to reinvent the wheel every time.
Metlo is an API security platform that provides vulnerability discovery, attack detection, and context. The platform can be used to test any API, including public APIs, private APIs, and internal APIs.
Metlo delivers an unparalleled level of visibility into API’s security posture with a single integrated solution for assessing both external and internal APIs. With Metlo you can quickly identify vulnerabilities in systems before hackers do!
Attack context is the ability to understand how an attack is being performed and where it’s coming from. The more information you have about the attacker, the better you can protect your API.
One way to gather that information could be through the user-agent field in a request header as per the following example:
This header tells us that this request came from a Mac running macOS Mojave with Safari loaded as its browser of choice (the number in parentheses after Mozilla tells us which version). Because we know what kind of browser made this request, we can apply rules based on it in order to mitigate certain kinds of vulnerabilities or attacks against our API users’ machines—for instance, if someone tries performing a cross-site scripting attack against users who are on macOS Mojave with Safari as their default browser, we’ll let them proceed because they’re not at risk for any kind of breach via this particular vulnerability type!
What can we do with this?
With this data we can perform a powerful set of tests against our APIs and even give Metlo Open API specifications to help it map out our API sets and give us a clear visualisation of our APIs.
On top of this we can ask Metlo to hunt for data that we consider to be sensitive such as PII and write tests to ensure that nothing escapes.
Even more interestingly, we can apply a layer of governance to ensure that the API is running the correct specification as per the Spec we gave to Metlo and we can alert if things fall out of sync.
The potential within this tool to be used with CI/CD systems is almost infinite!
Metlo is a powerful API security platform that helps organisations protect their APIs. It protects against all types of attacks, including data exfiltration, zero-day vulnerabilities and denial of service attacks. The platform is designed with built-in protections that don’t require any coding or integrations to work seamlessly with existing systems.
So head on over to Github to clone yourself a copy and give it a try on one of your own APIs.
Paul Hardy is a Principal Systems Developer at Cloudreach with a passion for Offensive Security. Having worked with Cloudreach for almost a decade he has built up expertise over a wide range of technologies often finding new and creative ways to improve Cloudreach’s clients Security Posture during engagements.