Search Blog

PRODUCT

5 min read

by Anne McCormick

Published on 05/03/2023

Last updated on 06/18/2024

Published on 05/03/2023

Last updated on 06/18/2024

APIClarity: Using the Trace Analyzer

Subscribe to

the Shift!

Get emerging insights on innovative technology straight to your inbox.

This blog is part of the APIClarity How-To Series.

Using the APIClarity trace analyzer for better API security testing

The APIClarity trace analyzer helps detect API security weaknesses in observed API traffic and provides a score for the severity of any detected weaknesses (low, medium, high). If you’re doing any kind of API security testing at all, you need the trace analyzer—not only because it’s a stellar feature, but because it serves multiple purposes.

This functionality was described in detail in a previous blog, but for a quick refresher, the trace analyzer scans API traffic for:

Weak basic authentication
Weak JSON web tokens
Sensitive information (such as Personally Identifiable Information or PII)
Guessable object IDs
Broken Object-Level Authorization (BOLA)

You can configure some things the trace analyzer scans for, such as dictionary matches and regex rules for matching sensitive PII. There’s also a way to ignore findings if desired.

Let’s take APIClarity for a spin and see the trace analyzer in action!

Behind the scenes of the APIClarity blog series

Throughout the APIClarity blog series, we’ve been using Sock Shop as our sample microservice application. See the APIClarity installation blog for specifics on setting up APIClarity with Sock Shop.

Now, Sock Shop is up and running, and I’m generating traffic to it using Locust, as described in the APIClarity installation piece. I’m using the default configuration for the trace analyzer.

Getting the trace analyzer

Good news! The trace analyzer is always running when APIClarity is configured to observe API traffic. Once APIClarity records the API traffic, it is run through the trace analyzer to scan for any potential security weaknesses.

You can see the API security testing results from the trace analyzer in the APIClarity UI either aggregated at the API endpoint level or at the API event level.

To see it at the API endpoint level, go to the API Inventory tab on the left in the Dashboard UI (circled in green in Figure 1).

API Inventory from Dashboard — **Figure 1: Select** **API Inventory** **from Dashboard**

In the API inventory list, select the one for your microservice application. In this case, we’ll select “catalogue.sock-shop” (circled in green in Figure 2).

catalogue.sock-shop in API Inventory — **Figure 2: Select "catalogue.sock-shop" in** **API Inventory**

On the next screen, select the “Trace Analysis” tab.

API Inventory Trace Analysis — **Figure 3: Select "Trace Analysis" Tab**

If there are any trace analyzer findings, you’ll see them listed, along with a risk level (low, medium, high). In Figure 4 below, APIClarity reports four findings for the catalogue API: two potential Broken Object-Level Authorization (BOLA) weaknesses and two matches on sensitive information, or PII.

APIClarity catalogue.sock-shop Endpoint — **Figure 4: Trace Analyzer Findings for "catalogue.sock-shop" Endpoint**

The Non-Learnt Identifier (NLID) finding is reporting a potential BOLA problem because an object ID was found in a request, but it was not retrieved first from the application. This could indicate a hacking attempt to guess the ID.

You may recall from a previous blog that we saw a BOLA issue in the APIClarity spec difference listing for the catalogue API. That’s what the trace analyzer is reporting here (Figure 5).

APIClarity NLID Findings — **Figure 5: NLID Findings**

The “matching regular expression” findings (Figure 6) indicate that certain keywords and patterns were found in catalogue API calls. In this case, the matches were the words “IBAN” (International Bank Account Number), “telephone number”, and what was presumed to be a server name. These findings identify a potential PII data leak.

APIClarity Potential PII Data Leak — **Figure 6: Potential PII Data Leak**

To drill down on the details of a particular API call that is getting flagged for issues by the trace analyzer, take a look at the API Events listing (third tab on the left in the dashboard UI, Figure 7).

API Events from Dashboard — **Figure 7: Select** **API Events** **from Dashboard**

In the “Alerts” column, you’ll see a red “TRACEANALYZER” alert if there are any findings (circled in green in Figure 8). I’ll click on one for the catalogue API.

**Figure 8: API Events with Trace Analyzer Findings**

In the event detail UI, click on the “Trace Analysis” tab (Figure 9).

APIClarity Trace Analysis Tab with Findings — **Figure 9: Trace Analysis Tab with Findings**

The red triangle symbol indicates there was a relevant finding in the API security testing:

This will pull up details about the trace findings, similar to what we saw at the API endpoint level, but now for this specific call (Figure 10).

**Figure 10: Trace Analyzer Findings for Catalogue API Event**

Use the trace analyzer and improve your API security testing procedures

That’s the APIClarity trace analyzer in a nutshell. It will help you secure your cloud-native APIs by watching them in action and reporting potential problems.

Next up in the blog series? Using the APIClarity BFLA detector!

Anne McCormick is a cloud architect and open-source advocate in Cisco’s Emerging Technology & Incubation organization, now Outshift by Cisco.

Subscribe to

the Shift!

Get emerging insights on innovative technology straight to your inbox.

Twitter

Facebook

Published on 00/00/0000

Last updated on 00/00/0000

Published on 00/00/0000

Last updated on 00/00/0000

Twitter

Facebook

This blog is part of the APIClarity How-To Series.

Using the APIClarity trace analyzer for better API security testing

This functionality was described in detail in a previous blog, but for a quick refresher, the trace analyzer scans API traffic for:

Weak basic authentication
Weak JSON web tokens
Sensitive information (such as Personally Identifiable Information or PII)
Guessable object IDs
Broken Object-Level Authorization (BOLA)

You can configure some things the trace analyzer scans for, such as dictionary matches and regex rules for matching sensitive PII. There’s also a way to ignore findings if desired.

Let’s take APIClarity for a spin and see the trace analyzer in action!

Behind the scenes of the APIClarity blog series

Throughout the APIClarity blog series, we’ve been using Sock Shop as our sample microservice application. See the APIClarity installation blog for specifics on setting up APIClarity with Sock Shop.

Now, Sock Shop is up and running, and I’m generating traffic to it using Locust, as described in the APIClarity installation piece. I’m using the default configuration for the trace analyzer.

Getting the trace analyzer

You can see the API security testing results from the trace analyzer in the APIClarity UI either aggregated at the API endpoint level or at the API event level.

To see it at the API endpoint level, go to the API Inventory tab on the left in the Dashboard UI (circled in green in Figure 1).

In the API inventory list, select the one for your microservice application. In this case, we’ll select “catalogue.sock-shop” (circled in green in Figure 2).

On the next screen, select the “Trace Analysis” tab.

You may recall from a previous blog that we saw a BOLA issue in the APIClarity spec difference listing for the catalogue API. That’s what the trace analyzer is reporting here (Figure 5).

In the “Alerts” column, you’ll see a red “TRACEANALYZER” alert if there are any findings (circled in green in Figure 8). I’ll click on one for the catalogue API.

In the event detail UI, click on the “Trace Analysis” tab (Figure 9).

The red triangle symbol indicates there was a relevant finding in the API security testing:

This will pull up details about the trace findings, similar to what we saw at the API endpoint level, but now for this specific call (Figure 10).

Use the trace analyzer and improve your API security testing procedures

That’s the APIClarity trace analyzer in a nutshell. It will help you secure your cloud-native APIs by watching them in action and reporting potential problems.

Next up in the blog series? Using the APIClarity BFLA detector!

Anne McCormick is a cloud architect and open-source advocate in Cisco’s Emerging Technology & Incubation organization, now Outshift by Cisco.

Insights

Inside Outshift

Collaborations

Product

Categories

Search Blog

by Anne McCormick

Published on 05/03/2023

Last updated on 06/18/2024

Published on 05/03/2023

Last updated on 06/18/2024

APIClarity: Using the Trace Analyzer

Get emerging insights on innovative technology straight to your inbox.

Using the APIClarity trace analyzer for better API security testing

Behind the scenes of the APIClarity blog series

Getting the trace analyzer

Use the trace analyzer and improve your API security testing procedures

Published on 00/00/0000

Last updated on 00/00/0000

Published on 00/00/0000

Last updated on 00/00/0000

by Anne McCormick

Published on 05/03/2023

Last updated on 06/18/2024

Published on 05/03/2023

Last updated on 06/18/2024

APIClarity: Using the Trace Analyzer

Get emerging insights on innovative technology straight to your inbox.

Using the APIClarity trace analyzer for better API security testing

Behind the scenes of the APIClarity blog series

Getting the trace analyzer

Use the trace analyzer and improve your API security testing procedures

Driving productivity and improved outcomes with Generative AI-powered assistants

Related articles

Collaborations

How to contribute to the KubeClarity open source supply chain security project

Insights

KubeClarity: Implementing CIS Benchmarks for stronger software supply chain security

Insights

KubeClarity cloud security solution: Runti­­­me scanning

KubeClarity cloud security solution: Runtime scanning