Outshift | APIClarity: Using the Trace Analyzer

Search Blog

Twitter

Facebook

Published on 00/00/0000

Last updated on 00/00/0000

Published on 00/00/0000

Last updated on 00/00/0000

Twitter

Facebook

This blog is part of the APIClarity How-To Series.

Using the Trace Analyzer

The APIClarity trace analyzer helps detect API security weaknesses in observed API traffic and provides a score for the severity of any detected weaknesses (low, medium, high). This functionality was described in detail in a previous blog, but for a quick refresher, the trace analyzer scans API traffic for:

Weak basic authentication
Weak JSON web tokens
Sensitive information (such as Personally Identifiable Information or PII)
Guessable object IDs
Broken Object-Level Authorization (BOLA)

You can configure some of the things that the trace analyzer scans for, such as dictionary matches and regex rules for matching sensitive PII. There’s also a way to ignore findings if desired.

Let’s take APIClarity for a spin and see the trace analyzer in action!

Behind the Scenes

Throughout the APIClarity blog series, we’ve been using Sock Shop as our sample microservice application. See the installation blog for specifics on setting up APIClarity with Sock Shop.

For this blog, Sock Shop is up and running, and I’m generating traffic to it using Locust, as described here. I’m using the default configuration for the trace analyzer.

Getting the Trace

Good news – the trace analyzer is always running when APIClarity is configured to observe API traffic. Once APIClarity records the API traffic, it is run through the trace analyzer to scan for any potential security weaknesses.

You can see the results from the trace analyzer in the APIClarity UI either aggregated at the API endpoint level or at the API event level.

To see it at the API endpoint level, go to the API Inventory tab on the left in the Dashboard UI (circled in green in Figure 1).

API Inventory from Dashboard — **Figure 1: Select *API Inventory* from Dashboard**

In the API inventory list, select the one for your microservice application. In this case, we’ll select “catalogue.sock-shop” (circled in green in Figure 2).

catalogue.sock-shop in API Inventory — Figure 2: Select "catalogue.sock-shop" in *API Inventory*

On the next screen, select the “Trace Analysis” tab.

API Inventory Trace Analysis — **Figure 3: Select "Trace Analysis" Tab**

If there are any trace analyzer findings, you’ll see them listed, along with a risk level (low, medium, high). In Figure 4 below, APIClarity reports four findings for the catalogue API: two potential Broken Object-Level Authorization (BOLA) weaknesses, and two matches on sensitive information, or PII.

APIClarity catalogue.sock-shop Endpoint — **Figure 4: Trace Analyzer Findings for "catalogue.sock-shop" Endpoint**

The Non-Learnt Identifier (NLID) finding is reporting a potential BOLA problem because an object ID was found in a request, but it was not retrieved first from the application. This could indicate a hacking attempt to guess the ID. You may recall from a previous blog that we saw a BOLA issue in the APIClarity spec difference listing for the catalogue API. That’s what the trace analyzer is reporting here (Figure 5).

APIClarity NLID Findings — **Figure 5: NLID Findings**

The “matching regular expression” findings (Figure 6) indicate that certain key words and patterns were found in catalogue API calls. In this case, the matches were the words “IBAN” (International Bank Account Number), “telephone number”, and what was presumed to be a server name. These findings are identifying a potential PII data leak.

APIClarity Potential PII Data Leak — **Figure 6: Potential PII Data Leak**

To drill down on the details of a particular API call that is getting flagged for issues by the trace analyzer, take a look at the API Events listing (third tab on the left in the dashboard UI, Figure 7).

API Events from Dashboard — **Figure 7: Select *API Events* from Dashboard**

In the “Alerts” column, you’ll see a red “TRACEANALYZER” alert if there are any findings (circled in green in Figure 8). I’ll click on one for the catalogue API.

**Figure 8: API Events with Trace Analyzer Findings**

In the event detail UI, click on the “Trace Analysis” tab (Figure 9).

APIClarity Trace Analysis Tab with Findings — **Figure 9: Trace Analysis Tab with Findings**

The red triangle symbol indicates there was a finding:

This will pull up details about the trace findings, similar to what we saw at the API endpoint level, but now for this specific call (Figure 10).

**Figure 10: Trace Analyzer Findings for Catalogue API Event**

Conclusion

That’s the APIClarity trace analyzer in a nutshell. It will help you secure your cloud-native APIs by watching them in action and reporting potential problems.

Next up in the blog series – using the APIClarity BFLA detector!

Anne McCormick is a cloud architect and open-source advocate in Cisco’s Emerging Technology & Incubation organization.

Collaborations

Inside Outshift

Insights

Product

Categories

Search Blog

Published on 00/00/0000

Last updated on 00/00/0000

Published on 00/00/0000

Last updated on 00/00/0000

Programs

Events

Sales

Cloud Security

Artificial Intelligence

Company

Careers

Connect

Showcase

Blog Categories

by Anne McCormick

Published on 05/03/2023

Last updated on 02/05/2024

Published on 05/03/2023

Last updated on 02/05/2024

APIClarity: Using the Trace Analyzer

Get emerging insights on emerging technology straight to your inbox.

Using the Trace Analyzer

Behind the Scenes

Getting the Trace

Conclusion

Unlocking Multi-Cloud Security: Panoptica's Graph-Based Approach

Related articles

Inside Outshift

From SRE to platform engineering: Paving the way for innovation and scalability at Outshift

Inside Outshift

Machine learning techniques: From zero-shot visionaries to supervised specialists to craft a workforce ensemble

Inside Outshift

Continuous learning shapes a product management career path: Insights from Alex Jauch