clock icon

5 min read

Blog thumbnail
Published on 05/03/2023
Last updated on 02/05/2024

APIClarity: Using the Trace Analyzer

Share

APIClarity
https://www.apiclarity.io/

This blog is part of the APIClarity How-To Series. 

Using the Trace Analyzer

The APIClarity trace analyzer helps detect API security weaknesses in observed API traffic and provides a score for the severity of any detected weaknesses (low, medium, high). This functionality was described in detail in a previous blog, but for a quick refresher, the trace analyzer scans API traffic for: 

  • Weak basic authentication 
  • Weak JSON web tokens 
  • Sensitive information (such as Personally Identifiable Information or PII) 
  • Guessable object IDs 
  • Broken Object-Level Authorization (BOLA) 

You can configure some of the things that the trace analyzer scans for, such as dictionary matches and regex rules for matching sensitive PII. There’s also a way to ignore findings if desired. 

Let’s take APIClarity for a spin and see the trace analyzer in action! 

Behind the Scenes 

Throughout the APIClarity blog series, we’ve been using Sock Shop as our sample microservice application. See the installation blog for specifics on setting up APIClarity with Sock Shop.

For this blog, Sock Shop is up and running, and I’m generating traffic to it using Locust, as described here. I’m using the default configuration for the trace analyzer. 

Getting the Trace 

Good news – the trace analyzer is always running when APIClarity is configured to observe API traffic. Once APIClarity records the API traffic, it is run through the trace analyzer to scan for any potential security weaknesses. 

You can see the results from the trace analyzer in the APIClarity UI either aggregated at the API endpoint level or at the API event level.   

To see it at the API endpoint level, go to the API Inventory tab on the left in the Dashboard UI (circled in green in Figure 1). 

API Inventory from Dashboard
Figure 1: Select API Inventory from Dashboard

In the API inventory list, select the one for your microservice application. In this case, we’ll select “catalogue.sock-shop” (circled in green in Figure 2). 

catalogue.sock-shop in API Inventory
Figure 2: Select "catalogue.sock-shop" in API Inventory

On the next screen, select the “Trace Analysis” tab. 

API Inventory Trace Analysis
Figure 3: Select "Trace Analysis" Tab

If there are any trace analyzer findings, you’ll see them listed, along with a risk level (low, medium, high). In Figure 4 below, APIClarity reports four findings for the catalogue API: two potential Broken Object-Level Authorization (BOLA) weaknesses, and two matches on sensitive information, or PII. 

APIClarity catalogue.sock-shop Endpoint
Figure 4: Trace Analyzer Findings for "catalogue.sock-shop" Endpoint

The Non-Learnt Identifier (NLID) finding is reporting a potential BOLA problem because an object ID was found in a request, but it was not retrieved first from the application. This could indicate a hacking attempt to guess the ID. You may recall from a previous blog that we saw a BOLA issue in the APIClarity spec difference listing for the catalogue API. That’s what the trace analyzer is reporting here (Figure 5). 

APIClarity NLID Findings
Figure 5: NLID Findings

The “matching regular expression” findings (Figure 6) indicate that certain key words and patterns were found in catalogue API calls. In this case, the matches were the words “IBAN” (International Bank Account Number), “telephone number”, and what was presumed to be a server name. These findings are identifying a potential PII data leak. 

APIClarity Potential PII Data Leak
Figure 6: Potential PII Data Leak

To drill down on the details of a particular API call that is getting flagged for issues by the trace analyzer, take a look at the API Events listing (third tab on the left in the dashboard UI, Figure 7). 

API Events from Dashboard
Figure 7: Select API Events from Dashboard

In the “Alerts” column, you’ll see a red “TRACEANALYZER” alert if there are any findings (circled in green in Figure 8). I’ll click on one for the catalogue API.

API Events with Trace Analyzer Findings
Figure 8: API Events with Trace Analyzer Findings

In the event detail UI, click on the “Trace Analysis” tab (Figure 9).

APIClarity Trace Analysis Tab with Findings
Figure 9: Trace Analysis Tab with Findings

The red triangle symbol indicates there was a finding:

icon

This will pull up details about the trace findings, similar to what we saw at the API endpoint level, but now for this specific call (Figure 10). 

Trace Analyzer Findings for Catalogue API Event
Figure 10: Trace Analyzer Findings for Catalogue API Event

Conclusion

That’s the APIClarity trace analyzer in a nutshell. It will help you secure your cloud-native APIs by watching them in action and reporting potential problems. 

Next up in the blog series – using the APIClarity BFLA detector! 


Anne McCormick is a cloud architect and open-source advocate in Cisco’s Emerging Technology & Incubation organization. 

Subscribe card background
Subscribe
Subscribe to
the Shift!

Get emerging insights on emerging technology straight to your inbox.

Unlocking Multi-Cloud Security: Panoptica's Graph-Based Approach

Discover why security teams rely on Panoptica's graph-based technology to navigate and prioritize risks across multi-cloud landscapes, enhancing accuracy and resilience in safeguarding diverse ecosystems.

thumbnail
I
Subscribe
Subscribe
 to
The Shift
!
Get
emerging insights
on innovative technology straight to your inbox.

The Shift is Outshift’s exclusive newsletter.

Get the latest news and updates on cloud native modern applications, application security, generative AI, quantum computing, and other groundbreaking innovations shaping the future of technology.

Outshift Background