Today we’re announcing Metlo Testing, a quick and scalable way to test your API for security vulnerabilities. With Metlo Testing you can automatically write security tests for hundreds of API endpoints in hours, not weeks.
Why Metlo Testing?
At Metlo our goal is to be the most seamless way to make sure your APIs are secure. Our discovery tool makes it easy to create an inventory of all your endpoints.
This gives you a clear view of your attack surface and insight into the most vulnerable parts of your API. Once you have an inventory of your endpoints, the next obvious step is to test them for vulnerabilities! This is especially important for common vulnerabilities like Broken Authentication, BOLA (Broken Object Level Authorization), misconfigured headers and others in the OWASP Top 10. It's important to continuously test for these vulnerabilities, from local development through to production, to make sure your API is secure!
Most engineers currently write tests using HTTP request editors like Postman. This approach has a few limitations:
- You have to manually write tests for every single endpoint. It's impossible to do if you have hundreds (or even thousands) of endpoints.
- Keeping up with APIs being added, removed or changed is a full time job.
- There's no way to enforce API standards across your entire endpoint inventory with one-off requests.
Finally, because of the lack of tooling, most APIs simply aren't regularly tested for common business logic vulnerabilities.
Introducing Metlo Testing
With Metlo Testing we're solving the API testing problem by automating all the busy work. Our goal is to make it possible to test all your endpoints for security vulnerabilities in hours rather than weeks.
Creating a Test
You can now create a new test in the tests tab for any API Endpoint. Just click on the new test button.
All tests are in a YAML format that contains a set of steps where each step contains a request and a set of assertions. Since Metlo already has an inventory of all your API endpoints and their schemas, the request will automatically be filled in with some defaults.
```yaml
- name: userID
- name: CREDENTIALS
- name: X-API-KEY
- resp.status == 200
```
You can modify this config to write a test for your endpoint! We have a more detailed guide on writing tests in our docs.
Although it's easy to write a test from scratch, Metlo also comes with a set of templates that automatically generate tests for common vulnerabilities. This makes it possible to create a test for an endpoint in seconds! You can click on the generate test button on the tests tab and select the template you want to use.
Currently Metlo supports Broken Authentication, SQL Injection, a few different types of BOLA vulnerabilities and security header misconfigurations. We'll be adding more templates over time!
You can make custom templates if you want to modify these templates to add or change requests specifically for your API. We have an in-depth guide in our docs.
You can apply templates to endpoints in batch on the rules page. This allows you to make many tests all at once by specifying a template and a set of filters. For example, you can check all endpoints that start with a given path prefix for Broken Authentication, or check all endpoints that have `user` in them for another template.
Whenever any new endpoints are created that match the filters in your rule, a new test will automatically be created by Metlo. This keeps your security testing suite up to date with the latest changes to your API.
With the combination of the right test templates and rules you can test thousands of endpoints at once for every type of vulnerability!
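To make the test format and the rule/template workflow above concrete, here is an added example that is not Metlo's own code: a hypothetical endpoint inventory is filtered by a rule, a template (Broken Authentication or BOLA) turns each matching endpoint into a test made of steps with a request and assertions, and assertions written in the `resp.status == 200` style are evaluated against a constructed fake server without using `eval()`. All names (`apply_rule`, `broken_auth`, `bola`, `fake_send`, the placeholder variables) are assumptions for illustration.

```python
# Added example, not Metlo's own code: hypothetical model of the rule/template
# workflow, with assertions like "resp.status == 200" checked without eval().
import ast
import operator
import re
from collections import namedtuple

Resp = namedtuple("Resp", "status headers")
ASSERT_RE = re.compile(r"^resp\.(\w+)\s*(==|!=|in)\s*(.+)$")
OPS = {"==": operator.eq, "!=": operator.ne, "in": lambda a, b: a in b}

def check(assertion, resp):
    """True if a 'resp.<field> <op> <literal>' assertion holds for resp."""
    m = ASSERT_RE.match(assertion.strip())
    if not m:
        raise ValueError(f"unsupported assertion: {assertion!r}")
    field, op, rhs = m.groups()
    return OPS[op](getattr(resp, field), ast.literal_eval(rhs))  # literals only

def broken_auth(endpoint):
    """Template: replay the request with credentials stripped; expect a denial."""
    request = {"method": endpoint["method"], "path": endpoint["path"], "headers": {}}
    return [{"request": request, "assert": ["resp.status in (401, 403)"]}]

def bola(endpoint):
    """Template: as user A, request a record owned by user B; expect a denial."""
    request = {"method": endpoint["method"], "headers": {"X-API-KEY": "{CREDENTIALS}"},
               "path": endpoint["path"].replace("{userID}", "{otherUserID}")}
    return [{"request": request, "assert": ["resp.status in (403, 404)"]}]

TEMPLATES = {"broken-auth": broken_auth, "bola": bola}

def apply_rule(inventory, template, starts_with="", contains=""):
    """Rule = template + path filters; returns {(method, path): steps}."""
    return {(e["method"], e["path"]): TEMPLATES[template](e) for e in inventory
            if e["path"].startswith(starts_with) and contains in e["path"]}

def run(steps, send):
    """send(request) -> Resp. The test passes only if every assertion holds."""
    return all(check(a, send(s["request"])) for s in steps for a in s["assert"])

# Constructed inventory; the fake server requires a key under /admin only.
INVENTORY = [{"method": "GET", "path": "/users/{userID}"},
             {"method": "GET", "path": "/admin/users"},
             {"method": "GET", "path": "/health"}]
def fake_send(req):
    if req["path"].startswith("/admin") and "X-API-KEY" not in req["headers"]:
        return Resp(401, {})
    return Resp(200, {"Content-Type": "application/json"})
```

Running the generated Broken Authentication tests against the fake server passes for `/admin/users` and fails for `/users/{userID}`, which is exactly the endpoint that serves data without credentials.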
Running Tests Locally and in CI/CD
You can run the tests you define in Metlo at every step of the development cycle. To run tests locally you can use Metlo's CLI. After you set up the CLI tool, simply run the following to run tests in your development environment:

```shell
metlo run test
```