Project Description

What is API Security

As you might know, API stands for Application Programming Interface. An API is a software interface or intermediary that allows two applications to interact with each other without any user intervention. In basic terms, APIs are a set of functions and procedures that allow for the creation of applications. Web APIs connect applications to other services or platforms.

Why do we need APIs? 

  • APIs help two different applications communicate and exchange data with each other, helping organisations of any size to embed content from any site or application far more efficiently.
  • APIs help streamline the way your organisation works by allowing you to easily test features and functionality. In addition, APIs help you validate your value propositions more efficiently.
  • With the help of APIs, your development team can reuse software components so that developers don't have to repeat work that has already been completed. This lets your development team focus on innovation, offering more value to your end users.
  • Software keeps changing over time; APIs help to anticipate that change.

API Security: Protecting A Larger Attack Surface

Most businesses use APIs to easily connect services and to transfer data. As always, with efficiency, simplicity and flexibility come security risks.

The use of APIs creates a larger attack surface by increasing the number of entry points compared with a traditional application environment. APIs often self-document information such as their internal structure and endpoint implementation, which a threat actor can use as reconnaissance data.

As a result, there is an increasing need to protect API endpoints with the help of API security solutions. 

API Security OWASP Top 10 Vulnerabilities Explained

API1:2019 Broken Object Level Authorization

Broken object level authorization (BOLA) is an attack in which cyber criminals substitute the identifier of their own resource in an API call with the identifier of a resource belonging to another user. When there are no proper authorization checks, this lets the attacker access the specified resource.

API2:2019 Broken User Authentication

Broken user authentication exists as a vulnerability when an API should have an authentication system but does not in practice, or has one that fails, allowing attackers to impersonate an authenticated user. In simple terms, a broken user authentication vulnerability is a missing or poorly implemented API authentication system that allows attackers to assume other users' identities.

API3:2019 Excessive Data Exposure

This vulnerability exists when an API endpoint returns more data to the front-end client than the client requires.

API4:2019 Lack of Resources and Rate Limiting

This vulnerability exists when an API has no protection against an excessive number of calls or very large payloads. Attackers can use this for Denial of Service (DoS) and for brute force attacks against authentication. It typically affects the availability of a service or the integrity of user accounts.

API5:2019 Broken Function Level Authorization

Modern applications have complex user hierarchies and access control policies, with access controls applied to user roles, groups and so on. At times there is an unclear separation between administrative and regular functions, which often leads to authorization flaws. By exploiting these flaws, attackers can gain access to privileged functions such as admin functions or any other higher-privilege function.
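API1 and API5 above come down to the same missing check inside a handler: one on the object being requested, the other on the function being called. The following Python is an added example, not code from the original page or from any project it references. The users, invoices, the Request type and the Forbidden error are constructed for illustration, and the caller identity is assumed to come from an already-verified token rather than from the request body. Each vulnerable handler is shown next to its hardened form.

```python
"""Object-level (API1) and function-level (API5) authorization checks.

Added example, not from the original page. The in-memory users, invoices
and the Request type are constructed; a real service would swap in its
database and web framework, but the checks stay the same.
"""
from dataclasses import dataclass, field

# Constructed sample data: two regular users and one administrator.
USERS = {
    "u-1001": {"role": "user"},
    "u-1002": {"role": "user"},
    "u-9000": {"role": "admin"},
}
INVOICES = {
    "inv-1": {"owner": "u-1001", "amount": 120.0},
    "inv-2": {"owner": "u-1002", "amount": 80.0},
}


@dataclass
class Request:
    subject: str          # user id taken from the verified token, never from the body
    path: str
    params: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(req: Request) -> dict:
    """API1 (BOLA): looks the invoice up by the client-supplied id only,
    so any authenticated caller can read any invoice whose id they know."""
    return INVOICES[req.params["invoice_id"]]


def get_invoice(req: Request) -> dict:
    """Hardened: the object is released only if the caller owns it."""
    invoice = INVOICES.get(req.params["invoice_id"])
    if invoice is None or invoice["owner"] != req.subject:
        # Same response for "missing" and "not yours" so ids cannot be probed.
        raise Forbidden("invoice not found or not accessible")
    return invoice


def delete_user_vulnerable(req: Request) -> str:
    """API5 (BFLA): an admin-only function with no role check; the only
    thing hiding it is the path name."""
    return f"deleted {req.params['user_id']}"


def require_role(role: str):
    """Decorator that enforces function-level authorization on a handler."""
    def wrap(handler):
        def guarded(req: Request):
            if USERS.get(req.subject, {}).get("role") != role:
                raise Forbidden(f"{req.path} requires role {role}")
            return handler(req)
        return guarded
    return wrap


@require_role("admin")
def delete_user(req: Request) -> str:
    """Hardened: the same function, reachable only by administrators."""
    return f"deleted {req.params['user_id']}"


def is_allowed(handler, req: Request) -> bool:
    """True if the handler accepts the request, False if it refuses it."""
    try:
        handler(req)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    other = Request("u-1001", "/invoices/inv-2", {"invoice_id": "inv-2"})
    print("vulnerable BOLA:", get_invoice_vulnerable(other))      # leaks u-1002's invoice
    print("hardened BOLA:", is_allowed(get_invoice, other))        # False
    admin_call = Request("u-1001", "/admin/users/u-1002", {"user_id": "u-1002"})
    print("vulnerable BFLA:", delete_user_vulnerable(admin_call))  # runs for a regular user
    print("hardened BFLA:", is_allowed(delete_user, admin_call))   # False
```

The ownership check deliberately returns the same error for a missing object and for somebody else's object, so the response does not reveal which ids exist. The role check is a decorator so that the authorization decision is attached to the function itself rather than left to whoever wires up the route.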

API6:2019 Mass Assignment

Attackers can try to guess object properties or supply additional ones. They can read the documentation or analyse the responses of different API endpoints for clues, then add extra object properties to request payloads. This allows attackers to modify properties of a data object stored somewhere in the backend.
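API3 (Excessive Data Exposure) and API6 (Mass Assignment) are the two directions of one control: an allowlist of fields that may leave the backend, and an allowlist of fields the client may set. The Python below is an added example, not code from the original page; the stored user record, the allowlists and the PATCH payload are constructed for illustration, and the password hash value is a placeholder.

```python
"""Field allowlists in both directions: response shaping (API3) and
request binding (API6).

Added example, not from the original page; the record and the allowlists
are constructed for illustration.
"""

# Constructed stored record. Some fields must never leave the backend and
# some must never be settable by a client.
STORED_USER = {
    "id": "u-1001",
    "email": "alice@example.com",
    "display_name": "Alice",
    "password_hash": "<placeholder-hash>",   # placeholder, not a real hash
    "is_admin": False,
    "credit_balance": 50,
    "internal_notes": "flagged for review",
}

# Fields the public profile endpoint may return.
PUBLIC_FIELDS = ("id", "display_name")
# Fields the owner may see about themselves.
OWNER_FIELDS = ("id", "email", "display_name", "credit_balance")
# Fields a client may change through PATCH /users/{id}.
WRITABLE_FIELDS = ("email", "display_name")


def serialize_vulnerable(record: dict) -> dict:
    """API3: returns the whole object and relies on the client to hide things."""
    return dict(record)


def serialize(record: dict, allowed: tuple) -> dict:
    """Hardened: emit only the fields on the allowlist for this view."""
    return {k: record[k] for k in allowed if k in record}


def update_vulnerable(record: dict, payload: dict) -> dict:
    """API6: binds every property the client sent onto the stored object."""
    updated = dict(record)
    updated.update(payload)
    return updated


class RejectedFields(ValueError):
    pass


def update(record: dict, payload: dict, strict: bool = True) -> dict:
    """Hardened: copy only allowlisted properties.

    strict=True rejects a request carrying unknown properties, which also
    makes probing visible in the logs; strict=False silently drops them.
    """
    unknown = sorted(set(payload) - set(WRITABLE_FIELDS))
    if unknown and strict:
        raise RejectedFields(f"properties not writable: {unknown}")
    updated = dict(record)
    for key in WRITABLE_FIELDS:
        if key in payload:
            updated[key] = payload[key]
    return updated


if __name__ == "__main__":
    # Constructed request: a legitimate rename plus two properties the client
    # could have learned from documentation or from an earlier response.
    payload = {"display_name": "Alice B.", "is_admin": True, "credit_balance": 10**6}
    print(sorted(serialize_vulnerable(STORED_USER)))            # leaks password_hash
    print(serialize(STORED_USER, PUBLIC_FIELDS))
    print(update_vulnerable(STORED_USER, payload)["is_admin"])   # True
    print(update(STORED_USER, payload, strict=False)["is_admin"]) # False
```

Keeping the allowlists as module-level constants next to the handlers makes the review question simple: is every field in this tuple something this caller is entitled to see, or to change?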

API7:2019 Security Misconfiguration

This vulnerability is usually the result of poor default configurations or incomplete configurations that open the way to certain attacks. Missing or outdated packages that introduce known vulnerabilities are a good example of security misconfiguration.

API8:2019 Injection

Injection attacks occur when untrusted data is sent in the API request as part of a command or query. This can lead to the execution of unintended commands or to access to privileged data without authorization. There are several kinds of injection attack, such as SQLi, NoSQLi, OS command injection and more.
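To show what "sent as part of a command or query" means in practice, the following added Python example (not code from the original page) builds the same lookup two ways against a constructed in-memory SQLite table: by concatenating the request value into the SQL text, and with a bound parameter. The table, its rows and the request values are constructed; the looks_like_probe helper is a hypothetical input-side signal for the monitoring layer, not a defence.

```python
"""Query construction for API8 (Injection): string concatenation versus a
parameterized query, run against an in-memory SQLite table.

Added example, not from the original page. The table, its rows and the
request values are constructed for illustration.
"""
import sqlite3

# Constructed backend for GET /accounts?owner=<name>.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
conn.executemany(
    "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
    [("alice", 100), ("bob", 250), ("carol", 75)],
)


def accounts_for_owner_vulnerable(owner: str) -> list:
    """Concatenates the untrusted request value into the SQL text.

    The value is parsed as SQL, so a quote inside it changes the statement
    instead of being compared as data."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def accounts_for_owner(owner: str) -> list:
    """Hardened: the value travels as a bound parameter. It is never parsed
    as SQL, so it can only match (or fail to match) a literal owner name."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def concatenation_breaks(value: str) -> bool:
    """True if the concatenating version cannot even run for this value.
    Legitimate data containing an apostrophe is enough to break it, which is
    the first visible symptom of the defect."""
    try:
        accounts_for_owner_vulnerable(value)
        return False
    except sqlite3.OperationalError:
        return True


def looks_like_probe(value: str) -> bool:
    """Hypothetical input-side signal for the monitoring layer, not a defence:
    flags quote or comment sequences in a field that should only ever hold a
    plain identifier."""
    return any(tok in value for tok in ("'", '"', "--", "/*", ";"))


if __name__ == "__main__":
    print(accounts_for_owner_vulnerable("alice"), accounts_for_owner("alice"))
    # Constructed legitimate value containing an apostrophe: the concatenating
    # query fails outright, the parameterized one simply finds no such owner.
    print(concatenation_breaks("o'brien"), accounts_for_owner("o'brien"))
    print(looks_like_probe("o'brien"), looks_like_probe("alice"))
```

The same principle applies to the other injection classes the section lists: the untrusted value must reach the interpreter (database, shell, query engine) as data through a typed parameter, never spliced into the command text.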

API9:2019 Improper Assets Management

Attackers can find older versions of an API, or testing and staging versions, which do not have the protection the production version has, and then attack these unprotected versions. Old or non-production API endpoint versions are often not properly protected while still having access to production data, which makes improper asset management a potentially critical threat.

API10:2019 Insufficient Logging and Monitoring

Insufficient logging and monitoring, combined with ineffective incident response, can allow an attacker to perform further attacks on the system, maintain access, and extract or destroy more data, depending on their intent. This is why it is important to have proper logging and monitoring mechanisms in place.
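Logging is only useful if something reads it. The following added Python example, not code from the original page, runs detection logic over a constructed JSON-lines API access log: it alerts when one subject is denied access to many distinct object ids within a short window (the enumeration pattern behind API1) and when one client repeatedly fails login (the brute force pattern behind API2 and API4). The log format, field names, thresholds and window length are assumptions; a real deployment would feed it the gateway or application logs.

```python
"""Detection logic for API10 (Insufficient Logging and Monitoring): parse a
structured API access log and alert on object enumeration and login brute
force patterns.

Added example, not from the original page. The log lines, field names,
thresholds and window length are constructed assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines access log: subject is the authenticated user id
# (null before login), client is the source address.
SAMPLE_LOG = """
{"ts":"2024-05-01T10:00:00Z","client":"203.0.113.7","subject":"u-1001","method":"GET","path":"/v1/invoices/inv-1","status":200}
{"ts":"2024-05-01T10:00:01Z","client":"203.0.113.7","subject":"u-1001","method":"GET","path":"/v1/invoices/inv-2","status":403}
{"ts":"2024-05-01T10:00:02Z","client":"203.0.113.7","subject":"u-1001","method":"GET","path":"/v1/invoices/inv-3","status":403}
{"ts":"2024-05-01T10:00:03Z","client":"203.0.113.7","subject":"u-1001","method":"GET","path":"/v1/invoices/inv-4","status":404}
{"ts":"2024-05-01T10:00:04Z","client":"203.0.113.7","subject":"u-1001","method":"GET","path":"/v1/invoices/inv-5","status":403}
{"ts":"2024-05-01T10:00:05Z","client":"203.0.113.7","subject":"u-1001","method":"GET","path":"/v1/invoices/inv-6","status":403}
{"ts":"2024-05-01T10:05:00Z","client":"198.51.100.9","subject":null,"method":"POST","path":"/v1/login","status":401}
{"ts":"2024-05-01T10:05:01Z","client":"198.51.100.9","subject":null,"method":"POST","path":"/v1/login","status":401}
{"ts":"2024-05-01T10:05:02Z","client":"198.51.100.9","subject":null,"method":"POST","path":"/v1/login","status":401}
{"ts":"2024-05-01T10:05:03Z","client":"198.51.100.9","subject":null,"method":"POST","path":"/v1/login","status":401}
{"ts":"2024-05-01T10:05:04Z","client":"198.51.100.9","subject":null,"method":"POST","path":"/v1/login","status":401}
{"ts":"2024-05-01T10:30:00Z","client":"192.0.2.20","subject":"u-1002","method":"GET","path":"/v1/invoices/inv-2","status":200}
"""

# Assumed thresholds; tune them to the service's real traffic.
WINDOW = timedelta(minutes=1)
DENIED_OBJECTS_THRESHOLD = 4     # distinct objects denied to one subject per window
FAILED_LOGINS_THRESHOLD = 5      # 401 responses to one client per window
OBJECT_ROUTE = re.compile(r"^/v1/invoices/(?P<id>[^/]+)$")


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with a real datetime in 'ts'."""
    entries = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        entries.append(e)
    return entries


def _windows(events, key_fn, hit_fn, threshold, kind):
    """Sliding-window counter: group events by key and, within any span no
    longer than WINDOW, count distinct hits; alert once per key over threshold."""
    by_key = defaultdict(list)
    for e in events:
        hit = hit_fn(e)
        if hit is not None:
            by_key[key_fn(e)].append((e["ts"], hit))
    alerts = []
    for key, hits in by_key.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            distinct = {h for _, h in hits[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"kind": kind, "key": key, "count": len(distinct),
                               "first": hits[start][0], "last": hits[end][0]})
                break
    return alerts


def detect(entries: list) -> list:
    """Return one alert per subject enumerating objects and per client brute forcing login."""
    def denied_object(e):
        m = OBJECT_ROUTE.match(e["path"])
        return m.group("id") if m and e["status"] in (403, 404) else None

    def failed_login(e):
        # Every attempt counts, so the timestamp serves as the distinct value.
        return e["ts"] if e["path"] == "/v1/login" and e["status"] == 401 else None

    return (_windows(entries, lambda e: e["subject"], denied_object,
                     DENIED_OBJECTS_THRESHOLD, "object_enumeration")
            + _windows(entries, lambda e: e["client"], failed_login,
                       FAILED_LOGINS_THRESHOLD, "login_brute_force"))


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Note which fields make these rules possible: the authenticated subject, the client address, the concrete object id and the status code all have to be in the log line. A log that records only the route template and the status cannot distinguish one user reading their own invoices from one user walking through everybody else's.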

API Security Best Practices

You can avoid the vulnerabilities mentioned above by following a few best practices: 

  • Authorization:
    Many API security vulnerabilities have one thing in common: authorization. Lack of proper authorization leads to attacks such as Broken Object Level Authorization, Broken Function Level Authorization and Excessive Data Exposure. This is why it is important to determine which resources an identified user can access. All API endpoints should be tested to prevent unauthorized access to operations outside the predefined user role. For example, a read-only user should not be able to perform write operations or gain access to admin functionality. Relying on GUIDs instead of sequential numbers, and on the IDs carried in JWT tokens, is good practice for avoiding authorization vulnerabilities.
  • Authentication:
    Authentication is the process of identifying and verifying a user. It is accomplished by presenting a valid set of credentials, usually a username and password, to an API, which checks them against a database of valid usernames and passwords and grants or denies access accordingly. Only authenticated users should be able to access data through an API endpoint. You can implement basic authentication over TLS; however, OAuth2 is definitely a more secure alternative.
  • Use rate limiting:
    Rate limiting is the process of controlling or limiting network traffic. It restricts the number of requests a user can send to a particular service within a given period of time. Rate limiting helps avoid stress on the service and prevents malicious activities such as brute force attacks and Denial of Service.
  • API gateway:
    An API gateway acts as a middleman between the client and the backend services and is a required point of enforcement for API traffic. An API gateway helps your team authenticate the traffic as well as control and analyse how the APIs are used.

In conclusion

With the increasing use of APIs and their expansion into microservices, APIs have become the new attack frontier.

A new report from IBM Security X-Force has found that two-thirds of cloud breaches can be traced to misconfigured application programming interfaces. This is just one report; several others trace severe attacks to underlying vulnerabilities in APIs.

While APIs are reasonably secure by design, the volume of API deployments has created a much larger attack surface. As a result, there is an increasing need to follow best practices for API security and to protect your APIs with dynamic API security solutions.