Experts are warning security professionals of the next big threat hitting the cyber world: Application Programming Interface (API) attacks. APIs work to make systems perform better by integrating other website’s services into your own. Popular APIs include Google Maps, YouTube, and Twitter; allowing for a website creator to embed Maps, YouTube clips, or Tweets onto their own webpages. As these tools have grown hackers have found ways to exploit them to commit fraud and steal data.
Top Ten OWASP API Risks
As hackers turn their attention to API hacking, they represent a risk to businesses using them in their websites. Our reliable friends at OWASP have codified the top security risks involved with APIs:
- Broken Object Level Authorization. An APIs sole purpose is to supply remote access to data. Accessed in some APIs permissions must be set to prevent one user from accessing another user’s data. This is done through Object Level Authorization. Make sure your APIs restrict access to the appropriate users to reduce this risk. For example, a simple e-commerce API may list store sales for your store. Object Level Authorization done properly prevents other store owners from querying your store sales.
- Broken User Authentication. Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising a system’s ability to identify the client/user compromises API security overall.
- Excessive Data Exposure. Developers often unintentionally expose API datasets. Employ the principle of least privilege to reduce the chance of exposure of confidential data. In our e-commerce example, allow store A only access to store A’s data and store B access to only store B’s data.
- Lack of Query Restrictions & Rate Limiting. APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also enables authentication attacks such as a brute force attack on credentials.
- Broken Function Level Authorization. Complex access control policies with different groups and roles, and a failure to separate administrative and regular functions correctly. These API mistakes are authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
- Mass Assignment. APIs by design expose the underlying data access functions to users. APIs must restrict all data requests to a specific set of function calls. This reduces the risk of inappropriate object modification or access simply by guessing object properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads.
- Security Misconfiguration. Security misconfiguration is commonly a result of insecure default, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages containing sensitive information. For example, a web login failure must not reveal whether the username is present in the website.
- Injection. Injection flaws, such as SQL, NoSQL, command injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
- Improper Asset Management. APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Strong documentation of all API deployments and versions leads to valid inventories. When bugs or vulnerabilities are found in your API and fixed, your inventory helps ensure everything is kept up to date.
- Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response leads to many problems. This allows attackers to exploit systems, setup and maintain persistence, pivot to attack more systems, and extract or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
With an increase in API adoption comes an increase in hacker attacks targeting those APIs. Experts recommend that designers and developers employ the following security requirements when dealing with applications that involve APIs:
Knowledge is power is appropriate when it comes to API visibility. Application developers and users need to know which APIs are being published, how and when they are updated, who is accessing them, and how are they being accessed. Understanding the scope of one’s API usage is the first step toward securing them.
API access is often loosely controlled, leading to undesired exposure. Ensuring that the correct set of users has appropriate access permissions for each API is a critical security requirement that must be coordinated with Identity and Access Management (IAM) systems.
In some environments, as much as 90% of the respective application traffic (account login/registration, shopping cart checkout) is generated by automated bots. Understanding and managing traffic profiles, including differentiating good bots from bad ones, is necessary to prevent automated attacks without blocking legitimate traffic. Effective complementary measures include implementing whitelist, blacklist, rate-limiting policies, CAPTCHA, as well as geofencing specific to use-cases and corresponding API endpoints.
Vulnerability exploit prevention
APIs simplify attack processes by eliminating the web form or the mobile app, allowing a bad actor to more easily exploit a targeted vulnerability. Protecting API endpoints from business logic abuse and other vulnerability exploits is a key API security mitigation requirement.
Data loss prevention
Preventing data loss over exposed APIs for appropriately privileged users or otherwise, either due to programming errors or security control gaps, is also a critical security requirement. Many API attacks are designed specifically to gain access to critical data made available from back-end servers and systems.
It’s important to stay up to date with the tools and software you use often and ensure you are aware of all new vulnerabilities involved with the systems. Subscribing to a cybersecurity Newsletter can help you stay on top of these emerging security threats. Check out CyberHoot’s Newsletters and sign up for free monthly updates. Being aware of the security threats you face is the first step in securing your systems.
CyberHoot is a great company to partner with as we have hundreds of training programs including cybersecurity basics. CyberHoot can train users on anything from Cybersecurity Basics to OWASP Application Risks to Advanced Microsoft Excel training. Link up with us by contacting firstname.lastname@example.org, or set up a meeting at https://Calendly.com/CyberHoot.