Application programming interface (APIs) allows different applications to communicate with each other, exchange data, and react to set commands. They open up applications' to external third-party developers, making them easy to integrate, excellent when it comes to automation, and allowing the application to leverage another app's data and functionality.
Yet, APIs can quickly turn from a convenient asset to a liability, posing API vulnerabilities to your business.
From Alexa and Google Assistant to Spotify and Salesforce, APIs have seen a Compound annual growth rate of 32.9% and show no sign of slowing down. Global Internet traffic now totals 7.7 exabytes per day---over 7 billion gigabytes. APIs account for up to 83% of this traffic.
With APIs distributed throughout multi-cloud IT infrastructures, organizations face the difficult task of adequately securing these interfaces.
From sensitive data breaches, web scraping, account takeovers, and more, APIs can quickly turn from a convenient asset to a liability, posing vulnerabilities to your business.
How API security works?
Since APIs are often accessible via the Internet and can be reverse-engineered, it's crucial to take their security seriously. Important network and application security concepts are just as relevant for APIs as they are for applications and internal network traffic. Among these critical security considerations are strong access controls, data governance, rate limiting, input validation, and threat detection.
Malicious actors are likely to find and exploit shortfalls in any aspect of API security. High-profile attacks in recent years have shown that APIs are firmly in the sights of cybercriminals; two examples include:
Ride-sharing app Uber was found to have two critical security flaws in an API endpoint that exposed personal data belonging to drivers and users.
Social networking platform LinkedIn saw 92% of its 800 million+ users have their data scraped through a public API with insufficient security controls.
Top 5 API Vulnerabilities
Much of the effort to secure APIs should concentrate on the most common vulnerabilities that consistently lead to breaches, stolen data, and other adverse outcomes, including financial costs to your business. Let's look at the top five API vulnerabilities, their implications, real-world examples, and mitigation tips.
1. Weak Authentication
Authentication verifies that users or devices are who they claim to be. In some cases, weak authentication means that there is no authentication mechanism in place at all.
In the more common scenarios, there are misconfigurations or improper settings that weaken authentication, including
weak password complexity
high account lockout thresholds
relying on API keys as the only way to authenticate.
The potential outcomes of exploiting weak authentication are that outsiders can control user accounts/sessions, steal their data, or engage in fraudulent transactions. A relevant example was the 2021 Experian incident, where a security researcher identified weak authentication that used publicly available information to authenticate users. Hackers could've easily used this information to masquerade as legitimate users and get their credit scores through API calls.
Mitigation recommendations:
Enforce strong passwords
Don't rely on API keys to authenticate users
Consider multi-factor authentication to strengthen against the possibility of account takeover
2. Security Misconfiguration
The API ecosystem is a complex interplay of virtual machines, containers, on-premise, and cloud infrastructure. From the specification of each API to its associated infrastructure, there is a wide scope for security misconfigurations within each layer.
Misconfigurations include:
Missing security patches
Forgetting to encrypt data in motion
Overly detailed error messages
Leaving cloud storage buckets open and unsecured
Security misconfigurations can pose a diverse range of threats, such as sensitive data leaks or compromises of internal systems. In a recent example from 2022, threat actors began targeting misconfigured Docker APIs to run a crypto-mining botnet.
Mitigation recommendations:
Shift security left to ensure APIs are tested for vulnerabilities coinciding with DevOps workflows, not at later stages.
Set controls over request volumes (rate limiting) so that you can limit DDoS attacks
Periodically assess and review API security configurations, ideally using an accurate and up-to-date inventory of all your APIs
3. Excessive Data Exposure
Excessive data exposure occurs when the API responses provide too much information to the client application. This reliance on the client-side can lead to excessive information being presented to end users.
Unfortunately, threat actors are privy to these data exposures and can attempt to circumvent the client or analyze traffic to intercept API responses containing excessive information.
Excessive data exposure could compromise sensitive user information, particularly the kind of personal data protected by compliance regulations for which harsh fines apply.
In 2019, a computer science student accessed sensitive transactions carried out on the services of digital wallet company Venmo. The student found a public API endpoint that was returning transaction data. He quickly compiled a Python script of simple GET requests to download over 100,000 transactions per day without even being authorized.
Mitigation tips:
Filter response data at the API level rather than the client level
Only provide information in API responses that are strictly necessary for meeting a client's request
Carefully control the use cases for transmitting sensitive personal information
4. Broken Object Level Authorization (BOLA)
[
BOLA is a simple API vulnerability in that it happens when outsiders tweak the IDs of objects that are listed in API requests. There is no check in place to determine ownership of those objects. By simply changing the ID in a request, the malicious actors get access to information they shouldn't have.
The consequences of BOLA include:
Unwanted disclosure of information
The ability to modify or delete information
Account takeover
In the 2019 Uber API breach, one of the critical API security flaws was BOLA; client requests weren't validated, so simply changing a user ID provided access to that user's details.
Mitigation tips:
Combine identifiers with a check that the current user can access that resource.
Use random and unpredictable values for IDs rather than easily guessable values.
Consider obfuscating resource identifiers altogether.
5. Injections
[
Injection vulnerabilities allow hackers to send malicious data or commands to an API through user input fields, passing them as parameters or file uploads.
Attackers use a range of injections, including Javascript, SQL, NoSQL, and OS command lines. When there are injection flaws in the code, such as directly linking client-supplied data to SQL/NoSQL, Javascript queries, or OS commands, the API's interpreter bypasses any security and executes the malicious commands.
Mitigation tips:
Use a library to validate data so that the API only allows valid values.
Implement JavaScript dependency injection
Use automated security solutions that identify anomalous client-side behavior, including unexpected scripts, parameters, or other code injections.
API Vulnerabilities and Security Failures: What To Do Instead
Breaches and other serious cyber incidents continue to highlight API security flaws. Despite increasingly widespread recognition of the top API vulnerabilities, the same issues are still causing problems. Part of the reason is that modern CI/CD pipelines and DevOps processes still emphasize development agility over security.
Another cause is the overreliance on legacy perimeter-based security approaches. Unfortunately, these aren't sufficient in infrastructures with highly distributed APIs, cloud services, and containerization.
To proactively strengthen API security, consider the following approaches:
Implement a zero-trust strategy that removes any implicit trust for users, clients, devices, or services. This strategy requires authentication, authorization, and monitoring at all times.
Decouple user identity from the API's design through an abstraction method that can facilitate declarative authorization policy and authentication scopes as code.
Top comments (0)