Application programming interfaces or APIs are essential to product development. The use of APIs reduced the development time by leveraging existing application libraries and connectors. APIs are used today in both on premise and cloud based application development. These APIs could include access control, APU gateway, and rest API security components. Companies architect their applications based on the availability of APIs from proven software companies like Salesforce.com, Microsoft, Cisco Systems, and Oracle. The time and cost investment required for companies to develop their APIs are both too time consuming and expensive. Companies that work with the global technology firms expect these APIs to be secure and follow protocol and stack standards. The greatest security breaches happen when hackers develop threat vector tools to exploit known insecure APIs. Vendors will release application notes on how to use the APIs. Inside of these releases, most vendors will disclose known security issues. While APIs help with application development and time to market, common attacks against the APIs are all too common. Enterprise-grade security is often an afterthought during the application development lifecycle. Security tests like a pen test have become a common worksteam early on the agile development cycle.
The Risks of APIs
APIs give outsiders access to your data: behind every API, there is an endpoint the server that responds to API requests. A vulnerability is an inherent weakness in a system that an attacker can potentially exploit. Vulnerabilities exist in every system; “zero-day” vulnerabilities are those that have not yet been discovered. Even with aggressive patch management workflows and built-in security capabilities like authentication and TLS encryption, APIs still very much can have a vulnerability. Trust relationships with an application company and their client’s expempofy the criticalness of cybersecurity security.
As an example, Oracle releases a secured API gateway within their cloud platforms. Clients choose to access the Oracle cloud to leverage applications and libraries via API. 100’s of companies leverage these APIs everyday. If, for a moment, that API is exposed, several companies’ security posture is completely compromised and their user data becomes at risk. Yet, even with that risk, the business decision most is to trust a global leader like Oracle to maintain the highest standards of basic security to protect critical API security risks from impacting their clients. With APIs becoming foundational to modern app development, the attack surface Attack surface refers to all entry points through which an attacker could potentially gain unauthorized access to a network or system to extract or enter data or to carry out other malicious activities. is continually increasing. Gartner estimates that “by 2022, API abuses will move from infrequent to the most frequent attack vector The path available and means by which an attacker can gain unauthorized access to a network, system, program, application, or device for malicious purposes. , resulting in data breaches for enterprise web applications.”
Common Attacks Against Web APIs
APIs are susceptible to many of the same kinds of attacks defenders have been fighting in their networks and web-based apps for years. None of the following attacks are new but can easily be used against APIs.
Injection occurs when an attacker is able to insert malicious code or commands into a program, usually where ordinary user input (such as a username or password) is expected.
- SQL injection is a specific type of injection attack, enabling an attacker to gain control of an SQL database. A GET or POST call via API can be made in order to connect into the SQL database. This attack vector continues to be a challenge for application teams and SECOPS. SQL databases are the most common platform in the world for midsize to large commercial clients. Many SQL databases are not patched frequently enough due to production outage window restrictions.Looking at SQL injection, which affects server-side code, Veracode found that Java, representing 56% of web applications, showed a 16% improvement in SQL injection, while .Net, representing 28% of web applications, showed a 25% improvement in SQL injection.
- Cross-site scripting (XSS) is a type of injection attack that occurs when a vulnerability enables an attacker to insert a malicious script (often JavaScript) into the code of a web app or webpage. XXS can be exploited through the REST API by sending XML script requests from a known system. Even with patching to the latest JAVA code, hackers continue to automate their scripts in seconds to take advantage of zero-day windows. JAVA continues to be one of the most vulnerable application stacks in the world.
- Distributed denial-of-service (DDoS) attacks make a network, system, or website unavailable to intended users, typically by flooding it with more traffic than it can handle. API endpoints are among the growing list of DDoS targets. DDOS attacks include both port level attacks along with brute force attacks against the authentication layer. An application firewall does very little to prevent DDOS attack. Border routers along with intrusion prevention technology with carrier supported rate limiting are the best defense against a DDOS attack.
- Control for Authentication is still paramount for organizations to deal with. Hackers use various scripts and exploit kits to attempt a hijack of the authentication server along with stealing credentials on API authentication systems. Credential stuffing is a common threat vector facing application developers. API credentials are a frequent target as well.
- Man-in-the-middle (MitM) attacks occur when an attacker intercepts traffic between two communicating systems and impersonates each to the other, acting as an invisible proxy between the two. With APIs, MitM attacks can occur between the client (app) and the API, or between the API and its endpoint.
API Firewalling and Traffic Management
Deploying a firewall within any infrastructure is a necessity. Application firewalls, network firewalls, and personal firewalls on the endpoint are common. API firewalls or gateways have proven security lockdown capabilities as routers and network firewalls. These traditional layer 4 devices leverage access controls (ACL’s) to manage communication between source and destination IP’s and their respective communication ports.
API firewalls act in a similar way. If its API is making an external call to a third party company using SOAP or REST API, the firewall can limit the one-way or two communication. The API firewall will leverage authentication and authorization checks to ensure proper credentials are passed prior to data exchange.
Using the Oracle cloud example, Oracle leverages a series of API firewalls and sets permissions on a per client basis on who can access the various libraries and cloud based applications.
Oracle deploys a series of security countermeasures to prevent API attacks. When a client makes an API request, that request first needs to connect to the API gateway hosted by Oracle. Oracle will use various methods of secure authentication including Oauth, OpenID, SAML, and multi-factor authentication. Oracle leverages a complex authorization logic with every incoming request to block all invalid requests. Oracle will enable SOAP API Security, microservice-based applications, and techniques for enforcement for API traffic.
Best Practices for Securing APIs
API security shouldn’t be an afterthought or considered “someone else’s problem.”Inventory and manage your APIs. Whether an organization has a dozen or hundreds of publicly available APIs, it must first be aware of them in order to secure and manage them.
- Use a strong authentication authorization solution. Poor or non-existent authentication and authorization are major issues with many publicly available APIs. Broken authentication occurs when APIs do not enforce authentication Since APIs provide an entry point to an organization’s databases, it’s critical that the organization strictly controls access to them. When feasible, use solutions based on solid, proven authentication and authorization mechanisms such as OAuth 2.0 and OpenID Connect.
- Encrypt traffic using TLS. Some organizations may choose not to encrypt API payload data that is considered non-sensitive . TLS encryption should be considered essential.
- Remove information that’s not meant to be shared. Because APIs are essentially a developer’s tool, they often contain keys, passwords, and other information that should be removed before they’re made publicly available.
- Ensure that APIs only return as much information as is necessary to fulfill their function. In addition, enforce data access controls at the API level, monitor data, and obfuscate if the response contains confidential data.
The role of pen testing and vulnerability scanning of APIs
APPSEC or application security is a well defined framework under AST or Application security testing marketplace. APPSEC companies like Veracode develop tools to test applications during the product life cycle. Pen testing and vulnerability is a critical component of APPSEC. When companies enable APIs for the clients to access, the pen testers will come into the environment and run a series of exploits including:
- Code injection attacks
- Cross-site request forgery
- Zero port attacks
- Buffer overflow exploits
- Malicious sources attack
- API user authentication
Conclusion
APIs are susceptible to many of the same kinds of attacks defenders have been fighting in their networks and web-based apps for years. None of the following attacks are new but can easily be used against APIs.
Don’t wait until an actual attack to begin to enable your application security plan. Allow ample time for security testing and remediation. Testing isn’t a one-and-done process. With every change to the API, scanning and pen testing should be part of the agile work sprint, not an afterthought.