With the attack surface for APIs continually increasing, Debbie Walkowski outlines the potential risks and best practices for keeping APIs secure.
APIs (application programming interfaces) provide a way for app developers to “call” information from outside sources into the applications they build. This is important for app developers, as it simplifies the coding process and grants access to a wealth of previously inaccessible data and resources. APIs are also a boon for service providers through creating new revenue streams by making valuable data and services available to developers. APIs also benefit end users/customers, who appreciate – and drive demand for – innovative, feature-rich, interactive apps.
Understanding the Potential Risks of APIs
With APIs becoming foundational to modern app development, the attack surface is continually increasing. Gartner estimates that by 2022, API abuses will become “the most frequent attack vector, resulting in data breaches for enterprise web applications.”
The downside of publicly available web APIs is that they can potentially result in risk. By design, APIs give outsiders access to your data. Behind every API, there is an endpoint – the server (and its supporting databases) that responds to requests. The endpoints, and associated risks, are similar to any internet-facing web server. The difference is that many websites usually employ some form of access control. APIs less so.
In the worst case, it’s not just data that is potentially at risk but also your infrastructure. Vulnerable APIs are a great launchpad for a variety of network hijacking attacks. The right tactic – often a multi-level attack – can potentially lead to sensitive data being compromised, whether it’s personally identifiable information (PII) or intellectual property (IP).
Common Attacks Against Web APIs
APIs are susceptible to many of the same network and web-based apps attacks. The most common attacks and mitigations include:
- Injection occurs when an attacker inserts malicious code or commands into a programme, usually where ordinary user input (such as a username or password) is expected. SQL injectionis a specific type of injection attack that enables an attacker to gain control of an SQL database.
Mitigation: Validate input. Use character escaping and filtering.
- Distributed Denial-of-Service (DDoS) attacks make a network, system, or website unavailable to intended users, typically by flooding it with more traffic than it can handle. API endpoints are among the growing list of DDoS targets.
Mitigation: Use rate limiting and limit payload size.
- Man-in-the-Middle (MitM) attacks occur when an attacker intercepts traffic between two communicating systems and impersonates each to the other, acting as an invisible proxy. With APIs, MitM attacks can occur between the client (app) and the API, or between the API and its endpoint.
Mitigation: Encrypt traffic in transit.
- Credential Stuffingis the use of stolen credentials on API authentication endpoints to gain unauthorised access.
Mitigation: Use an intelligence feed to identify credential stuffing and implement rate limits to control brute force attacks.
Best Practices for Securing APIs
In addition to employing the mitigations outlined above, it’s critical that organisations adhere to some basic security best practices and employ well-established security controls if they intend to share their APIs publicly. These include:
- Prioritising security. API security shouldn’t be an afterthought. Make security a priority and build it into your APIs as they’re being developed.
- Maintaining an inventory and managing your APIs. Conduct perimeter scans to discover and inventory your APIs, and then work with DevOps teams to manage them.
- Using a strong authentication and authorisation solution. Poor or non-existent authentication and authorisation are major issues. Broken authentication occurs when APIs do not enforce authentication (as is often the case with private APIs, which are meant for internal use only), or when an authentication factor (something the client knows, has, or is) can be broken into easily. Since APIs provide an entry point to an organisation’s databases, it’s critical that the organisation strictly controls access. When feasible, use solutions based on solid, proven authentication and authorisation mechanisms such as OAuth2.0 and OpenID Connect
- Practice the principle of least privilege. Subjects (users, processes, programmes, systems, devices) should be granted only the minimum necessary access to complete a stated function.
- Encrypt traffic using TLS. TLS encryption is essential for organisations with APIs that routinely exchange sensitive data (such as login credentials, credit card, social security, banking information, health information).
- Remove information that’s not meant to be shared.APIs are essentially a developer’s tool, so they often contain keys, passwords, and other information that should be removed before they’re made publicly available. Sometimes this step is overlooked. Organisations should incorporate scanning tools into their DevSecOps processes to limit accidental exposure of secret information
- Don’t expose more data than necessary.Ensure that APIs only return as much information as is necessary to fulfil their function. It is also important to enforce data access controls at the API level, monitor data, and obfuscate if the response contains confidential data.
- Validate input. Never pass input from an API through to the endpoint without validating it first.
- Use rate limiting. Setting a threshold above which subsequent requests will be rejected (for example, 10,000 requests per day per account) can prevent denial-of-service attacks.
- Use a web application firewall and ensure that it is able to understand API payloads.
APIs are fast becoming the preferred method for building modern applications, especially for mobile and Internet of Things (IoT) devices. At the same time, constantly evolving app development methods, combined with the pressure to innovate, means that some organisations haven’t fully grasped the potential risks involved in making their APIs publicly available.
The good news is that most already have measures in place to combat well-known attacks like cross-site scripting, injection, and distributed denial-of-service. If you’re not sure where to begin, start at the top of the list and work your way down.
No matter how many APIs your organisation chooses to share publicly, the goal should always be to establish solid security policies early on and manage them proactively over time.
By Debbie Walkowski, Security Threat Researcher, F5 Labs