API Security - Threats & Best Practices

An API is an interface that allows other software programs to access and execute software programs. Software programs exchange data and communicate via this code.

Communicating between products and services without requiring users to understand how they work. Social networks, games, database systems, and devices use web APIs to connect with applications.

APIs are also used by IoT applications and devices to collect data and even to control other devices when they contribute to the Internet of Things (IoT).

For say, Software updates are sent via APIs by automotive companies such as Tesla. APIs are used by others to unlock car data for a variety of purposes.

Table of Contents

  1. What is an API?
  2. What is web API security?
  3. How important is API security?
  4. Security threats associated with APIs
  5. Best Practices In WebAPI Security
  6. REST vs SOAP

What is an API?

An API protocol helps in building and integrating application software (i.e) Applications communicate with each other through Application Programming Interfaces (APIs).

Developers can build software applications using routines, protocols, and tools, while data can be easily extracted and shared.

In ‌APIs, the word application refers to any software with a distinct function. The interface can be thought of as a contract of service between two applications.

This contract defines how the two communicate with each other using requests and responses. Their API documentation contains information on how developers are to structure those requests and responses.

APIs define the ‌types of requests that can be made, how they can be made, and what data formats they must support.

A developer would use an API to perform a variety of different operations. It would also describe what each operation does.

An operating system, for instance, doesn't ‌ require the developer to understand how the Save dialog box is built and presented. Just inform them that their app can use it.

Developers can take advantage of APIs to save time by taking advantage of the nitty-gritty implementation in platforms.

By doing this, developers can create less code, and apps on the same platform will be more consistent. Resource access can be controlled through APIs.

What is web API security?

There is a Web API or Web Service API that connects a web server to a web browser for the purposes of processing applications.

A web service can be an API. Unfortunately, not all APIs are web services. APIs that use the standard architectural style is known as REST APIs.

Because APIs were created before the world wide web, different terms like Java API or service API exist. It is common to use the terms REST APIs and web APIs interchangeably in modern times.

APIs are not exempt from security being an integral part of any software development process. Controlling who will be able to access your API is a normal business practice, even for an API that is available to the public.

The security context of Web APIs cannot be tied to server sessions, since they are stateless in nature.Whenever an API request is submitted, credentials must be attached to the request, which must then be validated on the server before it can be processed.

Imagine that you wanted your website to display a map or a list of your most delinquent tweets. Google Maps and Twitter cannot be accessed directly, as their code is hosted on the servers of the companies, so you can't directly access them. Their APIs enable authorized users to access those platforms' data.

Among the most widely used API, examples are Google Maps API and Twitter API, but many software-as-a-service (SaaS) providers provide APIs that allow developers to post and retrieve data from their sites.

How important is API security?

Using APIs, businesses can connect the services they use and transfer data. There has been a significant number of data breaches caused by damaged, hacked, or vulnerable APIs.

Public access is provided to sensitive personal information, such as medical data, financial information, and financial information.

It should be noted, however, that not all data is the same nor should all data be protected equally. Depending on the type of data being transferred, API security will vary.

Understanding how a third-party application funnels information back to you is crucial if your API connects to one.

Organisations rely on web APIs to manage their databases. Public APIs come with risks for API providers due to their public availability.

An application programming interface is a method of getting access to a server's database and its endpoints from a third-party outsider.

Many websites lack strong access control mechanisms, and in some cases, none at all. Organisations use access control mechanisms, such as authentication of the logged-in users.

APIs are proving to be critical in the development of modern apps, but they are also causing an increase in cyber-crime. As a matter of fact, the infrastructure can also be compromised, as well as the data.

After successfully securing your data in one way, an intruder may embark on other attacks to obtain your organization's sensitive data.

API attacks have resulted in large companies like Google, Facebook, T-Mobile, Verizon, and others losing data. For this reason, all organizations, regardless of size, should ensure their APIs are secure, especially public ones.

Security threats associated with APIs

As APIs are built to be self-documenting, hackers can access and analyse the information about how they are implemented and structured.

Aside from these vulnerabilities, APIs also have other weaknesses that make them vulnerable to attacks. Business logic problems, insecure endpoints, and weak authentication are some of the issues. The following attacks are vulnerable to APIs;

1. Man–in–the–Middle attack

An attacker can intercept data transmissions to act as an invisible intermediary between the sender and the recipient. Interception is possible for API endpoints, client applications, and APIs.

To prevent from this type of attack you can:

  • avoid using public networks
  • implement two-factor authentication.
  • secure connections with HTTPS.
  • use latest version of chrome, firefox, safari and other secure web browsers.
  • regularly audit and monitor your networks.

2. Denial of Service(DOS)

By overloading a network, system, or web server with too much traffic, an attacker makes it unavailable to the intended audience through high-volume traffic injection.

Avoid DOS attack by:

  • Monitor and analyze your network traffic consistently.
  • Leverage cloud services such as cloudflare.
  • Create a DOS attack response plan.
  • Limit network broadcasting.

3. Cross-site scripting (XSS)

An application is vulnerable to cross-site scripting (XSS) attacks in which malicious code is injected.

A unique feature of XSS is that it does not target the application directly (e.g., SQL injection), unlike other web attacks. The web application's users are at risk, not the application itself.

Cross-site Scripting

The reputation of an online business and its relationship with its customers can be severely damaged by a successful cross-site scripting attack.

Some of these attacks can be prevented through effective use of CSRF tokens.

https://insecure-website.com/status?message=<script>/*+Bad+stuff+here…+*/</script>

Suppose if the function includes a csrf token, the URL would look like this:

https://insecure-website.com/status?csrf-token=TbcGBEYzpzTfbAWmKmLLBUNqwa&message=<script>/*+Bad+stuff+here...+*/</script>

Server validates the token and rejects the request if you do not have a valid CSRF token.

To know more about CSRF attack and how to add CSRF token in your website check our blog Cross-Site Request Forgery - Threat To Open Web Applications.

4. Injection

Attacks occur when an attacker inserts malicious data into a system, especially when an individual enters private information, such as a password or credit card number.

SQL Injection

In the case of SQL injections (SQLi), attacker places the malicious code in the SQL statements through web page input.

5. Credential stuffing

An attacker can commit this attack by stealing credential information related to an API and accessing unauthorized data with it.

Best Practices In WebAPI Security

The following should be considered when securing your API against these attacks:

1. Make security a priority

It's vital to ensure API security from the beginning, so don't let it slide by as an afterthought. Organizations have a lot to lose if their APIs are insecure, so make it a priority during the design phase.

2. TLS should be used to encrypt traffic

TLS encryption is critical for organizations whose APIs routinely exchange sensitive data (such as credentials, credit cards, social security numbers, banking information, and health information). Certain organizations may choose not to encrypt API payload data that is considered non-sensitive (such as weather service data).

3. API management and inventory

Regardless of the number of APIs an organization has available publicly, it must first understand them to secure and manage them. Most aren't, which is surprising. Manage your APIs with DevOps teams after conducting perimeter scans to discover and inventory them.

4. Authentication and Authorization

Authentication-An end user's identity can be determined. Implementing basic authentication using the TLS protocol in a REST API is possible, but it is more secure to use open authentication protocols like OAuth 2. It is common to discuss authentication and authorization simultaneously.

Authorization-A user's access rights to resources are determined. Users shouldn't be able to access API functions or operations outside their predefined roles unless an API has been built and tested to prevent this from occurring. For instance, Admin functionality shouldn't be accessible by a read-only API client.

REST vs SOAP

REST API and SOAP are two different approaches to communicate between web applications.

Check out this blog if you're interested in learning more about REST and SOAP -https://www.atatus.com/blog/soap-vs-rest-whats-the-difference/.

Concerning SOAP APIs and REST APIs, there is no direct comparison. These two web services have some differences, so you should choose based on them. The following are;

1. Abbreviation

REST is an acronym for Representational State Transfer. SOAP‌ is an acronym for Simple Object Access Protocol,

2. Security

REST has SSL and HTTPS for security. SOAP has SSL( Secure Socket Layer) and WS-security which in the cases like Bank Account passwords, Card Numbers, etc. SOAP is preferred over REST.

3. Implementation

REST is easier to implement than SOAP and requires less bandwidth than SOAP, which is challenging and requires more bandwidth.

Because it is an architectural style, Rest API is implemented without any official standard at all. In contrast, SOAP API is a protocol and has an official standard.

4. Interchange

SOAP is an underlying protocol for web services that can be used by REST since it is‌ an architectural pattern that allows web services to be shared. Because SOAP is a protocol without any architectural pattern, it cannot take advantage of REST.

5. Internal communication

When using REST, the implementer can choose which Media-Type to use, such as XML, JSON, Plain-text, in exchange for information. SOAP uses only XML to exchange information, but REST does not use XML for exchanging information. Also, REST is compatible with SOAP, but SOAP cannot be used with REST.

As APIs are built to be self-documenting, hackers can access and analyse the information about how they are implemented and structured.

Aside from these vulnerabilities, APIs also have other weaknesses that make them vulnerable to attacks. Business logic problems, insecure endpoints, and weak authentication are some of the issues. The following attacks are vulnerable to APIs:

Wind-Up

It is no doubt that web APIs are becoming the preferred method for creating and consuming web services in modern applications.

It may seem daunting to some organizations to make their APIs available to the public and secure them; however, it is quite straightforward and we encourage developers to do so.

To combat cyber-security attacks like Denial of Service attacks, malicious injection attacks, cross-site scripting attacks, and so on, there are already so many organizations doing it.

An organization should implement solid security mechanisms and manage them continuously no matter how many APIs it chooses to make publicly available.


API risk mitigation with Atatus

With Atatus’s API Analytics, you can continuously monitor your REST APIs and resolve issues before they negatively affect your end users.

Ensure that all API gateway endpoints and instances are monitored. You can gain insight into your API calls using API Analytics so you can see how, where, and who is using your endpoints.

Identify and optimize critical API issues that could mean the difference between success or failure for your business by analyzing API metrics.

API Insights

Accelerate the broken REST and GraphQL API by diagnosing the API-related issues. Monitoring API status codes, latency, throughput, response time, and other key metrics is possible with API analytics for full-stack observability. By inspecting the API requests, you can make sure the content in the request and response is what is intended.

You can also obtain insights into each transaction, including the status code, duration, IP address, user, request header, response header, request body, response body, host, device type, and more.

Integrate API metrics into your favourite channels like Slack, Email, PagerDuty, VictorOps and more to notify your team instantly about the issue.

Build bug free and faster APIs with your 14-day free trial of Atatus!