Implementing or integrating a new API for your digital platform is an exciting step. API allows developers to integrate the application and deliver services rapidly. The rise of the API-driven economy has also given rise to API-borne threats.
APIs are responsible for carrying out critical functions such as making payments to transfer sensitive data. It is therefore essential to protect them from any cyberattack. Most API attacks occur due to the lack of proper awareness of API security and misconfiguration during the integration and deployment phase.
APIs have emerged as a primary attack vector, with catastrophic financial consequences since their use has increased to deliver critical services in an automated manner. According to Gartner, API abuse will be the most frequent attack vector in 2022, with a 348% rise in API attacks compared to 2021.
API vulnerabilities can be found in various categories, including data exposure, excessive access, denial of service, authorization vulnerabilities, security misconfigurations, and more. Open Web Application Security Project (OWASP) releases the Top 10 API vulnerabilities and advisory for securing the API from malicious attacks, and some of them are covered in this blog.
- API1:2019 — Broken object-level authorization
- API2:2019 — Broken authentication
- API3:2019 — Excessive data exposure
- API4:2019 — Lack of resources and rate-limiting
- API5:2019 — Broken function-level authorization
- API6:2019 — Mass assignment
- API7:2019 — Security misconfiguration
- API8:2019 — Injection
- API9:2019 — Improper assets management
- API10:2019 — Insufficient logging and monitoring
Application Programming Interface (API) plays a vital role in the modern digital economy. You may have heard terms like an “API-driven economy” which essentially refers to businesses and consumers interacting with platforms driven by APIs in the backend.
Implementing or integrating a new API for your digital platform is an exciting step. API allows developers to integrate the application and deliver services rapidly. The rise of the API-driven economy has also given rise to API-borne threats.
APIs are responsible for carrying out critical functions such as making payments to transfer sensitive data. It is therefore essential to protect them from any cyberattack. Most API attacks occur due to the lack of proper awareness of API security and misconfiguration during the integration and deployment phase.
APIs have emerged as a primary attack vector, with catastrophic financial consequences since their use has increased to deliver critical services in an automated manner. According to Gartner, API abuse will be the most frequent attack vector in 2022, with a 348% rise in API attacks compared to 2021.
API vulnerabilities can be found in various categories, including data exposure, excessive access, denial of service, authorization vulnerabilities, security misconfigurations, and more. Open Web Application Security Project (OWASP) releases the Top 10 API vulnerabilities and advisory for securing the API from malicious attacks, and some of them are covered in this blog.
- API1:2019 — Broken object-level authorization
- API2:2019 — Broken authentication
- API3:2019 — Excessive data exposure
- API4:2019 — Lack of resources and rate-limiting
- API5:2019 — Broken function-level authorization
- API6:2019 — Mass assignment
- API7:2019 — Security misconfiguration
- API8:2019 — Injection
- API9:2019 — Improper assets management
- API10:2019 — Insufficient logging and monitoring
Why is API Security important?
Why is API Security important?
What are the common API Attacks?
Vulnerable APIs cause significant breaches. They are easily exploitable and provide hackers access to critical medical, financial, and personal information. Some examples of attacks can occur if an API is not adequately secured.
Broken Object Level Authorization
The most prevalent and damaging API attack is Broken Object Level Authorization. Attackers replace the ID of their resource in the API call with the ID of another user’s resource. They then access the given resource due to a lack of proper authorization checks. IDOR is another name for this attack (Insecure Direct Object Reference).
By changing the ID of an object delivered within the request, attackers can exploit API endpoints subject to broken object-level permission. This might result in unauthorized access to sensitive data.
This problem is widespread in API-based applications since the server component typically does not entirely maintain the client’s status and instead depends on parameters such as object IDs given by the client to determine which objects to access. Unauthorized access can lead to data exposure to unauthorized individuals, data loss, or data tampering. Unauthorized access to objects can also result in a complete account takeover.
Broken Authentication
Unprotected APIs with no authentication poses a significant risk to the organization. Other vulnerabilities related to broken authentication are weak API keys that are not rotated, weak authentication that can be brute-forced, exposing the credential and keys within the API endpoints, and lack of access token digital signature and validation.
API Injection Attack
This attack occurs on an application that runs poorly developed and updated code. To obtain access to your application, the hacker injects harmful code into it, such as SQLi (SQL injection) and XSS (cross-site scripting). APIs with vulnerabilities in authentication and validation are also vulnerable to code injection, which occurs when an attacker sends a script to an application’s server via an API request. This script is designed to disclose or destroy data, plant fake information, and cause damage to the application’s infrastructure.
API Parameter Tampering
API endpoints can be fuzzed and tampered with if the proper input validation is not performed. Parameter tampering is a web-based cyber-attack in which URL parameters / API endpoints variables are modified without server-side knowledge. In some cases, data provided by a user into a form field on a webpage may be updated without the user’s permission.
Excessive Data Exposure
Excessive data exposure occurs when an application delivers more information than is required for a user to accomplish a given activity via an API response. When web and mobile applications rely on API calls that provide more information to the user than is required, the responses reveal unfiltered data that an attacker might exploit by sniffing the network from APIs using Man in the Middle attack to get sensitive information. When sensitive data is exposed in this manner, it can have a severe business impact depending on what data is disclosed, but owing to the nature of the sensitive data, it nearly always has a significant effect.
Denial-of-Service Attack
This is most likely the most prevalent type of attack and is frequently mentioned in the news. A Distributed Denial of Service (DDoS) attack is one in which multiple systems overwhelm the bandwidth of the target system. A DDoS attack against a web API seeks to overrun its memory by simultaneously flooding it with thousands of connections. Hackers can also do this by delivering a massive and heavy quantity of data in each request where no rate-limiting restrictions are applied.
The objective of DoS attacks is not to change, erase, or steal data. The goal is to disrupt the operation of an online service or the reputation of a firm that provides such services. The attackers direct a bot to the API and send a series of high-frequency requests to an endpoint for a set time. The tolerance of requests exceeds the target’s capacity to reply, making it inaccessible to genuine users.
Insufficient Logging and Monitoring
Another major issue with how APIs are designed and developed to generate suitable security-related logs. Most APIs have insufficient logging capabilities; to add to that, real-time security monitoring of APIs is also not performed by many organizations.
Without sufficient API logging and monitoring, attackers can exploit API vulnerabilities with zero knowledge from the organization.
Man-in-the-Middle Attack
A MITM attack is precisely what it sounds like: an attacker stealthily transmits, modifies, and intercepts communications, messages, and requests between two parties to get sensitive information. A hacker can act as a man in the middle for a session token issuing API to an HTTP header and a user. If the hacker intercepts the session token, he will get access to the user’s account, potentially revealing sensitive and personal information.
When a hacker intercepts an API request or response between an end-user and an API, this is known as a man-in-the-middle (MITM) attack. They may steal sensitive communication contents (e.g., account login passwords or payment information) or change the request/response.
What are the common API Attacks?
Vulnerable APIs cause significant breaches. They are easily exploitable and provide hackers access to critical medical, financial, and personal information. Some examples of attacks can occur if an API is not adequately secured.
Broken Object Level Authorization
The most prevalent and damaging API attack is Broken Object Level Authorization. Attackers replace the ID of their resource in the API call with the ID of another user’s resource. They then access the given resource due to a lack of proper authorization checks. IDOR is another name for this attack (Insecure Direct Object Reference).
By changing the ID of an object delivered within the request, attackers can exploit API endpoints subject to broken object-level permission. This might result in unauthorized access to sensitive data.
This problem is widespread in API-based applications since the server component typically does not entirely maintain the client’s status and instead depends on parameters such as object IDs given by the client to determine which objects to access. Unauthorized access can lead to data exposure to unauthorized individuals, data loss, or data tampering. Unauthorized access to objects can also result in a complete account takeover.
Broken Authentication
Unprotected APIs with no authentication poses a significant risk to the organization. Other vulnerabilities related to broken authentication are weak API keys that are not rotated, weak authentication that can be brute-forced, exposing the credential and keys within the API endpoints, and lack of access token digital signature and validation.
API Injection Attack
This attack occurs on an application that runs poorly developed and updated code. To obtain access to your application, the hacker injects harmful code into it, such as SQLi (SQL injection) and XSS (cross-site scripting). APIs with vulnerabilities in authentication and validation are also vulnerable to code injection, which occurs when an attacker sends a script to an application’s server via an API request. This script is designed to disclose or destroy data, plant fake information, and cause damage to the application’s infrastructure.
API Parameter Tampering
API endpoints can be fuzzed and tampered with if the proper input validation is not performed. Parameter tampering is a web-based cyber-attack in which URL parameters / API endpoints variables are modified without server-side knowledge. In some cases, data provided by a user into a form field on a webpage may be updated without the user’s permission.
Excessive Data Exposure
Excessive data exposure occurs when an application delivers more information than is required for a user to accomplish a given activity via an API response. When web and mobile applications rely on API calls that provide more information to the user than is required, the responses reveal unfiltered data that an attacker might exploit by sniffing the network from APIs using Man in the Middle attack to get sensitive information. When sensitive data is exposed in this manner, it can have a severe business impact depending on what data is disclosed, but owing to the nature of the sensitive data, it nearly always has a significant effect.
Denial-of-Service Attack
This is most likely the most prevalent type of attack and is frequently mentioned in the news. A Distributed Denial of Service (DDoS) attack is one in which multiple systems overwhelm the bandwidth of the target system. A DDoS attack against a web API seeks to overrun its memory by simultaneously flooding it with thousands of connections. Hackers can also do this by delivering a massive and heavy quantity of data in each request where no rate-limiting restrictions are applied.
The objective of DoS attacks is not to change, erase, or steal data. The goal is to disrupt the operation of an online service or the reputation of a firm that provides such services. The attackers direct a bot to the API and send a series of high-frequency requests to an endpoint for a set time. The tolerance of requests exceeds the target’s capacity to reply, making it inaccessible to genuine users.
Insufficient Logging and Monitoring
Another major issue with how APIs are designed and developed to generate suitable security-related logs. Most APIs have insufficient logging capabilities; to add to that, real-time security monitoring of APIs is also not performed by many organizations.
Without sufficient API logging and monitoring, attackers can exploit API vulnerabilities with zero knowledge from the organization.
Man-in-the-Middle Attack
A MITM attack is precisely what it sounds like: an attacker stealthily transmits, modifies, and intercepts communications, messages, and requests between two parties to get sensitive information. A hacker can act as a man in the middle for a session token issuing API to an HTTP header and a user. If the hacker intercepts the session token, he will get access to the user’s account, potentially revealing sensitive and personal information.
When a hacker intercepts an API request or response between an end-user and an API, this is known as a man-in-the-middle (MITM) attack. They may steal sensitive communication contents (e.g., account login passwords or payment information) or change the request/response.
How to prevent API Attacks
Implementing API Firewall
API firewall main features are to secure REST API endpoints by preventing malicious requests and API-related data breaches by blocking incorrect API responses. API firewall acts as a reverse proxy, validating whether requests and responses match the specification’s template. API firewall helps in monitoring and discovering the shadow APIs and undocumented endpoints. Modern API firewalls continuously monitor requests and responses and block the malicious requests that do not match the Open API 3.0 specification, which will stop data breaches and sensitive data exposure. API firewalls are also valuable for use cases where source IP whitelisting needs to be applied for permissioned access.
Use API Gateway
The API should always be put behind a gateway. The API gateway is equivalent to a gatekeeper who protects the underlying data. API gateways concentrate traffic parameters and apply them to every API request. API gateways implement security standards that govern authentication, authorization, and traffic management. Security standards are rules designed to secure the underlying services, determining the API’s behavior. API gateway protects against many security threats and attacks in the API environment, including excessive data exposure, broken object-level authorization, and broken user authentication.
API Logging and Continuous Monitoring
Ensure API endpoints generate the relevant contextual security-related logs for auditing and visibility purposes. Continuous monitoring is critical in an organization’s cybersecurity ecosystem. Just like visibility is an essential domain in cybersecurity, all API endpoints, and their access, authorization, and access should be logged and monitored. Integrating API endpoint logging with a SIEM/XDR or Application Performance Monitoring platform is always recommended to facilitate real-time security monitoring of APIs.
General API Security Checklist
- Implement authorization checks on API endpoints
- Do not rely on IDs that the client sends and use IDs stored in the session object instead.
- Authorization for each API request to access the database
- Ensure randomness of IDs that cannot be guessed (UUIDs)
- Authenticate all APIs
- Secure your API token generation process.
- Use short-lived access tokens and ensure session management
- Authenticate and permission your connected API apps
- Use stricter rate-limiting for API methods, authentication, and data access
- Limit payload sizes for API queries and responses to prevent bulk execution abuse
- Implement lockout policies once the threshold is violated
- Never rely on the client to filter data – always filter on the API-server side
- Review all API responses and adapt they are no more than what the API consumers needs
- Document and carefully define schemas for all the API responses
- Appropriate error responses to not expose sensitive information and define proper schemas
- Identify all confidential, sensitive, and PII data and ensure API authorization is in place
- Ensure API endpoints enforce restricted admin access to only approved users/groups.
- Do not automatically bind incoming data and internal objects
- Explicitly define all the parameters and payloads the API is expecting
- Use the readOnly property set to true in object schemas for all properties that can be retrieved through APIs but should never be modified
- Precisely define the data schemas, types, and patterns you will accept in requests at design time and enforce them at runtime
- Disable unnecessary API features
- Never trust your API consumers/client, even if they are internal
- Keep an up-to-date inventory of all API endpoints
- Limit access to anything that should not be public with source IP whitelisting
- Implement strict authentication, redirects, CORS, and so on
- Define and enforce all outputs as logs, with enough detail to identify attackers
- Log failed attempts, denied access, input validation failures, or any failures in security policy checks
- Ensure that logs are formatted so that other tools can consume them as well
- Integrate with SIEM / APM and different dashboards, monitoring, and alerting tools
- Protect logs like the highly sensitive information
- Avoid having sensitive data in logs. If you need the information for debugging purposes, redact it partially.
How to prevent API Attacks
Implementing API Firewall
API firewall main features are to secure REST API endpoints by preventing malicious requests and API-related data breaches by blocking incorrect API responses. API firewall acts as a reverse proxy, validating whether requests and responses match the specification’s template. API firewall helps in monitoring and discovering the shadow APIs and undocumented endpoints. Modern API firewalls continuously monitor requests and responses and block the malicious requests that do not match the Open API 3.0 specification, which will stop data breaches and sensitive data exposure. API firewalls are also valuable for use cases where source IP whitelisting needs to be applied for permissioned access.
Use API Gateway
The API should always be put behind a gateway. The API gateway is equivalent to a gatekeeper who protects the underlying data. API gateways concentrate traffic parameters and apply them to every API request. API gateways implement security standards that govern authentication, authorization, and traffic management. Security standards are rules designed to secure the underlying services, determining the API’s behavior. API gateway protects against many security threats and attacks in the API environment, including excessive data exposure, broken object-level authorization, and broken user authentication.
API Logging and Continuous Monitoring
Ensure API endpoints generate the relevant contextual security-related logs for auditing and visibility purposes. Continuous monitoring is critical in an organization’s cybersecurity ecosystem. Just like visibility is an essential domain in cybersecurity, all API endpoints, and their access, authorization, and access should be logged and monitored. Integrating API endpoint logging with a SIEM/XDR or Application Performance Monitoring platform is always recommended to facilitate real-time security monitoring of APIs.
General API Security Checklist
- Implement authorization checks on API endpoints
- Do not rely on IDs that the client sends and use IDs stored in the session object instead.
- Authorization for each API request to access the database
- Ensure randomness of IDs that cannot be guessed (UUIDs)
- Authenticate all APIs
- Secure your API token generation process.
- Use short-lived access tokens and ensure session management
- Authenticate and permission your connected API apps
- Use stricter rate-limiting for API methods, authentication, and data access
- Limit payload sizes for API queries and responses to prevent bulk execution abuse
- Implement lockout policies once the threshold is violated
- Never rely on the client to filter data – always filter on the API-server side
- Review all API responses and adapt they are no more than what the API consumers needs
- Document and carefully define schemas for all the API responses
- Appropriate error responses to not expose sensitive information and define proper schemas
- Identify all confidential, sensitive, and PII data and ensure API authorization is in place
- Ensure API endpoints enforce restricted admin access to only approved users/groups.
- Do not automatically bind incoming data and internal objects
- Explicitly define all the parameters and payloads the API is expecting
- Use the readOnly property set to true in object schemas for all properties that can be retrieved through APIs but should never be modified
- Precisely define the data schemas, types, and patterns you will accept in requests at design time and enforce them at runtime
- Disable unnecessary API features
- Never trust your API consumers/client, even if they are internal
- Keep an up-to-date inventory of all API endpoints
- Limit access to anything that should not be public with source IP whitelisting
- Implement strict authentication, redirects, CORS, and so on
- Define and enforce all outputs as logs, with enough detail to identify attackers
- Log failed attempts, denied access, input validation failures, or any failures in security policy checks
- Ensure that logs are formatted so that other tools can consume them as well
- Integrate with SIEM / APM and different dashboards, monitoring, and alerting tools
- Protect logs like the highly sensitive information
- Avoid having sensitive data in logs. If you need the information for debugging purposes, redact it partially.