The number of Application Programming Interfaces (APIs) deployed within organizations is multiplying. According to this survey, 26% of businesses use at least twice as many APIs as they did a year ago, increasing the attacks on APIs. APIs are integral to any application, making them a prime target for attacks. The Open Web Application Security Project (OWASP) has published the Top 10 API security attacks associated with API vulnerabilities which this blog will discuss..
Common API Attacks
Broken Access Control
This is the most common API attack due to little to no access control policy. An access control policy is implemented to ensure users only have access to permitted information and the privilege to perform allowed tasks. Simply put, access control ensures users cannot act outside granted permissions. Failure to implement an access control policy leads to data theft, modification, and destruction. Regarding APIs, exploitation of privilege by an unauthorized user can result in a successful attack by a threat actor.
APIs can be subject to injection flaws that involve an attacker sending malicious data to an interpreter from an untrusted source through a command or query. This interpreter can execute these dangerous commands, which allows the attacker to access unauthorized data. Injection attacks are a fast-growing threat for APIs with flaws like SQL injection, command injection, NoSQL injection, and others.
A Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack occurs when an attacker attempts to make a service, network, or system unavailable to legitimate users. A DDoS attack makes an API endpoint unreachable when an attacker gains control of multiple systems to send suspicious requests to overwhelm the APIs' memory. For online commerce systems, this opens them up to Inventory Denial attacks (IDA).
Man in the Middle (MITM) Attack
MitM attackers involve an attacker intercepting communication between an API endpoint and a client. This action results in the theft and/or alteration of confidential data. The attacker can act as a MitM between a session token issuing API, an HTTP header, and a user. This action grants the attacker access to the user's account and all related data about the user.
Broken User Authentication
Broken authentication is simply a weakness in improper session and credential management. When a user authentication method is broken, attackers can use stolen authentication tokens, credential surfing, and brute-force attacks to gain unauthorized access to applications. API authentication identifies and authorized users trying to gain access to applications. Where authentication is compromised, API security is compromised.
Where an application is not adequately protected with appropriate security measures, data can be exposed. However, developers rely on client-side filtering, which results in data exposure. When an API does not filter response, data is exposed on the server for anyone (attackers) to access.
Security misconfigurations impact API security negatively and lead to vulnerabilities. These misconfigurations allow attackers to gain information about the application during the reconnaissance stage of an attack. Attackers exploit security misconfigurations when attacking APIs and gain unauthorized access to an application and data.
Failure to encrypt data exchanged between client and server can result in a man-in-the-middle attack; therefore, transport layer security (TLS) should be used to protect APIs and promote secure communication between applications.
Improper Asset Management
The existence of more than one version of an API and the failure to delete the old version by a developer can lead to improper asset management. APIs expose more endpoints than web applications. Thus, they should be appropriately documented and tracked. Exposed debug endpoints and outdated API versions increase the attack surface for API attacks which can be mitigated by proper configuration and keeping an API inventory.
Best Practices to Prevent API Attacks
Implement Multi-factor Authentication
Multi-factor authentication (MFA) is an added layer of security used to authenticate users before they are authorized to access an application or data through an authentication device. Attackers might not get access to a user's authentication device; therefore, implementing MFA is an effective practice for promoting API security.
Keep an inventory of all APIs deployed within your organization for documentation, review, testing, and protection of these APIs.
Periodic Security Testing
Use security tools to periodically carry out tests to identify and discover misconfigurations and vulnerabilities in your APIs. These tests should be done in runtime to discover exploitable code.
Reduce Access to Sensitive Data
Access to data should be controlled, and only the server should be allowed to filter responses to prevent data exposure and unauthorized access.
Promote Secure API Design and Development
When developing and configuring APIs, the OWASP Application Security Verification Standard (ASVS) is an excellent resource for building and integrating APIs.
Logging and Monitoring
APIs should be logged and monitored regularly to discover any abnormalities in the performance of the API.
Common API Attacks
The API attack surface is dynamic and evolving, with new threats discovered daily. It is essential to understand the common API attack types and be prepared by implementing security best practices to secure your APIs and organization.
About the Author
Mosopefoluwa is a certified Cybersecurity Analyst and Technical writer. She has experience working as a Security Operations Center (SOC) Analyst with a history of creating relevant cybersecurity content for organizations and spreading security awareness. She volunteers as an Opportunities and Resources Writer with a Nigerian based NGO where she curated weekly opportunities for women. She is also a regular writer at Bora.
Her other interests are law, volunteering and women’s rights. In her free time, she enjoys spending time at the beach, watching movies or burying herself in a book.
Connect with her on LinkedIn and Instagram
Want to learn more about cyber-security solutions for your business?