What Are APIs and How to Protect API Vulnerabilities?

Protect API Vulnerabilities

What is an Application Programming Interface (API)?

Most people are familiar with the term “user interface (UI)”, which describes all the visible functions and features shown on the frontend that shape a user’s interaction with a software application. But when it comes to application programming interface (API), most find it difficult to depict a clear picture of what it does. This isn’t surprising because the end-user of the application only sees the UI and does not see the API. In fact, the main purpose of the API  is to hide the internal details of how a program works from the end-user.

Just as how the UI acts as an intermediary between the end-user and the application, the API serves as an intermediary between different applications. It is the code that determines the functions and procedures that enable one software application to communicate with another. APIs can be readily incorporated into application development, saving a lot of time and energy for developers.

With increasingly sophisticated functions and features, it is very inefficient to incorporate all functions into one complete application. This is because every time a part of the application needs changes, the entire program must be rewritten to link all requests to the server again. Such single-application programs are said to have a monolithic architecture.

Most applications we use today are built with a microservices architecture, where a typical application consists of hundreds of small applications that deliver microservices. In other words, an application is, in reality, a network of applications connected by APIs. For instance, imagine shopping on an e-commerce platform with millions of items from different sellers. A lot of small applications are built within the website to enable different features. The search console may be served by one application, whereas the recommendation feature is served by another. One of the most crucial applications is the login form, where the API processes the user credentials and retrieves corresponding private data from the database. In a nutshell, the API is the bridge that holds the entire application together, with its primary goal being to retrieve and transfer data between the UI and different applications.


What Are API Attacks?

In API-based web applications, user requests are processed by hundreds of small applications, and data are drawn from their respective microservers. Since every server is an endpoint, there are now hundreds of endpoints to secure. Security administrators must make sure every server is well updated and protected.

Most importantly, the API itself can be exploited by hackers for targeted attacks. One API vulnerability is enough to compromise a network of servers and databases. Given its crucial role in processing data, the API is an appealing entry point for those seeking unauthorized access to sensitive personal and financial information. We explain below some of the most common API vulnerabilities and how attackers can exploit them.


API Injection:

Ranked as the No. 1 threat on the OWASP Top 10 Vulnerabilities list and No. 8 on the OWASP API Security Top 10 list, injection attacks remain the greatest risk to websites and APIs. The most common types of injection include SQL injection (SQLi) and cross-site scripting (XSS).

SQL injection is when the attacker exploits vulnerabilities in the API by injecting an invalid SQL statement into the application query, resulting in the execution of malicious commands on the database. Depending on the severity of the vulnerability, the attacker could gain the privilege to view, modify, or even extract private data.

Similarly, cross-site scripting is when the attacker exploits vulnerabilities to inject malicious JavaScripts into the database. When the data is requested by the query, the JavaScripts would be executed by the web browser, revealing session information. The attacker can then use the session information to gain access to admin accounts.


Hijacks IPDistributed Denial-of-Service (DDoS):

DDoS attacks are one of the most straightforward attacks carried out against web applications and APIs. The attacker hijacks a large number of IP addresses to send a bombardment of requests to the API, overwhelming the server and preventing it from processing legitimate requests. Similarly, brute force attacks can be carried out in a similar manner to overload the API and potentially breakthrough authentication. In severe cases, a continuous DDoS attack could bring down an application for days to weeks.


Privilege Escalation:

Privilege escalation is a common intrusion method where the attacker gains access to accounts and resources with limited access by escalating their account privilege. This can also be done at API endpoints, where hackers use exploited credentials of admin accounts to gain access to the API. This commonly occurs after API updates, as endpoint access is sometimes not taken care of during the updates.


Unsecured API Keys:

APIs are secured by keys that are only granted to the developer or admin user. Since each API key is unique, they prevent unauthorized users from tampering with the application program by modifying the API. However, it is not uncommon for developers to accidentally expose their API keys by saving them in insecure server environments. In some cases, API credentials get carelessly copied and pasted on GitHub.


Improper Assets Management:

Rated as a common API vulnerability on the OWASP API Security Top 10, attackers constantly search the web for beta and testing versions of APIs that tend to be forgotten in unsecured servers. These unprotected versions could still share endpoints that allow attackers to gain access to the production API. Similar to unsecured API keys, older versions of APIs should be either kept secure or safely retired. At the same time, access to production APIs should be separated from access to non-production versions.


Insufficient Logging and Monitoring:

Every organization should have a set of logging and monitoring systems in place so that it can be alerted when abnormal activities are detected. Instead of manual monitoring, automated monitoring systems help track failed login attempts, access denials, or suspicious traffic on a real-time basis, allowing security administrators to identify issues before they spread through the network and cause greater damage.


Cloudbric WAF+

A cloud WAF is ideal for enterprises that have limited resources for management or who would like their engineers to focus on building internal services. This WAF is particularly appropriate for data centers and hosting providers who use cloud-based web and application servers.

Cloudbric provides a fully managed cloud-based web application firewall as a form of SECaaS (Security-as-a-Service). It is an integration of WAF capabilities, DDoS protection, and Content Delivery Network (CDN) which improves security and user convenience. The intuitive dashboard of Cloudbric WAF offers easy security insights on settings and maintenance regardless of your environment and provides best-in-class customer service.


Source : https://www.pentasecurity.com/blog/