API Exploitation: Leading Cause to Modern Day Data Breaches

Background

I live in Kenya and every month, there is a new mobile application being released or a web portal with virtual wallets being developed. Many well-funded startups creating new applications at a very fast rate to close gaps in the market and enterprise organizations are trying to improve their already existing products with 3rd party integration for efficiency and less dependencies.

As usual, Cyber Security is an after thought in so many domains but today I shall be focusing on insecure application developed by many which leads to being compromised easily.

There is always an integration of one business to another using an API which play a significant role in the current digital transformation and 84.5% agree with this according to a survey conducted by POSTMAN in 2020 about the state of API.

However, APIs have also become the leading cause of Application security breaches in the recent past and many businesses are losing the battle to this. In numerous testing that I have contacted, the exploitation is becoming easier than expected and only takes a few hours when one gets to understand the apps (most of which are very similar).

Case Study 1:

A loan app with your personal details recorded during registration will allow you to borrow ksh5000 after various verification. Abusing the API permits for ksh45,000 to be borrowed but for a different phone number that is not even registered on the system of the lending company.

Due to the poorly written API, the server and payment processing organization (usually a third-party gateway) processes any transaction as true depleting the FLOAT of the lending company.

This attack is often noticed in almost every application that I get to test with my colleague which makes me wonder if DevSecOps is being taken seriously among most developers.

Case Study 2:

An insurance mobile application allows one to view details of his/her cover with amounts they have left to use. An exploitation of the API leads to ability to view details of other users and even manipulate the cover details in a more sophisticated attack.

The two cases above are results of many security gaps such as session token manipulation which allows one session key of a user to be re-used a number of times for various activities or manipulation of traffic during a transaction and API connection from one entity to the other.

Hackers have access to numerous open-source tools that allows them to perform these actions with ease by replaying attacks over and over again without being locked out or being detected.

APIs today and can choose from older protocols like SOAP, which are based on XML format to current API standards like REST, which utilizes lightweight JSON format. Over the last few years, newer protocols like GraphQL (built by Facebook) and gRPC (built by Google) have been introduced thus requires constant knowledge update on their security implementation.

What is the Way Forward????

There are various API security tools and organizations out there assisting in automating the processes but can be very costly to implement. Below are some of the basics to consider when thinking around OWASP Top 10 for Web and Mobile security.

Monitoring and Stop Gaps Implementation

Many organizations do not monitor activities on their servers or put stop gaps in their applications to avoid certain types of exploitations. For Example, having a loan application that allows one to borrow ksh5000 should have a stop gap of not allowing the user or mobile device process any other amount within a very short period of time. Such transactions should be flagged, and details logged alert sent for investigation.

Rogue/Shadow APIs

Software developers are now able to push new services and applications in a matter of minutes without the hustle of worrying about infrastructure or resource allocation due to the rise of cloud platforms such as Amazon AWS, Microsoft Azure and Google Cloud Platform.

“shadow APIs” being created often works outside the enterprise security and are a major source of increasing the threat attack surface. Numerous traditional API security tools are being bypassed very easily on levels of unavailability of proper authentication and weak data traffic encryption.

Traffic Encryption and Perimeter Security

End-to-end traffic tracing and better encryption implementation is needed when implementation is being done. Outdated TLS encryption should not be an exploitation point for hackers as the more traffic they can read easily, the easier the manipulation.

Perimeter protection needs to be enforced at all times as there is hardly ever a point of protection for the modern architectures being used. These includes microservices, hybrid clouds ?that have to work together in exchange of data.

With the large amounts of changes that has to be made every now and then, approval levels are always needed in the change management process of API manual configurations. There is usually a splintered gap between DevOps and Security which has led to untraceable complications.

Software Encoding Algorithms and Obfuscation

Majority of applications lack implementation of proper encoding algorithm or basic obfuscation on their application which makes it again easy for hackers to read data very easily and know exactly what part to focus on in terms abuse. Research on what works for your application and employ them with adequate testing.

Conclusion: Go Back to Basics

Adversaries are going to stop at nothing to attack your applications. So far as you register and market a product, you have become their number target in the market.

You need to go back to BASICS. Re-strategize your operations, DevSecOps, scrutinize all areas of focus and most importantly, do involve an external expert if you are not sure of what you doing.

Below is a checklist from Datatheorem for key summarized look