Optimal Strategies for Enhancing API Security
Consequences – API Leaking Data
What happens when an API's security is weak? Here are a few examples:
2. Google To Shut Down Google+ As Social Network Bug Exposed Private Data
Let's understand the causes of API breaches
API Security Categories
Let's take a look at the diagram to understand the key categories for API security
Most Commonly known API Vulnerabilities
DISTRIBUTED DENIAL OF SERVICES
API DDoS attacks are executed to overload an API service. Since each attacker sends normal traffic volumes, these attacks are difficult to detect.
SQL INJECTION & DATA ATTACKS
Hackers or insiders with credentials can access systems or data, leading to extraction, deletion, manipulation, or code injection.
MOST EXPLOITED API VULNERABILITIES
RBAC & ABAC VULNERABILITIES
Granting precise resource access may create numerous RBAC roles or ABAC rules, prone to exploitation if inadequately tested. Detecting privilege escalation (RBAC) and unauthorized resource access (ABAC) is challenging. Such vulnerabilities fuel major API attacks, risking hefty regulatory fines for companies.
BUSINESS LOGIC FLAWS
Coding errors lead to technical vulnerabilities like SQL injections. Conversely, business logic vulnerabilities stem from application functionality mistakes. APIs are prime targets for exploiting these vulnerabilities. Traditional security tools can't detect business logic vulnerabilities.
ROLE BASED ACCESS CONTROL
What is RBAC?
Limitations of RBAC
Here is an example of an RBAC breach from Google+
GOOGLE+ PRIVILEGE ESCALATION VULNERABILITY USER DATA FROM 52.5 MILLION ACCOUNTS EXPOSED
How was this hack perpetrated?
What won't work in stopping these kinds of attacks
Static application security testing (SAST) and dynamic application security testing (DAST) are two ways to find security problems in apps. SAST checks the app's inner workings and code to spot issues, like a detective inspecting a crime scene. Meanwhile, DAST tests the app from the outside, like a guard patrolling the perimeter, searching for weaknesses that could be exploited by intruders. SAST pores over the source code, while DAST scans the running app as it operates.
ATTRIBUTE BASED ACCESS CONTROL
What is ABAC?
Limitation of ABAC
Here is an example of an ABAC breach from CITI
CITI ABAC Vulnerability - Exposing Financial Data of 360,000 Customers
How was this breach executed?
What measures won't be effective in preventing such attacks?
SAST & DAST scanning solutions are ineffective in detecting these exploits, as they primarily target injection and fuzzing attacks rather than unauthorized access to API resources.
Things to keep in Mind
Be Smarter about Data
API Security Pitfalls
Allowing access to your API over HTTP
APIs are accessed from code, so there is no need to support a redirect from HTTP to HTTPS. Lock your API further down by enabling HSTS.
Use HTTPS; without it, no other mechanism is of any use
• There is no valid excuse not to use HTTPS anymore
• APIs are accessed directly from within an application
• Network-based attacks can still attempt a fallback to HTTP
Strict-Transport-Security: max-age=31536000
"The max-age attribute in the HTTP Strict Transport Security (HSTS) policy should be set to 31536000 seconds, or one year. This attribute tells user agents that a host is a known HSTS host for one year after receiving the Strict-Transport-Security header field"
Unlimited access to an API is a bad idea
• Unlimited access to an API can have dangerous consequences
• Many rate-limiting strategies can be used
PAGINATION LIMITS TO PREVENT DDOS ATTACKS
Implementing pagination limits is essential for preventing DDoS attacks. When endpoints return lists of entities, pagination helps manage traffic effectively by limiting the number of search results displayed at once. This strategy helps prevent overwhelming network loads caused by excessive search queries.
Offset Pagination:
Offset pagination is one of the most straightforward paging methods. It gained popularity particularly among applications utilizing SQL databases, as LIMIT and OFFSET are already integrated into the SQL SELECT Syntax. Implementing limit/offset paging requires minimal business logic.
Here's how it works:
1. The client initiates a request for the most recent items: GET /items?limit=20
2. Upon scrolling or navigating to the next page, the client sends a second request: GET /items?limit=20&offset=20
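The two requests above, handled by a small endpoint that validates and caps limit/offset before they reach the database. This is an added example, not code from the article; the bounds (DEFAULT_LIMIT, MAX_LIMIT, MAX_OFFSET) and the in-memory SQLite table are constructed for the demonstration.

```python
from __future__ import annotations
import sqlite3

# Constructed upper bounds for this example; real values depend on the service.
DEFAULT_LIMIT = 20
MAX_LIMIT = 100
MAX_OFFSET = 10_000  # deep offsets make the database scan and discard rows


def parse_page_params(query: dict) -> tuple[int, int]:
    """Validate ?limit=&offset= from a request and clamp them to safe bounds.

    Raises ValueError for non-numeric or negative input so the caller can
    answer 400 instead of forwarding garbage to the database."""
    try:
        limit = int(query.get("limit", DEFAULT_LIMIT))
        offset = int(query.get("offset", 0))
    except (TypeError, ValueError):
        raise ValueError("limit and offset must be integers")
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset >= 0")
    if offset > MAX_OFFSET:
        raise ValueError(f"offset may not exceed {MAX_OFFSET}")
    # A client asking for limit=1000000 silently gets MAX_LIMIT instead.
    return min(limit, MAX_LIMIT), offset


def fetch_items(conn: sqlite3.Connection, query: dict) -> list[int]:
    """GET /items: run the page request as a parameterised LIMIT/OFFSET query."""
    limit, offset = parse_page_params(query)
    rows = conn.execute(
        "SELECT id FROM items ORDER BY id DESC LIMIT ? OFFSET ?", (limit, offset)
    ).fetchall()
    return [r[0] for r in rows]


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with 250 items (ids 1..250)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY)")
    conn.executemany("INSERT INTO items (id) VALUES (?)", [(i,) for i in range(1, 251)])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_items(db, {"limit": "20"}))                  # ids 250..231
    print(fetch_items(db, {"limit": "20", "offset": "20"}))  # ids 230..211
    print(len(fetch_items(db, {"limit": "999999"})))         # 100, not 250
```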
Insecure direct object references
Always perform a basic authentication check together with the applicable authorization checks (e.g. ownership of a resource)
• Predictable identifiers enable the enumeration of resources.
• The only correct mitigation is implementing accurate authorization checks
• The use of non-predictable identifiers is a complementary approach.
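An added example (not from the article) of the two checks the bullets call for on a GET /documents/{id} endpoint: authenticate the caller, then verify ownership before returning anything. The in-memory document store, the user names and the Forbidden exception are constructed for the demonstration; random UUIDs stand in for the non-predictable identifiers.

```python
from __future__ import annotations
import uuid

# Constructed in-memory store: document id -> (owner, content).
# Ids are random UUIDs, so they cannot be enumerated, but that is only a
# complement: the ownership check in get_document is the real control.
_documents: dict[str, tuple[str, str]] = {}


class Forbidden(Exception):
    """Caller is authenticated but may not see this resource."""


def create_document(owner: str, content: str) -> str:
    doc_id = str(uuid.uuid4())  # non-predictable identifier
    _documents[doc_id] = (owner, content)
    return doc_id


def get_document(current_user: str | None, doc_id: str) -> str:
    """GET /documents/{doc_id} with both an authentication and an authorization check."""
    if current_user is None:  # authentication check
        raise PermissionError("not authenticated")
    record = _documents.get(doc_id)
    # Answer the same way for "missing" and "not yours", so the endpoint does
    # not confirm which ids exist to a user who guesses them.
    if record is None or record[0] != current_user:  # authorization (ownership) check
        raise Forbidden("no such document for this user")
    return record[1]


def insecure_get_document(current_user: str | None, doc_id: str) -> str:
    """The IDOR pattern: authenticates the caller, then trusts the id without
    checking ownership. Shown only to contrast with get_document."""
    if current_user is None:
        raise PermissionError("not authenticated")
    return _documents[doc_id][1]
```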
The Properties of cookies
• Cookies are a mess, but they are compatible with the web
• Securing cookie-based mechanisms requires a lot of effort
• Cookies are a nightmare to support in non-web applications
The properties of custom headers
Cookies are often frowned upon in an API world, and custom headers are preferred. Both have vastly different security properties, so make sure you understand them fully.
• Custom headers are straightforward, but can be hard to use
• Securing header-based mechanisms is also surprisingly difficult
• Custom headers are a breeze to use in non-web applications.
Cross-Site request forgery
"Cross-site request forgery (CSRF), also known as one-click attack or session riding, is a type of cyber attack that tricks a user into performing actions on a web application that they are authenticated to. CSRF attacks exploit the trust a web application has in an authenticated user. For example, a CSRF attack can trick a user into transferring funds, changing their email address, or making a purchase. A successful attack against an administrative account can compromise an entire server, potentially resulting in complete takeover of a web application."
Here is an example to explain Cross-site request forgery (CSRF)
CROSS-SITE REQUEST FORGERY
• CSRF exists because the browser handles cookies very liberally.
• Many APIs are unaware that any context can send requests
• A traditional CSRF defense is using hidden form tokens
Underestimating the importance of CSRF
CSRF attacks exist when cookies are used for keeping session state. Verify if you're vulnerable and implement appropriate defences.
If you do not use cookies, you do not need to worry about CSRF
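An added example (not the article's code) of the hidden-form-token defense from the bullets above, modelled as a tiny POST /transfer handler. The session store, the cookie and form field names, and the user names are constructed for the demonstration; simulate() compares a legitimate form post with a cross-site post that carries the cookie but not the token.

```python
from __future__ import annotations
import hmac
import secrets

# Constructed server-side session store: session_id -> session data.
SESSIONS: dict[str, dict] = {}


def login(user: str) -> tuple[str, str]:
    """Create a cookie session and a per-session CSRF token (the hidden form token)."""
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf": csrf_token}
    return session_id, csrf_token


def handle_transfer(cookies: dict, form: dict) -> tuple[int, str]:
    """POST /transfer. Returns (status, body) like a small web handler would.

    The browser attaches the session cookie to any request to this origin,
    including one submitted by a page on another site, so the cookie alone
    proves nothing about who composed the request. The hidden token does:
    another site cannot read it out of this site's HTML."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']} transferred {form.get('amount')} to {form.get('to')}"


def simulate() -> tuple[int, int]:
    """Constructed scenario: legitimate form post vs. forged cross-site post."""
    sid, token = login("alice")
    # Legitimate request: the site's own form carried the hidden token.
    ok, _ = handle_transfer({"session": sid},
                            {"to": "bob", "amount": "10", "csrf_token": token})
    # Cross-site request: the browser still adds the cookie, but the
    # submitting page had no way to learn the token, so it is rejected.
    forged, _ = handle_transfer({"session": sid}, {"to": "other", "amount": "9999"})
    return ok, forged
```

An API authenticated purely by a custom header (e.g. a bearer token the client code attaches itself) has no such automatically attached credential, which is why the line above says cookies are the precondition for CSRF.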
THE RELATION BETWEEN CSRF AND CORS
• Cross-origin HTTP requests have always existed in the web
• CSRF matters in an API supporting "traditional" HTTP requests
• APIs using "non-traditional" HTTP requests fall under the protection of CORS
COMMON CORS MISCONFIGURATIONS
Origin: https://www.example.com
• Allowing partial matching against the Origin header
• Allowing the null origin
• Only checking the domain, and not the entire origin
• Reflecting back the value from the Origin header
Insecure CORS configuration / implementation
CORS policies are crucial to prevent a malicious site from accessing your API in a legitimate user's name. Do not allow more access than necessary, and verify your implementation.
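The four misconfigurations listed above next to the correct exact-match allowlist, as an added example that is not part of the article. Each function takes the request's Origin header and returns the value to put in Access-Control-Allow-Origin, or None to omit the header; the allowlist and the test origins (the reserved .test TLD) are constructed for the demonstration.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed allowlist; the article's sample header is "Origin: https://www.example.com".
ALLOWED_ORIGINS = {"https://www.example.com", "https://app.example.com"}


def reflect_origin(origin: str | None) -> str | None:
    """Misconfiguration: echo whatever Origin arrives. Every site is allowed."""
    return origin


def partial_match(origin: str | None) -> str | None:
    """Misconfiguration: substring check. A host that merely contains
    'example.com' (e.g. www.example.com.other.test) passes."""
    if origin and "example.com" in origin:
        return origin
    return None


def domain_only(origin: str | None) -> str | None:
    """Misconfiguration: compares the host but ignores scheme and port, so a
    plain-HTTP origin, which a network attacker can impersonate, passes."""
    if origin and urlsplit(origin).hostname == "www.example.com":
        return origin
    return None


def allow_null(origin: str | None) -> str | None:
    """Misconfiguration: 'null' is what sandboxed iframes and file:// pages
    send, so accepting it lets untrusted contexts through."""
    if origin == "null" or origin in ALLOWED_ORIGINS:
        return origin
    return None


def exact_allowlist(origin: str | None) -> str | None:
    """Correct check: the whole origin (scheme + host + port) must match exactly."""
    if origin in ALLOWED_ORIGINS:
        return origin
    return None
```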
UNDERESTIMATING THE IMPACT OF XSS
"Cross-site scripting (XSS) is a security vulnerability that allows attackers to inject malicious code into web pages. This code is executed by the victim, allowing the attacker to bypass access controls and impersonate users. Attackers often use XSS by sending a malicious link to a user and tricking them into clicking it. If the app or website doesn't have proper data sanitization, the malicious link will execute the attacker's code on the user's system. As a result, the attacker can steal the user's active session cookie."
Stealing data from localStorage is only a single consequence of XSS.
XSS means game over. You lost.
INPUT VALIDATION IS AN IMPORTANT FIRST LINE OF DEFENSE
• Limiting the number of valid inputs reduces the attack surface
• Best practices for input validation
Lack of input validation
A lack of input validation is the enabler for various other attacks. Ensure that input validation is as strict as possible without triggering false positives.
However, checking the input can only take you part of the way
• Input validation targets symptoms, not the root cause of the issue
• Once the data is complex enough, validation bypasses will exist
• And sometimes, it's just not the API's responsibility
Relying on input validation
Even though input validation is a good first line of defence, it will fail as the only defence. Do not rely on input validation alone.
Summary
In conclusion, the consequences of weak API security can be severe. Understanding the causes of these breaches, such as vulnerabilities in Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), is crucial. While measures like input validation are important, they only address part of the issue. Proper security measures, including HTTPS implementation, rate limiting, and effective CORS policies, are essential to mitigate risks. Ultimately, a multi-layered approach is necessary to safeguard against API vulnerabilities effectively.
Fullstack Senior Developer to Build Scalable and Secure Web Experiences | Solution Architect | Angular | Typescript | React | NestJS | Code Review Expert | Clean Code Expert
(11 months ago) Very well explained.
Software Engineer 2 at Microsoft
(11 months ago) Very useful...
Gen AI engineer and leader | LLM | RAG | NLP
(11 months ago) This is a good article on the importance of API security!
Full Stack Developer, Ninja in .NET, Angular, Node.js, SQL
(11 months ago) Nice read, good to see mentioning of impact when having leaky APIs
Sr. Project/Program Manager at Nagarro
(11 months ago) With increased usage of APIs widely across industry, everyone must adhere to the best security standards