Massive API Growth
APIs serve as the building blocks of modern application architectures and system design, and most of the traffic on the web today goes through them. A system often requires an API to access its resources. Almost every line of code uses an API call, which helps programmers build their product on top of previous efforts.
Using APIs can speed up and lower the cost of app development, enable flexibility, simplify design, administration, and use, and allow for innovation when creating new tools and products or managing current ones.
The widespread use of APIs has made API security a key concern. The Gartner report How to Build an Effective API Security Strategy states that “by 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications.” To protect against API attacks, Gartner recommends adopting “a continuous approach to API security across the API development and delivery cycle, designing security [directly] into APIs.”
These changes in the security landscape have prompted OWASP recently to launch an API-specific list: the OWASP API Security Top 10 vulnerabilities.
OWASP Top 10 API Security Threats
API1: Broken Object Level Authorization
API6: Mass Assignment
API2: Broken Authentication
API7: Security Misconfiguration
API3: Excessive Data Exposure
API4: Lack of Resource & Rate Limiting
API9: Improper Asset Management
API5: Broken Function Level Auth
API10: Insufficient Logging & Monitoring
In addition to the OWASP top 10, there are other API security issues to monitor:
- Hackers who are also users
Using sophisticated access control rules, a hacker might be an insider or have used a false email address or social media account to sign up for the app.
- Valid accounts and credentials
Credential stuffing and dark web purchases are two of the many ways attackers can obtain valid credentials. Hackers can take over legitimate accounts by bypassing the first layer of access control rules because they know that users reuse passwords.
- Stolen tokens
Phishing, looking at public repos on GitHub, and other methods can all lead to losing an OAuth token. Because most token confirmations are lightweight bearer tokens, a leaked token can be used by anybody from anywhere until it expires.
- Outside-the-app scenarios
Hackers try to find hidden API vulnerabilities by bypassing the client-side app. The API providers themselves are often unaware of these vulnerabilities.
While companies can mitigate these additional API security threats by tightening security procedures, risks remain.
Old Tools Will Not Protect You
Many businesses still use old security tools, such as API gateways and Web Application Firewalls (WAFs), and other traditional protection methods. However, as threats become more complicated and sophisticated, standard tools completely miss attacks that target APIs.
Here are a few examples:
- API Gateways: API management tools collect all user requests and turn them into one. They become the entry point for every new request that the app executes. However, these secure only the APIs known for this tool, while many function outside such gateways.
- WAF: Many solutions in this category rely solely on traditional application security methods. In this category, signatures are used to look for known attack patterns, but signatures are ineffective since each API is different and has its own set of vulnerabilities. These proxy-based solutions lack the architecture required to comprehend API context and, as a result, are unable to understand unique logic or identify attackers targeting specific vulnerabilities.
API attacks happen to the best of us
Here are some examples of famous API attacks:
- USPS (2018): data on 60 million users exposed
The company’s information visibility API, mapped to their online website, supported unauthenticated requests for tracking data
- Facebook (2018): personal data of 87 million users harvested
The company’s developer Graph API supported queries on some members with no consent and rate limits.
- Venmo (2018 and 2019): details of 207 million and 7 million payment transactions scraped
The company’s developer API supported unauthenticated requests for transaction details download with ineffective rate limits over time.
- Equifax (2017): sensitive information about 148 million US citizens compromised
There were two critical HTTP-based communications during this cyber attack’s kill chain:
- Initial exploitation through a manipulated HTTP request
- Exfiltration with an accumulated high volume of HTTP response payloads
- Capital One (2019): sensitive information about 100 and 6 million US and Canadian citizens respectively was compromised
Two critical sets of AWS API calls created this breach:
- Forged requests (by SSRF) to a metadata endpoint to get temporary credentials
- A synchronize request to S3 storage to download all the data onto the local attacking machine
Even the most sophisticated companies can suffer from API vulnerabilities, resulting in millions of users’ data breaches. However, they could also have prevented this damage with a proper API security solution.
What You Can Do
With the massive and increasing use of APIs across the internet, it is no wonder that API security is becoming a significant concern for all organizations. Traditional tools are no longer adequate, and a specific solution for APIs is now mandatory for any organization.
WIB is a full-lifecycle API security platform that utilizes state-of-the-art proprietary AI and ML to analyze millions of requests in real-time, providing complete visibility, actionable insights, and comprehensive protection across the entire lifecycle from development to testing to production.