Block API attacks
As a result of the increasing proliferation of mobile devices, IoT networks and cloud systems, application architectures and their application programming interfaces (APIs) have also changed. Poorly protected APIs, and the personal data behind them, are now exposed to a variety of automated attacks.
Because application programming interfaces (APIs) make it very easy to communicate between individual architectures, their use has exploded in recent times. API communication, for example, now accounts for more than 80 percent of all Internet traffic. At the same time, they can also be the cause of a wide range of security problems.
Most attacks are essentially due to authentication problems, bots, security vulnerabilities or Denial of Service (DoS). Around a quarter of enterprises still run critical API-based applications without any security strategy that could effectively prevent hacker attacks.
It is no wonder that attacks at the API level are becoming increasingly popular, not least because they are more anonymous and APIs are usually not as well protected as websites or mobile apps. In the worst case, not only the data is at risk but the entire infrastructure: by exploiting a vulnerable API, hackers can gain access to an entire network with a single attack.
Then, if privilege escalation is successful, more types of attacks can occur and malware can spread throughout the network. Certain attacks, often multi-pronged attacks, can potentially lead to an organization's most sensitive data being compromised, be it personally identifiable information (PII) or intellectual property (IP).
Typical hacker attacks on web APIs: APIs are vulnerable to the following types of attacks in particular. None of them are new. Unfortunately, due to a lack of countermeasures, they are often very effective.
Injection attacks: An injection attack occurs when a hacker manages to insert malicious code or commands into a program, usually where ordinary user input (such as a username or password) is expected. Mitigate damage by validating and sanitizing all data in API requests and by limiting response data to avoid inadvertent leakage of sensitive data.
Cross-Site Scripting (XSS): This is a type of injection attack that occurs when a vulnerability allows a hacker to insert a malicious script (often JavaScript) into the code of a web app or website. Mitigate damage by validating input and by escaping or filtering special characters.
Distributed Denial of Service (DDoS) attacks: Attacks of this type cause a network, system or website to become unavailable to users. This happens, for example, when a website is flooded with more traffic than it can handle. API endpoints in particular are extremely attractive DDoS targets for hackers. Mitigate damage with rate limits and payload size limits.
Man-in-the-Middle (MitM) attacks: These attacks occur when an attacker intercepts traffic between two communicating systems. For APIs, MitM attacks can occur between the client (app) and the API or between the API and the endpoint. Mitigate damage by encrypting traffic in transit.
Credential Stuffing: Hackers use stolen credentials at API authentication endpoints to gain unauthorized access. Mitigate damage by using intelligence feeds to identify credential stuffing, implementing rate limits and controlling brute-force attempts.
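As an added example (not from the article), the following Python script applies the two controls named above for credential stuffing, a per-IP rate limit and a detection rule for many distinct usernames failing from one source, to a constructed set of authentication log lines; the window and threshold values are assumed policy settings.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of API authentication log lines (not from the article):
# "<ISO time> <client ip> <username> <result>"
SAMPLE_LOG = """\
2022-03-01T10:00:01 203.0.113.7 alice FAIL
2022-03-01T10:00:02 203.0.113.7 bob FAIL
2022-03-01T10:00:03 203.0.113.7 carol FAIL
2022-03-01T10:00:04 203.0.113.7 dave FAIL
2022-03-01T10:00:05 203.0.113.7 erin FAIL
2022-03-01T10:00:06 203.0.113.7 frank OK
2022-03-01T10:00:10 198.51.100.4 alice FAIL
2022-03-01T10:00:40 198.51.100.4 alice OK
"""

WINDOW_SECONDS = 60   # sliding window for both checks (assumed policy value)
RATE_LIMIT = 5        # max auth attempts per client IP per window (assumed)
STUFFING_USERS = 4    # distinct failed usernames per IP per window (assumed)

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def analyse(log_text):
    """Return (rate_limited_ips, stuffing_ips) from auth log lines.

    Rate limit: more than RATE_LIMIT attempts from one IP in WINDOW_SECONDS.
    Stuffing:   failed logins against >= STUFFING_USERS distinct usernames
                from one IP within WINDOW_SECONDS (many accounts, one source).
    """
    attempts = defaultdict(deque)   # ip -> deque of (time, user, result)
    rate_limited, stuffing = set(), set()
    for line in log_text.splitlines():
        t, ip, user, result = parse_line(line)
        q = attempts[ip]
        # drop events that have fallen outside the sliding window
        while q and (t - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        q.append((t, user, result))
        if len(q) > RATE_LIMIT:
            rate_limited.add(ip)
        failed_users = {u for _, u, r in q if r == "FAIL"}
        if len(failed_users) >= STUFFING_USERS:
            stuffing.add(ip)
    return rate_limited, stuffing

if __name__ == "__main__":
    limited, stuffed = analyse(SAMPLE_LOG)
    print("rate-limited:", sorted(limited))          # ['203.0.113.7']
    print("credential stuffing:", sorted(stuffed))   # ['203.0.113.7']
```

In production the same rules would run on a streaming log source or inside the API gateway, and the flagged IPs would feed the rate limiter rather than only a report.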
Compliance with security practices: In addition to these risk mitigation activities, it is important that companies take some other basic measures and apply proven security controls if they intend to expose their APIs publicly. To do this, companies must give IT security a higher priority. After all, companies have a lot to lose with unsecured APIs.
To that end, APIs should be inventoried and managed. Whether an organization has a dozen or hundreds of publicly available APIs, it must first know them in order to secure and manage them. Perimeter scans should be performed to do this. Management could then be done jointly with DevOps teams.
Strong authentication and authorization solutions should always be used. Broken authentication occurs when APIs do not enforce authentication properly. Because APIs open an entry point into an organization's databases, it is especially important that the organization strictly controls access to them.
Risk Reduction Activities: Companies should always be guided by the principle of least privilege. This fundamental security principle states that subjects (users, processes, programs, systems, devices) are only granted the minimum necessary access to perform a specific function. This should apply equally to APIs.
Another issue is encrypting traffic with TLS. Some companies choose not to encrypt API payload data that is considered non-sensitive (for example, weather service data). But if APIs routinely exchange sensitive data, TLS encryption must be considered.
Data that should not be shared must be removed. Since APIs are essentially a developer tool, they often contain keys, passwords and other information that must not be made available to a public audience. Sometimes this step is carelessly overlooked. Scanning tools should therefore be integrated into DevSecOps processes to prevent accidental disclosure of secret information.
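An added example, not from the article, of the kind of secret scan that belongs in a DevSecOps pipeline: it flags assignments to sensitive-looking names and random-looking (high-entropy) string literals in a constructed source snippet; the name list, entropy threshold and minimum length are assumptions.

```python
import math
import re

# Constructed sample source file (not from the article) that a pre-commit or
# CI scan would inspect before code or docs are published alongside an API.
SAMPLE_SOURCE = """\
API_BASE = "https://api.example.test/v1"
DEBUG = True
api_key = "AKxq9TfW2bZ7LmQp4RsV8nHd3Jk6Yc1E"
password = "changeme"
comment = "this string is long but plain english text and low entropy"
backup = "9fA2kLz0QpX7mC3vB8nR5tY1wE6uH4jD"
label = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""

# Assumed list of variable names that usually carry credentials.
ASSIGN_RE = re.compile(
    r'(?i)\b(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*["\']([^"\']+)["\']'
)
MIN_LENGTH = 20           # assumed: shorter literals are rarely keys
ENTROPY_THRESHOLD = 4.0   # assumed: bits/char above which a literal looks random
LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/=_-]{%d,})["\']' % MIN_LENGTH)

def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a repeated single character)."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(text):
    """Return a list of (line_no, reason) findings for probable secrets."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.search(line)
        if m:
            findings.append((no, f"sensitive assignment to {m.group(1)}"))
            continue
        # also catch keys pasted into fields with innocent names
        for lit in LITERAL_RE.findall(line):
            if shannon_entropy(lit) >= ENTROPY_THRESHOLD:
                findings.append((no, "high-entropy string literal"))
    return findings

if __name__ == "__main__":
    for line_no, reason in scan(SAMPLE_SOURCE):
        print(f"line {line_no}: {reason}")
```

A CI job would run the scan over the changed files and fail the build on any finding, so the secret is rotated before it ever reaches a public repository or API documentation.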
Some APIs reveal far too much information, for example an excess of extraneous data returned through the API, or details that say too much about the API endpoint itself. APIs should therefore return only as much information as is needed to perform their function.
This technical article appeared in the printed edition SicherheitsForum 3-2022.