API Security: Ten Major API-Related Vulnerabilities and Ways to Address Them

APIs are a continually expanding attack surface that is often overlooked due to a lack of understanding. Here’s a look at the top API-related vulnerabilities and ways to address them.

November 3, 2021

Why API security deserves a closer look

APIs are used by businesses to link services and transmit data. However, APIs that are broken, exposed, or compromised can leak sensitive medical, financial, or personal data. This article describes the most common security vulnerabilities associated with APIs and how each of them can be remediated.

One of the critical building blocks of a subject’s (user or process) access to information resources is the Application Programming Interface, or API. Because of this, API vulnerabilities are a popular attack target. Developers must pay close attention to how they are created, and organizations must take appropriate steps to manage any associated risk.

How APIs Work

APIs act as messengers between an application and the resources it accesses, as shown in Figure 1. When an application needs to communicate with a cloud or on-premises service, it uses an API developed by the service or a common API shared by multiple services.


Figure 1: API

An application can use as many APIs as needed to communicate with all essential services. Further, services often use APIs to communicate with each other. These communication paths can be established between

    • On-premises applications and services
    • On-premises services
    • On-premises applications and cloud services
    • Cloud services

In addition to providing an easy-to-use interface for developers, APIs can also provide a layer of protection between communicating entities. In other words, the use of APIs prevents user applications and servers from directly accessing each other: an application only communicates with the API, and one or more API functions then communicate with the target resource. The flip side is that the API becomes the enforcement point; every check that used to live in the application (who the caller is, what they may see, how much they may ask for) must now be performed by the API itself.

Because APIs are the center of communication, including data passing, threat actors commonly look for vulnerabilities that compromise API operations.


API Vulnerabilities and Remediation

The OWASP API Security Top 10 (2019) describes the most common vulnerabilities exploited by threat actors. These vulnerabilities apply directly to API use and development. They also apply to the general configuration of systems. The following sections describe these vulnerabilities and how to manage them. They are based on the information provided in a Cloud Security Alliance article by Sekhar Chintaginjala and the OWASP knowledge base.

API 1:2019 Broken Object Level Authorization (BOLA)

Every API function should enforce explicit, server-side controls over which objects the caller may act on. Most endpoints take an object identifier (an order number, a user ID, a record key) in the path or body, and those identifiers are usually sequential or otherwise guessable. If the function only checks that the caller is logged in and then trusts the identifier as supplied, a threat actor can substitute another user's identifier and read or modify that user's data. The remediation is an authorization check on every request that compares the authenticated identity with the owner (or permitted readers) of the specific object, returning the same "not found" response for objects that do not exist and objects the caller may not see, so that identifiers cannot be enumerated. Object-level authorization should be enforced on every endpoint, with the most careful review reserved for services that handle highly classified or categorized data.

API 2:2019 Broken User Authentication

API access depends on correctly establishing the identity of the entity (user, process, or service) calling the associated application or service, and then authorizing what that identity may do. Broken authentication covers attacks against weak passwords, such as brute force attacks and credential stuffing, as well as weak handling of the API's own credentials: API keys and tokens sent over unencrypted channels, embedded in client code, or never expired or revoked. The best defense is multifactor authentication to protect user identities and the resources they access, combined with short-lived, revocable tokens for machine callers and throttling of failed authentication attempts.

API 3:2019 Excessive Data Exposure

API responses can expose more data than the client needs for the transaction. The usual cause is a handler that serializes an entire internal object, including fields such as password hashes, internal flags, or other users' details, and relies on the client application to hide what should not be shown; anyone who calls the API directly sees everything. Encrypting all API traffic with TLS is necessary, and REST and SOAP services should always be served over it, but TLS does not address this vulnerability: the over-exposed response is delivered intact to the authenticated caller. Managing this vulnerability means defining an explicit response schema for each endpoint and returning only the fields that schema allows. Further, developers must work with security to review the classification and categorization of the data each API will access. Access must then be managed based on the risk involved.

API 4:2019 Lack of Resources and Rate Limiting

Like any weakly configured or developed resource, API implementations are exposed to denial of service attacks. One way a threat actor overwhelms an API, while also attacking authentication, is a brute force attack against a login endpoint. Another approach is simply to send requests at a rate, or with payload sizes, that exhaust the resources available to handle them.

APIs need defined and enforced rate limits, applied per client and per endpoint, with login and other expensive operations limited more tightly than cheap reads. Further, payload sizes should be limited: the request body, the number of records a single call may return, and the nesting depth of documents the API will parse. Regardless of the steps taken to maintain correct API use, security teams need to monitor the resources requested and identify movement outside established baselines.
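The following is an added example, not code from the original article, showing the per-client, per-endpoint rate limiting and the payload size limit described above. It uses a token bucket (a burst capacity that refills at a sustained rate), so a login endpoint can be given a much tighter limit than a read endpoint. The endpoint names, the limits, and the 64 KiB body cap are assumptions chosen for the demonstration; the clock is injectable so the behaviour can be exercised without waiting.

```python
import time

# Assumed limits for this example; tune per endpoint in a real deployment.
MAX_BODY_BYTES = 64 * 1024   # reject bodies larger than 64 KiB before parsing them
LIMITS = {                   # endpoint -> (burst capacity, sustained requests per second)
    "GET /api/orders": (20, 5.0),
    "POST /api/login": (5, 0.2),   # 5 tries, then one every 5 s: slows brute force
}


class TokenBucketLimiter:
    """One token bucket per (client, endpoint). A request costs one token; tokens
    refill continuously up to the capacity. `clock` is injectable so the behaviour
    can be exercised offline without sleeping."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self._tokens = {}   # (client, endpoint) -> tokens remaining
        self._last = {}     # (client, endpoint) -> time of last refill

    def allow(self, client: str, endpoint: str) -> bool:
        capacity, rate = self.limits[endpoint]
        key = (client, endpoint)
        now = self.clock()
        tokens = self._tokens.get(key, float(capacity))
        elapsed = now - self._last.get(key, now)
        tokens = min(float(capacity), tokens + elapsed * rate)
        self._last[key] = now
        if tokens >= 1.0:
            self._tokens[key] = tokens - 1.0
            return True
        self._tokens[key] = tokens
        return False


def handle(limiter: TokenBucketLimiter, client: str, endpoint: str, body: bytes) -> int:
    """Cheap checks first: size before rate, and both before any parsing or database work.
    Returns the HTTP status the gateway or framework would send."""
    if endpoint not in limiter.limits:
        return 404
    if len(body) > MAX_BODY_BYTES:
        return 413   # Payload Too Large
    if not limiter.allow(client, endpoint):
        return 429   # Too Many Requests
    return 200


class ManualClock:
    """Clock stub for demonstration and tests: time only advances when told to."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = ManualClock()
    limiter = TokenBucketLimiter(clock=clock)
    # Six rapid login attempts from one address: the sixth is refused.
    print([handle(limiter, "203.0.113.5", "POST /api/login", b"{}") for _ in range(6)])
    clock.now += 5.0   # five seconds later one token has refilled
    print(handle(limiter, "203.0.113.5", "POST /api/login", b"{}"))
```

Checking the body size before the rate limit is deliberate: an oversized request should be refused without consuming a token or any parsing effort. In production the buckets would live in a shared store (the gateway or a cache) rather than in one process's memory, and the 429 response should carry a Retry-After header.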

API 5:2019 Broken Function Level Authorization

This is the second access control vulnerability in the Top 10. API use often fails to adequately separate administrative and general use of API functions, and threat actors know how to access the privileged functions.

The authorization level of an API function must be decided from the verified role of the entity calling it, never from anything the client supplies. This requires defining roles, assigning each function to the roles allowed to call it, and enforcing that mapping on the server for every request. Hiding an administrative function from the user interface, or relying on an unguessable path, is not enforcement; the function-level check must happen in the API itself, in addition to the object-level check described under API 1.
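The following is an added example, not code from the original article, covering both access control entries above: the object-level check from API 1 (does the caller own this order?) and the function-level check from API 5 (is the caller allowed to call this function at all?). The users, orders, roles, and the tiny `call` dispatcher are constructed for the demonstration; a real service would draw identity from its authentication layer and ownership from its database. Each vulnerable handler is shown beside its hardened form.

```python
from dataclasses import dataclass

# Constructed in-memory data for this example; a real service would use its
# identity provider and database here.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
# Orders keyed by sequential, guessable ids. "owner" is who created the order.
ORDERS = {
    1001: {"owner": "alice", "total": 42.50},
    1002: {"owner": "bob", "total": 99.00},
}


class Forbidden(Exception):
    """Caller is authenticated but not allowed to perform this action."""


class NotFound(Exception):
    """Object does not exist, or must look that way to this caller."""


@dataclass
class Request:
    user: str       # identity established by authentication, never read from the body
    order_id: int   # object identifier taken from the URL, fully attacker-controlled


def call(handler, req: Request):
    """Dispatch like a minimal framework would: map outcomes to HTTP status codes."""
    try:
        return 200, handler(req)
    except Forbidden as exc:
        return 403, {"error": str(exc)}
    except NotFound as exc:
        return 404, {"error": str(exc)}


# --- API1:2019 Broken Object Level Authorization ------------------------------

def get_order_vulnerable(req: Request) -> dict:
    """BOLA: checks that the caller is logged in, then trusts the id as given.
    Any authenticated user reads any order just by changing order_id."""
    if req.user not in USERS:
        raise Forbidden("login required")
    return ORDERS[req.order_id]


def get_order_hardened(req: Request) -> dict:
    """Compares the authenticated identity with the object's owner on every request."""
    if req.user not in USERS:
        raise Forbidden("login required")
    order = ORDERS.get(req.order_id)
    # Same 404 for "does not exist" and "not yours", so ids cannot be enumerated.
    if order is None or order["owner"] != req.user:
        raise NotFound("order not found")
    return order


# --- API5:2019 Broken Function Level Authorization ----------------------------

def require_role(role: str):
    """Decorator that enforces the caller's server-side role before the body runs."""
    def wrap(fn):
        def inner(req: Request):
            if USERS.get(req.user, {}).get("role") != role:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(req)
        inner.__name__ = fn.__name__
        return inner
    return wrap


def delete_order_vulnerable(req: Request) -> bool:
    """BFLA: an admin-only operation whose only 'protection' is that the
    user-facing UI never shows the button. Any logged-in user can call it."""
    if req.user not in USERS:
        raise Forbidden("login required")
    return ORDERS.pop(req.order_id, None) is not None


@require_role("admin")
def delete_order_hardened(req: Request) -> bool:
    """Only callers whose role, as recorded on the server, is admin reach this line."""
    return ORDERS.pop(req.order_id, None) is not None


if __name__ == "__main__":
    print(call(get_order_vulnerable, Request("bob", 1001)))   # bob reads alice's order
    print(call(get_order_hardened, Request("bob", 1001)))     # 404 from the fixed handler
    print(call(delete_order_hardened, Request("bob", 1002)))  # 403 from the fixed handler
```

Two details matter in practice. The hardened read returns 404 rather than 403 for another user's order, so an attacker walking ids learns nothing about which ids exist. And the role used by `require_role` is looked up from the server-side user store, not from a claim the client could have tampered with; when roles are carried in a signed token instead, the signature must be verified before the claim is trusted.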

API 6:2019 Mass Assignment

Mass assignment occurs when an API implementation binds client input directly to internal object properties, typically by handing a whole JSON body to a framework's object-update function without filtering it. Any property the object has, such as an administrator flag or an account balance, can then be set by a threat actor who simply adds that field to the request, even though the endpoint was only meant to update, say, an email address.

As with all input validation efforts, the expected input to each API function must be defined explicitly, and the implementation should copy only those allow-listed fields from the request, rejecting and logging anything unexpected rather than silently ignoring it. Further, monitoring should include behavior modeling to identify anomalous behavior.
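The following is an added example, not code from the original article, and it serves both API 6 above and API 3 (excessive data exposure) earlier: the two are mirror images, an allow-list on the way in and an allow-list on the way out. The user record, its placeholder secret fields, and the field lists are constructed for the demonstration. The vulnerable update merges the whole request body into the record; the hardened update copies only schema fields of the expected type. The vulnerable serializer dumps the whole record; the hardened one returns an explicit response schema.

```python
import json

# Constructed record as a persistence layer would return it (placeholder values).
USER_RECORD = {
    "id": 7,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$placeholder",
    "is_admin": False,
    "mfa_secret": "PLACEHOLDERSECRET",
}

# Two allow-lists are the whole defence: what a client may set, and what it may see.
WRITABLE_FIELDS = {"email": str}                  # field -> required JSON type
PUBLIC_FIELDS = ("id", "username", "email")


def unexpected_fields(body: str) -> list:
    """Names in the request that are not part of this endpoint's input schema."""
    return sorted(set(json.loads(body)) - set(WRITABLE_FIELDS))


def update_profile_vulnerable(record: dict, body: str) -> dict:
    """API6 Mass assignment: every JSON key lands on the record unchanged, so a
    body containing "is_admin": true promotes the caller."""
    updated = dict(record)
    updated.update(json.loads(body))
    return updated


def update_profile_hardened(record: dict, body: str) -> dict:
    """Copies only allow-listed fields of the right type. Unknown fields are
    rejected rather than silently dropped, so tampering shows up in logs."""
    data = json.loads(body)
    extra = unexpected_fields(body)
    if extra:
        raise ValueError(f"unexpected fields: {extra}")
    updated = dict(record)
    for name, typ in WRITABLE_FIELDS.items():
        if name in data:
            if not isinstance(data[name], typ):
                raise ValueError(f"{name} must be {typ.__name__}")
            updated[name] = data[name]
    return updated


def serialize_vulnerable(record: dict) -> str:
    """API3 Excessive data exposure: dumps the whole object and relies on the
    client UI to hide password_hash and mfa_secret."""
    return json.dumps(record)


def serialize_hardened(record: dict) -> str:
    """Explicit response schema: only the fields this endpoint is meant to return."""
    return json.dumps({name: record[name] for name in PUBLIC_FIELDS})


if __name__ == "__main__":
    tampered = '{"email": "a@evil.test", "is_admin": true}'
    print(update_profile_vulnerable(USER_RECORD, tampered)["is_admin"])   # True: promoted
    print(unexpected_fields(tampered))                                     # ['is_admin']
    print(serialize_hardened(USER_RECORD))                                 # no secrets
```

The same principle applies whatever the framework: the input schema and the output schema are declared per endpoint and enforced in code, not inferred from whatever fields the stored object happens to have.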

API 7:2019 Security Misconfiguration

API elements like transport protocols and application infrastructure require configurations that harden the attack surface. For example, failure to configure API use for proper authentication and authorization creates other vulnerabilities already described, including broken object- and function-level authorization and excessive data exposure. Verbose error messages and stack traces returned to callers, permissive cross-origin settings, and default credentials left on supporting infrastructure fall into the same category.

Other secure configuration considerations include

    • Timely patching of APIs and related systems
    • Explicit protection of all objects
    • Removal of unneeded features

Steps needed to ensure proper configuration include adding APIs in the existing vulnerability management procedures. Also, security teams must limit and log privileged access to systems. Finally, developers must define all expected behavior and outcomes and implement reasonable and appropriate programmatic responses. Monitoring must look for unexpected outcomes.


API 8:2019 Injection

API functions pass entity input to services like those that access SQL databases and execute operating system commands. If entity input is not validated against allowed content, threat actors can “inject” malicious strings that access data or system functionality.

As with many vulnerabilities, input validation against an allow-list is critical for preventing injection attacks, but validation alone is not sufficient. Data must also be kept separate from code at the point of use: parameterized queries for SQL, argument lists rather than shell command strings for operating system commands, and a strict allow-list for anything that cannot be parameterized, such as a column name used for sorting.
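The following is an added example, not code from the original article, showing the two injection cases named above: SQL and operating system commands. The in-memory SQLite table and its three rows are constructed for the demonstration. The vulnerable query is built by string formatting and collapses under a classic tautology; the hardened query is parameterized; the sort column, which cannot be parameterized, is checked against an allow-list; and the command example builds an argument list that would be passed to `subprocess.run` without a shell (the command is assembled but not executed here).

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    con.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                    [("alice", "user"), ("bob", "user"), ("carol", "admin")])
    return con


def find_user_vulnerable(con, username: str) -> list:
    """String-built SQL: a username of  ' OR '1'='1  turns the WHERE clause
    into a tautology and returns every row."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def find_user_hardened(con, username: str) -> list:
    """Parameterized query: the driver sends the value separately from the SQL
    text, so it can never be parsed as part of the statement."""
    return con.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users(con, sort_by: str) -> list:
    """Identifiers (column names) cannot be bound as parameters, so the only
    safe option is an allow-list. Reject anything else; do not try to 'clean' it."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"invalid sort column: {sort_by!r}")
    return con.execute(f"SELECT username FROM users ORDER BY {sort_by}").fetchall()


# Hostname shape check (assumption for this example): letters, digits, dots and
# hyphens only, no leading or trailing separator.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def build_ping_argv(host: str) -> list:
    """OS command injection defence: validate the host against an allow-list
    pattern and pass it as its own argv element. Execute with
    subprocess.run(argv) and never shell=True, so ';', '&&' or backticks in
    the input are just bytes in one argument, not shell syntax."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    con = make_db()
    payload = "' OR '1'='1"
    print(find_user_vulnerable(con, payload))   # all three rows leak
    print(find_user_hardened(con, payload))     # [] : no user has that literal name
    print(build_ping_argv("example.com"))
```

Note the division of labour: parameterization protects values, the allow-list protects identifiers, and the argument list protects the command line. Escaping or "sanitizing" input is not on that list, because it has to anticipate every parser quirk and fails the moment the data reaches a different sink than expected.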

API 9:2019 Improper Asset Management

Like with third-party development modules, the use of APIs must be controlled. Failure to vet, record, track, and manage API use prevents effective risk assessments; security cannot assess emerging vulnerabilities if analysts are unaware of what APIs are being used.

Asset management also includes retiring old API versions rather than leaving them running beside the current one, and keeping non-production endpoints (test, staging, debug) off production networks and away from production data; an unpatched version 1 endpoint is as much a part of the attack surface as the current version, and often a softer target. The level of protection depends on the classification and categorization of what the APIs access.

API 10:2019 Insufficient Logging and Monitoring

Each API call, and in particular each failed authentication, failed authorization, rate-limit rejection, and validation failure, should be logged with enough context (client address, authenticated identity, endpoint, object identifier, result) to reconstruct what happened, without writing secrets or tokens into the log. Monitoring API behavior then fits well into UEBA (user and entity behavior analytics) activities designed to look for anomalous user, process, device, and network behavior. Organizations can never assume that the configurations and controls in place are working as expected. Threat actors are capable of finding ways around our safeguards, especially when zero-day vulnerabilities emerge.
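The following is an added example, not code from the original article, of detection logic run over API access logs. The log lines, their format (timestamp, client address, authenticated user, method, path, status), and the addresses and users in them are constructed for the demonstration. The detector looks for the footprint of object-identifier enumeration, the way a broken object-level authorization flaw (API 1) is typically hunted for: one client collecting 403/404 responses for many distinct object ids in a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway access-log lines (not real traffic):
# timestamp client authenticated-user method path status
SAMPLE_LOG = """\
2021-11-03T10:00:01Z 203.0.113.5 bob GET /api/orders/1002 200
2021-11-03T10:00:02Z 203.0.113.5 bob GET /api/orders/1001 404
2021-11-03T10:00:02Z 203.0.113.5 bob GET /api/orders/1003 404
2021-11-03T10:00:03Z 203.0.113.5 bob GET /api/orders/1004 404
2021-11-03T10:00:03Z 203.0.113.5 bob GET /api/orders/1005 404
2021-11-03T10:00:04Z 203.0.113.5 bob GET /api/orders/1006 404
2021-11-03T10:00:05Z 203.0.113.5 bob GET /api/orders/1007 404
2021-11-03T10:00:09Z 198.51.100.7 alice GET /api/orders/1001 200
2021-11-03T10:00:10Z 198.51.100.7 alice GET /api/orders/9999 404
2021-11-03T10:02:00Z 198.51.100.9 - POST /api/admin/users 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)
OBJECT_ID_RE = re.compile(r"/(\d+)(?=/|$)")   # numeric object ids in a path


def parse(log: str):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        event["status"] = int(event["status"])
        yield event


def detect_enumeration(log: str, window: timedelta = timedelta(seconds=60),
                       threshold: int = 5) -> list:
    """Flag (client, user) pairs that receive 403/404 for at least `threshold`
    distinct object ids inside `window`: the footprint of someone walking
    sequential ids looking for objects they do not own."""
    misses = defaultdict(list)   # (client, user) -> [(timestamp, object id)]
    for event in parse(log):
        if event["status"] in (403, 404):
            for oid in OBJECT_ID_RE.findall(event["path"]):
                misses[(event["client"], event["user"])].append((event["ts"], oid))
    alerts = []
    for (client, user), hits in misses.items():
        hits.sort()
        # Slide a window from each miss; alert once per pair and move on.
        for i, (start, _) in enumerate(hits):
            ids = {oid for ts, oid in hits[i:] if ts - start <= window}
            if len(ids) >= threshold:
                alerts.append((client, user, len(ids)))
                break
    return alerts


if __name__ == "__main__":
    for client, user, count in detect_enumeration(SAMPLE_LOG):
        print(f"ALERT possible id enumeration: client={client} user={user} distinct_ids={count}")
```

The rule only works because the hardened handlers answer 404 for both missing and foreign objects and because the log records the authenticated user alongside the client address; a single 404 is noise, a burst of them across consecutive ids from one identity is signal. The threshold and window are starting points to be tuned against a baseline of normal traffic.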

Final thoughts

APIs are powerful development tools. However, they are always an element of a system's attack surface. The safeguards described above are needed, and overall control of API operation is best managed with an API gateway, through which all API transactions pass a single point for authentication, rate limiting, schema validation, logging, and transport security. A gateway does not, however, know which user owns which object or which role a function requires; object-level and function-level authorization still have to be enforced inside the service behind it.

If organizations do not have robust API management procedures, they likely have significant gaps in their information resource attack surfaces.


Tom Olzak

Cybersecurity Researcher, Author & Educator

Independent security researcher and an IT professional since 1983, with experience in programming, network engineering, and security. I have an MBA as well as CISSP certification. I am also an online instructor for the University of Phoenix. I've held positions as an IS director, director of infrastructure engineering, director of information security, and programming manager at a variety of manufacturing, healthcare, and distribution companies. Before joining the private sector, I served 10 years in the United States Army Military Police with four years as a military police investigator. I've written four books, Just Enough Security, Microsoft Virtualization, Enterprise Security: A Practitioner's Guide, and Incident Management and Response Guide. I am also the author of various papers and articles on security management.