If you googled ‘What is an API’, you might have come across something like – “Application Programming Interface (API) acts as an intermediatory in between two software applications or hardware to communicate with each other.”
Well, to make it clearer for everyone, let’s try with a much more simplified definition through a story.
“Consider having a magic lamp (that exact one from Aladdin’s fairy tale). You will be asking the genie 🧞 a wish (which abides his golden rules); he will just go swish into the air (how can it be without those sparkles ✨) and bring you the wish you asked for from some magic land.”
Back to reality, consider yourself in the story as a client-application (the one which you use). And the genie is the API here which brings you what you requested (and only whatever the rules allow him to). And the magic land is the end-server or database or the hardware or whatsoever where the data is stored.
The whole purpose of an API is to make it easier for the developers to build an application in a short span of time.
Also, API provides a layer of abstraction (the ability to use without knowing the entire functionality) and hence we are not required to explain or know what is happening in the server or database.
“No good (API) can survive for too long without security”
Due to its greater functionality, API gained wide acceptance and usage over the years. But with its simplified usage, the cyber risks associated with it have also risen tremendously.
To make it much more clear with an example, WordPress has been a revolutionary open-source CMS (content management system) technology that made hosting a website much more simplified. And according to the latest reports from Built With, over 34,896,670+ websites are made with WordPress, which makes one-third of the entire websites present all over the world wide web.
Also, with these analytics, there is also another astonishing fact that one-out-of-six websites made from WordPress are susceptible to severe vulnerabilities, as of 2021.
And with the emergence of critical vulnerabilities such as Log4j, cyber-attacks are only going to rise which makes WordPress security plugins an inevitable integration to be implemented in every WordPress website.
Top vulnerabilities affecting APIs
Let us have a look into the top 10 security vulnerabilities which affect API according to OWASP.
API1:2019 Broken Object Level Authorization (BOLA)
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be considered in every function that accesses a data source using an input from the user.
API2:2019 Broken User Authentication
Attackers often compromise authentication tokens or implementation flaws to assume other user’s identities temporarily or permanently due to incorrect implementation of authentication mechanisms. Compromising a system’s ability to identify the client/user compromises API security overall.
API3:2019 Excessive Data Exposure
Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user.
API4:2019 Lack of Resources & Rate Limiting
In most cases, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. This can impact the API server performance, leading to Denial of Service (DoS), and leave the door open to authentication flaws such as brute force.
API5:2019 Broken Function Level Authorization
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. Attackers can gain access to other users’ resources and/or administrative functions by exploiting these issues.
API6:2019 Mass Assignment
Binding client provided data (e.g., JSON) to data models, without proper filtering of properties based on an allow list, usually leads to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to.
API7:2019 Security Misconfiguration
Security misconfiguration is commonly a result of unsecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.
API8:2019 Injection
Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
API9:2019 Improper Assets Management
APIs tend to expose more endpoints than traditional web applications. This makes proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role in mitigating issues such as deprecated API versions and exposed debug endpoints.
API10:2019 Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data.
How to ensure API Security ?
Implementing API gateways is very helpful in tracking all the API calls and monitoring how the API is utilized.
The simpler the security you implement in the API, the easier it is for a hacker to gain access to it. Hence always implement a proper access control which defines who can access the resources through the API.
Even if you did proper security measures, still there will be unseen vulnerabilities due to common mistakes, outdated assets or due to negligence. And the most effective way to mitigate this is by conducting frequent vulnerability assessment and penetration testing on the APIs with an API security testing tool.
About the Creator
The Rise of Tre Jones: A Basketball Phenom Making His Mark
*San Antonio Spurs Point Guard Putting Up Strong Numbers** Tre Jones, the starting point guard for the San Antonio Spurs, has been on a tear lately. Currently averaging **10.0 points, 3.7 rebounds, and a stellar 6.2 assists per game**, Jones has been a bright spot for a young Spurs team. **Recent Highlights:** * **Triple-Double:** Jones recorded his first career triple-double on April 2nd against the Denver Nuggets, chipping in 10 points, 12 rebounds, and 11 assists. * **Scoring Surge:** Jones has averaged 11.8 points, 6.7 assists, and 4.8 rebounds over the last 11 games, shooting over 50% from the field. * **Playmaking Prowess:** Jones has dished out at least 10 assists in seven games this season, showcasing his ability to create scoring opportunities for his teammates.
By Yunus Bashit4 days ago in Journal
Midnight
60 seconds… 59 seconds… Time was slipping through his fingers, though he clawed at the falling grains of sand, he could not stop the hourglass from flowing. Around him, the silence was deafening. He had taken over every screen in the command centre, putting the terrible seconds before the terrified eyes of his friends and comrades.
By Alexander McEvoy3 days ago in Fiction
Comments
There are no comments for this story
Be the first to respond and start the conversation.