If you googled ‘What is an API’, you might have come across something like: “An Application Programming Interface (API) acts as an intermediary that lets two software applications, or software and hardware, communicate with each other.”
To make it clearer for everyone, let’s start with a much simpler definition, told as a story.
“Consider having a magic lamp (that exact one from Aladdin’s fairy tale). You ask the genie 🧞 for a wish (one that abides by his golden rules); he goes swish into the air (how could it be without those sparkles ✨) and brings you what you asked for from some magic land.”
Back in reality, you in the story are the client application (the one you use). The genie is the API, which brings you what you requested (and only what the rules allow him to). The magic land is the back-end server, database, hardware, or whatever else holds the data.
The whole purpose of an API is to let developers build on functionality that already exists instead of reimplementing it, so an application can be built in a much shorter time.
An API also provides a layer of abstraction (the ability to use a capability without knowing how it is implemented), so the caller is not required to know, or explain, what is happening inside the server or database.
“No good (API) can survive for too long without security”
Because of this functionality, APIs have gained wide acceptance and usage over the years. But as their use has spread, the cyber risk associated with them has risen just as steeply: every exposed endpoint is an entry point an attacker can probe.
To make this clearer with an example: WordPress is a revolutionary open-source CMS (content management system) that made hosting a website far simpler. According to the latest reports from BuiltWith, over 34,896,670 websites are built with WordPress, which is about one-third of all websites on the world wide web.
The same analytics carry another, more sobering figure: as of 2021, one out of six websites built on WordPress is susceptible to severe vulnerabilities.
And with critical vulnerabilities such as Log4Shell (CVE-2021-44228 in Log4j) showing how fast a flaw in a widely used component gets exploited at scale, cyber-attacks are only going to rise. (Log4j is a Java library and does not affect WordPress core, which is written in PHP; the lesson is about the speed and scale of exploitation, which applies to any widely deployed platform.) That makes a WordPress security plugin, kept up to date, a necessary integration for every WordPress website.
Top vulnerabilities affecting APIs
Let us have a look at the top 10 security vulnerabilities affecting APIs according to the OWASP API Security Top 10 (2019 edition).
API1:2019 Broken Object Level Authorization (BOLA)
APIs tend to expose endpoints that handle object identifiers (for example /invoices/{id}), creating a wide attack surface for object-level access control flaws: an attacker who is authenticated as one user simply substitutes another user’s identifier. Object-level authorization checks should be performed in every function that accesses a data source using an identifier supplied by the user.
API2:2019 Broken User Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or exploit implementation flaws (unverified token signatures, missing expiry, brute-forceable credentials) to assume other users’ identities, temporarily or permanently. Once a system cannot reliably identify the client or user, every other control in the API is undermined.
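The difference between a token the server merely decodes and one it actually verifies, as an added example that is not code from the original article. It uses only the Python standard library; the key value, the token layout (base64url payload, dot, HMAC-SHA256 tag) and the claim names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server-side key (an assumption for this example); load it from a
# secret store in a real deployment and never hard-code it.
SECRET_KEY = b"example-only-key-do-not-use-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Return '<payload>.<tag>' where the payload carries the subject and an expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": int(now) + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token_broken(token: str) -> Optional[str]:
    """BROKEN (API2): decodes the claims but never checks the tag or the expiry,
    so anyone can mint a token for any user."""
    try:
        return json.loads(_unb64(token.split(".")[0]))["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened: constant-time tag check first, then expiry, then subject."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)  # safe: the payload is exactly what we signed
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def forge_token(user_id: str) -> str:
    """What an attacker sends: a self-made payload with a garbage tag."""
    payload = json.dumps({"sub": user_id, "exp": 2 ** 31}).encode()
    return f"{_b64(payload)}.{_b64(b'A' * 32)}"
```

Note that the verifier checks the tag before it parses the JSON, so malformed payloads never reach the parser, and that `hmac.compare_digest` is used instead of `==` so the comparison does not leak how many bytes of the tag matched.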
API3:2019 Excessive Data Exposure
In generic implementations, developers tend to return every property of an object without considering the sensitivity of each one, relying on the client to filter the data before displaying it to the user. Whatever the client hides, an attacker reading the raw response still sees.
API4:2019 Lack of Resources & Rate Limiting
In many cases, APIs impose no restrictions on the size or number of resources a client or user can request (payload size, page size, number of records, request rate). This can degrade API server performance, leading to Denial of Service (DoS), and leaves the door open to authentication attacks such as credential brute forcing.
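A per-client token bucket in front of a login endpoint, plus a cap on page size, as an added example (not code from the original article). The bucket sizes, the page-size limit, the constructed user table and the per-(IP, username) key are assumptions for the example; a real deployment would also use a per-user salt and store the limiter state somewhere shared by all API instances.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

MAX_PAGE_SIZE = 100        # assumed cap on records returned per call
DEFAULT_PAGE_SIZE = 20


class TokenBucket:
    """Per-key token bucket: up to `capacity` requests in a burst, then `rate` per second."""

    def __init__(self, capacity: int, rate: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self._state: Dict[str, Tuple[float, float]] = {}  # key -> (tokens, last_seen)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        tokens, last = self._state.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[key] = (tokens - 1.0, now)
            return True
        self._state[key] = (tokens, now)
        return False


def clamp_page_size(requested) -> int:
    """Never let the client choose an unbounded result size."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return DEFAULT_PAGE_SIZE
    return max(1, min(n, MAX_PAGE_SIZE))


# Constructed credential store: one user, PBKDF2 with a fixed salt (example only;
# production code uses a per-user salt and a tuned iteration count).
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 10_000)}


def _password_ok(username: str, password: str) -> bool:
    stored = _USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)
    return stored is not None and hmac.compare_digest(stored, candidate)


# Five attempts per (IP, username), then one per minute: enough for a typo, useless
# for a dictionary attack.
LOGIN_LIMITER = TokenBucket(capacity=5, rate=1 / 60)


def handle_login(ip: str, username: str, password: str, now: Optional[float] = None) -> dict:
    """Simplified POST /login: the rate-limit check runs before the password check."""
    if not LOGIN_LIMITER.allow(f"{ip}|{username}", now):
        return {"status": 429, "body": {"error": "too many attempts"}}
    if not _password_ok(username, password):
        return {"status": 401, "body": {"error": "invalid credentials"}}
    return {"status": 200, "body": {"message": "ok"}}
```

Keying the bucket on IP plus username stops one source hammering one account; password spraying (one guess against many accounts) needs an additional bucket keyed on the IP alone, which the same class provides.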
API5:2019 Broken Function Level Authorization
Complex access control policies with different hierarchies, groups and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. Attackers exploit these issues to reach other users’ resources and/or administrative functions, often by simply calling an administrative endpoint (a different HTTP method, or an /admin/ path) with a regular user’s credentials.
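One example serving both API1 (object-level) and API5 (function-level) above, added here and not taken from the original article: a broken and a hardened read of an invoice, and a broken and a hardened refund. The invoice table, the two-role model ("user"/"admin") and the decision to answer foreign objects with the same error as missing ones are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed sample data: two customers' invoices.
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "amount": 120.0, "refunded": False},
    1002: {"owner": "bob", "amount": 80.0, "refunded": False},
}


@dataclass(frozen=True)
class Caller:
    """The authenticated principal, as established by the authentication layer."""
    user_id: str
    role: str  # "user" or "admin" (assumed role model)


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_invoice_broken(caller: Caller, invoice_id: int) -> dict:
    """API1 (BOLA): the caller is authenticated, but the object's owner is never
    compared with the caller, so bob can read GET /invoices/1001."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice(caller: Caller, invoice_id: int) -> dict:
    """Object-level check: the row must belong to the caller (admins may read all).
    Missing and foreign objects raise the same error so ids cannot be enumerated."""
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv["owner"] != caller.user_id and caller.role != "admin"):
        raise NotFound(invoice_id)
    return inv


def refund_invoice_broken(caller: Caller, invoice_id: int) -> dict:
    """API5 (BFLA): an administrative function that only checks that *someone* is
    logged in, so any regular user can POST /invoices/1002/refund."""
    inv = get_invoice_broken(caller, invoice_id)
    inv["refunded"] = True
    return inv


def refund_invoice(caller: Caller, invoice_id: int) -> dict:
    """Function-level check first (may this role refund at all?), then the
    object-level check through get_invoice."""
    if caller.role != "admin":
        raise Forbidden("refund requires the admin role")
    inv = get_invoice(caller, invoice_id)
    inv["refunded"] = True
    return inv


def raises(exc_type, fn, *args) -> bool:
    """Small helper so callers can check denied access without try/except noise."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False
```

The two checks are deliberately separate: the function-level check is a property of the endpoint and belongs in one place (a decorator or gateway policy), while the object-level check depends on the data and has to sit next to the query that loads it.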
API6:2019 Mass Assignment
Binding client-provided data (e.g., JSON) directly to data models, without filtering properties against an allow list, usually leads to Mass Assignment. By guessing object properties, exploring other API endpoints, reading the documentation, or adding extra properties to a request payload, attackers can modify object properties (such as a role or an is_admin flag) they are not supposed to.
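An example serving both API3 (what goes out) and API6 (what comes in), added here and not from the original article: serialisation and update paths for a user record, each shown without and with an explicit allow list. The record layout, the field lists and the PATCH handler are assumptions for the example.

```python
from typing import Dict

# Constructed sample record, as stored in the database.
STORED_USER: Dict[str, object] = {
    "id": 42,
    "name": "Alice",
    "email": "alice@example.com",
    "password_hash": "$2b$12$constructed-hash-value",
    "is_admin": False,
    "credit_balance": 1500,
}

PUBLIC_FIELDS = ("id", "name")                              # what any caller may see
OWNER_FIELDS = ("id", "name", "email", "credit_balance")    # what the owner may see
WRITABLE_FIELDS = ("name", "email")                         # what the owner may change


def to_json_broken(record: dict) -> dict:
    """API3: dumps every column and trusts the client to hide the sensitive ones."""
    return dict(record)


def to_json(record: dict, is_owner: bool) -> dict:
    """Serialise through an allow list chosen by the caller's relationship to the object."""
    fields = OWNER_FIELDS if is_owner else PUBLIC_FIELDS
    return {k: record[k] for k in fields}


def update_profile_broken(record: dict, payload: dict) -> dict:
    """API6: binds the whole JSON body onto the model, so {"is_admin": true} sticks."""
    updated = dict(record)
    updated.update(payload)
    return updated


def update_profile(record: dict, payload: dict) -> dict:
    """Copy only allow-listed keys; unknown keys are rejected, not silently applied."""
    unknown = sorted(set(payload) - set(WRITABLE_FIELDS))
    if unknown:
        raise ValueError(f"unexpected fields: {unknown}")
    updated = dict(record)
    for key in WRITABLE_FIELDS:
        if key in payload:
            updated[key] = payload[key]
    return updated


def handle_patch(record: dict, payload: dict, is_owner: bool) -> dict:
    """PATCH /users/{id}: 403 for non-owners, 400 on unknown fields, owner view on success."""
    if not is_owner:
        return {"status": 403, "body": {"error": "forbidden"}}
    try:
        updated = update_profile(record, payload)
    except ValueError as exc:
        return {"status": 400, "body": {"error": str(exc)}}
    return {"status": 200, "body": to_json(updated, is_owner=True)}
```

Rejecting unknown fields with a 400 rather than dropping them quietly is a deliberate choice: it surfaces probing attempts in the logs and stops a client from believing a write succeeded when it did not.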
API7:2019 Security Misconfiguration
Security misconfiguration is commonly the result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages containing sensitive information.
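Two of the misconfigurations listed above, each shown as the weak setting beside the corrected one, as an added example that is not code from the original article: an Origin-reflecting CORS policy versus an allow list, and a verbose error body versus a generic one with a correlation id. The origin allow list and the in-memory server log are assumptions for the example.

```python
import traceback
import uuid
from typing import Dict, List, Optional

# Hypothetical first-party front-end origins (an assumption for this example).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

SERVER_LOG: List[Dict[str, str]] = []  # stands in for the real logging backend


def cors_headers_broken(origin: Optional[str]) -> Dict[str, str]:
    """Reflects whatever Origin arrives and allows credentials: any site a victim
    visits can call the API with the victim's cookies and read the response."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Only allow-listed origins get CORS headers; everyone else gets none, so the
    browser refuses to expose the response. Vary: Origin stops a cache from serving
    one origin's headers to another."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def _format_trace(exc: Exception) -> str:
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def error_response_broken(exc: Exception) -> Dict[str, object]:
    """Verbose errors leak stack traces, file paths and sometimes query text."""
    return {"status": 500, "body": {"error": str(exc), "trace": _format_trace(exc)}}


def error_response(exc: Exception) -> Dict[str, object]:
    """Generic message plus a correlation id for the client; the detail goes to the
    server-side log, where an operator can look it up by that id."""
    correlation_id = str(uuid.uuid4())
    SERVER_LOG.append({"id": correlation_id, "error": repr(exc), "trace": _format_trace(exc)})
    return {"status": 500, "body": {"error": "internal error", "id": correlation_id}}
```

A quick check for the CORS flaw from the outside is to send a request with a made-up `Origin` header and see whether it is reflected back together with `Access-Control-Allow-Credentials: true`.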
API8:2019 Injection
Injection flaws, such as SQL, NoSQL and Command Injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
API9:2019 Improper Assets Management
APIs tend to expose more endpoints than traditional web applications, which makes proper and up-to-date documentation highly important. An inventory of hosts and deployed API versions also plays an important role in mitigating issues such as deprecated API versions and debug endpoints that are still reachable in production.
API10:2019 Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Without request-level logs that record who called which endpoint with what result, the probing that precedes a breach (failed logins, identifier enumeration, calls to undocumented paths) goes unnoticed.
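Two detections run over a constructed JSON-lines access log, as an added example that is not code from the original article: a burst of failed logins from one IP, and one user requesting many invoice ids that are not theirs (the probing that precedes a BOLA exploit). The log format, the thresholds and the sample traffic are all constructed for the example.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed JSON-lines access log (not real traffic). One IP fails login five
# times; one authenticated user requests five invoice ids that are not theirs.
SAMPLE_LOG = """
{"ts":"2021-12-12T10:00:01Z","ip":"203.0.113.7","user":null,"method":"POST","path":"/api/login","status":401}
{"ts":"2021-12-12T10:00:02Z","ip":"203.0.113.7","user":null,"method":"POST","path":"/api/login","status":401}
{"ts":"2021-12-12T10:00:03Z","ip":"203.0.113.7","user":null,"method":"POST","path":"/api/login","status":401}
{"ts":"2021-12-12T10:00:04Z","ip":"203.0.113.7","user":null,"method":"POST","path":"/api/login","status":401}
{"ts":"2021-12-12T10:00:05Z","ip":"203.0.113.7","user":null,"method":"POST","path":"/api/login","status":401}
{"ts":"2021-12-12T10:00:06Z","ip":"198.51.100.2","user":null,"method":"POST","path":"/api/login","status":401}
{"ts":"2021-12-12T10:00:09Z","ip":"198.51.100.2","user":"alice","method":"POST","path":"/api/login","status":200}
{"ts":"2021-12-12T10:00:10Z","ip":"198.51.100.2","user":"alice","method":"GET","path":"/api/invoices/1001","status":200}
{"ts":"2021-12-12T10:01:00Z","ip":"192.0.2.9","user":"bob","method":"GET","path":"/api/invoices/1002","status":200}
{"ts":"2021-12-12T10:01:01Z","ip":"192.0.2.9","user":"bob","method":"GET","path":"/api/invoices/1003","status":404}
{"ts":"2021-12-12T10:01:02Z","ip":"192.0.2.9","user":"bob","method":"GET","path":"/api/invoices/1004","status":404}
{"ts":"2021-12-12T10:01:03Z","ip":"192.0.2.9","user":"bob","method":"GET","path":"/api/invoices/1005","status":404}
{"ts":"2021-12-12T10:01:04Z","ip":"192.0.2.9","user":"bob","method":"GET","path":"/api/invoices/1006","status":404}
{"ts":"2021-12-12T10:01:05Z","ip":"192.0.2.9","user":"bob","method":"GET","path":"/api/invoices/1007","status":404}
"""

OBJECT_PATH = re.compile(r"^/api/invoices/(\d+)$")


def detect(log_text: str, fail_threshold: int = 5, enum_threshold: int = 5) -> List[dict]:
    """Return one alert per source that crosses a threshold; order is deterministic."""
    failed_logins: Dict[str, int] = defaultdict(int)
    denied_ids: Dict[str, Set[str]] = defaultdict(set)
    for raw in log_text.strip().splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev["path"] == "/api/login" and ev["status"] == 401:
            failed_logins[ev["ip"]] += 1
        m = OBJECT_PATH.match(ev["path"])
        # 403/404 on an object path by an authenticated user: a foreign or missing id.
        if m and ev["status"] in (403, 404) and ev["user"]:
            denied_ids[ev["user"]].add(m.group(1))
    alerts: List[dict] = []
    for ip, n in sorted(failed_logins.items()):
        if n >= fail_threshold:
            alerts.append({"rule": "login-bruteforce", "ip": ip, "count": n})
    for user, ids in sorted(denied_ids.items()):
        if len(ids) >= enum_threshold:
            alerts.append({"rule": "object-id-enumeration", "user": user, "count": len(ids)})
    return alerts
```

Both rules depend on the log carrying the authenticated user and the status code; an access log with only IP and path cannot tell enumeration from a broken link. The thresholds are illustrative and would be tuned per window in a real pipeline.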
How to ensure API security?
Implementing an API gateway is very helpful for tracking all API calls, enforcing authentication and rate limits at a single choke point, and monitoring how the API is used.
The weaker the security you implement in the API, the easier it is for an attacker to gain access. Always implement proper access control that defines who can access which resources through the API, and enforce it on every endpoint on the server side, never only in the client.
Even with proper security measures in place, there will still be unseen vulnerabilities caused by common mistakes, outdated assets or negligence. The most effective way to find them is to conduct frequent vulnerability assessments and penetration tests against the APIs, using an API security testing tool alongside manual testing.