dev-resources.site
API Security: Vulnerability and Prevention

Published at 1/15/2025
Categories: api, softwaredevelopment, cybersecurity
Author: mecomis

Cyber security is a frequent topic in the news and among developers. Today we will look at some security topics for APIs (application programming interfaces): how vulnerabilities arise and some preventative measures. There are many different definitions of API, but put simply, an API, as the name suggests, is a programming interface that allows applications to communicate with each other. So how does this lead to security issues? Let's have a look.

Authentication

Authentication is the process of verifying the identity of the client making the API request. It answers the question: "Are you who you say you are?" The client proves its identity, commonly by providing an authenticator (username and password, security token, etc.).

Vulnerabilities

A common vulnerability is having no measures in place to limit the number of login attempts and no second authenticator. This allows an attacker to brute force his way in by guessing or using stolen usernames and passwords. Other vulnerabilities are the lack of multi-factor authentication, sending passwords in URLs, weak password storage practices, and improper token validation.

Prevention

First and foremost, it's important to have a complete understanding of all the possible authentication flows in one's system. Use multi-factor authentication where possible, especially for sensitive operations. Implementing anti-brute-force mechanisms, rate limits and lockout protections, and using standard conventions for password storage and token generation can go a long way toward preventing incidents.
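The password-storage and lockout controls above, as an added example that is not code from the article: passwords are stored as salted scrypt digests and an account is locked for a window after repeated failures. The attempt and lockout thresholds are assumed values for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Tunables chosen for this example; the article names the controls, not the numbers.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, scrypt digest); a random per-user salt defeats precomputed hash tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


class AuthService:
    def __init__(self) -> None:
        self._users = {}     # username -> (salt, digest); never the plaintext password
        self._failures = {}  # username -> (failed_count, last_failure_ts)

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'locked' or 'denied'; unknown users take the same path as wrong passwords."""
        now = time.time() if now is None else now
        count, last = self._failures.get(username, (0, 0.0))
        if count >= MAX_FAILED_ATTEMPTS:
            if now - last < LOCKOUT_SECONDS:
                return "locked"          # still inside the lockout window
            count = 0                    # window elapsed, start counting afresh
        # Hash even for unknown usernames so response time does not reveal which accounts exist.
        salt, stored = self._users.get(username, (b"\x00" * 16, b"\x00" * 64))
        _, candidate = hash_password(password, salt)
        if username in self._users and hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)   # a successful login resets the counter
            return "ok"
        self._failures[username] = (count + 1, now)
        return "denied"
```

The `now` parameter exists so the lockout window can be exercised deterministically; a real deployment would also persist the failure counters outside the process.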

Authorization

Authorization answers the question: "Are you allowed to do what you're trying to do?" The API checks the client's permissions to decide if the requested operation should be permitted or denied.

Vulnerabilities

There are roughly three main types of authorization vulnerabilities that one should be aware of: broken object level authorization (BOLA) where users access unauthorized objects, broken function level authorization (BFLA) where users access unauthorized functions, and broken object property level authorization (BOPLA) where users modify unauthorized object properties.

Prevention

Authorization vulnerabilities can be addressed by applying the principle of least privilege; although this does not solve all authorization vulnerabilities, it is an important first step in controlling them. One BOLA preventative measure is performing an authorization check on every action that a client submits. BFLA prevention should deny all access by default, opening functions only where necessary. For BOPLA specifically, implement property-level checks and careful object serialization.
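The three checks described above (object ownership for BOLA, deny-by-default function roles for BFLA, a property allowlist for BOPLA), as an added example that is not code from the article. The invoice records, users and role names are constructed for illustration.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    pass

# Constructed sample data for this example, not from the article.
@dataclass
class Invoice:
    id: int
    owner: str
    amount: int
    paid: bool = False

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
INVOICES = {1: Invoice(1, "alice", 100), 2: Invoice(2, "bob", 250)}

# BFLA: function-level rules, deny by default (a function missing from this map is never allowed).
FUNCTION_ROLES = {
    "update_invoice": {"user", "admin"},
    "delete_invoice": {"admin"},
}
# BOPLA: properties the client may write; 'paid' and 'owner' stay server-controlled.
CLIENT_WRITABLE = {"amount"}

def authorize_function(user: User, function: str) -> None:
    if not user.roles & FUNCTION_ROLES.get(function, set()):
        raise Forbidden(f"{user.name} may not call {function}")

def load_owned_invoice(user: User, invoice_id: int) -> Invoice:
    """BOLA check: the object must exist AND belong to the caller (admins excepted)."""
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv.owner != user.name and "admin" not in user.roles):
        raise Forbidden("invoice not accessible")  # same answer for missing and foreign objects
    return inv

def update_invoice(user: User, invoice_id: int, patch: dict) -> Invoice:
    authorize_function(user, "update_invoice")        # BFLA
    inv = load_owned_invoice(user, invoice_id)        # BOLA
    rejected = set(patch) - CLIENT_WRITABLE           # BOPLA
    if rejected:
        raise Forbidden(f"properties not writable: {sorted(rejected)}")
    for key, value in patch.items():
        setattr(inv, key, value)
    return inv

def delete_invoice(user: User, invoice_id: int) -> bool:
    authorize_function(user, "delete_invoice")
    del INVOICES[load_owned_invoice(user, invoice_id).id]
    return True
```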

Resource Consumption

APIs consume resources such as network bandwidth, memory, or storage, and when these are exploited the result can be financial loss.

Vulnerabilities

APIs are vulnerable to large resource consumption if there are no restrictions in place to limit client calls. Unrestricted requests will quickly consume an API's network bandwidth, CPU, memory, and storage. Secondary effects could see the business incur costs associated with downstream, third-party API requests or storage providers.

Prevention

Implement rate limiting and request throttling, configure spending limits for third-party services, and limit payload size.
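Per-client rate limiting and a payload size cap, as an added example that is not code from the article: a token bucket per client key throttles bursts while allowing a sustained rate, and oversized bodies are rejected before they are read or parsed. The capacity, refill rate and size limit are assumed values.

```python
import time
from typing import Optional

# Limits assumed for this example; the article names the controls, not the numbers.
BUCKET_CAPACITY = 10        # burst allowance per client
REFILL_PER_SECOND = 2.0     # sustained requests per second per client
MAX_BODY_BYTES = 64 * 1024  # reject oversized payloads before parsing them


class TokenBucketLimiter:
    """One bucket per client key (API key, user id, or source address)."""

    def __init__(self) -> None:
        self._buckets = {}   # key -> (tokens, last_refill_ts)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        tokens, last = self._buckets.get(key, (float(BUCKET_CAPACITY), now))
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(float(BUCKET_CAPACITY), tokens + (now - last) * REFILL_PER_SECOND)
        if tokens < 1.0:
            self._buckets[key] = (tokens, now)
            return False
        self._buckets[key] = (tokens - 1.0, now)
        return True


def admit_request(limiter: TokenBucketLimiter, key: str, content_length: int,
                  now: Optional[float] = None) -> tuple:
    """Cheapest checks first; returns (http_status, reason) before any body is processed."""
    if content_length > MAX_BODY_BYTES:
        return 413, "payload too large"
    if not limiter.allow(key, now):
        return 429, "rate limit exceeded"
    return 200, "ok"
```

The declared `Content-Length` can be wrong, so the server must also stop reading the body once `MAX_BODY_BYTES` has actually arrived.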

API Configurations

Configuring an API on first setup can be tricky: maybe time is short or you just aren't familiar with the technology. In either case, misconfiguration can make an API vulnerable.

Vulnerabilities

Common misconfigurations include: unchanged default settings, such as default admin credentials or open ports; unnecessary features left enabled, such as less secure endpoints used for testing; improper CORS headers, allowing cross-origin reads of sensitive API data; lack of encryption, such as no TLS support; and overly detailed error messages that expose system internals.

Prevention

Implement security throughout the API lifecycle with regular configuration reviews, automated assessments, proper encryption, restricted HTTP verbs, well-defined CORS policies, and careful error handling to prevent information leakage.
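Two of the configuration points above, a well-defined CORS policy and error handling that does not leak internals, as an added example that is not code from the article. The allowed origins and methods are assumed values.

```python
import logging
import uuid
from typing import Optional

log = logging.getLogger("api")

# Explicit origin allowlist (assumed values). Never reflect an arbitrary Origin header back,
# and never combine "*" with credentials or with responses that carry sensitive data.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = "GET, POST"   # only the verbs the API actually serves


def cors_headers(request_origin: Optional[str]) -> dict:
    """CORS headers for a response; unknown origins get none, so browsers block the cross-origin read."""
    if request_origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,   # echo only an allowlisted value
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",   # caches must not serve one origin's header to another
    }


def error_response(exc: Exception) -> tuple:
    """Log the detail server-side under a correlation id; the client sees only the id."""
    error_id = uuid.uuid4().hex
    log.error("request failed [%s]: %r", error_id, exc)   # internals stay in the server log
    return 500, {"error": "internal error", "error_id": error_id}
```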


Thank you for reading our article about API security; we hope you have become a little more knowledgeable in the fields of cyber security and APIs. If you would like to read our full article about API security, have further questions, or a general inquiry, please contact us.
