By Ashish Chhatani - Dec 12, 2018
APIs are everywhere. Every day, millions of API calls are made to get jobs done. APIs are quick, responsive and effective at serving requests.
What is an API?
An API is nothing but an intermediary between you and the application system: it conveys your needs to the system and returns what you want from the application.
Consider a hotel reservation application in which the user wants to reserve a hotel for a specific time period with some more specific requirements, e.g. location, food preferences and price. The user submits the mandatory details to the application, and then the API comes into the picture. The API submits your needs and invokes the database to fulfill the request. The database returns the results that match the request criteria to the API, and the API returns those results to you. So an API is nothing but an intermediary that eases your tasks. Today's applications consist of thousands of APIs, each set up to serve a specific need of the user.
Now that APIs are everywhere in applications, security comes into the picture to validate things like authentication, authorization, confidentiality of user data and much more.
API Security - Before and Now:
In the early days, API security consisted of a single authentication step asking for a username and password, and that was it. The request was forwarded and the response served back to the user. That's how it used to be. Though authentication was in place, a high amount of security risk remained.
Later on, authentication was strengthened by introducing Open Authorization (OAuth). It's a token-based authorization system. The good thing about OAuth is that the API client never handles the user's credentials directly; it receives a scoped token instead. Asking for user credentials or any user data on a public API is never a good idea. So there's always one thing to keep in mind: user data confidentiality and privacy. Nowadays OAuth 2.0 has taken over, and it is said to be more reliable and secure than OAuth 1.0.
Multi-factor authentication isn't a bad option either. In fact, it is as popular as OAuth 2.0.
SOAP, REST and Swagger are the most used and popular API technologies, and they have taken API usage by storm.
For REST APIs, there are only a few security models that are considered to be standard, i.e. well-defined by industry specifications.
Standard security models available currently:
- Username/password (basic authentication)
- X.509 certificates (single-sided or mutual)
- Custom API keys
Common Flaws in APIs
1. Use of vulnerable TPLs (third-party libraries):
Third-party libraries are the most common targets for attackers. For example, the jstl1.2 jar is a library that carries high-severity risks like arbitrary code execution and XXE. Developers don't pay much attention to these risks and go ahead using the TPL to get the job done. That's why it is important to pay attention while using third-party libraries. Developers need to make sure that the version they are going to use doesn't have any high-severity security risks. It is also mandatory to use the most stable or latest version of each TPL.
2. Missing rate limiting (DDoS):
If APIs are not designed properly, there's always a threat of DDoS. It is noted that developers often forget to put a rate limit on their APIs. Though each API behaves differently, it is still recommended to set a rate limit to block malicious floods of requests.
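As an added example (not code from the original post), here is a per-client token-bucket rate limiter of the kind the paragraph recommends. It assumes each caller is identified by an API key or authenticated user id (the `client_id` parameter is hypothetical), injects the clock so the behaviour can be checked offline, and returns the HTTP status plus the conventional `X-RateLimit-*` and `Retry-After` headers a gateway or middleware would attach to the response.

```python
"""Per-client token-bucket rate limiter (added example, not from the original post).

Assumptions: each API client is identified by a string key; `now` is a
monotonic timestamp in seconds passed in by the caller (defaults to wall clock).
"""
import math
import time


class TokenBucket:
    """Allows bursts of up to `capacity` requests, then `refill_per_sec` sustained."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.tokens = float(capacity)   # start full so a new client can burst
        self.last = None                # timestamp of the previous call

    def allow(self, now):
        if self.last is None:
            self.last = now
        elapsed = max(0.0, now - self.last)
        self.last = now
        # Refill proportionally to elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def seconds_until_token(self):
        """How long a rejected client should wait before retrying."""
        return math.ceil((1.0 - self.tokens) / self.refill_per_sec)


class RateLimiter:
    """One bucket per client id; returns (status, headers) for the response."""

    def __init__(self, capacity=5, refill_per_sec=1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}

    def check(self, client_id, now=None):
        if now is None:
            now = time.time()
        bucket = self.buckets.setdefault(
            client_id, TokenBucket(self.capacity, self.refill_per_sec)
        )
        allowed = bucket.allow(now)
        headers = {
            "X-RateLimit-Limit": str(self.capacity),
            "X-RateLimit-Remaining": str(int(bucket.tokens)),
        }
        if allowed:
            return 200, headers
        headers["Retry-After"] = str(bucket.seconds_until_token())
        return 429, headers


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, refill_per_sec=1.0)
    for i in range(5):
        print(i, limiter.check("demo-key", now=100.0))
    print("after 1s", limiter.check("demo-key", now=101.0))
```

Key the bucket on something the attacker cannot freely change (the API key or session subject), not on a client-supplied header alone, and log the 429 responses: a sudden rise in rejected requests per key is a useful detection signal for credential stuffing and scraping as well as for DDoS.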
3. CORS misconfiguration:
CORS (Cross-Origin Resource Sharing) lets a page access resources from another origin, but it is not good to allow access from all origins. It is mandatory to restrict the origins from which the content may be accessed rather than allowing all of them, which increases the risk of subdomain takeover and CSRF.
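The following added example (not from the original post) puts the misconfiguration next to its fix as a small CORS response-header builder. The permissive version reflects whatever `Origin` arrives and still sends `Access-Control-Allow-Credentials: true`, which is exactly the "allow all origins" mistake the paragraph warns about; the hardened version allows only exact matches against a fixed allow-list. The allow-list entries and the request origins used below are constructed for illustration.

```python
"""CORS header builder: permissive (broken) pattern beside an exact allow-list.

Added example, not from the original post. ALLOWED_ORIGINS is a constructed
allow-list; an origin is scheme + host + port and must match exactly.
"""

ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def cors_headers_permissive(request_headers):
    """The misconfiguration: any Origin is reflected back, with credentials.

    Any site can then make credentialed cross-origin requests and read the
    responses, which is what makes subdomain takeover and CSRF-style abuse
    of the API possible.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlist(request_headers, allowed=ALLOWED_ORIGINS):
    """Hardened: exact match only; otherwise send no CORS headers at all.

    Exact matching (not substring, prefix or suffix matching) is what stops
    look-alike origins and the literal string "null" from being accepted.
    Without CORS headers the browser refuses the cross-origin read.
    """
    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Responses differ per Origin, so shared caches must not reuse them.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for origin in ["https://app.example.com", "https://other-site.test", "null"]:
        req = {"Origin": origin}
        print(origin)
        print("  permissive:", cors_headers_permissive(req))
        print("  allow-list:", cors_headers_allowlist(req))
```

If an endpoint is never called from a browser on another origin, the right configuration is no CORS headers at all, as the best-practices list further down also says.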
4. Broken authentication and access:
Authentication means asking users to identify themselves before accessing the contents of an application, while authorization specifies which parts the user is granted access to. For APIs, both are equally important. Asking the user for a username and password alone is not sufficient, as passwords can be guessable or brute-forced, and even a password change may affect the associated services. That's where multi-factor authentication or OAuth is a good option to opt for, as suggested above.
5. Lack of input validation:
Validation needs to be in place for any kind of data supplied to the application, be it content type, length, encoding format, etc. Lack of validation can lead to critical risks such as SQL injection and RCE. Understand what's being supplied to the application, how it's processed and what's returned in the response.
Broadly, API attacks can be divided into two types: pre-login attacks and post-login attacks. Pre-login attacks include credential stuffing, fuzzing, and cookie and token theft, while post-login attacks comprise exploiting CORS, DDoS and data/application attacks.
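To make the input-validation point concrete, here is an added example (not code from the original post) in the setting of the hotel-reservation API used earlier in the article. The request is checked in the order the paragraph lists (content type, length, encoding, then the shape and range of each field) before anything reaches the database, and the lookup itself is a parameterized query, so a value that survives validation still cannot change the SQL. The table, its rows and the field names are constructed for the example.

```python
"""Validate an API request body, then query with a parameterized statement.

Added example, not from the original post. The `hotels` table, its rows and
the request fields (city, nights, max_price) are constructed for illustration.
"""
import json
import sqlite3

MAX_BODY_BYTES = 4096
ALLOWED_CONTENT_TYPE = "application/json"
ALLOWED_FIELDS = {"city", "nights", "max_price"}


class ValidationError(ValueError):
    pass


def validate_reservation_request(content_type, raw_body):
    """Check content type, size, encoding and field shape; return clean values."""
    if content_type.split(";")[0].strip().lower() != ALLOWED_CONTENT_TYPE:
        raise ValidationError("unsupported content type")
    if len(raw_body) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        body = json.loads(raw_body.decode("utf-8"))   # rejects bad byte sequences
    except (UnicodeDecodeError, json.JSONDecodeError):
        raise ValidationError("body is not well-formed UTF-8 JSON")
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:
        raise ValidationError("unexpected fields: %s" % sorted(unknown))
    city = body.get("city")
    # Allow-list the character set; a quote or semicolon has no place in a city name.
    if not isinstance(city, str) or not 1 <= len(city) <= 64 \
            or not city.replace(" ", "").isalpha():
        raise ValidationError("city must be 1-64 letters")
    nights = body.get("nights")
    if not isinstance(nights, int) or isinstance(nights, bool) or not 1 <= nights <= 30:
        raise ValidationError("nights must be an integer between 1 and 30")
    max_price = body.get("max_price")
    if not isinstance(max_price, (int, float)) or isinstance(max_price, bool) \
            or not 0 < max_price <= 10000:
        raise ValidationError("max_price must be a number in (0, 10000]")
    return {"city": city, "nights": nights, "max_price": float(max_price)}


def build_demo_db():
    """Constructed in-memory table standing in for the reservation database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hotels (name TEXT, city TEXT, nightly_price REAL)")
    conn.executemany("INSERT INTO hotels VALUES (?, ?, ?)", [
        ("Harbour Inn", "Lisbon", 90.0),
        ("Old Town Suites", "Lisbon", 160.0),
        ("Station Hotel", "Porto", 70.0),
    ])
    return conn


def search_hotels(conn, req):
    """Parameterized query: values are bound, never concatenated into the SQL."""
    rows = conn.execute(
        "SELECT name FROM hotels WHERE city = ? AND nightly_price * ? <= ? ORDER BY name",
        (req["city"], req["nights"], req["max_price"]),
    ).fetchall()
    return [name for (name,) in rows]


def handle_search(content_type, raw_body):
    """Full path an endpoint would take: validate, then query."""
    req = validate_reservation_request(content_type, raw_body)
    return search_hotels(build_demo_db(), req)


def is_rejected(content_type, raw_body):
    """True when the request fails validation (used to exercise the checks)."""
    try:
        validate_reservation_request(content_type, raw_body)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    good = b'{"city": "Lisbon", "nights": 2, "max_price": 200}'
    print(handle_search("application/json", good))
    print(is_rejected("text/plain", good))
    print(is_rejected("application/json", b'{"city": "Lisbon\' OR 1=1 --", "nights": 2, "max_price": 200}'))
```

Two layers are deliberate: the field checks reject malformed input early with a clear error, and the bound parameters mean that even a validation gap cannot turn user data into SQL.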
Best Practices to Secure APIs
- Use of best encryption standards for data confidentiality
- Use of Quotas and throttling to avoid DDoS
- Input validation in place throughout
- Proper authentication - authorisation techniques
- Effective auditing and logging
- Proper configuration of CORS. If resources from other origins are not needed, eliminate CORS altogether.
- Prefer HTTPS over HTTP especially for transferring sensitive data
- Selecting APIs suitable to application architecture
- Disable unnecessary HTTP methods (accept only the ones the API needs)
- A security-first approach
- Use of safe and up-to-date third-party libraries
- Effective error handling mechanisms
- Proper management of API endpoints
- Use of API gateway
API gateway is nothing but a server that is the single entry point into the system…[it] encapsulates the internal system architecture and provides an API that is tailored to each client. It might have other responsibilities such as authentication, monitoring, load balancing, caching, request shaping and management, and static response handling.
API testing tools
- SOAP UI
- Katalon Studio
- Tricentis Tosca