What Are API Attacks and How Can You Prevent Them?
Cyberattacks using API (Application Programming Interface) are increasing explosively in recent years. An API is a language or a message format used for communications between an operating system and an application program. Since it is difficult and cost-inefficient for businesses to develop a variety of functions from scratch each time, commonly used functions are organized and provided in the form of OS and middleware.
Since an API can define procedures for using general-purpose functions, it is mostly utilized in applications and cloud infrastructures. Therefore, when using specific functions, it only needs to write a short program instead of configuring the entire program from scratch.
According to recent research in South Korea, large enterprises are operating an average of 25,000 APIs within the organization. API vulnerabilities can be fatal to individuals and businesses as APIs have access to data much more quickly than web applications. 91% of companies reported that they have experienced security issues related to APIs in the past year, and 83% were unaware of the details of the information included in APIs. More surprisingly, 34% of them did not even deploy any security measures in advance. Nevertheless, API usage by enterprises increased by about 400% last year and made it crucial for businesses to establish secure API security environments.
In order to respond more effectively to API security threats, OWASP (The Open Web Application Security Project) has been publishing 10 different frequent and high-risk security threats every year. In this blog, we will take a brief look at the API security threats, countermeasures, and furthermore, an introduction to Penta Security’s threat detection technology.
OWASP Top 10
Broken Object Level Authorization
Occurs when APIs communicate with each other and object-level permissions are not activated properly.
To prevent this, it is recommended that organizations manage appropriate user authorization policies. It is also best to additionally verify all logged-in users through an authentication process. Penta Security’s WAPPLES responds quickly to this vulnerability by detecting and blocking all forgery that could occur on the web through its 36 predefined rules.
Broker User Authentication
Credential stuffing attack (a method of extorting personal information by randomly substituting login information leaked from other places to other websites or apps) method taking advantage of a vulnerability that does not verify authorized users.
Developers must stick to the API standard and avoid using API keys for user authentication and implement multi-factor authentication. WAPPLES protects the environment from brute force attacks through two-factor authentication deployed within the management tool and quickly detects such vulnerabilities through the access control functions.
Excessive Data Exposure
Occurs during API calls and searches for sensitive data and information to launch additional attacks.
In order to prevent this, it is necessary to filter all sensitive data. We recommend that you review the API’s response and calls to verify that it contains only legitimate data, and also ensure that the responses do not raise any cybersecurity concerns. In other words, it is of utmost importance to design the security architecture from the very beginning, so that sensitive data is not at all exposed during the development process.
Lack of Resources & Rate Limiting
Occurs when attacks exploit the API’s use of system resources such as network, CPU, memory, and storage to modify the API’s requests to improperly exhaust all resources.
To avoid this, we recommend using a Docker environment that can easily limit access to memory, CPU, file descriptors, and processes in the cloud. It is also a good idea to implement a frequency limit for API calls and set notifications when a response times out. WAPPLES detects and blocks whether the file size, extension, and types are forged and prevent the attack from manipulating parameters such as size in the response.
Broken Function Level Authorization
Occurs when an attack targets loopholes in endpoints, such as attacks performed by accessing the endpoint of an API and eventually extorting administrator privileges.
To prevent this, it is important to check if the authentication process is properly set when requesting or gaining access. It is critical to check whether it has been forged or tampered with and whether calls were made after an authentication process. WAPPLES can check if all API requests and responses were legitimate, and also confirms through its 36 predefined detection rules.
Occurs when an attack in which the endpoint of an API automatically converts the clients’ variables into internal properties and extorts key information from the system.
To prevent this, it is recommended that you do not use a function that automatically binds an internal object to an input variable when developing. It is also a good practice to allowlist only the properties that clients need to update, and blocklist properties that clients should not have access to. This vulnerability needs to be checked prior to coding and designing.
Occurs when an attack targets loopholes in system management, such as missing patches or outdated systems.
To prevent this, API management should consist of:
1) Limited access environment and a process that enables quick and easy deployment,
2) Process to review and update the configuration in the entire API,
3) Secure communication channel to access static properties such as images.
Moreover, we recommend that you define and document all API responses, including error responses, and also implement appropriate Cross-Origin Resource Sharing (CORS) policies for APIs you expect your clients to have access to. During this process, WAPPLES makes sure that the list of open file directories by default is not exposed, and also helps with detecting whether the data has been forged, to make sure that it doesn’t expose any sensitive data.
Occurs when an attack injects malicious data into parts of any web protection.
To prevent this, data provided to all clients must be verified, filtered, and deleted. It is important to strictly define and manage data types and patterns for all variables with a web application firewall in advance. WAPPLES detects and blocks intrusion attacks that can occur in parameters through various types of injection rules.
Improper Assets Management
An attack targeting APIs with poor system management or with unpatched vulnerabilities.
To avoid this, it is recommended to list all API hosts and document the data exchanged. Moreover, even if you document the information of all APIs in your system and apply the latest version of the API, it is still recommended to use it after sufficient security tests. In other words, admins must apply security tests to APIs used within the system and manage them through documentation.
Insufficient Loggin & Monitoring
Occurs when failed to respond in case of a breach because no logs are created or notified.
To prevent this, it is recommended to log all failed authentication attempts and denied access. Logs should contain enough information to identify malicious attempts and should be designed to enable early detection and response of suspicious activities. WAPPLES logs all detections and systems, therefore, if there is an error in the system, it notifies the admins so that it can be dealt with in a timely manner.
In order to respond to the rapidly increasing API security threats, it is important for enterprises to safely design and develop products and services in advance. We also recommend that you identify the major security threats, analyze attack scenarios, and devise countermeasures tailored to your products and services. Penta Security provides the easiest way to implement security for web and API with WAPPLES, an award-winning WAF listed on Forrester Now Tech 2022 and recognized by renowned market research companies. Get to know more about the product here today.
For more information on security implementation, check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: iSIGN+
Automotive, Energy, Industrial, and Urban Solutions: Penta IoT Security
For detailed inquiries, contact Penta Security’s security consulting team.