API Security Part #2: API Security Vulnerabilities

API Security

In the previous article we covered the basic concepts and terminology around APIs. In this article we look at the different kinds of vulnerabilities that put APIs at risk.

As discussed earlier, the rapid growth of API usage in today's digital world brings with it the risk of those APIs being attacked. Cyberattacks are commonplace in today's news, and multinational corporations regularly make headlines for the wrong reasons because their APIs were not adequately protected.

APIs are often self-documenting: they reveal details of their implementation and internal structure (route names, parameter names, schemas, error messages) that an attacker can use as reconnaissance for an attack. Further weaknesses, such as weak authentication, missing transport encryption, business logic flaws and insecure endpoints, make APIs attractive targets.

The most common security risks are compiled by the Open Web Application Security Project (OWASP). Its best-known resource, the OWASP Top 10, is a list produced by security experts around the globe that highlights the web application risks deemed most critical; it is revised periodically rather than every year. OWASP maintains a separate API Security Top 10 for the risks specific to APIs, and the 2019 edition of that list is what this article summarises below.

What Is OWASP?
The Open Web Application Security Project (OWASP) is an international non-profit organization that educates software development teams on how to conceive, develop, acquire, operate, and maintain applications so that they can be trusted. Its materials (articles, methodologies, documentation, tools, and technologies) are freely available and easily accessible, and they improve application security through people, process, and technology.

API Security Vulnerabilities

Security vulnerabilities are a diverse field: there are many different attacks with different methods and targets. One way to categorize vulnerabilities is by the layer they target:

  • Network / OS / Driver
    Issues in the operating system and network components your APIs run on (e.g. buffer overruns, socket exhaustion, denial-of-service attacks).
  • Application layer
    Issues in the application server and related services your APIs are deployed in (e.g. message parsing bugs, session hijacking, security misconfiguration).
  • API
    Functional issues in the API itself (e.g. injection, sensitive data exposure, incomplete access control).

OWASP API Security Top 10 (2019)

1. Broken User Authentication

When authentication mechanisms are implemented incorrectly, attackers can compromise authentication tokens or exploit implementation flaws (weak or leaked signing keys, tokens whose signature or expiry is never checked, no brute-force protection on the login endpoint) to assume another user's identity, temporarily or permanently. This compromises that user's account and undermines the security of the API as a whole.
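The following is an added example (written for this edit, not code from the original article) of the kind of implementation flaw meant here. It implements a minimal HS256 JWT with the standard library: the vulnerable verifier lets the token choose its own algorithm, so a client can send alg=none with an empty signature and any claims it likes; the hardened verifier pins the algorithm, compares the MAC in constant time and enforces expiry. The signing key and the claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for the example; a real service loads this from a secret store.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SERVER_KEY, ttl: int = 3600) -> str:
    """Mint a compact HS256 JWT the way a login endpoint would."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, exp=int(time.time()) + ttl)
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(body).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_none_token(claims: dict) -> str:
    """What an attacker sends: alg=none, claims of their choosing, empty signature."""
    header = {"alg": "none", "typ": "JWT"}
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode()) + "."


def verify_token_vulnerable(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Broken: lets the token choose its own algorithm, never checks expiry, and
    compares the signature with '==' (not constant time)."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(body_b64))  # unsigned token accepted as-is
    expected = hmac.new(key, (head_b64 + "." + body_b64).encode(), hashlib.sha256).digest()
    if _b64url(expected) == sig_b64:
        return json.loads(_b64url_decode(body_b64))
    return None


def verify_token(token: str, key: bytes = SERVER_KEY, now: Optional[int] = None) -> Optional[dict]:
    """Hardened: the server pins the algorithm, verifies the MAC in constant time
    before trusting any claim, and rejects expired tokens. Returns claims or None."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):  # wrong part count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256" or header.get("typ") != "JWT":
        return None
    expected = hmac.new(key, (head_b64 + "." + body_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    current = now if now is not None else int(time.time())
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= current:
        return None
    return claims
```

The important habit is that the server decides how a token is verified; nothing in the token itself (the alg header, a kid pointing at an attacker-controlled key, a missing exp) may change that decision.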

2. Excessive Data Exposure

Developers often expose every property of an object, without considering the sensitivity of each property, and rely on the client to filter the data before displaying it to the user. Anything the client is trusted to hide is visible to anyone who calls the API directly and reads the raw response.

3. Lack of Resources and Rate Limiting

If an API does not restrict the size or number of resources a client can request, server performance suffers and the API becomes an easy target for Denial of Service (DoS). Missing rate limits also make brute-force attacks against authentication (password or token guessing) practical.
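An added example (written for this edit, not part of the original article) of the two controls this item asks for: a per-client sliding-window rate limiter applied to a list endpoint and to the login endpoint, plus a hard cap on page size so one call cannot drain the whole table. Timestamps are passed in explicitly so the behaviour is deterministic; the limits, dataset and credentials are constructed and deliberately tiny.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# Limits are constructed for the example and deliberately tiny so they trip quickly.
MAX_PAGE_SIZE = 100            # hard cap on items returned per call
MAX_REQUESTS_PER_WINDOW = 5    # per client IP
WINDOW_SECONDS = 60.0
MAX_LOGIN_ATTEMPTS = 3         # per (IP, username)
LOGIN_WINDOW_SECONDS = 300.0


class SlidingWindowLimiter:
    """Per-key sliding window: allows at most `limit` events in any `window` seconds.
    Timestamps are passed in explicitly so the logic is deterministic and testable."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and q[0] <= now - self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


api_limiter = SlidingWindowLimiter(MAX_REQUESTS_PER_WINDOW, WINDOW_SECONDS)
login_limiter = SlidingWindowLimiter(MAX_LOGIN_ATTEMPTS, LOGIN_WINDOW_SECONDS)

RECORDS = [{"id": i} for i in range(1000)]          # constructed dataset
USERS = {"alice": "correct horse battery staple"}  # constructed; real code stores salted hashes


def list_records(client_ip: str, page_size: int, now: float) -> Tuple[int, dict]:
    """GET /records?page_size=N -> (status, body). Without the two checks a single
    client can pull the whole table, as often as it likes."""
    if not api_limiter.allow(client_ip, now):
        return 429, {"error": "rate limit exceeded", "retry_after": int(WINDOW_SECONDS)}
    if not isinstance(page_size, int) or not 1 <= page_size <= MAX_PAGE_SIZE:
        return 400, {"error": f"page_size must be an integer between 1 and {MAX_PAGE_SIZE}"}
    return 200, {"items": RECORDS[:page_size]}


def login(username: str, password: str, client_ip: str, now: float) -> int:
    """POST /login -> HTTP status. Attempts are counted per (IP, username), so a
    password-guessing run is cut off after MAX_LOGIN_ATTEMPTS tries."""
    if not login_limiter.allow(f"{client_ip}:{username}", now):
        return 429
    return 200 if USERS.get(username) == password else 401
```

Keying the login limiter on IP alone is not enough against a distributed attack, and keying on username alone lets an attacker lock legitimate users out; the combined key above is a common compromise, usually backed by a separate, slower per-account counter.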

4. Broken Function Level Authorization

Authorization flaws arise from complex access control policies with many hierarchies, groups and roles, and from a blurred line between administrative and regular functions. Attackers exploit these flaws to call functions they should not be able to reach (typically administrative ones) and to gain access to other users' resources.
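An added example (written for this edit, not code from the original article) showing both halves of the authorization problem side by side: a function-level check driven by an explicit role policy, and an object-level check that the caller actually owns the record it asked for. Users, orders and the policy table are constructed for the example; handlers return an HTTP status and body instead of running inside a web framework.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed users and orders for the example.
USERS: Dict[int, User] = {1: User(1, "user"), 2: User(2, "user"), 3: User(3, "admin")}
ORDERS: Dict[int, dict] = {
    100: {"owner_id": 1, "total": 42.0},
    101: {"owner_id": 2, "total": 99.0},
}

# Function-level policy: which roles may call which operation. Anything not listed is denied.
FUNCTION_POLICY: Dict[str, Set[str]] = {
    "get_order": {"user", "admin"},
    "delete_user": {"admin"},
}


def function_allowed(operation: str, caller: User) -> bool:
    return caller.role in FUNCTION_POLICY.get(operation, set())


# --- Broken: only "is someone logged in?" is ever checked. ---
def get_order_vulnerable(caller: User, order_id: int) -> dict:
    # Object-level flaw: any user reads any order just by changing order_id.
    return ORDERS[order_id]


def delete_user_vulnerable(caller: User, target_id: int) -> None:
    # Function-level flaw: an admin-only operation reachable by every role.
    USERS.pop(target_id, None)


# --- Hardened: check the function AND the specific object on every call. ---
def get_order(caller: User, order_id: int) -> Tuple[int, dict]:
    if not function_allowed("get_order", caller):
        return 403, {"error": "forbidden"}
    order = ORDERS.get(order_id)
    # Same 404 for "does not exist" and "not yours": no oracle for guessing valid ids.
    if order is None or not (order["owner_id"] == caller.id or caller.role == "admin"):
        return 404, {"error": "order not found"}
    return 200, order


def delete_user(caller: User, target_id: int) -> Tuple[int, dict]:
    if not function_allowed("delete_user", caller):
        return 403, {"error": "forbidden"}
    if target_id not in USERS:
        return 404, {"error": "user not found"}
    del USERS[target_id]
    return 204, {}
```

Two design points are worth copying: the policy table is deny-by-default, so a newly added operation is unreachable until someone decides who may call it, and the object check lives next to the data access, so no route can forget it.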

5. Mass Assignment

When client-provided data (a JSON body, for example) is bound directly to data models without an allowlist of bindable properties, attackers can set object properties they are not supposed to control (an admin flag or an account balance, for instance). They discover those properties by exploring API endpoints, guessing names, reading documentation, or simply adding extra fields to request payloads and watching what changes.
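Excessive data exposure and mass assignment are the same mistake in opposite directions: trusting the model's full field list for what goes out, and the client's full field list for what comes in. The added example below (written for this edit, not part of the original article) covers both items with one constructed user record: the vulnerable handlers return the whole row and bind the whole body, the hardened ones use explicit field schemas for each direction.

```python
from typing import Any, Dict, Tuple

# Constructed user record exactly as it sits in the database.
DB_USER: Dict[str, Any] = {
    "id": 7,
    "username": "alice",
    "display_name": "Alice",
    "email": "alice@example.com",
    "balance": 120.0,
    "is_admin": False,
    "password_hash": "$2b$12$constructed-hash-for-the-example",
    "mfa_secret": "JBSWY3DPEHPK3PXP",
}


# --- Broken (excessive data exposure): dump the row, let the client hide the sensitive bits.
def get_profile_vulnerable(user: Dict[str, Any]) -> dict:
    return dict(user)


# --- Broken (mass assignment): bind every key of the JSON body onto the model.
def update_profile_vulnerable(user: Dict[str, Any], body: Dict[str, Any]) -> dict:
    user.update(body)
    return user


# --- Hardened: one schema for what goes out, one for what may come in.
PUBLIC_FIELDS = ("id", "username", "display_name")           # what other users may see
SELF_FIELDS = PUBLIC_FIELDS + ("email", "balance")           # what the owner may see
WRITABLE_FIELDS = {"display_name": str, "email": str}        # what the owner may change, and its type


def serialize(user: Dict[str, Any], fields: Tuple[str, ...]) -> dict:
    return {k: user[k] for k in fields if k in user}


def get_profile(user: Dict[str, Any], viewer_id: int) -> dict:
    return serialize(user, SELF_FIELDS if viewer_id == user["id"] else PUBLIC_FIELDS)


def update_profile(user: Dict[str, Any], body: Dict[str, Any]) -> Tuple[int, dict]:
    unknown = set(body) - set(WRITABLE_FIELDS)
    if unknown:
        # Reject rather than silently drop: an unexpected field is worth an alert.
        return 400, {"error": "unknown or read-only fields", "fields": sorted(unknown)}
    for name, expected_type in WRITABLE_FIELDS.items():
        if name in body and not isinstance(body[name], expected_type):
            return 400, {"error": f"{name} must be {expected_type.__name__}"}
    user.update({k: body[k] for k in WRITABLE_FIELDS if k in body})
    return 200, serialize(user, SELF_FIELDS)
```

Rejecting unknown fields (rather than ignoring them) is a deliberate choice: it costs nothing for well-behaved clients and turns a probing attacker into a log line.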

6. Security Misconfiguration

Security misconfiguration is commonly the result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS) policies, and verbose error messages that leak sensitive information such as stack traces or internal paths.
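Several of these misconfigurations are visible from a single HTTP response, which makes them easy to check for in a test suite or a pentest script. The added example below (written for this edit, not part of the original article) audits two constructed responses from a weak and a hardened deployment of the same API; the trusted-origin list and the finding codes are assumptions of the example.

```python
import re
from typing import Dict, List

# Trusted web origins for this API (constructed for the example).
TRUSTED_ORIGINS = {"https://app.example.com"}
DANGEROUS_METHODS = {"TRACE", "TRACK"}
STACK_TRACE_MARKERS = ("Traceback (most recent call last)", "\n\tat ", "Exception:", 'File "')

# Constructed responses (status, request Origin, headers, body) from two deployments.
WEAK_RESPONSE = {
    "status": 500,
    "request_origin": "https://evil.example",
    "headers": {
        "Server": "Apache/2.4.29 (Ubuntu)",
        "Access-Control-Allow-Origin": "https://evil.example",   # reflected from the request
        "Access-Control-Allow-Credentials": "true",
        "Allow": "GET, POST, PUT, DELETE, TRACE, OPTIONS",
        "Content-Type": "text/html",
    },
    "body": 'Traceback (most recent call last):\n  File "/srv/api/app.py", line 88, in handler',
}
HARDENED_RESPONSE = {
    "status": 500,
    "request_origin": "https://app.example.com",
    "headers": {
        "Access-Control-Allow-Origin": "https://app.example.com",
        "Access-Control-Allow-Credentials": "true",
        "Allow": "GET, POST, OPTIONS",
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/json",
    },
    "body": '{"error": "internal error", "id": "c0ffee"}',
}


def audit_response(resp: Dict) -> List[str]:
    """Return finding codes for the misconfigurations this response exhibits."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in resp["headers"].items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("cors-wildcard-with-credentials")
    if acao and acao == resp.get("request_origin") and acao not in TRUSTED_ORIGINS:
        findings.append("cors-origin-reflection")   # server echoes whatever Origin it is sent
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    if allowed & DANGEROUS_METHODS:
        findings.append("dangerous-method-enabled")
    if re.search(r"\d", h.get("server", "")):
        findings.append("server-version-disclosure")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing-nosniff")
    if resp["status"] >= 500 and any(m in resp["body"] for m in STACK_TRACE_MARKERS):
        findings.append("stack-trace-in-body")
    return findings
```

The CORS reflection check needs the request Origin as well as the response, which is why the sample records both: a server that echoes an untrusted Origin together with Allow-Credentials lets any site make authenticated calls on behalf of a logged-in user.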

7. Broken Object Level Authorization

APIs tend to expose endpoints that handle object identifiers (for example /orders/{id}), which creates a wide attack surface for access control problems. On every request that reaches a data source using an identifier supplied by the client, the server must check that the caller is actually permitted to access that specific object. When this check is missing, an attacker simply substitutes another user's identifier and reads or changes data that is not theirs. OWASP ranks this category first in its API Security Top 10.

8. Injection

Injection flaws, such as SQL, NoSQL and command injection, occur when untrusted data is sent to an interpreter as part of a command or query. Malicious data can trick the interpreter into executing unintended commands or returning data without proper authorization.
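An added SQL injection example (written for this edit, not code from the original article) against a constructed in-memory SQLite table: the vulnerable lookup pastes the username into the query text, so a quoted payload both bypasses the filter and dumps password hashes through a UNION; the fixed lookup binds the value as a parameter. The third function shows the caveat that parameters cannot cover identifiers such as a sort column, which need an allowlist instead.

```python
import sqlite3
from typing import List, Tuple

ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory database with a handful of users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-a", "user"), ("bob", "hash-b", "user"), ("admin", "hash-r", "admin")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """GET /users?username=... with the input pasted into the query text."""
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Same lookup with a bound parameter: the input can only ever be a value."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def list_users(conn: sqlite3.Connection, sort_by: str) -> List[Tuple]:
    """Identifiers (column and table names) cannot be bound as parameters, so a
    user-chosen sort column must be checked against an allowlist instead."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT id, username, role FROM users ORDER BY {sort_by}").fetchall()
```

With the payload `' OR '1'='1` the vulnerable query becomes `WHERE username = '' OR '1'='1'` and returns every row; with `' UNION SELECT id, username, password_hash FROM users --` it returns the hash column where the client expected a role. The parameterised version returns nothing for either, because the whole payload is compared as a literal username.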

9. Improper Assets Management

APIs tend to expose more endpoints than traditional web applications, so complete and up-to-date documentation matters. An inventory of deployed API versions and hosts helps find forgotten deployments, such as deprecated API versions that still run against the same backend and data but no longer receive security fixes, and debug or internal endpoints that were never meant to be reachable.
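One practical way to build that inventory is to compare what the gateway is actually serving against what the current API specification documents. The added example below (written for this edit, not part of the original article) does that for a constructed set of documented paths and constructed access-log lines; the path conventions (/api/v2/..., /internal/...) are assumptions of the example.

```python
import re
from typing import Dict, List, Set

# Constructed: paths documented in the current OpenAPI spec, and the versions still supported.
DOCUMENTED_PATHS: Set[str] = {"/api/v2/users/{id}", "/api/v2/orders", "/api/v2/orders/{id}"}
SUPPORTED_VERSIONS: Set[str] = {"v2"}

# Constructed gateway access-log lines: "<method> <path> <status>".
ACCESS_LOG = """\
GET /api/v2/users/17 200
GET /api/v1/users/17 200
POST /api/v1/users/17/reset-password 200
GET /api/v2/orders/9001 200
GET /api/debug/env 200
GET /api/v2/orders 200
GET /internal/metrics 200
"""

_VERSION = re.compile(r"^/api/(v\d+)/")
_NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize(path: str) -> str:
    """Collapse numeric path segments to {id} so log paths match spec templates."""
    return _NUMERIC_SEGMENT.sub("/{id}", path)


def inventory(log: str, documented: Set[str], supported: Set[str]) -> Dict[str, List[str]]:
    """Compare what is actually being served against what is documented and supported."""
    served = {normalize(line.split()[1]) for line in log.splitlines() if line.strip()}
    deprecated: Set[str] = set()
    undocumented: Set[str] = set()
    debug: Set[str] = set()
    for path in served:
        m = _VERSION.match(path)
        if m and m.group(1) not in supported:
            deprecated.add(path)          # old version still answering requests
        elif path not in documented:
            undocumented.add(path)        # live but absent from the spec
        if "debug" in path or path.startswith("/internal/"):
            debug.add(path)               # should not be reachable from outside at all
    return {
        "deprecated_version": sorted(deprecated),
        "undocumented": sorted(undocumented),
        "debug_or_internal": sorted(debug),
        "unused_documented": sorted(documented - served),
    }
```

Run on real logs this is also the quickest way to see whether a v1 endpoint a team believes is retired is still taking traffic, and whether a password-reset flow in that old version still works without the newer version's protections.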

10. Insufficient Logging and Monitoring

Attackers rely on a lack of logging and monitoring to probe an API and compromise data unnoticed. Without records of failed logins, authorization denials and input validation errors there is nothing to alert on, and by the time a breach is detected it is often too late.
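What "something to alert on" looks like in practice: the added example below (written for this edit, not part of the original article) runs two simple detections over constructed structured log lines of the kind an API gateway should emit. One flags a credential-stuffing pattern (many different usernames failing from one address inside a short window), the other flags object-id enumeration (one user being denied many different records in a row). Thresholds and the window are assumptions of the example.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed structured access-log lines (one JSON object per line): who, from where,
# what, and the outcome. Without fields like these there is nothing to detect on.
LOG_LINES = """\
{"ts": 1700000000, "ip": "203.0.113.5", "user": "alice", "method": "POST", "path": "/login", "status": 401}
{"ts": 1700000001, "ip": "203.0.113.5", "user": "bob", "method": "POST", "path": "/login", "status": 401}
{"ts": 1700000002, "ip": "203.0.113.5", "user": "carol", "method": "POST", "path": "/login", "status": 401}
{"ts": 1700000003, "ip": "203.0.113.5", "user": "dave", "method": "POST", "path": "/login", "status": 401}
{"ts": 1700000004, "ip": "203.0.113.5", "user": "erin", "method": "POST", "path": "/login", "status": 200}
{"ts": 1700000010, "ip": "198.51.100.7", "user": "mallory", "method": "GET", "path": "/orders/1001", "status": 200}
{"ts": 1700000011, "ip": "198.51.100.7", "user": "mallory", "method": "GET", "path": "/orders/1002", "status": 404}
{"ts": 1700000012, "ip": "198.51.100.7", "user": "mallory", "method": "GET", "path": "/orders/1003", "status": 404}
{"ts": 1700000013, "ip": "198.51.100.7", "user": "mallory", "method": "GET", "path": "/orders/1004", "status": 404}
{"ts": 1700000014, "ip": "198.51.100.7", "user": "mallory", "method": "GET", "path": "/orders/1005", "status": 404}
{"ts": 1700000020, "ip": "192.0.2.9", "user": "alice", "method": "GET", "path": "/orders/1001", "status": 404}
"""

LOGIN_FAIL_THRESHOLD = 4   # distinct usernames failing from one IP within WINDOW seconds
ENUM_FAIL_THRESHOLD = 4    # distinct object paths denied to one user within WINDOW seconds
WINDOW = 60                # seconds


def parse(lines: str) -> List[dict]:
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def _distinct_in_window(hits: List[Tuple[int, str]]) -> int:
    """Largest number of distinct values seen inside any WINDOW-second span (hits sorted by ts)."""
    best = 0
    for i, (start, _) in enumerate(hits):
        values = {v for ts, v in hits[i:] if ts - start < WINDOW}
        best = max(best, len(values))
    return best


def detect(events: List[dict]) -> List[str]:
    """Return alert strings for credential stuffing and object-id enumeration."""
    fails_by_ip: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    denied_by_user: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["path"] == "/login" and e["status"] == 401:
            fails_by_ip[e["ip"]].append((e["ts"], e["user"]))
        elif e["status"] in (403, 404):
            denied_by_user[e["user"]].append((e["ts"], e["path"]))
    alerts: List[str] = []
    for ip, hits in fails_by_ip.items():
        if _distinct_in_window(hits) >= LOGIN_FAIL_THRESHOLD:
            alerts.append(f"credential-stuffing ip={ip}")
    for user, hits in denied_by_user.items():
        if _distinct_in_window(hits) >= ENUM_FAIL_THRESHOLD:
            alerts.append(f"object-enumeration user={user}")
    return alerts
```

The second detection only works because the hardened handlers answer "not yours" with the same 404 as "does not exist" and log it as a denial; an API that leaks nothing to the attacker but also logs nothing for the defender has solved half the problem.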

In addition to above, following vulnerabilities also can be found in APIs;

Parameter Tampering

Parameter tampering is the manipulation of parameters exchanged between client and server in order to modify application data: user credentials and permissions, the price or quantity of products, and so on. This information is commonly carried in cookies, hidden form fields, or URL query strings, all of which the client fully controls, so the server must never treat those values as authoritative.
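The classic instance is a checkout that totals whatever price and quantity the client sends. The added example below (written for this edit, not part of the original article) puts the vulnerable total next to one that recomputes from a server-side catalogue, accepts only the fields the client is entitled to choose, and range-checks the quantity so a negative line item cannot become a discount. The catalogue and carts are constructed; prices are integer cents.

```python
from typing import Dict, List, Tuple

# Constructed catalogue: prices in integer cents, held server-side.
CATALOG: Dict[str, int] = {"sku-100": 1999, "sku-200": 24900}
MAX_QTY = 20


def checkout_vulnerable(cart: List[dict]) -> int:
    """Trusts price and quantity exactly as the client sent them."""
    return sum(item["price"] * item["qty"] for item in cart)


def checkout(cart: List[dict]) -> Tuple[int, dict]:
    """Recomputes the total from server-side prices; only sku and qty are accepted
    from the client, and qty is range-checked."""
    total = 0
    for item in cart:
        if set(item) - {"sku", "qty"}:
            return 400, {"error": "only sku and qty may be supplied"}
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            return 400, {"error": f"unknown sku {sku!r}"}
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QTY:
            return 400, {"error": f"qty must be an integer between 1 and {MAX_QTY}"}
        total += CATALOG[sku] * qty
    return 200, {"total_cents": total}
```

If some client-side state genuinely has to round-trip through the browser (a hidden field or a cookie), it should be signed with a server-held key and verified on the way back, exactly as the token example earlier does for claims; the simpler and better option, where possible, is not to send it at all.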

HTTP and Lack of TLS

The absence of Transport Layer Security (TLS) on an API is practically an open invitation to attackers. Transport layer encryption is one of the most elementary must-haves for a secure API: without it, the fairly common man-in-the-middle attack lets anyone on the network path read and alter requests, including the credentials and tokens they carry. Use TLS 1.2 or later on every API endpoint, internal as well as public (SSL and TLS 1.0/1.1 are deprecated and should be disabled), and make sure clients verify the server certificate rather than switching verification off to silence errors.
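The client side is where TLS is most often quietly undone, usually by a developer disabling certificate verification to get past an error. The added example below (written for this edit, not part of the original article) shows that anti-pattern next to a correctly hardened client context built with Python's ssl module, plus a small check that a context is acceptable before it is used. No network connection is made.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """Do not use: this is what 'just make the certificate error go away' looks like.
    Any server on the path can present any certificate and the client will accept it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx                          # minimum_version left at the library default


def hardened_client_context() -> ssl.SSLContext:
    """Verify the chain against the system CA store, check the hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + platform CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """Server side of the same policy; in deployment call ctx.load_cert_chain(cert, key)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Guard to run before handing a context to an HTTP client: refuse anything that
    skips verification or still permits SSL/TLS 1.0/1.1."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )
```

A context from `hardened_client_context()` is what you pass as `context=` to `urllib.request.urlopen` or `http.client.HTTPSConnection`; the same guard is worth applying to whatever HTTP library a service uses, because a `verify=False` left over from debugging is indistinguishable on the wire from no TLS at all.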

Having even one of these vulnerabilities in your APIs exposes your organization to a whole range of threats; the next article looks at the threats that arise from the vulnerabilities discussed here.

That covers the main classes of API security vulnerabilities you need to know about. If you have any questions related to this article, feel free to ask in the comment section below. Cheers!

Next on the Series: API Security Threats

Versatile Full-stack Developer with 5+ years of experience designing, developing, and managing complex applications and internal frameworks.
