WHAT’S AN API?

An API (Application Programming Interface) is a set of rules and tools (aka, protocol) that allow applications to communicate and interact with each other. It provides a standardized way for applications to exchange information without needing to understand the inner workings of the underlying systems. Apis are necessary for integrating software systems, enabling developers to use existing services and data while building new applications. They are common in web development, mobile apps, operating systems, and databases.

This common use means that they are frequent targets of abuse.

API USE AND ABUSE

APIs are meant to be used. like a shopping mall with all of its stores - the doors are open and ready for business, and business is best done when the shop allows all-comers, even though that openness presents risks.

For a visible analogy, here's a video of a Security gate that gets opened in an unintended way, not because there's a flaw in how it's designed, but by using the mechanism how it's meant to be used, and in a creative way (IMPORTANT NOTE: this video shows how fire departments are able to gain entry so they can do their job. Use knowledge like this only for good!) 

Because APIs are intended to be used heavily, one way of compromise is using them as they are intended, but in unusual or unexpected ways. Securing APIs requires alternate and layered forms of security.

2023 – RECORD NUMBER OF BREACHES?

2023 is on track to beat 2021’s all-time record of 1862 breaches. Many factors (e.g., notification timing, minimum regulatory requirements, and wishing to minimize reputational damage) go into reporting breaches, but the “lack of actionable information in data breaches continue from 2022” creates an inability to analyze root causes. This presents further troubles because organizations don’t know what to do to prevent or mitigate those risks.

STORIES OF API EXPLOITS

What happens in real-life API attacks and exposures?

A) On December 15th, 2022, a threat actor posted extracts from a database containing information about a restaurant’s customers to a hacking forum. Data posted included files about big restaurant chains, clients, payment reports, reservation lists, and API keys.

• ● One good aspect was their incident response (this should be one of the first policies and procedures that a company develops): "it "disabled access to the interface" immediately following the incident and have launched an investigation."

B) Mid-2022 found the data of 5.4 million users of a social media site for sale on a hacking forum. Criminals were able to steal and sell the data after exploiting a known API vulnerability.

C) In late 2022, a security researcher discovered backdoor access into a car maker’s information system. The researcher was able to escalate “to a system administrator account by exploiting an information disclosure flaw in the system's API.” 

What are these mysterious API flaws?

5 MOST COMMON ATTACKS

In 2023, OWASP (Open Web Application Security Project) released the updated version of their API Security Top Ten, an update to their 2019 list. Because there were not enough responses about known API risks, the group instead analyzed reported API breaches and incidents since 2019 to bring this invaluable list to life.

These Top Ten are important for organizations to understand. A recent study shows that “bad actors use combinations of these 10 attacks to propagate more sophisticated attacks.” 

The five top API threats are:

1. Broken Object Level Authorization (BOLA)
2. Broken Authentication
3. Broken Object Property Level Authorization
4. Unrestricted Resource Consumption
5. Broken Function Level Authorization (BFLA)

Here’s some more detail, along with fixing the issue:

1. BOLA: APIs extend the Object Level Access Control attack surface by exposing endpoints that handle object identifiers.

• o Mitigation: Consider object level authorization checks in every function that accesses a data source using an ID from the user.

2. Broken Authentication: This risk refers to vulnerabilities in the authentication process of APIs. Weak or improper authentication mechanisms can lead to unauthorized access and compromise the security of the API.

● To remediate Broken Authentication, implement solutions such as:

• o strong authentication mechanisms such as multi-factor authentication, OAuth, and OpenID Connect;
• o proper credential management (e.g., password policies, password hashing, and encryption);
• o proper session management, such as session timeouts and session revocation to prevent unauthorized access to user accounts; and
• o proper error handling, e.g., not revealing sensitive information in error messages to prevent attackers from exploiting vulnerabilities.

3. Broken Object Property Level Authorization: Similar to Broken Object Level Authorization, this risk focuses on vulnerabilities related to the ability to access to each object’s list of properties. 

• a. Implement proper authorization checks at the property level to prevent unauthorized access to sensitive data.

4. Unrestricted Resource Consumption refers to APIs that do not have proper limits or controls on resource consumption. Attackers can exploit this vulnerability to exhaust system resources, leading to denial of service (DoS) or performance issues.

• a. The solution should include ways to limit the use of resources such as CPU, memory, and number of restarts.

5. BFLA: API functions and resources can have multiple permission roles in use.

• a. Apply proper authorization checks at the function level to ensure that only authorized users can access specific functions or operations. 
• b. An example of this is when almost 2 million state residents had their department of insurance data exposed for an inordinate amount of time. "The issue in the code allowed members of the public to access a protected part of that online application"

THE SECURITY APPROACH

Because there’s no one-rule-to-secure-them-all, a couple additional steps to take are:

1) Monitoring APIs for suspicious activity

• a. Since APIs can be abused by normal use (e.g., threat actor slowly perusing the APIs for vulnerabilities can appear to be normal traffic), monitoring for strange behavior (e.g., anomalous traffic from a set of IP addresses) can help catch bad behavior.

2) Keeping API software updated with the latest security patches.

• a. With all of the APIs that can be deployed, ensure that they’re known and up-to-date.

Because there’s so much involved with protecting APIs, it’s best to have more than a checklist – have an approach.

Regardless of what the team’s title is, have internal experts who have a DevSecOps approach or philosophy. A specific example here is: "Access tokens issued to each client can be designed differently based on that client’s end-to-end API flows...Using tokens in this way provides a zero trust API architecture, where APIs do not trust each other."

APIs are good for business yet also create more attack opportunities for threat actors to compromise customer and corporate data. Securing that data is worth spending the necessary time, talent, effort, and money. 

About Author:

Ross Moore is the Cyber Security Support Analyst with Passageways. He has experience with ISO 27001 and SOC 2 Type 2 implementation and maintenance. Over the course of his 20+ years of IT and Security, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP along with CompTIA’s Pentest+ and Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University. He is also a regular writer at Bora.