API

What are API security threats?

APIs are usually documented publicly, and attackers study that documentation carefully. Other weaknesses, such as weak authentication, lack of encryption and flaws in business logic, also threaten API security.

Common attacks on APIs include:

1. Man in the Middle (MITM)

A man-in-the-middle attack is one in which the attacker intercepts the messages sent from source to destination. The attacker captures the communication in transit, alters it, and forwards the modified messages with fraudulent intent.

For example:

The attacker can sit between the browser and the API and capture the token carried in the HTTP header of the user's request. That token gives the attacker access to the user's account, which may contain sensitive information such as credit card numbers and login details.

2. API injection

This type of attack is also called a code injection attack: malicious code is inserted into a software program that is open to attack because it does not validate its input.

Example of code that SQL injection targets (the technique takes its name from the SQL it manipulates):

  1. The API builds its query by pasting a value taken straight from the query string into the SQL text (classic ASP):

     sql = "Select ItemName, ItemDescription From Item Where ItemNumber=" & Request.QueryString("itemid")

  2. A user-provided request such as http://www.e_commerce_company_name.com/items/items.asp?itemid=999

then produces the query:

  Select ItemName, ItemDescription
  From Item
  Where ItemNumber=999

Because the value is concatenated rather than bound as a parameter, whatever else the caller puts in itemid becomes part of the SQL statement.

3. Distributed denial of service (DDoS)

In this type of attack, a huge number of concurrent requests, each carrying a large amount of data, are sent to an API. The API cannot handle the load and the system eventually crashes; the attack aims to exhaust the system's memory and capacity.

Example:

In 2017, an FCC website hosted on a commercial cloud service received a massive volume of API requests to its commenting system, intended to exhaust memory capacity. The requests consumed all memory resources and the system eventually crashed.

Ways of authenticating a user for API security:

Many businesses and technology providers secure their data by allowing access only to authorised users.

1. Multi-factor Authentication

In this process, an app asks for an authentication key in addition to the user ID and password. This key is for single use and is generated randomly every time a user tries to log in.

It can be sent as an OTP message to the user's registered mobile number, or the user can be asked to create a digital key that is verified later.

An example of two-factor authentication is FortiClient.

2. Token-Based Authentication

This is another method of securing application APIs and data access. When the credentials (username and password) are created, a token is issued.

The next time the user logs in, instead of sending the credentials, which are at greater risk when shared over the network, only the token is sent in the request for authorization. This reduces the exposure of credentials and the chance of an attack.

Most tokens have a validity period and are automatically renewed once it expires.

3. Digital Signatures

One way to keep data authorized is to use digital signatures: we sign everything.

The signature is generated by the app using an algorithm and a secret code. The API applies the same algorithm and secret to compute its own signature and compares it with the incoming signature; if they match, the user is authenticated and granted access to the API or data.
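As an added illustration (not code from the article), the token-based and signature-based schemes above combined in Python: a token is a base64 payload plus an HMAC-SHA256 signature computed with a shared secret, and the server recomputes the signature, compares it in constant time, and rejects expired tokens. The secret value and the token layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example; real deployments load it from a secrets store, never source code.
SECRET = b"example-shared-secret-do-not-reuse"

def b64encode_url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64decode_url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(message: bytes, secret: bytes = SECRET) -> str:
    """Signature = HMAC-SHA256(secret, message): the 'algorithm plus secret code' the article describes."""
    return b64encode_url(hmac.new(secret, message, hashlib.sha256).digest())

def issue_token(user: str, ttl_seconds: int, now: float = None) -> str:
    """Token = base64(payload) '.' signature; the payload carries the subject and an expiry time."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now) + ttl_seconds}, separators=(",", ":"))
    body = b64encode_url(payload.encode())
    return body + "." + sign(body.encode())

def verify_token(token: str, now: float = None):
    """Return the payload when the signature matches and the token has not expired, else None."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    # Compare in constant time so a mismatch does not leak how many characters matched.
    if not hmac.compare_digest(sig, sign(body.encode())):
        return None
    try:
        payload = json.loads(b64decode_url(body))
    except ValueError:  # malformed base64 or JSON
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) < now:
        return None
    return payload
```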

4. Public-key cryptography

Another way of securing data in API requests, or simply data sent over a network, is cryptography. The actual message is encrypted, the encrypted message is sent over the network to prevent a MITM attack, and it is decrypted at the destination.

Cryptography is of two types, symmetric and asymmetric. Symmetric cryptography is when the client and the server share the same key to encrypt and decrypt the message.

Asymmetric cryptography is when the server provides the client with a public key that can only encrypt a message, while keeping the decryption key private so that the message can only be decrypted at the server's end.

5. Digital Certificates

This is one of the secure ways of establishing communication between client and server. Here the server authenticates itself to the client, because certificates are issued only to servers and bind information about the organization; the certificate is digitally signed by a certificate authority.

6. Logging and Monitoring

Sufficient logging and monitoring should be in place for an API; generic suggestions are:

  1. Use a centralized log management system and treat logs as sensitive data; this is especially important when the logged data comes from user input.
  2. Treat logs as a source of detection: monitoring them helps catch an attack while it is in progress, instead of after it is done.

7. Injections

To avoid injection attacks, input data should be sanitized, and special characters need particular care because they can corrupt the input data stream. Define a parameterized interface with strict data typing, where a pattern is defined for each input field and enforced strictly.
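The injection example from section 2 above, reworked in Python against a constructed in-memory SQLite table (an added example, not the article's code): lookup_unsafe pastes the raw itemid into the SQL string exactly as the ASP snippet does, while lookup_safe applies the strict digit-only pattern this section calls for and then binds the value as a parameter.

```python
import re
import sqlite3

ITEMID_PATTERN = re.compile(r"[0-9]{1,9}")   # the strict type an item number must satisfy

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Item table used in the article's example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Item (ItemNumber INTEGER, ItemName TEXT, ItemDescription TEXT)")
    db.executemany("INSERT INTO Item VALUES (?, ?, ?)", [
        (999, "Widget", "Public widget"),
        (1000, "Gadget", "Internal-only gadget"),
    ])
    return db

def lookup_unsafe(db: sqlite3.Connection, itemid: str):
    """Mirrors the article's ASP snippet: the raw query-string value is pasted into the SQL text."""
    sql = "SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = " + itemid
    return db.execute(sql).fetchall()

def is_valid_itemid(itemid: str) -> bool:
    """Strict typing: only a short run of ASCII digits is an item number, nothing else."""
    return ITEMID_PATTERN.fullmatch(itemid) is not None

def lookup_safe(db: sqlite3.Connection, itemid: str):
    """Validate first, then bind the value as a parameter so it can only ever be data, never SQL."""
    if not is_valid_itemid(itemid):
        raise ValueError("itemid must be an integer")
    sql = "SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = ?"
    return db.execute(sql, (int(itemid),)).fetchall()
```

With the input "999" both functions return the same row; with anything that is not a plain number the unsafe version executes it as SQL while the safe version refuses it before any query runs.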

Security best practices while constructing an API

1. Authorization

  • It is really important for an API to whitelist methods and users, and to protect sensitive data and resources from attackers. For authorization with two-factor authentication, the token key should be sent through cookies or in parameters of the request body; since cookies are stored on the local machine, this can be an effective way to protect against unauthorized users.
  • Access rights should be clearly defined for operations such as DELETE (deletion of data) or PUT (update of data). These methods must be accessible only to authenticated users, and their use should be logged.

2. Authentication

  • A user must be authenticated before making any API request.
  • Authentication can be based on a shared secret known to all authorized users.
  • The most common form is username and password; further layers can be added with multi-factor or token-based authentication.
  • In API security, authentication and authorization are two parallel sides that always go together.
  • Ideally, authentication should be done before authorization.

3. Auditing

  • Logs should be kept for every request, with timestamps, especially for users authorized to DELETE and UPDATE data.
  • Logs should be audited at regular intervals.
  • Token validation errors should always be logged so that attackers are detected.
  • Log data should be sanitized to minimize the risk of injection attacks.
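An added example (not from the article) of the two auditing points that most often go wrong in practice: each request becomes one JSON log line with a timestamp, every user-controlled field is stripped of CR/LF and other control characters so it cannot forge a log entry, and a monitor flags a source that accumulates too many token validation failures (401s) within a sliding window. Thresholds, field names and sample values are constructed for the example.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, tab, escape sequences, ...

def sanitize(value: str, limit: int = 200) -> str:
    """Replace control characters and cap the length so user input cannot forge or flood a log line."""
    return CONTROL_CHARS.sub("?", value)[:limit]

def audit_entry(method: str, path: str, user: str, status: int, source: str, ts: str = None) -> str:
    """One JSON line per request. ts is an ISO-8601 timestamp; user-controlled fields are sanitized."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    record = {"ts": ts, "method": sanitize(method), "path": sanitize(path),
              "user": sanitize(user), "status": int(status), "src": sanitize(source)}
    return json.dumps(record, separators=(",", ":"))

class TokenFailureMonitor:
    """Flags a source that produced `threshold` 401s within `window_seconds` (constructed thresholds)."""
    def __init__(self, threshold: int = 5, window_seconds: int = 60):
        self.threshold, self.window = threshold, window_seconds
        self.failures = defaultdict(deque)      # source -> timestamps of its recent 401s

    def observe(self, line: str) -> bool:
        """Feed one audit line; return True when the source crosses the threshold."""
        record = json.loads(line)
        if record["status"] != 401:
            return False
        t = datetime.fromisoformat(record["ts"]).timestamp()
        recent = self.failures[record["src"]]
        recent.append(t)
        while recent and t - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        return len(recent) >= self.threshold
```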

4. Validation

  • In an API design where the input comes from the user, authentication, authorization and input validation should be the primary tasks.
  • Input data should be strictly sanitized to minimize data injection attacks.
  • There should be strict guidelines for typing the input data, instead of enabling copy and paste.
  • Extra care should be taken with special characters, as they can corrupt the input data.

5. TLS (Transport Layer Security)

  • When a connection is secured by TLS, verify the properties below.
    • The connection is private: symmetric cryptography is used to encrypt the data transmitted over the network.
    • Separate encryption keys are generated uniquely for each connection.
    • Message transmission over the network is protected because a message authentication code is attached to the encrypted data and is validated throughout transmission.

6. Cryptography

  • This is one of the most important guidelines when it comes to security. APIs mostly handle data that arrives in the form of requests, so it is important to receive the data in encrypted form and decrypt it before sanitizing or validating it. Encryption can be symmetric or asymmetric.
  • Passwords, banking details and all sensitive data should be stored in the database in encrypted form, so that no one other than an authorized user can decrypt them. This matters most when building an API whose data comes primarily from user input.

7. DoS attacks

  • In this type of attack, an excessive volume of messages is sent to the API, which cannot process them because bandwidth and memory capacity are exhausted. Under such an attack the API denies service.
  • This is a severe attack because all partners, apps and mobile devices lose access to your API.
  • To avoid it, limit the data accepted in each request: only the necessary data should be accepted, and it should be sanitized.

8. HTTP status codes

  • It is important to use proper status return codes, rather than just 404 for every error and 200 for success.

Some of the status return codes are:

  • 400 – bad request
  • 401 – unauthenticated user
  • 403 – forbidden to access the data
  • 405 – method not allowed, when the user requests an API method that is not supported
  • 429 – too many requests have been made from the same origin
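An added example (not from the article) that ties the DoS guidance and the status codes above together: a request gate that returns 429 from a sliding-window rate limiter, 405 for methods outside the allowlist, 400 for an oversized body, 401 when no valid token is presented, and 403 when the caller lacks the role needed for PUT or DELETE. The token table, roles, limits and request layout are constructed for the example.

```python
from collections import defaultdict, deque

ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
WRITE_METHODS = {"PUT", "DELETE"}               # operations that need explicit access rights
MAX_BODY_BYTES = 4096                           # constructed limit; size it to real payloads

# Constructed identity store: token -> (user, roles). Real code validates signed tokens instead.
TOKENS = {"tok-alice": ("alice", {"reader"}), "tok-admin": ("admin", {"reader", "writer"})}

class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per source."""
    def __init__(self, limit: int = 5, window: int = 60):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)          # source -> timestamps of accepted requests

    def allow(self, source: str, now: float) -> bool:
        q = self.hits[source]
        while q and now - q[0] >= self.window:  # forget requests outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def gate(req: dict, limiter: RateLimiter, now: float) -> int:
    """Return the HTTP status the API should answer with; 200 means the request may proceed."""
    if not limiter.allow(req["source"], now):
        return 429                              # too many requests from this origin
    if req["method"] not in ALLOWED_METHODS:
        return 405                              # method not supported by this endpoint
    if len(req.get("body", b"")) > MAX_BODY_BYTES:
        return 400                              # oversized body (413 is another valid choice)
    identity = TOKENS.get(req.get("token"))
    if identity is None:
        return 401                              # unauthenticated: no valid token presented
    user, roles = identity
    if req["method"] in WRITE_METHODS and "writer" not in roles:
        return 403                              # authenticated, but not authorized to modify data
    return 200
```

The rate limit is checked first so that rejected requests still count against the caller; authentication comes before authorization, as the Authentication section above recommends.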

Conclusion

Organizations use APIs to connect to services and to transfer data. Unsecured APIs are one of the causes of data breaches. This article lists some of the important security aspects of an API. We have an expert team to help you address these issues so that your API has minimal loopholes, higher quality and better security.

swapnil-karwa

Test Engineer