What Is API Security?


Application programming interface (API) security is the set of strategies and controls for understanding and mitigating the vulnerabilities and attacks that specifically target APIs. Its purpose is to detect, mitigate and prevent attacks by adversaries who use an exposed API as their way into the network and the data behind it. An API security solution should cover the OWASP API Security Top 10, including injection, broken authentication and authorization (object- and function-level access violations), excessive data exposure and DoS/DDoS enabled by missing rate limits.

An API is an interface that defines how software components interact: which requests one program may make of another, how those requests are formed, and which data formats are exchanged. APIs are used in Internet of Things (IoT) applications and on websites, where they typically gather and process data or accept user input that is then processed inside the environment hosting the API.

What Is API Protection?

Watch this Radware Minute episode with Radware’s Uri Dorot to learn what APIs (Application Programming Interfaces) are, what cyber threats they are exposed to, why it is so important to protect your organization’s APIs and what to look for when evaluating API protection solutions.

Why is API Security Important?

Businesses use APIs to connect services and to transfer data. Major data breaches have resulted from broken, exposed or compromised APIs that leaked sensitive medical, financial and personal data. Not all data is the same, however, nor does all of it need to be protected in the same way: how you approach API security depends on the kind of data the API transfers.

SOAP versus REST APIs

Most APIs are built in one of two styles: REpresentational State Transfer (REST) or Simple Object Access Protocol (SOAP). REST is an architectural style for building web services that is popular for its simplicity; it maps operations onto HTTP methods and URLs. SOAP is a message protocol: every request and response is an XML envelope with a defined structure, which lets the components of an application communicate regardless of platform.

REST APIs rely on HTTP and on transport layer security (TLS) to protect data in transit, and most commonly exchange JavaScript Object Notation (JSON), although XML and other formats are also used. SOAP is usually carried over HTTP as well, but the protocol itself is transport-independent, and its security extensions (WS-Security) can sign and encrypt individual messages rather than relying on the transport alone. In practice, REST security leans on TLS plus HTTP-level authentication (for example OAuth 2.0 bearer tokens or API keys) and strict validation of JSON input, while SOAP brings its own message-level security model and an XML message format that the server must parse safely.


What is the OWASP API Security Top 10?

The list below is the 2019 edition of the OWASP API Security Top 10; OWASP published a revised edition in 2023.

  • API1 - Broken Object Level Authorization
  • API2 - Broken User Authentication
  • API3 - Excessive Data Exposure
  • API4 - Lack of Resources and Rate Limiting
  • API5 - Broken Function Level Authorization
  • API6 - Mass Assignment
  • API7 - Security Misconfiguration
  • API8 - Injection
  • API9 - Improper Assets Management
  • API10 - Insufficient Logging and Monitoring
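
Two of the items above, API1 (Broken Object Level Authorization) and API6 (Mass Assignment), are the ones most often found in otherwise well-built REST services, because nothing in the framework forces the check. The following is an added example written for this page, not code from the original article or from any Radware product: each flaw is shown as a vulnerable handler next to its hardened form over a constructed in-memory order store. The users, order IDs and the allow-list of client-writable fields are assumptions for the demonstration.

```python
"""Added example (not from the original page): OWASP API Security Top 10 (2019)
items API1 Broken Object Level Authorization and API6 Mass Assignment, each as a
vulnerable handler beside its hardened form. All data below is constructed."""
from dataclasses import dataclass, asdict


@dataclass
class Order:
    order_id: int
    owner: str
    total: float
    status: str = "pending"
    is_refunded: bool = False


# Constructed sample store: two customers, one order each.
ORDERS = {
    1001: Order(1001, "alice", 42.50),
    1002: Order(1002, "bob", 99.00),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# --- API1: Broken Object Level Authorization --------------------------------

def get_order_vulnerable(current_user, order_id):
    """Looks the order up by the caller-supplied ID alone. Any authenticated
    user can read any other user's order simply by changing the ID (BOLA)."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return asdict(ORDERS[order_id])


def get_order_hardened(current_user, order_id):
    """Same lookup, but the record's owner is compared with the authenticated
    principal before anything is returned. A missing order and someone else's
    order produce the same error, so the endpoint does not reveal which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != current_user:
        raise NotFound(order_id)
    return asdict(order)


# --- API6: Mass Assignment --------------------------------------------------

def update_order_vulnerable(current_user, order_id, payload):
    """Copies every key of the JSON body onto the record. A client that adds
    {"is_refunded": true} or {"total": 0} rewrites fields that were never
    meant to be client-writable."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != current_user:
        raise NotFound(order_id)
    for key, value in payload.items():
        setattr(order, key, value)
    return asdict(order)


# Assumed allow-list: the only field a customer may change, and its legal values.
CLIENT_WRITABLE = {"status"}
ALLOWED_STATUS = {"pending", "cancelled"}


def update_order_hardened(current_user, order_id, payload):
    """Binds only allow-listed fields, validates their values, and rejects a
    request that names anything else instead of silently dropping the extra keys."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != current_user:
        raise NotFound(order_id)
    unexpected = set(payload) - CLIENT_WRITABLE
    if unexpected:
        raise Forbidden(f"fields not writable by client: {sorted(unexpected)}")
    if "status" in payload and payload["status"] not in ALLOWED_STATUS:
        raise Forbidden(f"invalid status {payload['status']!r}")
    for key in CLIENT_WRITABLE & set(payload):
        setattr(order, key, payload[key])
    return asdict(order)


def denied(fn, *args):
    """True if the handler refuses the call with NotFound or Forbidden."""
    try:
        fn(*args)
    except (NotFound, Forbidden):
        return True
    return False


if __name__ == "__main__":
    print("alice reads bob's order (BOLA):", get_order_vulnerable("alice", 1002))
    print("hardened refuses:", denied(get_order_hardened, "alice", 1002))
    print("mass assignment:", update_order_vulnerable("alice", 1001, {"is_refunded": True}))
    print("hardened refuses:", denied(update_order_hardened, "alice", 1001, {"is_refunded": True}))
```

The hardened versions fail closed: an owner mismatch is indistinguishable from a missing record, and an unexpected field is an error rather than a field that is quietly ignored, which is what makes a mass-assignment attempt visible in logs.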

Six Automated Threats to APIs

API Abuse

Attackers reverse engineer mobile and web applications to discover and hijack the API calls they make, then program bots to drive those APIs directly. They target APIs to take over accounts, scrape business-critical data and carry out application-layer distributed denial of service (DDoS) attacks by flooding the API server with unwanted requests. For an online business it is therefore essential to distinguish accurately between legitimate and malicious API calls.

Cybercriminals abuse API vulnerabilities to steal personally identifiable information (PII) and business-critical data, carry out account takeover attacks and run systematic content-scraping campaigns. The bot-driven forms of API abuse, application DDoS, account takeover and web scraping, are described in the sections that follow.

Account Takeover

Account takeover (ATO) is a form of identity theft in which a fraudster uses bots to gain access to a victim's bank, e-commerce or other online account. A successful ATO leads to fraudulent transactions and unauthorized purchases from the compromised account. Fraudsters use two primary methods to hijack accounts: credential stuffing and credential cracking.

Application DDoS

Hackers and cybercriminals attack APIs by deliberately overloading them with large volumes of bot traffic from many devices and IP addresses. This puts business-critical services at risk: login, session management and the other services that keep an application up and available to its users.

Attackers running application DDoS campaigns often exploit the asymmetry between request and response: they send small requests that trigger API calls whose responses are expensive to compute or large to return, so the server does far more work per request than the attacker does. Such attacks tie up system resources and increase response times for every user of the system.
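
The standard counter to this asymmetry is to meter clients by the cost of what they ask for rather than by raw request count, so that a small request to an expensive endpoint consumes more of a client's budget than a cheap one. The following is an added example written for this page, not code from the original article or from any Radware product: a per-client token bucket whose per-endpoint costs, refill rate, IP addresses and request stream are all constructed assumptions.

```python
"""Added example (not from the original page): a per-client token-bucket
limiter that charges expensive API endpoints more tokens per request, so a
bot firing small requests at a costly endpoint is throttled quickly while a
legitimate client pacing cheap calls is untouched. All data is constructed."""
from collections import defaultdict

# Assumed cost of each endpoint in tokens. Search is the asymmetric one:
# a tiny request makes the server assemble a large, expensive response.
ENDPOINT_COST = {
    "GET /api/health": 1,
    "GET /api/orders/{id}": 2,
    "GET /api/search": 10,
}
DEFAULT_COST = 5  # unknown endpoints do not get the cheapest rate by default


class TokenBucket:
    """Classic token bucket: holds up to `capacity` tokens, refilled at `rate`
    tokens per second, computed lazily from the time of the last request."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.updated = None  # timestamp of the last take()

    def take(self, cost, now):
        if self.updated is not None:
            elapsed = now - self.updated
            self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class ApiLimiter:
    """One bucket per client key (here the source IP; in production a key
    that also covers the authenticated principal or API key)."""

    def __init__(self, capacity=20, rate=2.0):
        self.buckets = defaultdict(lambda: TokenBucket(capacity, rate))

    def check(self, client, endpoint, now):
        cost = ENDPOINT_COST.get(endpoint, DEFAULT_COST)
        return self.buckets[client].take(cost, now)


def run(requests, limiter=None):
    """Replay (timestamp, client, endpoint) tuples in time order and return,
    per client, how many requests were allowed and how many would get HTTP 429."""
    limiter = limiter or ApiLimiter()
    stats = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for ts, client, endpoint in sorted(requests):
        key = "allowed" if limiter.check(client, endpoint, ts) else "rejected"
        stats[client][key] += 1
    return {client: dict(counts) for client, counts in stats.items()}


# Constructed traffic: a legitimate client paging through its orders every
# half second, and a bot hitting the search endpoint 20 times per second.
SAMPLE = (
    [(i * 0.5, "10.0.0.5", "GET /api/orders/{id}") for i in range(10)]
    + [(i * 0.05, "203.0.113.9", "GET /api/search") for i in range(40)]
)

if __name__ == "__main__":
    for client, counts in run(SAMPLE).items():
        print(client, counts)
```

With a 20-token bucket refilling at 2 tokens per second, the legitimate client spends 2 tokens every 0.5 s and earns 1 back in between, so it never runs dry; the bot exhausts its bucket after two search calls and has 38 of 40 requests rejected while the server has done almost no work on its behalf.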

Credential Cracking or Brute Force

Also known as "brute forcing," credential cracking identifies valid credentials by trying many values for usernames and passwords, often drawn from common-password lists and from breached credentials that have been made public. Bots work through the candidates by exhaustive brute force, dictionary attacks (large word lists) and guessing of common patterns until a valid login is found. Symptoms include a sudden increase in failed login attempts and a rise in account-hijacking complaints from customers.

Credential Stuffing

Credential stuffing exploits users' habit of reusing the same username and password across multiple websites. Bots test lists of credentials, obtained from dumps of breached databases or purchased on the dark web, against a range of websites in the hope that a victim reused the same pair elsewhere. Unlike credential cracking, credential stuffing involves no brute force or guessing; mass login attempts simply verify which stolen username and password pairs are valid on the target. Its characteristic symptom is a run of consecutive login attempts with different usernames from the same HTTP client.
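
The two login attacks above leave opposite fingerprints in the same authentication log: cracking is one client failing repeatedly against one account, stuffing is one client trying many different accounts once each. The following is an added example written for this page, not code from the original article or from any Radware product: it parses constructed log lines, profiles each client and labels the pattern. The log format, thresholds, IP addresses and user names are all assumptions.

```python
"""Added example (not from the original page): telling credential cracking
from credential stuffing in authentication logs. One client with many failures
against one or two accounts is cracking; one client whose attempts almost all
use a different username is stuffing. Format, thresholds and data are constructed."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> client=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: a normal user who mistypes once, a cracking bot
# working on 'bob', a stuffing bot that gets into 'erin', and one unrelated line.
SAMPLE_LOG = """\
2024-05-02T10:00:00Z client=192.0.2.10 user=alice result=FAIL
2024-05-02T10:00:01Z client=192.0.2.10 user=alice result=OK
2024-05-02T10:00:02Z client=198.51.100.7 user=bob result=FAIL
2024-05-02T10:00:02Z client=198.51.100.7 user=bob result=FAIL
2024-05-02T10:00:03Z client=198.51.100.7 user=bob result=FAIL
2024-05-02T10:00:03Z client=198.51.100.7 user=bob result=FAIL
2024-05-02T10:00:04Z client=198.51.100.7 user=bob result=FAIL
2024-05-02T10:00:04Z client=198.51.100.7 user=bob result=FAIL
2024-05-02T10:00:05Z health-check from 10.0.0.1
2024-05-02T10:00:10Z client=203.0.113.5 user=carol result=FAIL
2024-05-02T10:00:10Z client=203.0.113.5 user=dave result=FAIL
2024-05-02T10:00:11Z client=203.0.113.5 user=erin result=OK
2024-05-02T10:00:11Z client=203.0.113.5 user=frank result=FAIL
2024-05-02T10:00:12Z client=203.0.113.5 user=grace result=FAIL
2024-05-02T10:00:12Z client=203.0.113.5 user=heidi result=FAIL
"""

MIN_ATTEMPTS = 5       # assumed: clients below this are not judged at all
STUFFING_RATIO = 0.8   # assumed: share of attempts that introduced a new username


def parse(log_text):
    """Return the well-formed events as dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def profile_clients(events):
    """Aggregate attempts, failures, distinct usernames and successes per client."""
    per_client = defaultdict(
        lambda: {"attempts": 0, "failures": 0, "users": set(), "succeeded": set()}
    )
    for e in events:
        p = per_client[e["client"]]
        p["attempts"] += 1
        p["users"].add(e["user"])
        if e["result"] == "FAIL":
            p["failures"] += 1
        else:
            p["succeeded"].add(e["user"])
    return per_client


def classify(log_text):
    """Label each client normal, credential_cracking, credential_stuffing or
    suspicious, and list the accounts a stuffing client actually got into."""
    verdicts = {}
    for client, p in profile_clients(parse(log_text)).items():
        distinct = len(p["users"])
        if p["attempts"] < MIN_ATTEMPTS:
            verdict = "normal"
        elif distinct / p["attempts"] >= STUFFING_RATIO:
            verdict = "credential_stuffing"
        elif p["failures"] >= MIN_ATTEMPTS and distinct <= 2:
            verdict = "credential_cracking"
        else:
            verdict = "suspicious"
        verdicts[client] = {
            "attempts": p["attempts"],
            "failures": p["failures"],
            "distinct_users": distinct,
            "verdict": verdict,
            # a success inside a stuffing run means that pair is valid here too
            "compromised": sorted(p["succeeded"]) if verdict == "credential_stuffing" else [],
        }
    return verdicts


if __name__ == "__main__":
    for client, v in classify(SAMPLE_LOG).items():
        print(client, v)
```

The "compromised" list is the operationally important output: a stuffing run that produced even one OK means that account's reused password is already known to the attacker and needs a forced reset, whereas a cracking run against one account calls for locking or step-up authentication on that account and blocking the source.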

Web Scraping

Competitors, fraudsters and "fly-by-night" operators who set up websites to defraud consumers often plagiarize an entire website's content through systematic scraping campaigns, using bots to extract the data from its APIs. To do so they reverse engineer the web and mobile applications to find and hijack the API calls that serve that content.
