In this article we tried to list down few known API security threats which your team should be aware of and proposed steps to prevent these threats.
In this era where everyone either digitally transformed or undergoing for digital transformation, an huge amount of data is exposed via API’s which make API Security no longer an afterthought. APIs expose data directly without involving browser precautions. Unlike old days where people were worried about issues like SQL injections or XSS, one need to be concerned about the issues like bad actor who was able to paginate through all confidential data of your customers. As APIs are designed to handle a very large number of API accesses so traditional prevention mechanisms like Captchas or browser fingerprinting is not the answer in case of APIs. To start with your team need to thing like hackers and equip exposed API’s to detect and block known and unknowns for zero-day exploits.
Few knowns are:
- Broken Object Level Authorization
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources & Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Improper Assets Management
- Insufficient Logging & Monitoring
Few tips for prevention of security threats are list below
Secure against pagination attacks:
The simplest way to track no of items of single resource are accessed within a certain timeslot by each user or issued Key rather just at the request level. Such tracking of API resource access at the user level, will help you blocking a user or API Key once a pre-defined threshold is touched.
Secure against API key pools
the quickest and simplest way to secure is by requiring a human to sign-up for exposed service and generate API Key. New user who sign-up for your service should not be allowed to generate API-Key programmatically unless there is a legitimate business case. To secure further ensure any anomaly detection for abnormal behavior is done at the user and account level in addition to each API key level.
Go one step further and ensure any anomaly detection for abnormal behavior is done at the user and account level, not just for each API key.
Stopping DDoS attacks
As every access requires an API Key, if no key provided reject should be automatically rejected, this is the real magic in APIs. Ensure authentication is short circuited very early before later middleware like request JSON parsing. To handle authentication request, the easiest method is to limit counters for each API key i.e. handle X requests/minute and reject those anobe the threshold with a 429 HTTP response. There are a variety of algorithms to do this such as leaky bucket and fixed window counters.
Ensure no caching
You should ensure Cache-Control headers are properly configured. A big gotcha for APIs is that many do not use the standard Authorization header instead using a custom header like X-Api-Key. Caching servers do not have knowledge of this request being authenticated and thus chooses to cache the request.
If you like our article please let us know, we will write more on this subject.