What Are APIs and How to Protect API Vulnerabilities?

cover image

What Is an Application Programming Interface (API)?

Most people are familiar with the term “user interface (UI)”, which describes all the visible functions and features shown on the frontend that shape a user’s interaction with a software application. But when it comes to application programming interface (API), most find it difficult to depict a clear picture of what it does. This isn’t surprising because the end-user of the application only sees the UI and does not see the API. In fact, the main purpose of the API  is to hide the internal details of how a program works from the end-user.

Just as how the UI acts as an intermediary between the end-user and the application, the API serves as an intermediary between different applications. It is the code that determines the functions and procedures that enable one software application to communicate with another. APIs can be readily incorporated into application development, saving a lot of time and energy for developers.

With increasingly sophisticated functions and features, it is very inefficient to incorporate all functions into one complete application. This is because every time a part of the application needs changes, the entire program must be rewritten to link all requests to the server again. Such single-application programs are said to have a monolithic architecture.

Most applications we use today are built with a microservices architecture, where a typical application consists of hundreds of small applications that deliver microservices. In other words, an application is, in reality, a network of applications connected by APIs. For instance, imagine shopping on an e-commerce platform with millions of items from different sellers. A lot of small applications are built within the website to enable different features. The search console may be served by one application, whereas the recommendation feature is served by another. One of the most crucial applications is the login form, where the API processes the user credentials and retrieves corresponding private data from the database. In a nutshell, the API is the bridge that holds the entire application together, with its primary goal being to retrieve and transfer data between the UI and different applications.

 

What Are API Attacks?

In API-based web applications, user requests are processed by hundreds of small applications, and data are drawn from their respective microservers. Since every server is an endpoint, there are now hundreds of endpoints to secure. Security administrators must make sure every server is well updated and protected.

Most importantly, the API itself can be exploited by hackers for targeted attacks. One API vulnerability is enough to compromise a network of servers and databases. Given its crucial role in processing data, the API is an appealing entry point for those seeking unauthorized access to sensitive personal and financial information. We explain below some of the most common API vulnerabilities and how attackers can exploit them.

 

API Injection:

Ranked as the No. 1 threat on the OWASP Top 10 Vulnerabilities list and No. 8 on the OWASP API Security Top 10 list, injection attacks remain the greatest risk to websites and APIs. The most common types of injection include SQL injection (SQLi) and cross-site scripting (XSS).

SQL injection is when the attacker exploits vulnerabilities in the API by injecting an invalid SQL statement into the application query, resulting in the execution of malicious commands on the database. Depending on the severity of the vulnerability, the attacker could gain the privilege to view, modify, or even extract private data.

Similarly, cross-site scripting is when the attacker exploits vulnerabilities to inject malicious JavaScripts into the database. When the data is requested by the query, the JavaScripts would be executed by the web browser, revealing session information. The attacker can then use the session information to gain access to admin accounts.

 

Distributed Denial-of-Service (DDoS):

DDoS attacks are one of the most straightforward attacks carried out against web applications and APIs. The attacker hijacks a large number of IP addresses to send a bombardment of requests to the API, overwhelming the server and preventing it from processing legitimate requests. Similarly, brute force attacks can be carried out in a similar manner to overload the API and potentially breakthrough authentication. In severe cases, a continuous DDoS attack could bring down an application for days to weeks.

 

Privilege Escalation:

Privilege escalation is a common intrusion method where the attacker gains access to accounts and resources with limited access by escalating their account privilege. This can also be done at API endpoints, where hackers use exploited credentials of admin accounts to gain access to the API. This commonly occurs after API updates, as endpoint access is sometimes not taken care of during the updates.

 

Unsecured API Keys:

APIs are secured by keys that are only granted to the developer or admin user. Since each API key is unique, they prevent unauthorized users from tampering with the application program by modifying the API. However, it is not uncommon for developers to accidentally expose their API keys by saving them in insecure server environments. In some cases, API credentials get carelessly copied and pasted on GitHub.

 

Improper Assets Management:

Rated as a common API vulnerability on the OWASP API Security Top 10, attackers constantly search the web for beta and testing versions of APIs that tend to be forgotten in unsecured servers. These unprotected versions could still share endpoints that allow attackers to gain access to the production API. Similar to unsecured API keys, older versions of APIs should be either kept secure or safely retired. At the same time, access to production APIs should be separated from access to non-production versions.

 

Insufficient Logging and Monitoring:

Every organization should have a set of logging and monitoring systems in place so that it can be alerted when abnormal activities are detected. Instead of manual monitoring, automated monitoring systems help track failed login attempts, access denials, or suspicious traffic on a real-time basis, allowing security administrators to identify issues before they spread through the network and cause greater damage.

 

WAPPLES, the Ultimate Solution to Web and API Security

With Penta Security’s logical web application firewall (WAF) WAPPLES, all the web and API vulnerabilities can be safely protected with its AI-based detection rules, preventing all kinds of known and zero-day vulnerability exploits on web applications and APIs.

With automated logging and reporting, self-diagnostics, and periodic inspections, WAPPLES users enjoy the best user experience in the market, saving time and energy from manual maintenance. Download WAPPLES’ data sheet to learn more.

 

Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security