API security, in a nutshell, is the protection of the integrity of APIs. But what does that really mean?
API usage in businesses is now the norm and no longer a luxury for tech-savvy businesses, and more and more businesses now rely on APIs to transfer information and connect different services.
Considering the importance of APIs and how they are connected to a massive amount of valuable data, it’s obvious that now APIs are major targets of many cybercriminals all around the world. Gartner predicted that by 2022, API-related attacks will be the most frequent attack vectors, resulting in data breaches for many web applications.
Here, we will discuss all you need to know about API protection best practices, but let us first discuss the common API security challenges and threats so we know what we are dealing with.
API Security Threats and Challenges
While cybercriminals can use various methods and techniques to exploit API’s vulnerabilities, there are several main threats and challenges that deserve special attention:
- Inadequate/misconfigured authentication
This particular vulnerability allows attackers to bypass the authentication methods and gain access to the API. Missing or misconfigured authentications can compromise the API keys or passwords, as well as JSON web tokens that are often used to authenticate API access. This type of attack is to gain access to accounts, which in turn will give the attacker the same authority as the victim’s account.
To tackle this issue, not only we have to make sure authentication is implemented and configured properly, but should be strengthened with API Key, OAuth, and OpenId tokens, and others. Also, never send API credentials over connections that aren’t secured and don’t reveal session ID in URL.
- DoS and DDoS Attacks
There are various methods the attacker can use to perform a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, but the objective is to slow down or completely shut down the API so it can’t be accessed by its users (denying its service).
Commonly done by using a botnet (a group of malware-infected devices) to perform a massive amount of requests to the APIs beyond the server’s capabilities. To tackle this, we can limit the number of requests (spike arrest), and when this limit is exceeded, we can block the client from accessing the API key temporarily or permanently.
- Injection Attacks
In an injection attack, a malicious program/code is injected into the API to manipulate its behavior, for example, so that the API will display sensitive data. SQL injection and cross-site scripting (XSS) are typical examples of API injection attacks.
The most effective way to stop injection attacks is to implement input validation.
- Parameter Tampering
Parameter tampering is a type of attack where the attacker manipulates the parameters exchanged between the API’s server and the client to modify application data such as user permissions, price of products, etc.
To tackle this issue, we should carefully validate the received URL parameters to ensure the received data is indeed valid.
- Man In The Middle (MITM) Attack
MITM is a type of attack where the cybercriminal secretly intercepts communications between the API and the client. The attacker splits the original connection into two new connections, one between the API and the attacker, and another between the attacker and the client. As we can see, this effectively turns the attacker into a ‘man in the middle’, hence the name.
Once the new connection has been established, the attacker can then intercept valuable information or even modify the information as they please.
Implementing API Protection To Ensure Security and Integrity
1. Implement Authentication Accordingly
A very important practice to ensure a secure API is a proper authentication for both applications and end-users.
At the moment, OAuth2 is the standard authentication protocol in API security. OAuth2 is a token-based authorization, offering time-bound access to the protected API resources without requiring the user to reveal their credentials. This provides all sorts of versatility for the end-users, applications/clients, and the API itself.
So, make sure to at least implement OAuth2 on your API, besides all the required authentication protocols according to your needs.
2. Install Anti-Bot Management Solution
Many attack vectors targeting APIs are made possible with bots, and so by properly detecting and managing these bot activities, we can effectively protect the API’s integrity and security.
However, detecting bot activities in APIs can be very difficult due to the mobile nature of the API, and a proper solution with mobile API protection is required.
DataDome relies on a combination of both server-side and client-side integration to detect three kinds of unauthorized API access (API call without any application, API call utilizing valid applications on real devices, and API calls from Android/iOS emulators).
3. Slow Attacks With Rate-Limiting
Especially useful on DoS and DDoS attacks, we can establish rules like only allowing a client to call an API 100 times per second, or even limiting the number of API calls per day per client.
While this can’t be 100% effective in preventing very sudden and massive spikes in advanced DDoS attacks, rate-limiting can help absorb minor spikes in API traffic.
4. Input Validation
Input validation is crucial in preventing various types of injection attacks that may occur.
The API should leverage an OpenAPI specification or other methods to clearly define both inputs and output and allow an integrated input validation process. Another effective method is to deploy shared libraries, as well as policies that enable easy and uniformed input validation processes on all levels.
APIs have become major targets for cybercriminals in recent years, and we can no longer rely on traditional solutions to keep you protected from modern attacks. Implementing the right infrastructure to defend your API from external attacks, as well as maintaining cybersecurity best practices are very important so you can quickly stop any threat and protect the integrity of your API.