Open API: The Key Security Threats

Jun 27, 2017


APIs enable integration of various applications, connect people, systems, data and things, and simplify interaction between them.

Enterprises can be transformed into platforms. However, Open APIs represent a gateway for cyber attacks.

IoT, mobile apps, and the Cloud require companies to expose their data to their employees, customers, and partners.

The open structure of APIs simplifies the work of developers and keeps the company agile. However, it also brings a range of security risks.

The most common forms of attacks

Identity-based attacks

APIs with weak spots in authentication, authorization or session tracking are vulnerable to identity-based attacks.

In web technologies, authentication is performed with a combination of username and password, together with a limited browsing history. With APIs it is different: device identities interact with several identity layers, such as user login data for various apps and websites, or device identification.

API keys pose an additional challenge, as they assign a unique identity to a client application and represent a kind of access code.

When a request is made, the key identifies the particular application, but not the user and not the individual instance of the application. This makes APIs vulnerable to identity-based attacks.

Using API keys alone is not enough to ensure security.

Keys should not be used as an authorization or tracking mechanism: they do not identify users, they are often visible in server logs and embedded in URLs, and because they cannot be stored securely on the client side, attackers can easily extract them.

To prevent identity-based attacks, HTTPS should be treated as a basic requirement of secure API management. HTTPS protects the integrity of all data exchanged between client and server and also offers the option of authenticating the client.

User identities and application identities should be implemented separately. Strict authentication based on criteria such as IP address, access duration, device identification for mobile apps or geolocation is indispensable.
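The following is an added example, not code from the original post, that puts the recommendations of this section into practice: the server stores only a hash of each API key, refuses keys passed in the URL, compares keys in constant time, tracks the user identity separately from the application identity, and masks keys and tokens before a request line reaches the log. The key, session token and application name are constructed sample values.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _hash_key(api_key: str) -> str:
    """Server-side representation of a key: a leaked table exposes no usable key."""
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed sample data (hypothetical): one key issued to the application
# "mobile-app", and one user session that is tracked independently of it.
APP_KEYS: Dict[str, str] = {_hash_key("app-key-demo-1234"): "mobile-app"}
USER_SESSIONS: Dict[str, str] = {"sess-9f8e7d": "alice"}


@dataclass
class Principal:
    application: str          # identified by the API key
    user: Optional[str]       # identified by a separate session token, if any


def redact_for_log(line: str) -> str:
    """Mask API keys and bearer tokens so they never appear in server logs."""
    line = re.sub(r"(api_key=)[^&\s]+", r"\1***", line)
    line = re.sub(r"(X-API-Key: )\S+", r"\1***", line)
    line = re.sub(r"(Bearer )\S+", r"\1***", line)
    return line


def authenticate(headers: Dict[str, str], query: Dict[str, str]) -> Tuple[Optional[Principal], str]:
    """Return (principal, "ok") or (None, reason).

    The API key only identifies the calling application; a user is only
    known if a valid session token is presented in addition."""
    if "api_key" in query:
        # Keys in the URL end up in logs, proxies and browser history.
        return None, "API key must not be passed in the URL"
    key = headers.get("X-API-Key")
    if not key:
        return None, "missing API key"
    digest = _hash_key(key)
    app = None
    for stored, name in APP_KEYS.items():
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(stored, digest):
            app = name
    if app is None:
        return None, "unknown API key"
    auth = headers.get("Authorization", "")
    user = None
    if auth.startswith("Bearer "):
        user = USER_SESSIONS.get(auth[len("Bearer "):])
        if user is None:
            return None, "invalid session token"
    return Principal(application=app, user=user), "ok"


if __name__ == "__main__":
    print(redact_for_log("GET /v1/items?api_key=app-key-demo-1234 HTTP/1.1"))
    print(authenticate({"X-API-Key": "app-key-demo-1234",
                        "Authorization": "Bearer sess-9f8e7d"}, {}))
```

The hashed store and the `Principal` split are the two design choices worth copying: a key proves which application is calling, while who is calling must come from a credential that is issued, rotated and revoked on its own lifecycle.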

Parameter risks

Parameter attacks take various forms, but the basic principle is the same: attackers manipulate the inputs a system accepts in order to gain access to the application and its data structures (including the URL, query parameters and HTTP headers).

Parameter attacks have traditionally targeted web applications, but they pose a growing threat to APIs. Compared with web technologies, APIs expose a larger part of the HTTP protocol, which makes their parameters more exposed to manipulation.

Security strategies exist that reduce the risk of such attacks. The most effective defence is to verify the validity and safety of all incoming data.

This is achieved with a strict, purpose-built schema that defines the permitted inputs and checks incoming data against them, using types, ranges and sets. The result is a whitelist which, because it is maintained continuously, reduces the risk of data and system manipulation.

It should be noted that schemas generated automatically by many development tools often reduce parameters to coarse models that are less effective for threat detection.

For XML-based content types, one option is the XML Schema language, which is highly effective at defining restricted content models and structure.

For the increasingly widespread JSON data types, the JSON Schema description language can be used. The benefit: JSON is less complex than XML, which makes risks more transparent and improves the effectiveness of the protection.
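As an added example (not part of the original post, and not using any particular JSON Schema library), the small validator below shows the whitelist principle described above for a JSON request body: every permitted parameter is declared with its type and, where applicable, a range or a fixed set of values, and anything not declared is rejected. The `ORDER_SCHEMA` and the request bodies are constructed for illustration.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Hypothetical whitelist for a "create order" request. Each entry declares the
# permitted type and, optionally, a numeric range, a length limit or a fixed set.
# Parameters that are not listed here are refused, whatever their value.
ORDER_SCHEMA: Dict[str, Dict[str, Any]] = {
    "sku":      {"type": str, "max_len": 32},
    "quantity": {"type": int, "min": 1, "max": 100},
    "currency": {"type": str, "enum": {"EUR", "USD", "GBP"}},
    "notes":    {"type": str, "max_len": 200, "optional": True},
}


def validate(payload: Dict[str, Any], schema: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return a list of violations; an empty list means the payload is accepted."""
    errors: List[str] = []
    for name in sorted(set(payload) - set(schema)):
        errors.append(f"{name}: parameter not permitted")
    for name, rule in schema.items():
        if name not in payload:
            if not rule.get("optional"):
                errors.append(f"{name}: required")
            continue
        value = payload[name]
        # bool is a subclass of int in Python, so reject it explicitly for int fields.
        wrong_type = (rule["type"] is int and isinstance(value, bool)) or \
                     not isinstance(value, rule["type"])
        if wrong_type:
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum {rule['max']}")
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: longer than {rule['max_len']} characters")
        if "enum" in rule and value not in rule["enum"]:
            errors.append(f"{name}: value not in permitted set")
    return errors


def parse_request(body: bytes, schema: Dict[str, Dict[str, Any]]) -> Tuple[Optional[Dict[str, Any]], List[str]]:
    """Decode a JSON body and validate it; returns (data, []) or (None, errors)."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return None, [f"body: malformed JSON ({exc.msg})"]
    if not isinstance(data, dict):
        return None, ["body: expected a JSON object"]
    errors = validate(data, schema)
    return (data, []) if not errors else (None, errors)


if __name__ == "__main__":
    # Constructed sample bodies: one well-formed, one carrying an undeclared field.
    good = b'{"sku": "ABC-1", "quantity": 2, "currency": "EUR"}'
    bad = b'{"sku": "ABC-1", "quantity": 0, "currency": "XXX", "is_admin": true}'
    print(parse_request(good, ORDER_SCHEMA))
    print(parse_request(bad, ORDER_SCHEMA))
```

The important property is that the schema is the whole list of what may arrive; a generated schema that only records "quantity is a number" would accept `0`, `-1` or `1e9` and defeats the purpose of the whitelist.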

Man-In-The-Middle

So-called 'Man-in-the-Middle' attacks are much feared: the attacker impersonates the other communication partner in order to intervene invisibly in the data traffic.

Sending API keys, OAuth tokens and JSON Web Tokens by e-mail makes it easier for MITM attackers to break into the application. If a developer neglects lifecycle management and ignores the best practices of secure key management, the risk of manipulation increases significantly.

Consistent protection of APIs and API traffic comes from a properly configured SSL/TLS connection.

Hardware security modules provide additional protection for API keys.

The best approach to secure API management is to separate the implementation of APIs from their protection.

Developers can concentrate on configuring the APIs that connect applications, systems and data, while security experts are responsible for protecting parameters, identities and data. Combining these competencies and letting each side focus on its strengths helps to minimise the attack risk.