The vast majority of the population turn on the computer or their mobile phones to open their browser applications to surf the web and check their emails or use mobile applications to do the same. As of December 2018, there were billion users on the Internet, and will inevitably grow to unprecedented amounts in the foreseeable future. In today’s web access, much of the data that was accessed is done through APIs. The role of APIs in modern application infrastructure for authentication and access means that it becomes essential to keep these APIs secure.
What is an API?
API stands for Application Programming Interface, and it essentially is a software intermediary that allows two applications to communicate with each other. Think of an API like a restaurant. As a customer, the API would be the waiter that takes your order. Using this analogy, the kitchen would be your server that holds a certain type of information. An API call would be your order, and the response would the food that comes from the kitchen. APIs are exceptionally useful when developers to build applications because they become code blocks that can be reused. Therefore, it’s not uncommon to see a company that runs multiple applications run off the same authentication API or payment APIs.
1. Authentication and Authorization
One of the most common issues when dealing with APIs are the authentication and authorization components of the application. Authentication in the context of an application using an API refers to validating the identity of the user. If no validation is done, and the application consists of multiple roles, it may be trivial for someone to login to a role they shouldn’t have access to. Authorization refers to privileges that the authenticated user has rights to.
Since APIs are the building blocks of a much larger application, not a lot of people think about authorization problems. Therefore, in an application with multiple levels of access, it’s become common for a user of a lesser privilege accesses data or information of users belong to a higher level of privilege. Here are a few well-known unprotected APIs that leaked information due to authentication and authorization flaws:
- The Kardashians: The Kardashian clan launched 4 websites and apps for their followers through Communly. After it was abandoned, the API server was left unprotected, allowing the public to look through the details of registered users.
- Target: Target’s Android application leaked about 5000 users of their real names, email and shipping addresses, phone numbers, and wish lists due to an unprotected API
- Wishbone: A popular teen quiz app had an API without authorization where it included 2,326,452 full names, 2,247,314 email addresses, and 287,502 mobile numbers.
If your application contains critical APIs, it is recommended to give them an entitlement review to ensure users aren’t able to access other user’s data nor higher privileged accounts.
2. Business Logic
Every application serves some sort of business function. You might be charging your customers for a service or a product. Your application might serve as a platform for students, educators, and professors. There are a wide variety of different types of web applications. If it becomes possible for a user to pay for a product or a service for less than the amount that it was meant, then this becomes a circumvention of the application’s business rules. Sometimes this is as simple has changing the value of the price before the API call is sent to the server.
For example, if a money transfer application has a rule in place where transactions over $2000 must be reviewed by a person, it may be possible for a user to bypass such a rule. Regardless of what business rules are in place, these vulnerabilities often carry high impact, and is unlikely to be detected through automated schemes. Hence, it is important for a seasoned tester to have a look what might be high impact for high impact business logic vulnerabilities.
3. Lack of Resources & Rate Limiting
Quite often, APIs do not have restrictions in place to prevent the number of calls that can be requested by their users. This becomes problematic as seen by the Target android application API leak. Security researchers from Avast only needed to figure out how Target assigns an ID to each of the users. Once the pattern (usually a numerical ID) is understood, an attacker can simply iterate through the numerical space to find details of all its other users. First, this is an authorization problem, but had the API had limits in place to prevent this sort of brute-force attack, it would have significantly hampered efforts to gather information on its users.
4. Input Validation and Output Encoding
5. API Logging
Last, but not least, APIs are often not monitored or logged. Without proper visibility and monitoring activity into your APIs, it becomes difficult to discover patterns or excessive usage that could signal an intrusion attempt. More often than not, overtime, this might become a business requirement. Other than its utility in troubleshooting, it has tremendous gains when it comes to security. It is important when implementing API logging to keep errors and API implementation details to a minimum.
Each of these are thoroughly assessed through a strong testing methodology to ensure complete coverage of the OWASP Top 10 and the OWASP API Security Top 10. As the speed and agility of APIs continue to make its way into modern web applications, all the more security testing needs to accompany development at every step of the way. We see firsthand that clients who reach out to us to test their web applications walk away with an immediate benefit for their organizations: code with far fewer security vulnerabilities.