APIs have become the backbone of modern applications: a single back-end now serves many front-ends (web, mobile, partner integrations), and REST-style APIs running over HTTP with JSON or XML are the preferred choice for developers. The same endpoints are also a natural target for attackers. Hence developers need to build the right security controls into APIs during design and development, rather than bolting them on afterwards. Here are the important security controls for APIs:
Authentication control – APIs should have proper authentication in place. Most APIs run on access tokens or API keys, and OAuth 2.0 is the popular framework for issuing such tokens. The token must be validated on every single API call (presence, integrity, expiry and revocation), never only on the first request, and the validation must happen on the server. If session-based authentication is used instead, session management (secure cookie attributes, expiry, invalidation on logout) along with proper validation must be in place.
Authorization control – APIs should be guarded by a proper authorization layer on two fronts: the token layer (who the caller is and which roles or scopes the token carries) and HTTP method access. REST APIs use the HTTP methods with distinct meanings: GET to read, POST to create an entry, PUT to update and DELETE to remove. Hence it is imperative to implement double locking, with authorization both at the token layer and at the method layer, and a default of deny for any method/path pair that is not explicitly allowed. In certain cases, locking is required at the path level as well (for example /admin/ or /globalconfig/). Method and path checks alone are still not enough: the API must also verify that the caller is entitled to the specific object a request names (that /api/items/42 really belongs to the caller), otherwise an authenticated user can walk through other users' data simply by changing an identifier.
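The two locks described above, token validation on every request followed by a method- and path-level authorization table, as an added example in Python. This is illustration code written for this article, not an implementation from the author; the opaque server-side token store, the role names and the POLICY table are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

TOKEN_TTL_SECONDS = 3600


@dataclass
class Principal:
    user_id: str
    roles: Set[str]
    expires_at: float


# Constructed server-side token store (token -> Principal). A real deployment keeps this
# in a database or cache; the point is that the server, not the client, holds the truth.
TOKENS: Dict[str, Principal] = {}


def issue_token(user_id: str, roles: Set[str], now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits of randomness, unguessable
    TOKENS[token] = Principal(user_id, set(roles), now + TOKEN_TTL_SECONDS)
    return token


def authenticate(authorization: Optional[str], now: Optional[float] = None) -> Optional[Principal]:
    """Validate the bearer token on every request: present, known and not expired."""
    now = time.time() if now is None else now
    if not authorization or not authorization.startswith("Bearer "):
        return None
    token = authorization[len("Bearer "):].strip()
    principal = TOKENS.get(token)
    if principal is None:
        return None
    if principal.expires_at <= now:
        TOKENS.pop(token, None)                  # expired: evict so it can never be reused
        return None
    return principal


# Hypothetical policy: (path prefix, method) -> roles allowed. The longest matching
# prefix wins, and anything absent from the table is denied.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("/api/items/", "GET"): {"user", "admin"},
    ("/api/items/", "POST"): {"user", "admin"},
    ("/api/items/", "PUT"): {"user", "admin"},
    ("/api/items/", "DELETE"): {"admin"},
    ("/admin/", "GET"): {"admin"},
    ("/admin/", "POST"): {"admin"},
    ("/admin/", "PUT"): {"admin"},
    ("/admin/", "DELETE"): {"admin"},
}


def authorize(principal: Principal, method: str, path: str) -> bool:
    """Method-layer and path-layer lock: default deny unless the pair is explicitly allowed."""
    method = method.upper()
    prefixes = [p for (p, m) in POLICY if m == method and path.startswith(p)]
    if not prefixes:
        return False
    return bool(POLICY[(max(prefixes, key=len), method)] & principal.roles)


def handle(method: str, path: str, headers: Dict[str, str], now: Optional[float] = None) -> int:
    """Status an API front door would return: 401 without identity, 403 without entitlement."""
    principal = authenticate(headers.get("Authorization"), now)
    if principal is None:
        return 401
    if not authorize(principal, method, path):
        return 403
    return 200
```

The object-level check (does item 42 belong to this caller?) is deliberately not in the policy table: it depends on the data and belongs in the handler that loads the object, after these two locks have passed.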
Injection controls – API parameters must be validated before they are consumed by business logic. All of these parameters, whether in the query string, the path, headers or the JSON/XML body, arrive over HTTP and can be tampered with trivially. Hence all the traditional attacks such as SQL injection, XSS and command injection are possible through each of these parameters. Strong controls are needed at the validation layer across all API calls: allow-list validation of type, length and format, plus parameterized queries or safe APIs for anything that reaches a database, shell or interpreter, because validation alone is easy to get wrong.
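An added example of the injection point and the two controls, written for this article rather than taken from it. The items table, the hypothetical search handlers and the in-memory SQLite database are constructed so the example runs offline; the vulnerable handler is shown only to make the query-shape change visible.

```python
import re
import sqlite3
from typing import List, Tuple


def open_db() -> sqlite3.Connection:
    """Constructed fixture: a tiny table with one row the caller must never see."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO items (owner, name) VALUES (?, ?)",
        [("alice", "laptop"), ("alice", "phone"), ("bob", "vault-key")],
    )
    return conn


def search_items_vulnerable(conn: sqlite3.Connection, owner: str, name_prefix: str) -> List[Tuple]:
    """The bug: the parameter is pasted into SQL text, so it can change the query itself."""
    sql = f"SELECT owner, name FROM items WHERE owner = '{owner}' AND name LIKE '{name_prefix}%'"
    return conn.execute(sql).fetchall()


NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")   # allow-list for the name parameter


class ValidationError(ValueError):
    pass


def validate_name_prefix(value: object) -> str:
    """Reject anything outside the expected shape before it reaches business logic."""
    if not isinstance(value, str) or not NAME_RE.match(value):
        raise ValidationError("name_prefix must be 1-64 characters of [A-Za-z0-9 _-]")
    return value


def query_items(conn: sqlite3.Connection, owner: str, name_prefix: str) -> List[Tuple]:
    """Bind values as parameters: the driver sends them as data, never as SQL."""
    # LIKE wildcards are data here, not syntax, so escape them before adding our own '%'.
    escaped = name_prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT owner, name FROM items WHERE owner = ? AND name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (owner, escaped + "%")).fetchall()


def search_items_safe(conn: sqlite3.Connection, owner: str, name_prefix: str) -> List[Tuple]:
    """Both layers: validate the input, then bind it."""
    return query_items(conn, owner, validate_name_prefix(name_prefix))
```

Parameter binding is the control that actually stops SQL injection; the allow-list is the second layer that rejects junk early, gives the caller a clean 400 and keeps the same data from reaching other sinks (log files, shell commands, templates) where binding does not exist.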
CSRF control – CSRF is a highly likely attack vector whenever the API is authenticated by session cookies, because the browser attaches the cookie to any request a malicious page makes. Hence state-changing methods such as POST, PUT and DELETE must be validated with anti-CSRF tokens. CORS can strengthen the defence, but only with care: a preflight check is issued only for requests that are not "simple" (for example ones carrying a custom header or a JSON Content-Type), so a plain HTML form POST is never preflighted and a CORS allow-list by itself does not stop it. Requiring a custom request header, checking the Origin header against an allow-list, and setting the SameSite attribute on the session cookie together close that gap.
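An added example, not the article's own code, of the layered check a cookie-authenticated API can run before any state-changing request: Origin/Referer verification, a required custom header, and a synchronizer token bound to the session. The cookie name sid, the header names and the allowed origin are assumptions for the example; the per-process secret stands in for a configured key.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
ALLOWED_ORIGINS = {"https://app.example.com"}      # hypothetical first-party origin
SERVER_SECRET = secrets.token_bytes(32)             # would come from configuration in practice


def csrf_token_for_session(session_id: str) -> str:
    """Synchronizer token derived from the session id, so no extra server state is needed."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_check(method: str, headers: Dict[str, str], cookies: Dict[str, str]) -> Optional[str]:
    """Return None when the request may proceed, otherwise the reason it was rejected.

    Only cookie-authenticated, state-changing requests are CSRF targets: reads are not,
    and a request authenticated purely by a bearer token is not (the attacker's page
    cannot attach the token).
    """
    method = method.upper()
    if method in SAFE_METHODS:
        return None
    session_id = cookies.get("sid")
    if session_id is None:
        return None

    # 1. Browsers send Origin on cross-site POST/PUT/DELETE; Referer is the fallback.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return "missing Origin/Referer"
    if not any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS):
        return "cross-site origin"

    # 2. A custom header cannot be set by an HTML form, and from another origin it
    #    forces a CORS preflight that a strict allow-list will refuse.
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return "missing custom header"

    # 3. The token the page presents must match the one bound to this session.
    presented = headers.get("X-CSRF-Token", "")
    expected = csrf_token_for_session(session_id)
    if not hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
        return "bad CSRF token"
    return None
```

Any one of the three layers would usually be enough; the redundancy is deliberate because each has known holes (missing Origin on some older clients, a misconfigured CORS reflection, a token leaked through a template), and SameSite on the cookie itself is the fourth layer set outside this function.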
Client-side controls – Browsers are powerful points of abuse for attackers, so vectors such as XSS and clickjacking can be turned against APIs. It is important to send the appropriate HTTP headers on every API response: X-Content-Type-Options: nosniff, X-Frame-Options (or a Content-Security-Policy frame-ancestors directive), and an accurate Content-Type (application/json, never text/html). It is also critical to encode JSON and XML output correctly for the API context, so that data cannot break out of its container. Since DOM-based XSS is on the rise, the front-end must use safe methods when rendering API responses: avoid .innerHTML and use text-only calls such as textContent.
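The response side of this item, as an added example for this article (not code from the author): a hypothetical json_response helper that attaches the headers listed above and encodes JSON so that the bytes stay inert even if a page later inlines them into HTML, together with an audit helper that reports which headers a response is missing. The header values are the usual defensive defaults and are assumptions for the example.

```python
import json
from typing import Any, Dict, List, Tuple

REQUIRED_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",   # never text/html for API output
    "X-Content-Type-Options": "nosniff",                 # no MIME sniffing into HTML/JS
    "X-Frame-Options": "DENY",                           # no framing, so no clickjacking
    "Content-Security-Policy": "frame-ancestors 'none'; default-src 'none'",
    "Cache-Control": "no-store",                         # keep API data out of shared caches
}

# Characters that would let JSON text terminate a <script> block or break a template.
# Each maps to a JSON \uXXXX escape, so the output is still valid JSON with the same value.
HTML_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",   # line/paragraph separators are legal in JSON strings but not in JS
    "\u2029": "\\u2029",
}


def html_safe_json(obj: Any) -> str:
    """Compact JSON in which no HTML-significant character appears literally."""
    text = json.dumps(obj, ensure_ascii=False, separators=(",", ":"))
    for ch, esc in HTML_ESCAPES.items():
        text = text.replace(ch, esc)
    return text


def json_response(obj: Any, status: int = 200) -> Tuple[int, Dict[str, str], bytes]:
    """(status, headers, body) for an API response with the defensive headers applied."""
    return status, dict(REQUIRED_HEADERS), html_safe_json(obj).encode("utf-8")


def decode_body(body: bytes) -> Any:
    """What a well-behaved client does with the body: parse it as JSON, nothing else."""
    return json.loads(body.decode("utf-8"))


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Audit helper: which required headers are absent or carry a different value."""
    lower = {k.lower(): v for k, v in headers.items()}
    return [name for name, want in REQUIRED_HEADERS.items() if lower.get(name.lower()) != want]
```

The escaping is belt and braces: a client that uses textContent never needs it, but it costs nothing and protects the one page that someone eventually writes with innerHTML or a server-side template that inlines the JSON.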
Third-party integration controls – APIs frequently rely on third-party components, and the right coding practices must be in place before consuming them. Many applications use third-party APIs for authentication but fail to call the provider's logout endpoint when the user logs out of the application, leaving the upstream session alive and exposed for a long time. Further, before serializing and deserializing objects, make sure the libraries used are secure and do not have intrinsic weaknesses such as executing code or commands from the data being loaded; native object serialization formats (Java serialization, Python pickle, YAML loaders that construct arbitrary objects) are in this class, so prefer data-only formats such as JSON for untrusted input. Parsers, too, often introduce weaknesses into API calls, XML external entity processing being the standard example. Hence strong vetting, version pinning and patching of third-party components is required across the code base.
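An added example, written for this article, of what "intrinsic vulnerability" in a deserialization library means in practice. Python's pickle is used because it is in the standard library and shows the whole class of bug in a few lines: the data format itself can instruct the loader to call any importable callable. The constructed payload only appends to a list so it is harmless to run, but os.system would be invoked the same way; the restricted unpickler and the JSON alternative are the two fixes.

```python
import io
import json
import pickle
from typing import Any, List

SIDE_EFFECTS: List[str] = []   # records that code ran during deserialization (constructed)


def record(marker: str) -> str:
    SIDE_EFFECTS.append(marker)
    return marker


class Exploit:
    """What an attacker ships: pickle stores __reduce__'s (callable, args) and calls it on load."""

    def __reduce__(self):
        return (record, ("code ran inside pickle.loads",))


def build_untrusted_payload() -> bytes:
    """Constructed attacker input. No code runs here; it runs when the bytes are loaded."""
    return pickle.dumps(Exploit())


def parse_with_pickle(data: bytes) -> Any:
    """Insecure: pickle.loads on untrusted bytes is remote code execution by design."""
    return pickle.loads(data)


class SafeUnpickler(pickle.Unpickler):
    """Allow-list approach: refuse to resolve any global, so no callable can be reached."""

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def parse_with_restricted_pickle(data: bytes) -> Any:
    """Only plain containers and scalars survive; anything naming a class or function fails."""
    return SafeUnpickler(io.BytesIO(data)).load()


def parse_with_json(data: bytes) -> Any:
    """Data-only format: json.loads yields dicts, lists, strings and numbers, never calls code."""
    return json.loads(data.decode("utf-8"))
```

The same pattern applies to Java's ObjectInputStream, PHP unserialize and yaml.load without a safe loader: if the format can name a class, the loader must either refuse or hold a strict allow-list, and for API input the simplest answer is to not use such a format at all.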
Information leakage controls – HTTP status codes matter for the context of an API: in many cases, differences between codes (a 403 versus a 404 for the same path, or distinct errors for "unknown user" and "wrong password") let an attacker enumerate which resources or accounts exist. APIs should not return raw exceptions, stack traces or other details of the internal implementation, since that output leaks sensitive information about the stack. Hence proper controls around exception handling are a must: catch everything at the API boundary, return a generic message with a correlation identifier, and keep the detail in server-side logs.
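An added example for this article (not the author's code) of an API boundary that does both things: it collapses "does not exist" and "not yours" into the same 404, and it turns any unexpected exception into a generic 500 that carries only a correlation id, while the full traceback goes to the server log. The get_item handler, its in-memory store, the ApiError type and the simulated database failure are all constructed for the example.

```python
import logging
import traceback
import uuid
from typing import Any, Callable, Dict, List, Tuple

log = logging.getLogger("api")
CAPTURED_LOGS: List[Dict[str, Any]] = []   # stands in for the log sink so the example is self-checking


class ApiError(Exception):
    """Deliberate, client-safe error: a status and a message written for the caller."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status, self.message = status, message


ITEMS = {"1": {"owner": "alice", "name": "laptop"}, "2": {"owner": "bob", "name": "vault"}}


def get_item(caller: str, item_id: str) -> Dict[str, Any]:
    item = ITEMS.get(item_id)
    # Same status whether the item is missing or belongs to someone else: a distinct
    # 403 would tell the caller which ids exist.
    if item is None or item["owner"] != caller:
        raise ApiError(404, "item not found")
    if item_id == "2":   # constructed: simulate an unexpected backend failure on this row
        raise RuntimeError("OperationalError: connection to db01.internal:5432 refused")
    return item


def run_handler(handler: Callable[..., Any], *args: Any) -> Tuple[int, Dict[str, Any]]:
    """Boundary between application and wire: only ApiError details are echoed to the client."""
    correlation_id = uuid.uuid4().hex
    try:
        return 200, {"data": handler(*args)}
    except ApiError as e:
        CAPTURED_LOGS.append({"id": correlation_id, "level": "info", "status": e.status, "msg": e.message})
        return e.status, {"error": e.message, "id": correlation_id}
    except Exception:
        # Type, message and stack go to the server log only, keyed by the id the client sees.
        CAPTURED_LOGS.append({"id": correlation_id, "level": "error", "status": 500,
                              "msg": traceback.format_exc()})
        log.error("unhandled exception id=%s", correlation_id)
        return 500, {"error": "internal error", "id": correlation_id}


def find_log(correlation_id: str) -> Dict[str, Any]:
    """Support-desk lookup: the id from the client's error maps back to the full record."""
    return next(r for r in CAPTURED_LOGS if r["id"] == correlation_id)
```

The correlation id is what makes the generic message acceptable operationally: a user can quote it to support, and the team can pull the real stack trace from the log without it ever having crossed the wire.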
DoS controls – REST APIs are easy to overload with a burst of requests in a short span of time. It is good practice to apply rate limits on the basis of API keys or users wherever callers are identified. Publicly open calls can instead be limited per client IP or per session. Together these provide a robust defence against API-layer DoS; limits should answer with 429 and a Retry-After header so that legitimate clients back off cleanly.
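An added example for this article, not code from the author, of a sliding-window rate limiter keyed by API key with a tighter shared budget per IP for anonymous callers. The limits, the X-Api-Key header name and the injected clock are assumptions made so the behaviour can be demonstrated deterministically.

```python
import math
from collections import deque
from typing import Deque, Dict, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each caller identity."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: float) -> Tuple[bool, float]:
        """Return (allowed, seconds until the oldest counted hit leaves the window)."""
        q = self._hits.setdefault(key, deque())
        while q and q[0] <= now - self.window:     # drop hits that have aged out
            q.popleft()
        if len(q) >= self.limit:
            return False, q[0] + self.window - now
        q.append(now)
        return True, 0.0


# Authenticated callers get their own budget; anonymous ones share a smaller per-IP budget.
KEY_LIMITER = SlidingWindowLimiter(limit=100, window=60.0)
IP_LIMITER = SlidingWindowLimiter(limit=20, window=60.0)


def client_identity(headers: Dict[str, str], remote_addr: str) -> Tuple[str, SlidingWindowLimiter]:
    api_key = headers.get("X-Api-Key")
    if api_key:
        return "key:" + api_key, KEY_LIMITER
    # Use the socket peer address, which the client cannot forge. Only consult
    # X-Forwarded-For when a proxy you control is the one setting it.
    return "ip:" + remote_addr, IP_LIMITER


def check_rate_limit(headers: Dict[str, str], remote_addr: str, now: float) -> Tuple[int, Dict[str, str]]:
    """(status, extra headers): 429 with Retry-After when the caller is over budget, else 200."""
    identity, limiter = client_identity(headers, remote_addr)
    ok, retry_after = limiter.allow(identity, now)
    if not ok:
        return 429, {"Retry-After": str(max(1, math.ceil(retry_after)))}
    return 200, {}
```

A single process is assumed here; behind a load balancer the hit queues move to a shared store such as Redis, but the window arithmetic stays the same. Note that the key-based budget is only meaningful once the key has been authenticated, otherwise an attacker sends a fresh random key per request and lands in a new bucket each time.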
Crypto and sensitive data controls – Obviously, TLS (HTTPS) must be enforced for all API communication over the Internet. Apart from that, avoid placing sensitive data (tokens, passwords, personal data) in the API URL itself: URLs end up in server and proxy logs, browser history and Referer headers, so such data can be harvested and misused at intermediate points depending on the implementation. Stored data must be kept securely, with encryption applied to sensitive fields. If the API uses third-party protocols or controls, their implementation should be verified as well. JWT integrity is the standard example: the signature must actually be checked, the algorithm must be pinned by the verifier rather than taken from the token's own header, and expiry must be enforced.
Auditing controls – APIs need strong audit and logging controls from a security standpoint. API methods and their usage should be logged with details of authentication results, authorization decisions and rejected input. Any attempt at bypass or injection across the APIs should not only be logged but also flagged, so that the API can be protected in time. Logs should be analysed regularly to extract security incidents and improve defences, taking care that the logs themselves never capture tokens, passwords or other secrets.
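An added example for this article, not from the author, of the analysis step: a small detector run over audit log lines. The one-JSON-object-per-line format, its field names, the thresholds and the sample lines are all constructed for the example; a real deployment would feed the same logic from a log pipeline or SIEM.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of API audit lines: one unauthenticated scan, one privilege probe,
# and two injection attempts from a valid key.
SAMPLE_LOG = """\
{"ts": 1700000000, "ip": "198.51.100.7", "key": "k-alice", "method": "GET", "path": "/api/items/1", "status": 200, "params": {"q": "laptop"}}
{"ts": 1700000001, "ip": "198.51.100.9", "key": null, "method": "GET", "path": "/api/items/1", "status": 401, "params": {}}
{"ts": 1700000002, "ip": "198.51.100.9", "key": null, "method": "GET", "path": "/api/items/2", "status": 401, "params": {}}
{"ts": 1700000003, "ip": "198.51.100.9", "key": null, "method": "GET", "path": "/api/items/3", "status": 401, "params": {}}
{"ts": 1700000004, "ip": "198.51.100.9", "key": null, "method": "GET", "path": "/api/items/4", "status": 401, "params": {}}
{"ts": 1700000005, "ip": "198.51.100.7", "key": "k-alice", "method": "DELETE", "path": "/admin/users/2", "status": 403, "params": {}}
{"ts": 1700000006, "ip": "198.51.100.7", "key": "k-alice", "method": "GET", "path": "/api/items", "status": 400, "params": {"q": "' OR 1=1 --"}}
{"ts": 1700000007, "ip": "198.51.100.7", "key": "k-alice", "method": "GET", "path": "/api/items", "status": 200, "params": {"q": "<script>alert(1)</script>"}}
"""

INJECTION_PATTERNS = [
    re.compile(r"('|\")\s*(or|and)\s+\d+\s*=\s*\d+", re.I),         # SQL tautology
    re.compile(r"--\s*$|/\*|;\s*(drop|union|select)\b", re.I),        # SQL comment / stacked query
    re.compile(r"<\s*script\b|javascript:|on\w+\s*=", re.I),          # XSS probes
    re.compile(r"[;&|`$]\s*\(?\s*(cat|ls|id|wget|curl|nc)\b", re.I),  # shell metachar + command
]
AUTH_FAILURE_THRESHOLD = 3     # 401/403 responses per source inside the window
WINDOW_SECONDS = 60


def parse_log(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_injection_attempts(events: List[Dict]) -> List[Dict]:
    """One hit per event whose parameters match any injection pattern."""
    hits = []
    for ev in events:
        for name, value in ev.get("params", {}).items():
            if isinstance(value, str) and any(p.search(value) for p in INJECTION_PATTERNS):
                hits.append({"ts": ev["ts"], "source": ev["key"] or ev["ip"], "param": name, "value": value})
                break
    return hits


def find_auth_failure_bursts(events: List[Dict]) -> Dict[str, int]:
    """Sources with >= threshold 401/403s inside any WINDOW_SECONDS span, with the peak count."""
    per_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["status"] in (401, 403):
            per_source[ev["key"] or ev["ip"]].append(ev["ts"])
    flagged: Dict[str, int] = {}
    for source, times in per_source.items():
        start = 0
        for end in range(len(times)):          # sliding window over the sorted timestamps
            while times[end] - times[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= AUTH_FAILURE_THRESHOLD:
                flagged[source] = max(flagged.get(source, 0), end - start + 1)
    return flagged


def analyse(text: str) -> Dict:
    events = parse_log(text)
    return {"injection": find_injection_attempts(events), "auth_bursts": find_auth_failure_bursts(events)}
```

Two details matter more than the patterns themselves: the log records the authorization decision (the 403 on /admin/users/2 is a signal even though nothing was damaged), and the key field is null rather than a token value, so the log can be shipped to an analysis system without becoming a credential store.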
Conclusion
Guarding and protecting APIs has become critical for enterprises. Many recent breaches have used APIs as the entry point into corporate systems. API controls differ from those of a regular web application and need to be addressed at the design and development stages themselves. The controls covered in this article should serve as a guideline for developers.
Article by Hemil Shah