API stands for Application Programming Interface: a defined way for different applications to communicate with each other. For example, suppose you want to book a flight. You visit a travel agent's website and fill in your flight requirements. The travel portal in turn sends requests to the airlines' systems to retrieve the information you asked for. All of this happens through APIs. Because an API is a channel of communication, it is also reachable by attackers, so API security is central to the overall safety of a website.
What is API security?
An API is an interface intended to be used by many kinds of clients. To keep data safe from attackers it is important to secure the API. However, many APIs are never tested for security, and that puts your website at risk.
Here is an overview of what API testing involves:
● Checking the validity of the output the API returns for a given input
● Checking the validity of inputs: whether they fall within an expected range, are of an appropriate size, are not NULL, etc.
Why is API security important?
Every day another data breach makes the news. Yet API security is still not a priority for many organizations running publicly accessible websites. It is best to build security in while developing your application, to prevent well-known exploits. But you can also prevent a lot of trouble by testing your API's security afterwards, as you'll learn in this post.
More and more sensitive information is transmitted through APIs. If an attacker gets hold of it, the consequences for the website owner can be severe.
Here are some ways attackers can abuse an API endpoint:
● Injection attacks
● Parameter tampering
● DoS/DDoS attacks
● Authentication hijacking
● Man-in-the-middle attacks
[Image: The implications of API; Source: Dzone.com]
The attacks listed above are seen across verticals and industries. For example, when a customer books a plane ticket using a travel application, the backend reserves the seat immediately. If the customer completes the reservation and purchases a ticket, the decrease in inventory becomes permanent. Otherwise, the hold lasts for a default timeout period of a few minutes.
This creates an opportunity for abuse. Attackers reverse-engineer the API, and bots posing as customers reserve seats but never complete the purchase. Each time, a seat is removed from available inventory for the entire timeout period, making it unavailable to legitimate customers, and a large block of seats remains unsold.
How to test API security?
1. Fuzz Testing
Fuzz testing is a black-box software testing technique that finds bugs by injecting malformed data in an automated fashion. In simple words, we send unexpected values to your API and see if it breaks.
It doesn't require advanced tools and can be done with the curl command. You can send test numbers, test strings or other random values into the API's input parameters (and into the HTML form fields that feed them) to check that inputs are validated and handled correctly.
Fuzz testing numbers
Send zero, negative numbers, very large values and other invalid number formats to the API's input parameters. Poorly coded applications rely on one specific format, so testing this is a good way to find bugs.
Fuzz testing strings
One form of fuzz testing involves sending SQL fragments in API parameters where a plain string is expected. Other tests involve sending very long strings, "naughty strings" (the published lists of inputs known to break parsers), and so on.
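The number and string fuzzing described above, as an added example that is not code from the original post or from Astra. Instead of a live server, a constructed in-process handler stands in for an endpoint such as GET /flights?passengers=N&origin=XYZ, so the same probes a tester would send with curl can run offline; the parameter names, the two handlers and the test corpus are all assumptions made for this example. The fuzzer sorts each outcome into crash (an unhandled exception, which a real server would turn into a 500), rejected (4xx) and accepted (2xx), and the "accepted" bucket is where the quieter logic bugs show up: the naive handler happily books zero or negative passengers.

```python
"""Added example: an in-process fuzzer for one API endpoint.

The handlers below stand in for an HTTP endpoint such as
GET /flights?passengers=N&origin=XYZ so the probes can run offline.
Everything here is constructed for the example: handlers, parameter
names and the test corpus.
"""
from typing import Any, Callable, Dict, List

# Boundary numbers and hostile strings: zero, negatives, huge values,
# odd formats, whitespace, and a missing parameter (None).
NUMBER_CASES: List[Any] = ["0", "-1", "1", "99999999999999999999", "1e308", "NaN",
                           "0x10", "1.5", "", " 3", "3 ", None]
STRING_CASES: List[Any] = ["LHR", "", "A" * 10_000, "' OR '1'='1",
                           "<script>alert(1)</script>", "\u0000", "../../etc/passwd",
                           "%00", "\U0001d49c\U0001d4b7\U0001d4b8",  # mathematical script "abc"
                           None]

Handler = Callable[[Dict[str, Any]], Dict[str, Any]]


def vulnerable_handler(params: Dict[str, Any]) -> Dict[str, Any]:
    """Naive endpoint: converts client input blindly (constructed)."""
    passengers = int(params["passengers"])   # KeyError / ValueError escape as a 500
    origin = params["origin"].upper()        # KeyError when the field is missing
    seats = ["seat"] * passengers            # -1 gives [] silently; 10**20 raises OverflowError
    return {"status": 200, "origin": origin, "seats": len(seats)}


def hardened_handler(params: Dict[str, Any]) -> Dict[str, Any]:
    """Same endpoint with explicit validation: bad input is a 400, never a crash."""
    raw = params.get("passengers")
    # isascii() + isdigit() rejects signs, dots, exponents, spaces and non-ASCII digits
    if not isinstance(raw, str) or not (raw.isascii() and raw.isdigit()):
        return {"status": 400, "error": "passengers must be a positive integer"}
    passengers = int(raw)
    if not 1 <= passengers <= 9:
        return {"status": 400, "error": "passengers out of range"}
    origin = params.get("origin")
    if not (isinstance(origin, str) and len(origin) == 3
            and origin.isascii() and origin.isalpha()):
        return {"status": 400, "error": "origin must be a 3-letter IATA code"}
    return {"status": 200, "origin": origin.upper(), "seats": passengers}


def fuzz(handler: Handler, base: Dict[str, Any], field: str, cases: List[Any]) -> Dict[str, list]:
    """Send every case in `field` and sort the outcomes into three buckets.

    crash    = unhandled exception (a 500 in production): the endpoint broke
    rejected = 4xx: the input was validated and refused
    accepted = 2xx: review by hand; "0" or "-1" passengers accepted is a logic bug
    """
    report: Dict[str, list] = {"crash": [], "rejected": [], "accepted": []}
    for case in cases:
        params = dict(base)
        if case is None:
            params.pop(field, None)          # omit the parameter entirely
        else:
            params[field] = case
        try:
            resp = handler(params)
        except Exception as exc:             # catching everything is the point of a fuzzer
            report["crash"].append((case, type(exc).__name__))
            continue
        report["accepted" if resp["status"] < 400 else "rejected"].append(case)
    return report


if __name__ == "__main__":
    base = {"passengers": "2", "origin": "LHR"}
    for name, h in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        for field, cases in (("passengers", NUMBER_CASES), ("origin", STRING_CASES)):
            r = fuzz(h, base, field, cases)
            print(f"{name:10s} {field:10s} crash={len(r['crash'])} "
                  f"rejected={len(r['rejected'])} accepted={len(r['accepted'])}")
```

Against a real deployment the same loop would wrap `curl` or an HTTP client and treat any 5xx as a crash; the allowlist style of `hardened_handler` (decide what a valid value looks like, refuse everything else) is what makes the rejected bucket fill up and the crash bucket empty.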
2. Command Injection
An injection flaw occurs when untrusted data is sent to an interpreter as part of a query or command. In the context of APIs, command injection occurs when the web application passes data taken from an HTTP request into an operating-system command.
For example, if a request to the API carries command=rm -rf / in a query parameter and the input filter is inadequate, the parameter passes through to the shell and destroys the contents of the server. Check out our guide on AWS Pen Testing for more info.
To test protection against command injection, send harmless OS commands or SQL fragments as input parameters. If the inputs are not validated properly, an attacker can run database or system commands through an API request.
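The "send harmless OS commands" test, as an added example that is not code from the original post or from Astra. The scenario is constructed: an imagined GET /logs?name=<service> endpoint runs `tail -n 20 /var/log/app/<name>.log`, and the path, the probes and the marker string are all assumptions. Each probe chains `echo MARKER` onto the command; if the marker comes back on stdout, the injection executed. The hardened version validates the name against an allowlist and passes an argv list with `shell=False`, so no shell ever sees the input. It runs offline on any POSIX system with /bin/sh.

```python
"""Added example: a log-viewer API parameter reaching an OS command.

GET /logs?name=<service> is imagined to run `tail -n 20 /var/log/app/<name>.log`.
Endpoint, paths and probes are constructed so the example runs offline with /bin/sh.
"""
import re
import subprocess
from typing import Callable, List

LOG_DIR = "/var/log/app"                       # constructed path
MARKER = "INJECTED-7f3a"                       # harmless proof that our command ran

# Harmless probes a tester sends: each chains `echo MARKER` onto the command and
# comments out the rest of the line so the marker lands on stdout unchanged.
PROBES: List[str] = [
    f"app; echo {MARKER} #",                   # command separator
    f"app | echo {MARKER} #",                  # pipe
    f"app\necho {MARKER} #",                   # newline smuggled in a query parameter
]


def vulnerable_command(name: str) -> str:
    """Builds a single shell string: every metacharacter in `name` is interpreted."""
    return f"tail -n 20 {LOG_DIR}/{name}.log"


def run_vulnerable(name: str) -> str:
    """Runs the string through /bin/sh, exactly as an unsafe handler would."""
    proc = subprocess.run(vulnerable_command(name), shell=True,
                          capture_output=True, text=True, timeout=10)
    return proc.stdout


# Allowlist, not a blocklist: lowercase service names only, so no separators,
# no quotes, no path traversal and no leading '-' that tail could read as an option.
NAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")


def hardened_argv(name: str) -> List[str]:
    """Validates first, then returns an argv list for exec: no shell is involved."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid service name: {name!r}")
    return ["tail", "-n", "20", f"{LOG_DIR}/{name}.log"]


def run_hardened(name: str) -> str:
    proc = subprocess.run(hardened_argv(name), shell=False,
                          capture_output=True, text=True, timeout=10)
    return proc.stdout


def probe_for_injection(runner: Callable[[str], str]) -> List[str]:
    """Returns the probes whose marker appeared on stdout, i.e. the injection ran."""
    hits = []
    for payload in PROBES:
        try:
            if MARKER in runner(payload):
                hits.append(payload)
        except ValueError:                     # rejected by validation: not a hit
            pass
    return hits


def rejected_by_validator(name: str) -> bool:
    try:
        hardened_argv(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable hits:", probe_for_injection(run_vulnerable))
    print("hardened hits:  ", probe_for_injection(run_hardened))
```

The same marker trick works for SQL probes (a string that, if interpreted, changes the result set in a visible way), and the same defence applies: parameterised queries instead of string building, plus validation of the value before it is used.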
3. Endpoint protection
The API should authorize every request before processing it. To test how robust the authorization is, run automated tests that call protected endpoints without credentials, and again with the credentials of a lower-privileged user.
Check for unhandled HTTP methods: try HEAD, and arbitrary methods, against endpoints that only authenticate GET or POST, to see whether the method-based checks can be bypassed.
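The endpoint and HTTP-method audit described in this step, as an added example that is not code from the original post or from Astra. The routes, tokens, role ranks and the two dispatchers are constructed stand-ins for a web framework so the audit can run offline. `vulnerable_dispatch` has the classic verb-tampering bug: authentication is enforced only for the methods the developer thought about, and HEAD or an unknown method falls through to the handler. `hardened_dispatch` denies by default and lets HEAD inherit GET's policy.

```python
"""Added example: auditing an API's method/authorization handling in-process.

Routes, tokens and both dispatchers are constructed stand-ins for a web framework.
"""
from typing import Dict, List, Optional, Tuple

TOKENS: Dict[str, str] = {"tok-admin": "admin", "tok-user": "user"}   # constructed credentials
RANK = {"user": 1, "admin": 2}

# path -> {method: minimum role required}
ROUTES: Dict[str, Dict[str, str]] = {
    "/api/admin/users": {"GET": "admin", "DELETE": "admin"},
    "/api/me": {"GET": "user"},
}
METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS", "TRACE", "FOO"]


def has_role(role: str, required: str) -> bool:
    return RANK[role] >= RANK[required]


def vulnerable_dispatch(method: str, path: str, token: Optional[str] = None) -> int:
    """Returns an HTTP status. Auth is checked only for the 'known' verbs."""
    if path not in ROUTES:
        return 404
    if method in ("GET", "POST", "PUT", "DELETE"):
        role = TOKENS.get(token)
        if role is None:
            return 401
        required = ROUTES[path].get(method)
        if required is None:
            return 405
        if not has_role(role, required):
            return 403
    # HEAD, OPTIONS and anything unexpected fall through to the GET handler,
    # the way some frameworks map HEAD onto GET automatically.
    return 200


def hardened_dispatch(method: str, path: str, token: Optional[str] = None) -> int:
    """Deny by default: unsupported methods are 405, HEAD inherits GET's policy."""
    if path not in ROUTES:
        return 404
    effective = "GET" if method == "HEAD" else method
    required = ROUTES[path].get(effective)
    if required is None:
        return 405
    role = TOKENS.get(token)
    if role is None:
        return 401
    if not has_role(role, required):
        return 403
    return 200


def audit(dispatch) -> List[Tuple[str, str, str]]:
    """Hits every route with every method, unauthenticated and as a low-privilege user."""
    findings = []
    for path, policy in ROUTES.items():
        for method in METHODS:
            if dispatch(method, path, token=None) < 400:
                findings.append((method, path, "accessible without credentials"))
            effective = "GET" if method == "HEAD" else method
            if policy.get(effective) == "admin" and dispatch(method, path, token="tok-user") < 400:
                findings.append((method, path, "admin route reachable with user token"))
    return findings


if __name__ == "__main__":
    for name, d in (("vulnerable", vulnerable_dispatch), ("hardened", hardened_dispatch)):
        print(name)
        for f in audit(d):
            print("  ", *f)
```

Against a live API the audit loop is the same: every path, every method, no token, then a low-privilege token; anything under 400 where policy says otherwise is a finding. Note that the HEAD finding is not cosmetic: a HEAD that reaches an admin handler may still execute its side effects even though the body is not returned.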
4. Parameter tampering
In parameter tampering, API parameters are manipulated to take advantage of missing or faulty backend validation. In simple words, if a user can open their browser's developer tools, change an input value (a hidden price field, say) and submit the form successfully, the service is vulnerable to parameter tampering.
Check that hidden input fields in forms are re-validated on the server rather than trusted. Test various combinations of invalid query parameters and ensure the API returns the correct error codes.
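The hidden-field and invalid-parameter checks above, as an added example that is not code from the original post or from Astra. The checkout endpoint, the catalogue and the tampered forms are constructed: a booking form posts sku, quantity and a hidden price, and `TAMPER_CASES` lists what a user can change in the browser before submitting. The vulnerable handler charges whatever price the client sent; the hardened one re-derives the price from the server-side catalogue, ignores the client's value entirely, and answers invalid parameters with a 400 rather than a crash.

```python
"""Added example: hidden-field tampering against a checkout endpoint.

Handlers, catalogue and tampered forms are constructed for this example.
"""
from typing import Any, Dict, List, Tuple

CATALOGUE: Dict[str, int] = {"FLIGHT-LHR-JFK": 45000}   # price in minor units; the server's truth
SKU = "FLIGHT-LHR-JFK"

# What a user can do in the browser's developer tools before submitting the form.
TAMPER_CASES: List[Tuple[str, Dict[str, str]]] = [
    ("hidden price lowered", {"sku": SKU, "quantity": "2", "price": "1"}),
    ("negative quantity", {"sku": SKU, "quantity": "-1", "price": "45000"}),
    ("non-numeric quantity", {"sku": SKU, "quantity": "2abc", "price": "45000"}),
    ("unknown sku, zero price", {"sku": "FREE-UPGRADE", "quantity": "1", "price": "0"}),
]


def vulnerable_checkout(form: Dict[str, str]) -> Dict[str, Any]:
    """Trusts the hidden price field: the client decides what it pays."""
    total = int(form["quantity"]) * float(form["price"])   # "2abc" raises: a 500
    return {"status": 200, "charged": total}


def hardened_checkout(form: Dict[str, str]) -> Dict[str, Any]:
    """Re-derives the price from the catalogue; any client-supplied 'price' is ignored."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        return {"status": 400, "error": "unknown sku"}
    qty = form.get("quantity", "")
    if not (qty.isascii() and qty.isdigit()) or not 1 <= int(qty) <= 9:
        return {"status": 400, "error": "quantity must be 1-9"}
    return {"status": 200, "charged": int(qty) * CATALOGUE[sku]}


def expected_total(form: Dict[str, str]) -> Any:
    """What the server should charge, or None when the request is not legitimate at all."""
    price = CATALOGUE.get(form["sku"])
    qty = form["quantity"]
    if price is None or not qty.isdigit() or not 1 <= int(qty) <= 9:
        return None
    return int(qty) * price


def tamper_test(checkout) -> List[str]:
    """Submits each tampered form; a finding is a crash or an accepted wrong charge."""
    findings = []
    for label, form in TAMPER_CASES:
        try:
            resp = checkout(form)
        except Exception as exc:
            findings.append(f"{label}: unhandled {type(exc).__name__}")
            continue
        if resp["status"] >= 400:
            continue                                   # rejected with an error code: correct
        if resp["charged"] != expected_total(form):    # None never equals a number
            findings.append(f"{label}: accepted, charged {resp['charged']}")
    return findings


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_checkout), ("hardened", hardened_checkout)):
        print(name, tamper_test(h) or ["no findings"])
```

The rule the hardened handler follows is the general one for parameter tampering: a value the client can edit is input, not fact, so prices, user IDs, roles and discount flags are looked up or derived on the server from the one identifier the client is actually allowed to choose.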
How to secure the REST API?
Only 40.4% of API providers are testing for API security. With RESTful APIs becoming increasingly popular, security is often the most overlooked part of API design. Here are the principles to keep in mind for a secure REST API:
- Strict privileges: allow only authorised users to call sensitive methods such as DELETE and PUT.
- Fail-safe defaults: the access level for any user should be "denied" unless they have explicitly been granted a "permit".
- Simplicity: keep the design as simple as possible. This makes analysis and remediation easier in case of an attack.
- Complete mediation: validate access rights on every request and do not rely on a cached permission matrix. If access to a resource has been revoked but the revocation is not reflected in the cached matrix, the stale entry violates security.
- Minimum shared state: if a shared state gets corrupted, every component depending on it can fail. So keep the amount of shared state to a minimum.
- Ease of accessibility: security mechanisms should not make the resource difficult to access. Design every mechanism with the user experience in mind, and every user-experience feature with security in mind.
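The fail-safe-defaults and complete-mediation principles, together with strict privileges for DELETE, as an added example that is not code from the original post or from Astra. `PermissionStore` is a constructed live source of truth for grants; `CachedAuthorizer` snapshots each answer the way a permission matrix built at login would, so a revocation is invisible until the cache is dropped; `MediatedAuthorizer` asks the store on every request. Users, methods and resource paths are assumptions made for the example.

```python
"""Added example: fail-safe defaults and complete mediation for a REST API.

Store, authorizers and the revocation scenario are constructed for this example.
"""
from typing import Dict, Set, Tuple

Grant = Tuple[str, str, str]          # (user, method, resource)


class PermissionStore:
    """Live source of truth. Absence of a grant is a denial, for unknown users too."""

    def __init__(self) -> None:
        self._grants: Set[Grant] = set()

    def grant(self, user: str, method: str, resource: str) -> None:
        self._grants.add((user, method, resource))

    def revoke(self, user: str, method: str, resource: str) -> None:
        self._grants.discard((user, method, resource))

    def is_granted(self, user: str, method: str, resource: str) -> bool:
        return (user, method, resource) in self._grants   # fail-safe default: False


class CachedAuthorizer:
    """Remembers the first answer per (user, method, resource): fast, stale after revoke."""

    def __init__(self, store: PermissionStore) -> None:
        self.store = store
        self._matrix: Dict[Grant, bool] = {}

    def allowed(self, user: str, method: str, resource: str) -> bool:
        key = (user, method, resource)
        if key not in self._matrix:
            self._matrix[key] = self.store.is_granted(*key)
        return self._matrix[key]


class MediatedAuthorizer:
    """Complete mediation: every request re-checks the live store."""

    def __init__(self, store: PermissionStore) -> None:
        self.store = store

    def allowed(self, user: str, method: str, resource: str) -> bool:
        return self.store.is_granted(user, method, resource)


def handle(authorizer, user: str, method: str, resource: str) -> int:
    """Strict privileges: DELETE and PUT need an explicit grant like anything else."""
    return 200 if authorizer.allowed(user, method, resource) else 403


def revocation_scenario(authorizer_cls) -> Tuple[int, int]:
    """Grant, use, revoke, use again; returns the two statuses."""
    store = PermissionStore()
    store.grant("alice", "DELETE", "/flights/42")
    auth = authorizer_cls(store)
    before = handle(auth, "alice", "DELETE", "/flights/42")
    store.revoke("alice", "DELETE", "/flights/42")
    after = handle(auth, "alice", "DELETE", "/flights/42")
    return before, after


if __name__ == "__main__":
    print("cached:  ", revocation_scenario(CachedAuthorizer))     # revocation not seen
    print("mediated:", revocation_scenario(MediatedAuthorizer))   # revocation takes effect
```

If a cache is unavoidable for latency, the fix that keeps complete mediation honest is to invalidate the affected entries as part of the revoke operation itself, not to wait for a TTL to expire.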
This article discusses some of the many ways of ensuring API security. Automated tools can be used to run API security tests. A full-fledged security audit with Astra includes malware scanning, an API security test, and other features.