Marzena Trembecka

API interface vulnerable to cyberattacks

Modern technology connects us with the entire world. The extended network that is the Internet puts everything within our reach. It is enough to switch on your laptop or pick up a smartphone or tablet, and you can log into social media, do your shopping, book a flight, log into your bank account or play your favourite game.

Access to information has never been so simple. We can connect to the Internet in any place and at any time. What lets us connect with the world so quickly? What allows information to flow so fast?

Underestimated hero

The fast and simple method of communication between computer programmes and applications is provided by the API. This underestimated hero is the application programming interface. It is a mechanism that works beneath the visual layer of a programme or application and enables users to perform the intended interaction. Such an interaction may include logging in, tapping or scrolling. APIs enable booking a flight, a restaurant table or a hotel room, and connect social portals and other websites.

What is API?

An API (Application Programming Interface) is a messenger. It accepts a command to perform a given interaction, sends a signal to the system and returns with the requested response. An API is a simple method of communicating with various programmes using established protocols (JSON-RPC, XML-RPC). It is invisible to the user because it sits beneath the visual layer. It is frequently used for sending key and sensitive data.

API security

API interfaces are present everywhere. They are used by the e-commerce, telecommunications and entertainment sectors. The wide scope of applications and the huge quantity of stored data make APIs a source of valuable information for cybercriminals.

Most frequently, communication through an API is invisible to the end user. Therefore, in most cases developers disregard its security. Protecting the application programming interface is a serious challenge for cybersecurity specialists.

The flexibility and scalability of APIs also come with many security loopholes. The broad range of hazards leads to frequent hacker attacks on the application layer. Therefore, API is in the OWASP list of the 10 largest hazards for the application layer in 2017.

OWASP A10 - Under-protected APIs

Sectors exposed to attacks

Attacks on the application layer take place more and more frequently. Sectors storing sensitive data are particularly exposed to such attacks. API interfaces in the e-commerce sector are frequently exposed to brute-force attacks. Their objective is to identify logins and take over users' accounts, resulting in the theft of property.

In this case, a significant hindrance for many WAF systems is that the traffic profile is similar to the traffic generated by "bad bots": there is no cookie support, the traffic is generated from data centres, and there are no references to static content (image files, CSS and JavaScript).
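
The following added example (not part of the original article) shows why those three signals alone cannot separate a legitimate API client from a brute-force client, and how the failed-login ratio per client can. The traffic records, the `/api/login` path and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample traffic (not real logs), one tuple per request:
# (client id, source network, Cookie header present, path, HTTP status)
REQUESTS = [
    ("browser-1", "residential", True, "/index.html", 200),
    ("browser-1", "residential", True, "/static/app.css", 200),
    ("browser-1", "residential", True, "/api/login", 200),
    # Legitimate partner integration calling the API from a data centre.
    ("partner-1", "datacentre", False, "/api/login", 200),
    ("partner-1", "datacentre", False, "/api/orders", 200),
] + [("bot-1", "datacentre", False, "/api/login", 401)] * 8  # login guessing

STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif")


def summarise(requests):
    """Aggregate per-client signals from individual requests."""
    stats = defaultdict(lambda: {"cookies": False, "datacentre": False,
                                 "static": False, "logins": 0, "failed": 0})
    for client, network, has_cookie, path, status in requests:
        s = stats[client]
        s["cookies"] |= has_cookie
        s["datacentre"] |= network == "datacentre"
        s["static"] |= path.endswith(STATIC_SUFFIXES)
        if path == "/api/login":
            s["logins"] += 1
            s["failed"] += status == 401
    return stats


def bot_signals(s):
    """The three signals named in the text, all present at once."""
    return not s["cookies"] and s["datacentre"] and not s["static"]


def classify(requests, min_logins=5, max_failed_ratio=0.5):
    """Thresholds are assumed values for this example, not recommendations."""
    result = {}
    for client, s in summarise(requests).items():
        ratio = s["failed"] / s["logins"] if s["logins"] else 0.0
        result[client] = {
            "bot_signals": bot_signals(s),
            "brute_force": s["logins"] >= min_logins and ratio > max_failed_ratio,
        }
    return result
```

Both `partner-1` and `bot-1` match the bot signals, so blocking on them would cut off the legitimate integration; only the authentication outcome tells the two apart.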

The Internet of Things is also strongly tied to APIs. IoT provides devices and systems which allow remote monitoring and management of smart homes. A takeover of such data resources may be catastrophic. In such a case, an attack on the API blocks people from controlling their smart home remotely.

Communication based mainly on APIs is continuously exposed to attacks. To protect against such attacks and guarantee customer safety, it is worth using Machine Learning solutions. They allow detailed verification that the service operates correctly and ensure protection against attacks on the API.

API vulnerability to hazards

On the one hand, we have modern solutions based on advanced algorithms; on the other, challenges for security. A complex API system can provide a response to nearly every inquiry. Unfortunately, access to appropriate security measures and to tests that detect loopholes is limited. APIs are subject to the same types of hazards as a traditional application. These include, among others, problems with coding, access control, authentication method or injection of incorrect configurations.

API interface risk

The largest challenge for an API is protecting the data it sends. Cybercriminals may violate access authorisations, hijack a session and ultimately deceive the API. Their objective is most frequently to intercept sensitive data. Hackers manipulate data transferred to the API or use bots, which may be a source of DDoS attacks.

APIs are primarily intended for applications, not end users. For instance, validation of XML/JSON or other transmitted parameters may be useful in testing and monitoring API security. Yet the complexity of APIs makes automating security tests quite a challenge.

Application layer protection

The security of an API greatly depends on understanding the threat model and then ensuring proper protection. Firstly, it is necessary to make sure that the API has strong authentication and that all certificates and keys are protected properly. The correct configuration of parsers, implementation of access control and supporting all plots are also important here.

It is worth introducing mechanisms that limit the number of requests per user (rate limiting) and the number of unsuccessful authorisation attempts. The modern approach to security also involves fuzzing tests.

Monitoring internal resources, the number of connections and references among microservices (e.g. DDoS attack on Netflix platform) is equally important.
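
One way to implement the two limits described above, as an added example that is not part of the original article: a sliding-window request limit per user combined with a temporary lockout after repeated failed logins. The class name `ApiGuard`, its default limits and the `FakeClock` helper are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class ApiGuard:
    """Per-user sliding-window rate limit plus lockout after failed logins."""

    def __init__(self, max_requests=5, window=60.0, max_failures=3,
                 lockout=300.0, clock=time.monotonic):
        self.max_requests, self.window = max_requests, window
        self.max_failures, self.lockout = max_failures, lockout
        self.clock = clock                   # injectable so behaviour is testable
        self.hits = defaultdict(deque)       # user -> timestamps of recent requests
        self.failures = defaultdict(int)     # user -> consecutive failed logins
        self.locked_until = {}               # user -> time at which lockout ends

    def allow_request(self, user):
        now = self.clock()
        recent = self.hits[user]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                 # forget requests outside the window
        if len(recent) >= self.max_requests:
            return False                     # caller would answer HTTP 429
        recent.append(now)
        return True

    def login_allowed(self, user):
        return self.clock() >= self.locked_until.get(user, 0.0)

    def record_login(self, user, success):
        if success:
            self.failures.pop(user, None)    # a success resets the counter
            return
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lockout
            self.failures[user] = 0


class FakeClock:
    """Deterministic clock for demonstrations and tests."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now
```

Counters keyed only by user name let anyone lock out a known account and do not catch one source trying many accounts, so a deployment would normally keep a second set of counters keyed by source address.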

Andrzej Prałat
Marzena Trembecka
