API attacks are growing more common. That's why it's critical to adopt API security best practices to protect your APIs — and their data.
In this blog, we break down common API attacks and what you can do to prevent them.
An API attack is a malicious use of an API. In API attacks, the attackers use an API endpoint to access and exploit data.
Unfortunately, API attacks won't stop anytime soon. They're expected to be the most common attack by 2022 (according to Gartner).
In order to prevent API attacks, you need to understand your API risks. And you need to adopt security measures that will keep your APIs safe.
In the webinar below, we share tips on mitigating security and compliance risk.
Here are five of the most common API attacks — and how to prevent them.
A man- or bot-in-the-middle attack occurs through the use of packet capture technology on shared public circuits between the API consumer and the API server. The attacker intercepts authentication credentials in the request URL as a query parameter or in the authorization header.
Identity theft is also possible by acquiring the credentials of a valid user as a result of:
You can prevent this API attack through proper authentication measures.
Do mutual TLS certificate checking on the client and server side through the use of pinned certificates. This reduces the probability of this occurring by encrypting the socket.
However, certificate pinning can still be vulnerable to DNS attacks. These could trick the API client into requesting a pinned certificate from a phishing site pretending to be the actual API server.
Avoid antiquated authentication protocols. For example, you'll want to avoid a basic authentication that sends an encoded password with each request message.
Use tokens that last for minutes instead of hours or days. Use an HMAC signature and a nonce-based MAC OAuth token instead of a bearer token. This further reduces the probability that a token intercepted on a public unencrypted Wi-Fi network — or copied from a server log file — may be replayed to the API gateway.
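The following is an added example (not code from the original post or from Akana) of the signed-request scheme this section recommends: a short-lived MAC key issued with the token, an HMAC over the method, path, timestamp, nonce and body hash, and a gateway-side verifier that rejects expired tokens, stale timestamps and reused nonces. The key, lifetimes and the `MacVerifier` class are assumptions constructed for the example; a real gateway would keep the nonce cache in shared storage.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo values. In production the MAC key is issued by the OAuth token
# endpoint alongside the token and is never sent on the wire; only the signature is.
MAC_KEY = b"demo-mac-key-issued-with-token"
TOKEN_TTL_SECONDS = 300          # minutes, not hours or days
TIMESTAMP_WINDOW_SECONDS = 30    # how far a request timestamp may drift from gateway time


def canonical_string(method, path, timestamp, nonce, body=b""):
    """The string both sides sign; hashing the body binds the payload to the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(method, path, body=b"", key=MAC_KEY, now=None):
    """Client side: produce the MAC parameters that travel in the Authorization header."""
    timestamp = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, canonical_string(method, path, timestamp, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"ts": timestamp, "nonce": nonce, "mac": mac}


class MacVerifier:
    """Gateway side: checks token lifetime, freshness, nonce uniqueness and the signature."""

    def __init__(self, issued_at, key=MAC_KEY):
        self.key = key
        self.issued_at = issued_at   # when the token (and its MAC key) were issued
        self.seen_nonces = {}        # nonce -> timestamp; a shared cache in a real gateway

    def verify(self, method, path, auth, body=b"", now=None):
        now = int(time.time() if now is None else now)
        # 1. A short token lifetime bounds how long a leaked token stays useful.
        if now - self.issued_at > TOKEN_TTL_SECONDS:
            return "token expired"
        # 2. The request timestamp must be recent, so old captures cannot be resent.
        if abs(now - auth["ts"]) > TIMESTAMP_WINDOW_SECONDS:
            return "timestamp outside window"
        # 3. Each nonce is accepted once: a request copied from a log file or a
        #    packet capture fails here even inside the timestamp window.
        if auth["nonce"] in self.seen_nonces:
            return "replayed nonce"
        # 4. Constant-time comparison of the HMAC over the canonical request.
        expected = hmac.new(self.key,
                            canonical_string(method, path, auth["ts"], auth["nonce"], body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["mac"]):
            return "bad signature"
        self.seen_nonces[auth["nonce"]] = auth["ts"]
        # Forget nonces older than the window; they can no longer pass check 2 anyway.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= TIMESTAMP_WINDOW_SECONDS}
        return "ok"
```

Because the signature covers the method and path, a captured MAC cannot be reused against a different endpoint, and because the gateway remembers nonces for the length of the timestamp window, the same request cannot be submitted twice even within that window.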
Recommended reading >> What Is OAuth?
SSL protocol downgrades can also open you up to API attacks. In this attack, bot-nets or malicious API clients may attempt to take advantage of legacy exploits not yet deprecated in the client or server.
For example, the “POODLE” vulnerability was present in web browsers and even the Oracle JVM until February 2015. That's because SSL v3 (an 18-year-old protocol) was still shipping and enabled. This permitted the SSL handshake to be performed using a weak process that leaked certificate details. So it enabled those with the stolen keys to decrypt any packets captured by a man-in-the-middle.
You can prevent API attacks resulting from SSL protocol downgrades by choosing the right API gateway.
Ensure that API clients, servers, and gateways are continuously patched. This ensures that recent zero day vulnerabilities are addressed. And it ensures any antiquated encryption algorithms and protocols are deprecated from environments connected to public networks.
Pay attention to new security protocols. And apply security measures in your API gateway.
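As an added example (not code from the original post or from Akana), here is how an API client written in Python can refuse the downgrade path described above by pinning the minimum protocol version and always verifying the peer, together with a small audit function that flags a context which still allows it. The `legacy_client_context` function is a constructed "before" configuration; the policy checks in `audit_tls_context` are assumptions for this example, not a published standard.

```python
import ssl


def hardened_client_context(cafile=None):
    """Client context that refuses anything older than TLS 1.2 and always verifies the peer."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3 / TLS 1.0 / TLS 1.1 handshakes
    ctx.check_hostname = True                       # certificate must match the API host
    ctx.verify_mode = ssl.CERT_REQUIRED             # unauthenticated servers are rejected
    return ctx


def legacy_client_context():
    """Constructed 'before' configuration: library-minimum protocol, no peer verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # whatever the library still allows
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx):
    """Return the policy violations found in a context; an empty list means compliant."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum protocol version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname verification disabled")
    return problems
```

Pinning `minimum_version` is what stops a downgrade: a server (or an attacker in the path) that only offers SSL v3 or TLS 1.0 gets a handshake failure rather than a weak session. The audit function is the kind of check worth running in a build pipeline against every context your clients and gateway integrations construct, since a single `CERT_NONE` left over from debugging silently undoes the rest.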
Recommended reading >> What Is NIST?
API attacks can also occur from authenticated clients who are not authorized.
User A authenticates with the API gateway using a valid ID and credentials. But then they reconstruct the API request being made by the client application to guess a different account number parameter. This is an attempt to execute a transaction or request data belonging to a different user.
To prevent this API attack, you'll need to adopt authorization measures.
Use SAML and OAuth tokens decorated with attributes to correlate an account number with the email address, user ID, or app ID used to request the token.
Verify the account number as an authorization factor prior to responding with the data requested to prevent accidental data leakage or the execution of a transaction. This may be accomplished on an API gateway by leveraging mediation and orchestration patterns.
For example, a BPEL process does not connect to the protected API behind the gateway until after the multifactor authorization step passes verification. This invokes a fraud detection / account owner verification API prior to invoking the protected API.
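The gateway-side check described in the three points above, as an added example (not code from the original post or from Akana): token attributes correlate a subject with the account numbers it may touch, the account number in the request is verified against them before the protected API is invoked, and repeated cross-account denials from one subject are surfaced for fraud review. The token table, route pattern, `Gateway` class and `protected_api` stand-in are all constructed for the example; a real deployment would read the claims from a validated OAuth or SAML token rather than from a dictionary.

```python
import re
from collections import Counter

# Route pattern for the account-scoped resources behind the gateway (constructed).
ACCOUNT_ROUTE = re.compile(r"^/accounts/(?P<account>\d+)(?:/|$)")

# Constructed claim sets standing in for the attributes a gateway reads from a validated
# OAuth/SAML token: the subject, the app that requested the token, and the account
# numbers correlated with that identity when the token was issued.
TOKENS = {
    "tok-alice": {"sub": "alice@example.com", "app_id": "mobile-banking", "accounts": {"1001", "1002"}},
    "tok-bob":   {"sub": "bob@example.com",   "app_id": "mobile-banking", "accounts": {"2001"}},
}


def protected_api(method, path):
    """Stands in for the backend service behind the gateway (constructed)."""
    return f"{method} {path}: account data"


class Gateway:
    def __init__(self, tokens=TOKENS, backend=protected_api):
        self.tokens = tokens
        self.backend = backend
        self.backend_calls = 0
        self.denials = Counter()   # per-subject count of cross-account attempts
        self.audit = []            # lines a real gateway would ship to the SIEM

    def handle(self, token, method, path):
        claims = self.tokens.get(token)
        if claims is None:
            return 401, "unauthenticated"
        match = ACCOUNT_ROUTE.match(path)
        if match is None:
            return 404, "unknown route"
        account = match.group("account")
        # Authorization factor: the account in the request must be one bound to the token.
        # An authenticated caller who reconstructs the request with another account number
        # is stopped here, before the protected API is ever invoked.
        if account not in claims["accounts"]:
            self.denials[claims["sub"]] += 1
            self.audit.append(
                f"DENY sub={claims['sub']} app={claims['app_id']} account={account} {method} {path}")
            return 403, "forbidden"
        self.backend_calls += 1
        return 200, self.backend(method, path)

    def suspicious_subjects(self, threshold=3):
        """Subjects whose repeated cross-account denials suggest account-number guessing."""
        return [sub for sub, n in self.denials.items() if n >= threshold]
```

The point of keeping the check in the gateway is that the protected API never sees the guessed request at all, which is the same ordering the BPEL example above describes; the denial counter is the cheap "fraud detection" hook that makes the guessing visible to operations rather than only blocked.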
Recommended reading >> What Is an API Gateway?
API attacks can also occur on mobile devices. Mobile applications that use shared secrets to request OAuth tokens can cause credential leakage, especially if the application ID and secret are stored in clear text in the client application code.
Prevent mobile API attacks with security policies.
Don't use shared secrets to request tokens. This will make your mobile applications vulnerable.
Configure the API gateway OAuth token endpoint to integrate with a secured keystore. The client then presents an X.509 client certificate held in an encrypted PKCS#12 (.p12) keystore to connect to the API gateway with mutual TLS, and the gateway verifies that certificate before issuing a token.
Consider a mobile device container to encrypt the entire process on the mobile device that is running the client application code. And rather than relying on protocol-level encryption alone, leverage X.509 keys to encrypt and decrypt the body of the message payload itself.
Recommended reading >> What Is a Mobile Gateway?
Finally, malicious code / SQL injections are another common API attack you need to avoid.
Authenticated API consumers may still be malicious — even though they are valid users and authorized to use the API with their own credentials. They can still expose data to risk when API requests contain escape characters followed by SQL queries. For example, ‘select * from tablename’ in the REST URL GET path or query parameters. This can also occur in headers as well as the XML or JSON body of a POST request.
Apply a malicious patterns detection security policy.
Leverage an API gateway to inspect the parameters of API requests for such patterns using regular expressions, to detect and stop such requests from ever leaving the API gateway.
Don't connect the API gateway directly to the SQL database. Even if the SQL injection ran on the API gateway, there would be no connection to a database for any data to be returned.
Introduce a mediation (aka DMZ) tier in front of the app/database tier with a tolerable added latency of 2–20 milliseconds to perform such input validation on each message.
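As an added example (not code from the original post or from Akana), the following shows the two halves of the defence this section describes: a gateway-side inspection that runs a small set of SQL-injection signatures over the path, every decoded query parameter, the headers and the body, and a backend that uses placeholder binding so that even a pattern the screen misses cannot change the query. The signature list, the request shape and the in-memory SQLite table are constructed for the example, and the signatures are a screen, not a complete SQL grammar.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed signatures a gateway policy might apply to every request field.
SQLI_PATTERNS = {
    "sql-statement": re.compile(
        r"(?i)\b(select|union|insert|update|delete|drop)\b\s+[\w*,\s]*\b(from|into|table|set|where)\b"),
    "tautology": re.compile(r"(?i)['\"]\s*(or|and)\s+['\"\d]"),
    "comment": re.compile(r"(--\s|/\*)"),
    "stacked": re.compile(r"(?i);\s*(select|insert|update|delete|drop)\b"),
}


def inspect_request(url, headers, body=""):
    """Return (field, signature) hits found in the path, query, headers and body."""
    parts = urlsplit(url)
    fields = {"path": unquote(parts.path)}
    # parse_qsl percent-decodes values, so encoded quotes and spaces are inspected too.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        fields[f"query:{key}"] = value
    for key, value in headers.items():
        fields[f"header:{key}"] = value
    if body:
        fields["body"] = body
    hits = []
    for field, value in fields.items():
        for name, pattern in SQLI_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, name))
    return hits


def make_demo_db():
    """Constructed in-memory table standing in for the database behind the app tier."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_email(conn, name):
    """Backend query with placeholder binding: the value never becomes SQL text."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    return [email for (email,) in rows]
```

A request the screen flags should be rejected at the gateway and logged with the field that matched, which is useful detection data in itself. Because `lookup_email` binds the parameter, an injected tautology that slips past the screen is compared literally against the `name` column and returns no rows rather than every row; the regex inspection buys the 2–20 ms of latency mentioned above, the parameter binding is what makes the data tier safe.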
Recommended reading >> Malicious Code Injection
The best way to prevent API attacks is to choose the right API gateway. That's why some of the world's leading enterprises choose the Akana API platform and Akana API gateway.
With Akana, you can govern the usage of APIs. And you can properly manage the SDLC process to ensure that security technologies are properly configured. By using Akana, you will be on your way to passing your next vulnerability assessment and meeting your compliance requirements.
That's because Akana helps you by:
See for yourself how Akana can help you prevent API attacks in the enterprise.
Explore additional resources:
API Security & Integration Architecture, Akana
Ryan Bagnulo has implemented API integration and security and privacy solutions for hundreds of global transactional systems over the past 2 decades, with deep technical experience in investment banking high performance grid computing as well as connected electronic medical devices and international regulatory compliance. Ryan was the first chief security officer and the head of Solution Architecture for Joyent, a container focused cloud IaaS startup in 2010, and has worked with a number of Silicon Valley startups on cloud API IoT and Microservices innovations.