API Security Tutorial

What is API Security?

API security is a diverse area with multiple layers. The focus of each layer is on specific API security and is designed to earn a specific and strong protection level.

‍

API Discovery

Can you answer a simple question: "How many APIs do you have?" Managing an API inventory is a vital task for organizations that work with multiple APIs. You can't protect what you don't know.

In a large organization, it's impractical for anyone to keep track of every API and the data each one exposes. No surprises there is a problem of shadow APIs (similar to shadow IT), API endpoints that exist within an organization's environment but are not known to, or managed by, the organization's IT or security teams.

The challenge of maintaining an API inventory intensifies when considering projections that by 2025, fewer tan half of the APIs will be actively managed. This implies a significant presence of "zombie APIs" – APIs that, while deprecated, remain accessible due to legacy systems. These unmanaged APIs are potential vulnerabilities, leaving them exposed to potential threats.

Finally, APIs go through their lifecycle. An API evolves, new versions of an API come up or an API may even be deprecated but continue to operate for a temporary period for backward compatibility and then be forgotten or gradually fall off the radar because they receive very little traffic.

API discovery is a race between API providers and hackers; the latter can easily exploit APIs once they're found. To identify your APIs before attackers do, you can analyze your API traffic from different sources. This data is sourced from API gateways, load balancers, linux kernel (eBPF) or directly from network traffic. It's then processed by a specialized engine that produces a comprehensive list of APIs. This list can subsequently be compared with the catalogs of APIs available through an API management layer.

API Real-Time Protection

Most commons API threats are well described in OWASP API Security Top-10 (see the detailed section below). You need to have proper visibility and security controls to mitigate all of these threats.

‍API Security Testing

As the number of APIs continues to grow, many teams are struggling with how to innovate while also ensuring security and compliance. While the shift-left concept has been around for years, it remains a challenge even for the modern orgs to successfully integrate API security testing into their engineering process.

When deploying application security tooling in your CI/CD pipeline, you need to make sure that the products and tools are adequate for your protocols. For example, if your API is mainly REST and GraphQL, make sure your SAST, DAST, IAST tooling supports those.

‍

‍

API Security Checklist

Not sure where you stand with API security?  

API Security Checklist can serve as a starting point for Engineering and Security teams looking to keep APIs compliant and secure.

In this checklist we have collected all the common API safety vulnerabilities and their consequences. We also gave recommendations on how to fix them and mitigation strategies.

Download the API Security checklist by Wallarm

‍‍

API Security Leaks

API Leaks refer to the accidental or intentional exposure of sensitive data through Application Programming Interfaces (APIs). If not secured properly, APIs can expose sensitive information, such as personal data, financial information, or other types of confidential data, to unintended parties. API leaks can occur due to misconfigured API settings, vulnerabilities in the code of the API, or inadequate security protocols. These leaks can lead to severe consequences, including data breaches, identity theft, and financial loss.

There are several types of API leaks, including:

1. Data leaks: These are the most common type of API leaks, where sensitive data such as personal information, passwords, and financial data are made accessible through APIs.
2. Access leaks: In this type of leak, unauthorized users are granted access to restricted APIs, giving them access to sensitive data that they should not have access to
3. Integration leaks: This type of leak can occur when APIs are integrated with other applications without proper security measures in place
4. Supply chain leaks: These leaks occur when third-party APIs with vulnerabilities are included in the supply chain, giving attackers a means to exploit the weak points in the API
5. Configuration leaks: This type of leak happens due to misconfigured APIs, where settings are not set to the desired level of security, making data vulnerable to attacks.

‍

API Authentication Methods

The task of verifying users’ identity is imperative as it keeps ill-usage of API at bay and verifies user authenticity before granting him the access to the stored information kept for better Web API Security. It involves verifying the identity of someone who tries to view or edit the API resources, allowing only authenticated users for the same.

1. Host-based authentication
   

The host-based authentication schema is widely used for IOT devices and raw network authentication. It is not recommended for web technologies since it can be bypassed with spoofing. This process comprises verifying the host or server so that only the verified users can access resources deployed on the servers. It doesn’t demand any key or other means to initiate the process. However, the server should be competent to validate the login keys beforehand to keep the incidents of DNS spoofing, routing spoofing, and IP spoofing under control. 

In the process and manner, it’s very much similar to RSA. 

The argument used here is either yes or no. By default, no argument is set. The host-based verification of users can be done by an administrator by creating a private key for the local host or extracting the public key used for the localhost. 

2. Basic authentication
   

One of the most straightforward API identity-confirmation schemes, this method is crafted using HTTP protocol and process as the client dispatches an HTTP request with a pre-built header for verification of authenticity and demanding credentials like account’s password and username. This basic check is done in a browser-powered environment.

Being supported by every possible browser and server makes basic identity-confirmation the most common one. The credential details are shared over the network in the form of cleartext and are encoded using base64. The credential details are shared over the network in the form of cleartext (or base64) by default, this is a bad practice since it gives man-in-the-middle attack vectors. The good practice is to encrypt the credentials using algorithms such as RSA, SHA-256 or even custom made ones.

It is functional over proxy servers and grants access to resources not hosted on IIS servers. As it fails to add encryption, not much security can be expected out of it. Also, it’s more prone to replay attacks.

3. OAuth
   

OAuth is the open method of identity confirmation. It is a customary API authenticity-verification technique that covers users’ identity verification and defining authorization criteria. The protocol is used widely for allowing applications to authorize their users based on tokens, published from OAuth server (such as Google).

It requires asking for a token when someone tries logging into the system. The token serves here as the means of verifying and approving the user identity. The person/request-creator has to forward the request to accessing the resource to the authentication server. Based on the quality and result of identity-verification, the server can accept or reject the request. 

OAuth is safer and more secure than other processes making it the first choice for many. The three key ingredients of OAuth are OAuth provider, Google and Facebook are the common ones, OAuth Client, refers to the information-owning website/page, and owner, denotes the user making an access request.

4. OAuth 2.0
   

A widely used protocol of API access management, OAuth 2.0 is an updated version of OAuth. Its functioning involves keeping the API client access limited by using HTTP services for the client application enabling. Some HTTP services needed for this sort of protocolare GitHub and Facebook. It takes the help of a code for identity-verification and doesn’t ask for user credentials.

The three factors involved in OAuth 2.0 are the user, who is possessing the data to which the API wants the view or edit permission, the application, and the API.

Using this method for identity confirmation, it’s easy to interpret user data using different resources. It can be deployed for the verification and approval of web-based, mobile-based, and desktop-based applications/devices.  

5. SAML
   

SAML stands for Security Assertion Markup Language and is a standard API process for identity confirmation using single-sign-on technology. It denotes confirming the user as per the provided details. Once the process completes and the user is verified, access to assorted applications/resources is granted. Presently, its SAML 20 version is running. It’s very much similar to the ID. Only user identity assessment is done with its help.

API Security OWASP TOP 10 Vulnerabilities

API1:2019 Broken Object Level Authorization

APIs will in general uncover endpoints that handle object identifiers, making a wide assault surface Level Access Control issue. Item level approval checks ought to be considered in each capacity that gets to an information source utilizing a contribution from the client.

API2:2019 Broken User Authentication

Validation systems are frequently executed mistakenly, permitting assailants to think twice about tokens or to take advantage of execution defects to accept other client's characters for a brief time or for all time. Compromising a framework's capacity to distinguish the customer/client, compromises API security generally speaking.

API3:2019 Excessive Data Exposure

Anticipating nonexclusive executions, engineers will in general uncover all item properties disregarding their singular affectability, depending on customers to play out the information sifting prior to showing it to the client.

API4:2019 Lack of Resources and Rate Limiting

Frequently, APIs don't force any limitations on the size or number of assets that can be mentioned by the customer/client. Not exclusively would this be able to affect the API worker execution, prompting Denial of Service (DoS), yet additionally leaves the entryway open to verification imperfections like animal power.

API5:2019 Broken Function Level Authorization

Complex access control strategies with various chains of command, gatherings, and jobs, and a hazy detachment among authoritative and ordinary capacities, will in general prompt approval blemishes. By taking advantage of these issues, assailants access other clients' assets as well as regulatory capacities.

API6:2019 Mass Assignment

RESTricting customer gave information (e.g., JSON) to information models, without legitimate properties sifting dependent on an allowlist, for the most part prompts Mass Assignment. Either speculating objects properties, investigating different API endpoints, perusing the documentation, or giving extra article properties in demand payloads, permits assailants to change object properties they shouldn't.

API7:2019 Security Misconfiguration

Security misconfiguration is ordinarily an aftereffect of unstable default designs, fragmented or impromptu arrangements, open distributed storage, misconfigured HTTP headers, pointless HTTP techniques, lenient Cross-Origin asset sharing (CORS), and verbose mistake messages containing delicate data.

API8:2019 Injection

Infusion blemishes, like SQL, NoSQL, Command Injection, and so forth, happen when untrusted information is shipped off a translator as a component of an order or question. The assailant's noxious information can fool the translator into executing accidental orders or getting to information without appropriate approval.

API9:2019 Improper Assets Management

APIs will in general uncover a larger number of endpoints than customary web applications, making appropriate and refreshed documentation exceptionally significant. Appropriate has and conveyed API forms stock additionally assume a significant part to relieve issues, for example, censured API forms and uncovered investigate endpoints.

API10:2019 Insufficient Logging and Monitoring

Lacking logging and checking, combined with absent or inadequate incorporation with occurrence reaction, permits aggressors to additional assault frameworks, keep up with steadiness, turn to more frameworks to alter, remove, or annihilate information. Most break studies exhibit an opportunity to distinguish a break is more than 200 days, normally identified by outside parties instead of inward cycles or observing.

‍

‍

What Does API Security Entail? 

APIs, related to the app that you own, can only be controlled. This is why security API is focused on securing APIs that are exposed to a user, directly or indirectly. APIs, offered by other parties, that a user consumes are not a prime priority of Web API security as valuable insights related to such APIs can be gained by detailed analysis of outgoing API traffic. 

One another key point to note here is that API security practice implementation involves multiple teams and systems. Network security principles like throttling, rate limiting, along with key data security concepts like identity-based security and analytics are a part of API security.

‍

‍

API Security Standards - TOP 12 Best Practices

API security is a non-negotiable aspect for data-centric projects and API development. Based upon the types of API implementation and various stages, the below-mentioned API security best practices are widely used to keep diverse security risks at bay.

1. Use of Encryption

Encrypted APIs are hard to get attacked. APIs, used for internal and external communications, should be ciphered using the TLS encryption protocol. If possible, try to use encryption at both ends. Most TLS versions should be deployed. 

2. API Authentication

API authentication is the easiest way to ensure that APIs are not exposed to strangers. Keep track of the resources that are calling the APIs, via API key or basic access authentication. This practice will increase the difficulty of the system and make it more secure. 

3. Make Most Of OAuth&OpenID Connect

OAuth is a mechanism designed to prevent the need of remembering copious passwords. OAuth&OpenID Connect allows APIs to take the full responsibility of authorization and/or authentication.

Rather than generating different website-based accounts, OAuth allows you to connect via different credentials like Facebook or Google. In the case of APIs, it has the same sort of modus-operandi. API providers need to bank upon other third-party servers for API authorizations as API consumers, instead of offering their credentials, hand over the third-party granted token,  

In this process of authorization, both the API consumers and API providers are not directly bearing the API authorization responsibility. Being a widely used delegation protocol, OAuth allows API providers to secret APIs a little further by adding the identity layer. That additional identity layer is known as the Open ID Connect standard that extends OAuth 2.0 with ID tokens.

4. Security Experts  

With multiple API security practices, it’s natural to get confused and pick one. Hiring seasoned security experts that can guide you on using suitable Antivirus systems or ICAP servers will help you big time to enjoy robust API security. 

5. Continual Monitoring, Auditing, and Logging 

Prevention is better than cure. On the same note, it’s wise to keep track of the API interaction and spot the errors in the infancy stage. Audit and log relevant information on the server. These logs and records will be used later at the time of debugging. To keep track of API consumption, monitoring the dashboard is vital. When you’re updating the versions, don’t forget to add them to all the APIs.

6. Share Limited Information 

The less information you share via APIs, the fewer would be API security risks. Try to display the least possible information in the error messages.  

The content and email subjects of pre-defined messages that are not customized should be locked up as IP addresses can give away the location details.

Using IP Whitelist and IP Blacklist is a great way to keep the resource access limited. API resource access should be granted only to authorized professionals and all the crucial information, saved on interfaces, should be kept hidden. 

7. Throttling and Quotas For Protection 

To make sure the backend system bandwidth is as per the server’s capability, throttle yourself and grant access to only a limited number of messages. Throttling and quotas are useful to keep the dangers like DDOS at bay.  

8. Valid Data 

Everything that the server is going to accept should be checked twice and validated. Any added content, data that is huge, and information shared by the consumer should be verified. JSON and XML validation are the two most widely used tools to find out whether or not the parameters are safe. They also keep SQL injection or XML bomb incidents under control. 

9. Robust Infrastructure

Implementation of updated security networks and latest server and load balance software always keep API security tight and makes APIs strong enough to deal with data breaches. 

10. Pay Attention To OWASP Top 10

In this list, the worst API vulnerabilities and their impacts are explained in detail. Experts suggest referring to this list and getting educated on the dangers that your API might encounter in the future. Alongside, securing all the OWASP vulnerabilities is also crucial

11. Use API Firewalls

Just as building a wall around our home keeps unwanted access controlled, building API firewalls ensures APIs have only allowed access. While you’re firewalling the APIs, make sure two layers are added. 

The first layer should be used to perform basic security checks like paying attention to the message size, the presence of SQL injections, and blocking the intruders instantly. 

The second layer should be in LAN loaded with high-end security mechanisms. 

12. API Gateway Deployment  

APIs that are well managed are less prone to dangers. For effortless API management, we suggest using API Gateways as they allow you to control, monitor, and secure the API traffic from beginning to end.

How to Pen Testing API?

Watch our webinar "API Threats Simulation With Open-Source Tools"

Read the guide - "How To Hack API"

Update 2022: We published online service - API Security testing platform - GoTestAPI

‍

API Protocols

Based on the requirements, APIs can be used in various forms and styles. The chosen API style (REST, SOAP, GraphQL, gRPC, Websocket or Webhooks) decides how API security should be applied and implemented.  Different API protocols, such as gRPC, GraphQL, and others, introduce their own unique security threats and attack vectors. For instance, GraphQL, due to its flexible querying capability, can be prone to resource exhaustion attacks if queries aren't properly validated and rate-limited. Each protocol, with its distinct architectural and operational nuances, requires specialized security considerations to address potential vulnerabilities and defend against tailored exploitation techniques.

API Protocol Comparison

‍

‍

How to secure / protection API and cloud-native apps

Use Wallarm - a dependable and complete API security tool - designed to safeguard websites, microservices, and APIs from all sorts of dangers including OWASP API Top 10, bots, and application abuse easily. 

The great part is Wallarm’s zero manual rule configuration and ultra-low false positives with Wallarm. Only reliable and real-time API security analysis and viable solutions will be offered. There is a free trial and demo offered for the convenience of the users.  The tool is capable of protecting APIs of all sorts such as REST, SOAP. 

Our seasoned API security team is skilled enough to secure APIs in any sort of environment. We have mastered the art and science of API security in AWS, GCP, Azure and IBM Cloud ecosystem, regardless of the type of deployment.