By: Ambler Jackson
February 25, 2022
Five Critical API Security Vulnerabilities
Application Programming Interfaces (APIs) are a fundamental part of modern software development. Organizations use APIs to enhance the user experience for their products and services, and almost every application uses one. While APIs are valuable and necessary for any digital transformation strategy, they are also high-value targets for bad actors seeking to take over accounts, create fake accounts, or engage in credential stuffing or content scraping. Some industries, such as financial services and healthcare, are prime targets for API-based attacks because of the highly valuable data they collect, maintain, and disclose. Given the known risks of deploying applications that use APIs, organizations must protect and secure the APIs they produce and consume if they intend to maintain a strong security posture.
API Security Weaknesses and Vulnerabilities
APIs are exposed like any other internet-accessible resource, and their weaknesses allow attackers to take advantage of an organization's digital assets. Once an attacker exploits an API weakness, businesses risk suffering financial and reputational harm, especially when sensitive data is exposed. Several of the most notable and large-scale attacks have been due to API vulnerability exploits. In 2021, an Experian API weakness resulted in the unauthorized exposure of customer account information, including credit scores. A researcher found that an API was directly accessible without authentication. The researcher also discovered that when they entered all zeros in the date-of-birth field, they could view the credit scores of individuals. In the summer of 2021, a researcher found a Peloton API vulnerability that allowed unauthorized access to customers' personally identifiable information (PII), resulting in severe criticism.
These attacks highlighted the impact of insecure or leaky APIs and the challenges organizations face navigating the API security threat landscape. It is becoming increasingly clear that traditional security tooling cannot protect against the current API threat landscape.
Critical API Security Vulnerabilities
According to the OWASP Top 10 for 2021, the most critical API security vulnerabilities fall within the following five categories:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
Access control is an essential component of data security. This security technique determines who can view or use a company's resources. In the physical world, access controls include fences, key locks, turnstiles, and biometric systems; in software, they are the checks that decide which users may reach which data and functions. Poor implementation of access control mechanisms leads to broken access control. Broken access controls may result in varying types of privilege escalation (horizontal, vertical, and context-dependent), which may allow a bad actor to gain privileged access to systems. When a bad actor obtains privileged access to a system, they can reach sensitive data that could be disclosed, modified, or destroyed. The OWASP Top 10: 2021 notes that broken access control is the category with the most severe web application security risk.
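The horizontal privilege escalation described above, as an added illustration that is not code from the article or from any of the vendors it names: a simulated "get account" endpoint that authenticates the caller but never checks object ownership, beside the corrected handler. The account store, roles, and the `support_admin` role name are constructed assumptions.

```python
# Added example: a missing object-level authorization check (broken access
# control) and the corrected handler. All data below is constructed.
from dataclasses import dataclass

# Constructed stand-in for an API's account store: account id -> record.
ACCOUNTS = {
    101: {"owner": "alice", "credit_score": 712},
    102: {"owner": "bob", "credit_score": 655},
}
# Constructed identity store: authenticated user -> role (assumed role names).
ROLES = {"alice": "user", "bob": "user", "carol": "support_admin"}


@dataclass
class Response:
    status: int
    body: dict


def get_account_vulnerable(caller: str, account_id: int) -> Response:
    """Authenticates the caller but never checks that the caller owns the
    record, so any logged-in user can read any account by changing the id."""
    if caller not in ROLES:
        return Response(401, {"error": "authentication required"})
    record = ACCOUNTS.get(account_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def get_account_secure(caller: str, account_id: int) -> Response:
    """Same endpoint with object-level authorization enforced server-side on
    every request: deny by default, allow only the owner or a support admin."""
    if caller not in ROLES:
        return Response(401, {"error": "authentication required"})
    record = ACCOUNTS.get(account_id)
    # Return the same 404 for "missing" and "not yours" so the endpoint does
    # not confirm which account ids exist to a caller who may not see them.
    if record is None or (record["owner"] != caller and ROLES[caller] != "support_admin"):
        return Response(404, {"error": "not found"})
    return Response(200, record)


if __name__ == "__main__":
    # bob asks for alice's account: leaked by the first handler, denied by the second.
    print(get_account_vulnerable("bob", 101).status)  # 200
    print(get_account_secure("bob", 101).status)      # 404
```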
The cryptographic failures category, previously categorized by OWASP as sensitive data exposure, includes vulnerabilities related to cryptography that lead to the exposure of sensitive data. Data left unencrypted is at risk of exposure, and sensitive data exposure may harm individuals, damage an organization's brand reputation, and lead to costly fines.
Cryptographic failures may occur when:
- Old or weak cryptographic algorithms or protocols are used either by default or in older code.
- Deprecated hash functions such as MD5 or SHA1 are in use.
- Non-cryptographic hash functions are in use when cryptographic hash functions are necessary.
Injection occurs when an attacker supplies input, sometimes malicious code, to a program or application in a way that alters the program's execution. An application is vulnerable to injection when:
- User-supplied data is not validated, filtered, or sanitized by the application.
- Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
- Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
- Hostile data is directly used or concatenated.
- The SQL or command contains both the structure and the malicious data in dynamic queries or stored procedures.
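The second and fourth conditions above, as an added example that is not code from the article: the same customer lookup written once with the input concatenated into the SQL statement and once as a parameterized query, run against a constructed in-memory SQLite table. The table, column names, and sample rows are assumptions made for the illustration.

```python
# Added example: a concatenated (injectable) query beside a parameterized one.
# The customers table and its rows are constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for an API's customer store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, ssn_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Alice", "1234"), (2, "O'Brien", "5678"), (3, "Bob", "9012")],
    )
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """User input is concatenated into the statement, so the input becomes part
    of the query's structure, not just its data. A legitimate apostrophe breaks
    the query; a crafted value rewrites it."""
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, name: str) -> list:
    """The statement structure is fixed; the driver binds the input as a value,
    so the same input is only ever compared against the name column."""
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"
    print(len(find_customer_vulnerable(conn, hostile)))  # 3: every row is returned
    print(len(find_customer_safe(conn, hostile)))        # 0: treated as a literal name
    print(find_customer_safe(conn, "O'Brien"))           # [(2, "O'Brien")]
```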
The insecure design category covers risks arising from design flaws and calls for increased use of threat modeling, secure design patterns, and reference architectures. OWASP states that threat modeling should be used for critical authentication, access control, and business logic to mitigate risks related to design and architectural flaws.
As for the fifth category, security misconfigurations may stem from insecure default configurations. For example, an application may be vulnerable if default accounts and their respective passwords are still enabled and unchanged. Organizations seeking to prevent vulnerabilities should implement an automated process to verify the effectiveness of the configurations and settings in all environments.
Protecting and Securing APIs
There is no single, fixed path to securing APIs while the API threat landscape continues to evolve. Discovering existing API vulnerabilities, logging and monitoring, and identifying and closing security gaps are crucial to protecting and securing APIs. Security best practices for APIs include strong and properly implemented encryption, firewall protection, and strong authentication and authorization protocols. API security testing can confirm that these basic security requirements are satisfied.
To mitigate the risks associated with some of the vulnerabilities discussed above, organizations with mature security programs will implement a strategy for securing their APIs. Implementation will require development and security teams to work to support a culture of security. Both teams will need to fully understand the API threat landscape, API vulnerabilities, and immature security practices that may leave the organization exposed to risks.
About the Author: Ambler is an attorney with a background in corporate governance, regulatory compliance, and data privacy. She currently consults on governance, risk, compliance, enterprise data management, and data privacy and security matters in Washington, DC. LinkedIn: https://www.linkedin.com/in/amblertjackson/ Twitter: @amblerjackson
References
- CISO MAG, Peloton's API Vulnerability Exposes Users' Personal Information, accessed 2022-02-24: https://cisomag.eccouncil.org/pelotons-api-vulnerability-exposes-users-personal-information/
- Krebs on Security, Experian API Exposed Credit Scores of Most Americans, accessed 2022-02-24: https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/
- OWASP, Broken Access Control, accessed 2022-02-24: https://owasp.org/Top10/A01_2021-Broken_Access_Control/
- OWASP, Cryptographic Failures, accessed 2022-02-24: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
- OWASP, Injection, accessed 2022-02-24: https://owasp.org/Top10/A03_2021-Injection/
- OWASP, Insecure Design, accessed 2022-02-24: https://owasp.org/Top10/A04_2021-Insecure_Design/
- OWASP, Security Misconfiguration, accessed 2022-02-24: https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
- OWASP Top 10 2021, accessed 2022-02-24: https://owasp.org/Top10/