APIs make your systems easier to run — and make it easier for hackers, too. Let’s explore some of the API vulnerabilities that get exploited and abused by hackers, and I’ll share some easy tips for you to consider to close those gaps.
API usage has exploded, and cybercriminals are increasingly taking advantage of API security flaws to commit fraud and steal data.
APIs make everything a bit easier — from data sharing to system connectivity to delivery of critical features and functionality — but they also make it much easier for the bad actors (and the bad bots they deploy) to carry out attacks.
When I’m in hacker mode, the first thing I do is identify as many APIs as possible. I start by using the target application as expected: web applications get opened in a browser; mobile apps are downloaded and installed. All the while, I monitor the communications with an intercept proxy.
The intercept proxy captures every request my browser or mobile app makes to the backend web servers, so I can catalog the API endpoints that are actually in use. Most APIs have a predictable authentication endpoint, such as /api/v1/login, and the rest of the surface usually follows the same naming pattern.
If the target is also a mobile app, I take the application package apart (unpacking and decompiling it) and look for the API calls embedded in the code; these often include endpoints that the user interface never triggers. With all the possible activity in view, I can search for common misconfigurations or APIs that don’t protect user data correctly.
Finally, I look for API documentation. Some organizations publish API documents for third parties but use the same API endpoints for all users, so the documentation describes the same backend the app talks to, including endpoints I have not yet seen in traffic.
With a decent inventory of the endpoints, I can test both standard user behavior and abnormal behavior. You can find interesting vulnerabilities through both methods.
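To make the inventory step concrete, here is an added example (my code, not the author's tooling or any product of the page) that takes a proxy export in HAR format, the JSON format that Burp, mitmproxy and ZAP can all save, collapses per-object identifiers so that /users/1042 and /users/1043 count as one endpoint, and then compares that catalog against path literals pulled from unpacked client code to surface endpoints the app knows about but the UI never calls. The host names, requests and client strings are constructed for the example; the function names and the {id} placeholder convention are assumptions of mine.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a minimal HAR-style export of the sort an intercept proxy
# (Burp, mitmproxy, ZAP) can save. The requests and host names are invented for
# this example and were not captured from any real application.
SAMPLE_HAR = {
    "log": {"entries": [
        {"request": {"method": "POST", "url": "https://app.example.com/api/v1/login"}},
        {"request": {"method": "GET", "url": "https://app.example.com/api/v1/users/1042/profile?full=1"}},
        {"request": {"method": "GET", "url": "https://app.example.com/api/v1/users/1043/profile"}},
        {"request": {"method": "GET", "url": "https://app.example.com/api/v1/orders/7f3c9a2e-1b4d-4e7a-9c1d-0a2b3c4d5e6f"}},
        {"request": {"method": "GET", "url": "https://cdn.example.com/static/app.js"}},
    ]}
}

# Constructed sample: strings of the kind you find after unpacking a mobile app
# or reading its bundled JavaScript. Also invented for this example.
SAMPLE_APP_STRINGS = """
const BASE = "https://app.example.com";
fetch(BASE + "/api/v1/login", {method: "POST"})
fetch(BASE + "/api/v1/users/" + uid + "/profile")
fetch(BASE + "/api/v2/admin/export")
fetch("https://cdn.example.com/static/app.js")
"""

# Path segments that are object identifiers rather than part of the route.
NUMERIC_ID = re.compile(r"^\d+$")
UUID_ID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HEX_ID = re.compile(r"^[0-9a-f]{16,}$", re.I)


def normalize_path(path: str) -> str:
    """Collapse identifiers so /users/1042/profile and /users/1043/profile are one endpoint."""
    out = []
    for seg in path.split("/"):
        if NUMERIC_ID.match(seg) or UUID_ID.match(seg) or HEX_ID.match(seg):
            out.append("{id}")
        else:
            out.append(seg)
    return "/".join(out)


def catalog_har(har: dict, api_prefix: str = "/api/") -> dict:
    """Build {(host, METHOD, normalized_path): [raw paths seen]} from proxy traffic.

    Only paths under api_prefix are kept; static assets and third-party hosts
    are noise for this purpose.
    """
    seen = defaultdict(list)
    for entry in har["log"]["entries"]:
        req = entry["request"]
        u = urlsplit(req["url"])
        if not u.path.startswith(api_prefix):
            continue
        key = (u.netloc, req["method"].upper(), normalize_path(u.path))
        seen[key].append(u.path)
    return dict(seen)


# A quoted string literal that starts with the API prefix.
ENDPOINT_LITERAL = re.compile(r'"(/api/[^"\s]+)"')


def endpoints_from_app_strings(text: str) -> set:
    """Pull API path literals out of decompiled or bundled client code."""
    return set(ENDPOINT_LITERAL.findall(text))


def find_unobserved(catalog: dict, app_endpoints: set) -> set:
    """Endpoints the client knows about that never appeared in proxied traffic.

    A literal like "/api/v1/users/" is a prefix built up by string concatenation,
    so it counts as observed when any catalogued path starts with it.
    """
    observed_paths = [p for paths in catalog.values() for p in paths]
    unobserved = set()
    for ep in app_endpoints:
        prefix = ep.rstrip("/")
        if not any(p == prefix or p.startswith(prefix + "/") for p in observed_paths):
            unobserved.add(ep)
    return unobserved


if __name__ == "__main__":
    catalog = catalog_har(SAMPLE_HAR)
    for (host, method, path), raw in sorted(catalog.items()):
        print(f"{method:5} {host}{path}  ({len(raw)} request(s))")
    hidden = find_unobserved(catalog, endpoints_from_app_strings(SAMPLE_APP_STRINGS))
    print("In the app but never seen in traffic:", sorted(hidden))
```

On the constructed data the traffic catalog collapses to three endpoints, and the comparison flags /api/v2/admin/export as a route the client ships but the normal UI never exercised, which is exactly the kind of endpoint worth probing first for missing authorization checks. Against a real export you would widen the identifier patterns to whatever the target uses (slugs, base64 tokens) and add the documented third-party endpoints to the app-side set.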
Learn about the most important API security threats engineering leaders should be aware of, and the steps you can take to prevent them.
APIs can be as simple as one endpoint used by hundreds of users or as complex as the AWS APIs, with thousands of endpoints and hundreds of thousands of users. Building them can mean spending a couple of hours on a low-code platform or months of work with a multitude of tools. Hosting them can be as simple as using one platform that does everything we need, or as complex as setting up and managing ingress control, security, caching, failover, metrics and scaling.
I’ve been working with RESTful APIs for some time now, and one thing I love to do is talk about APIs.
After the special 100th edition last week, which was all about API security advice from the industry’s thought leaders, this week we are back to our regular API security news, and we have twice the number of them, from the past two weeks.
The method used for this initial research was to obtain a list of the ASX100 (as of 18 September 2020), then work through each company looking at the following