This is the third in a three-part series on REST APIs. You can read the entire series here.
In the previous posts (here and here) we considered the ascendancy of APIs and the security challenges they pose. In this post, we will examine how the Barracuda Web Application Firewall can help secure REST APIs. Note that the BWAF applies the same industry-leading technology for detecting malicious inputs that is used in protecting web applications. This includes de-obfuscation and protocol sanitization, amongst a host of other checks. Many of these also apply equally to AJAX-based web applications.
Filtering Malicious Data from Untrusted User Inputs in JSON/XML
Developers of programming frameworks and bespoke software alike often omit input sanitization for JSON and XML, despite enforcing it in traditional web interfaces. For example, the JSON gem in Ruby was found to be vulnerable to SQL injection, and so was the Perl module SQL::Maker. This opens up all the OWASP Top 10 attacks through your APIs, even though the same application may have been locked down through its web interface.
Filtering Malicious Data from Untrusted User Inputs in URL Path
This includes examining the complete URL (not just the URL query part) for malicious inputs. This is enabled by default and is configured from the SECURITY POLICIES > URL Protection page.
Protecting the Entire API Attack Surface
Being a reverse proxy, the BWAF intercepts and protects the API's entire attack surface. This covers dynamically generated URLs, URLs that use resource names as directory components (e.g. a username or movie name), and so on.
Uninterrupted API Delivery with Virtual Patching
Because the BWAF sits inline, you can immediately remediate any known or new vulnerability in either your API or its framework (e.g. SQLi in Ruby's JSON gem or a new SSL vulnerability) by applying a virtual patch on the BWAF. This saves you from a find-fix-test-redeploy cycle during which your API remains down and business suffers.
Preventing API Abuse from Rogue Consumers (Anti-farming)
Many RESTful web service APIs are farmed by third-party aggregators. For example, price-matching websites can inundate the REST APIs of eCommerce services. If not throttled properly, this imposes excessive load on the API backend, reducing the service quality for other, possibly paying, consumers. Brute-force and anti-DDoS policies on the BWAF help enforce disciplined access to the API.
Ensuring SLAs to Business Partners
REST APIs often have different service levels for different resources. For example, the product catalog (/api/products/*) could have a different SLA from product orders (/api/orders/*), which in turn could be different from /api/search. Further, each of these could have different SLAs for different partners. All of these can be tackled with Rate Control and Brute-force prevention on the BWAF.
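To make the per-resource, per-partner SLA idea concrete, here is an added example (not BWAF code, and not from Barracuda) of a rate controller that keeps one token bucket per (partner tier, route prefix). The SLA table, tier names and route prefixes are constructed for illustration; the clock is injectable so the behaviour can be checked deterministically.

```python
import time

# Constructed SLA table for this example: (requests per second, burst) per
# partner tier and route prefix. Anything not in the table is denied.
SLA = {
    ("gold",   "/api/products/"): (200, 400),
    ("gold",   "/api/orders/"):   (50, 100),
    ("silver", "/api/products/"): (20, 40),
    ("silver", "/api/orders/"):   (5, 10),
    ("silver", "/api/search"):    (2, 4),
}
ROUTES = sorted({route for _, route in SLA}, key=len, reverse=True)


class RateController:
    """One token bucket per (partner, route), so a partner's catalog traffic
    cannot consume the budget reserved for its order traffic, or vice versa."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable for deterministic testing
        self.buckets = {}           # (partner, route) -> (tokens, last_refill)

    @staticmethod
    def route_for(path):
        for route in ROUTES:        # longest matching prefix wins
            if path.startswith(route):
                return route
        return None

    def allow(self, partner, path):
        key = (partner, self.route_for(path))
        if key not in SLA:
            return False            # no SLA defined: deny rather than guess
        rate, burst = SLA[key]
        now = self.clock()
        tokens, last = self.buckets.get(key, (float(burst), now))
        tokens = min(burst, tokens + (now - last) * rate)   # refill since last call
        if tokens < 1:
            self.buckets[key] = (tokens, now)
            return False
        self.buckets[key] = (tokens - 1, now)
        return True
```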
Protecting XML and JSON Parsers
The BWAF validates XML and JSON content, preventing DoS attacks on their respective parsers that could bring down your API service. It blocks XML bombs that look like valid XML but would still detonate your XML parser, for example through exponential entity expansion.
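The two points above (applying the same injection checks to JSON values that a web form would get, and keeping hostile documents away from the parser) can be illustrated with an added example that is not BWAF or Barracuda code. The size and depth limits are constructed for illustration, the SQL-injection signature is deliberately simplified, and the XML check simply refuses any inline DTD, since every entity-expansion bomb needs one and a REST API never does.

```python
import json
import re

# Constructed limits for this example; a real WAF policy carries many more rules.
MAX_BODY_BYTES = 64 * 1024
MAX_JSON_DEPTH = 20
# Deliberately simplified SQL-injection signature, applied to every string value
# no matter how deeply it is nested in the JSON document.
SQLI_PATTERN = re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s|;\s*drop\b)")
# An inline DTD is required for any entity-expansion bomb, and a REST API never needs one.
DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")


def inspect_json_body(raw: bytes) -> list:
    """Return findings for a JSON request body; an empty list means it passed."""
    if len(raw) > MAX_BODY_BYTES:
        return ["body exceeds size limit"]
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError) as exc:
        return [f"malformed or over-nested JSON: {type(exc).__name__}"]
    findings = []

    def walk(node, path, depth):
        if depth > MAX_JSON_DEPTH:
            findings.append(f"{path}: nesting deeper than {MAX_JSON_DEPTH}")
            return
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}", depth + 1)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]", depth + 1)
        elif isinstance(node, str) and SQLI_PATTERN.search(node):
            findings.append(f"{path}: SQL injection pattern in value")

    walk(doc, "$", 0)
    return findings


def inspect_xml_body(raw: bytes) -> list:
    """Reject any inline DTD before the XML ever reaches the parser."""
    if len(raw) > MAX_BODY_BYTES:
        return ["body exceeds size limit"]
    for marker in DTD_MARKERS:
        if marker in raw:
            return [f"inline DTD not allowed ({marker.decode()})"]
    return []
```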
API Authentication and Authorization
The BWAF can pre-authenticate requests to the API services or completely offload authentication onto itself in the DMZ. Apart from basic authentication, LDAP and RADIUS, it also supports client certificates, CRL and OCSP. Additionally, API keys can be allow-listed and validated in any part of the request, including headers.
API Session Security
Out of the box, the BWAF provides tight security for session tokens, whether they are carried in the URL, in headers, or in cookies. This includes session token encryption, signing, and replay protection, which prevents MITM attacks. CSRF token injection, referrer validation, and HTTP header inspection can also be fully enforced on API requests.
Enforcing Verb-based Security Constraints and Access Control
As mentioned in our earlier post, REST applications often tie HTTP methods (verbs) to operational policies and role-based access control (e.g. VBAAC). Often, not every verb is valid for every resource. The BWAF can enforce which methods are allowed on which resources using its granular positive profiling capabilities.
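The following added example (not BWAF or Barracuda code) shows what such a positive profile looks like in logic: a per-resource allow-list of verbs combined with a per-role verb policy, evaluated on the full, canonicalized URL path so that encoded or dot-segment variants of a path cannot slip past the profile. The resource patterns, roles and the double-decoding choice are constructed assumptions for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed positive profile: for each URL pattern, the only verbs allowed.
# Any (verb, resource) pair not listed is denied, which is the point of a positive model.
PROFILE = [
    (re.compile(r"^/api/products$"),                 {"GET"}),
    (re.compile(r"^/api/products/[A-Za-z0-9-]+$"),   {"GET"}),
    (re.compile(r"^/api/orders$"),                   {"GET", "POST"}),
    (re.compile(r"^/api/orders/\d+$"),               {"GET", "PUT", "DELETE"}),
    (re.compile(r"^/api/search$"),                   {"GET"}),
]
# Constructed verb-based role policy (VBAAC): the verbs each role may ever use.
ROLE_VERBS = {
    "customer": {"GET", "POST"},
    "admin":    {"GET", "POST", "PUT", "DELETE"},
}


def normalize(path: str) -> str:
    """Canonicalize the full path so the profile sees what the backend will see:
    strip the query, decode twice (to unmask %25-encoded sequences) and collapse
    dot segments and duplicate slashes."""
    path = path.split("?", 1)[0]
    decoded = unquote(unquote(path))
    # lstrip first: posixpath.normpath would preserve a leading double slash
    return posixpath.normpath("/" + decoded.lstrip("/"))


def authorize(method: str, path: str, role: str) -> bool:
    """True only if the verb is allowed on the matched resource AND for the role."""
    method = method.upper()
    resource = normalize(path)
    for pattern, verbs in PROFILE:
        if pattern.match(resource):
            return method in verbs and method in ROLE_VERBS.get(role, set())
    return False    # unknown resource: deny
```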
Providing a Secure TLS Front End to the API Service
The BWAF provides a secure TLS stack that prevents MITM eavesdropping on clear-text data and credentials (e.g. the basic authentication header or API keys). It supports only strong ciphers as well as perfect forward secrecy. Since REST is very chatty, offloading TLS/SSL to the BWAF also relieves the API infrastructure and allows it to scale.
API Delivery and Scalability
The chatty nature of REST (and AJAX) can impose significant overhead on your servers due to frequent connection establishment and teardown. Connection multiplexing between the BWAF and the backend servers greatly optimizes these exchanges: a pool of connections is maintained between the WAF and the backend at all times, over which client requests are multiplexed. Connection setup and teardown costs are therefore not incurred per request, streamlining network processing on the servers.
Caching and Compressing your REST API
REST advocates statelessness to promote caching, and a reverse proxy is the best-practice place to provide caching for your API. This speeds up API delivery and reduces server load. Being HTTP-aware, the BWAF can identify safe methods (e.g. GET) and cache responses only for these, while passing requests with unsafe methods (e.g. POST) through to the API backend uncached.
Its compression module can compress XML or JSON data in responses, saving significant bandwidth on the wire and speeding up API delivery over flaky mobile networks.
Centralized API Auditing and Analytics
The BWAF provides extensive logging and reporting for all HTTP requests, with ready integration with the top SIEM vendors. This provides a centralized auditing and regulatory compliance framework for enterprise API services that handle PII or other confidential or sensitive data.
With its rich reporting, you can get immediate insight into API usage and consumption behavior and drill down into the reports using many different client- and server-side metrics.
For more information on the Barracuda Web Application Firewall, visit our product site here.