Reviewing our 2019 AppSec predictions: Attacks against APIs
At the start of the year, I made three predictions on attacks vectors that would become big problems over the year and beyond. This is the look at where the three are, now, at the end of the year. This is the second prediction - an increase in attacks against APIs.
API security is not as good as it should be at this time – most APIs are not used directly by consumers and weren’t widely exploited until very recently. ... API protection is another place where companies need to focus on this year, to avoid major data breaches.
Over the last 2 years, Uber has had API vulnerabilities exposed. One of them allowed any user to get free rides. The team who discovered the vulnerability dug into the Uber app’s payment API and realized that it did not validate the payment method at the end of the ride. They could use the API to submit an invalid method as payment and were able to get away without payment.
The researchers also discovered a second one – this one far more dangerous to Uber drivers and users. Using some of the Uber APIs, they were able to get any user’s UUID by submitting valid phone numbers or email addresses. This UUID could then be used to request and receive the user’s app access token and a lot of their personal information. Using this access token and UUID, they could then take over the account.
It isn’t just Uber that has these issues. The official app for the BlackHat conference, T-Mobile (twice), AT&T, TrueCaller, JustDial, AirTel, and multiple IoT devices (including children’s smartwatches) have all had API vulnerabilities exposed in the last two years. The pace is only accelerating, as more and more organizations deploy API-based applications without providing complete security.
Unfortunately, the understanding of API deployments and their security needs has been lagging. In many cases, when an app that uses an API is launched, there is little thought given to securing the API, versus the amount of thought given to API delivery and scalability. The prevailing thought seems to be that an API is a very technical thing that few people know or understand.
There is also another problem that has come up in the recent past – API sprawl. Much like websites and apps, where forgotten domains and apps came back to haunt companies, security admins today also face the problem of API discovery. In many cases, they aren’t aware of which APIs are deployed, how many of them are public, and how many are internal only. In at least two of the examples above (JustDial and AirTel), the APIs that were discovered were testing APIs that were not meant for public consumption. However, they were published on the internet – and were discovered (thankfully) by White Hats.
Today, the number of systems that speak to each other to accomplish various functions – from buying a phone on a payment plan to paying for lunch online – is enormous, and all of them use APIs. APIs require significant security to ensure that your app doesn’t become best known for a massive breach or take your company into bankruptcy. The vulnerabilities seen in many of the cases in this blog were standard web application vulnerabilities that have been known about for years – and have known defenses, both in terms of programming practices (non-guessable/non-enumerable IDs) and defense techniques (rate-limiting, lockouts).
There are some basic steps that can be taken to secure your APIs:
- Set up a secure SSL/TLS front end for all your applications
- Use a secure/hardened parser
- Ensure you have access control and session security in place for the APIs (this could mean using JWTs or OAuth)
- Enforce Verb-based Security Constraints and Access Control
- Allow-list approved HTTP Methods
- Use the principle of least privilege and fail-safe defaults (default access is “none”)
- Don’t expose any information in the URLs and make sure you hash any security tokens
- Validate all user inputs, any input parameters, and incoming content-types
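As an added example (not Barracuda’s code and not the Uber fix), this hypothetical account-lookup handler shows the defenses named above in working form: an HTTP method allow-list with default deny, a sliding-window rate limit that escalates to a lockout, and a uniform response so that a lookup by phone number or email cannot be used to enumerate accounts or harvest internal UUIDs. The endpoint name, limits and user store are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # sliding window for the rate limit
MAX_PER_WINDOW = 5       # lookups a client may make per window
STRIKES_TO_LOCK = 3      # limit violations before the client is locked out
LOCKOUT_SECONDS = 900    # lockout duration once the strike count is reached


class LookupEndpoint:
    """Hypothetical handler for POST /v1/account/lookup (constructed example)."""

    ALLOWED_METHODS = {"POST"}   # allow-list: anything else is denied by default

    def __init__(self, known_identifiers, clock=time.monotonic):
        self.known = set(known_identifiers)   # constructed sample user store
        self.clock = clock                    # injectable for deterministic tests
        self.hits = defaultdict(deque)        # client -> timestamps inside the window
        self.strikes = defaultdict(int)       # client -> rate-limit violations
        self.locked_until = {}                # client -> lockout expiry time
        self.outbox = []                      # stand-in for out-of-band notifications

    def _rate_limited(self, client):
        now = self.clock()
        if self.locked_until.get(client, 0) > now:
            return True                       # still locked out: do no work at all
        window = self.hits[client]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                  # drop requests older than the window
        if len(window) >= MAX_PER_WINDOW:
            self.strikes[client] += 1
            if self.strikes[client] >= STRIKES_TO_LOCK:
                self.locked_until[client] = now + LOCKOUT_SECONDS
            return True
        window.append(now)
        return False

    def handle(self, method, client, identifier):
        """Return (status_code, body); the body is identical for known and unknown ids."""
        if method not in self.ALLOWED_METHODS:
            return 405, {"error": "method not allowed"}
        if self._rate_limited(client):
            return 429, {"error": "too many requests"}
        if identifier in self.known:
            # Act only internally (e.g. message the account owner); never
            # return the UUID or anything that differs for a known account.
            self.outbox.append(identifier)
        return 202, {"status": "if this account exists, a message has been sent"}
```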
The Barracuda WAF family provides full protection for web and API applications wherever they are hosted. It makes it easy to set up web, mobile and API application security. Discovering and securing APIs is made easier using XML Schema/WSDL and OpenAPI spec import.
The BWAF family can protect the entire API attack surface. As a reverse proxy with hardened XML and JSON parsers, it intercepts all traffic and covers all parts of the application, including dynamically generated URLs and URLs with resource names as directories. In addition, it provides API gateway capabilities to securely deliver and scale your APIs. For a no-risk 30-day trial, visit our corporate site at www.barracuda.com/waf.
To read our commentary on our Account Takeover prediction, click here.