REST API Security Essentials | Dreamfactory
by Terence Bennett • April 23, 2024
Cybersecurity is one of the most prominent and pressing concerns for businesses today. As developers move more of their web applications to a microservices architecture, data is shared by web service APIs now more than ever. Industry analysts predicted that API attacks would become the most common attack vector by the end of this year. Unfortunately, that prediction has come true. More than three out of every four cybersecurity professionals in the US and UK have reported at least one API-related security event in the past year. This has encouraged organizations to put a stronger focus on securing their APIs from such vulnerabilities. However, many companies are still far from where they should be when it comes to REST API security. Are you sure you're adequately protecting your intellectual property and your customers' data? If not, this article will get you up to speed on REST API security essentials.
Here are the key things to know about REST API security essentials:
- API Security is essential for protecting sensitive data accessed through Application Programming Interfaces (APIs), encompassing practices and technologies that secure APIs from unauthorized access and attacks.
- REST API Security involves securing RESTful APIs, which are widely used for web services and commonly interact with JSON data formats, focusing on authenticating and authorizing access through methods like API keys and OAuth standards.
- SOAP Security, though less common today, provides built-in security features for SOAP-based APIs, which strictly use XML data format and include comprehensive specifications to ensure secure data transmission.
- Importance of API Security: Given APIs' role in accessing application functions and data directly, effective API security is crucial in preventing data breaches, unauthorized access, and ensuring data integrity and confidentiality.
- Best Practices include using HTTPS for encrypted communication, implementing strict authentication and authorization controls like OAuth2, and regularly updating and testing APIs to guard against emerging security threats.
What Is API Security?
API (Application Programming Interface) security is a broad topic that includes two main categories: REST API security and SOAP security.
REST (Representational State Transfer) is an architectural style for software. It's essentially a set of rules that developers follow in order to be REST compliant. RESTful APIs are the most common type of APIs in use today. JSON (JavaScript Object Notation) is the file format most frequently associated with RESTful APIs.
SOAP (Simple Object Access Protocol) is a messaging protocol, so it is in a different category than REST. It is less commonly used than REST these days, but it is still a strong option thanks to its built-in security measures. SOAP can only transfer data in the XML format.
Following good REST API security practices prevents unauthorized access to important data and processes. These practices generally include the use of API keys, OAuth (Open Authorization), or, preferably, the OAuth2 standard. Both OAuth and OAuth2 use security tokens to authenticate clients, but OAuth2 is a better fit from a modern cybersecurity standpoint. OAuth2 provides the same functionality as the original OAuth (versions 1.0 and 1.1) and offers the same general user experience, but it is not backward compatible with OAuth. OAuth2 delegates all security functions to the HTTPS protocol. To accommodate this change, OAuth2 introduces new roles in the process of data transfer via APIs. Whereas OAuth did not explicitly separate the roles of resource server and authorization server, OAuth2 defines four roles: client, authorization server, resource server, and resource owner.
OAuth and OAuth2 use security tokens instead of passwords, while API keys are codes used to confirm the identity of the user requesting access. Additionally, both SOAP and REST can use HTTPS (Hypertext Transfer Protocol Secure) instead of plain HTTP for additional security.
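The four OAuth2 roles from the paragraphs above, as an added Python sketch that is not DreamFactory's code: the client only ever holds a bearer token, and the resource server never sees the resource owner's credentials but checks the token with the authorization server, enforcing expiry and scope. The in-memory token store, the introspection call and the `profile:read` scope name are assumptions for illustration; the text's point that a real deployment runs this over HTTPS still applies.

```python
import secrets
import time
from dataclasses import dataclass, field

# Added illustration, not DreamFactory code: the four OAuth2 roles as
# in-memory classes. The client never handles the resource owner's password;
# it holds a bearer token that the resource server checks with the
# authorization server (token introspection). Scope names are assumptions.

@dataclass
class Token:
    client_id: str
    owner: str          # the resource owner who granted access
    scope: set
    expires_at: float

@dataclass
class AuthorizationServer:
    """Issues tokens after consent and answers "is this token still valid?"."""
    tokens: dict = field(default_factory=dict)

    def issue(self, client_id, owner, scope, ttl=3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)            # opaque and unguessable
        self.tokens[token] = Token(client_id, owner, set(scope), now + ttl)
        return token

    def introspect(self, token, now=None):
        now = time.time() if now is None else now
        info = self.tokens.get(token)
        if info is None or now >= info.expires_at:   # unknown or expired
            return None
        return info

class ResourceServer:
    """Holds the protected data and trusts only the authorization server."""
    def __init__(self, auth_server, profiles):
        self.auth = auth_server
        self.profiles = profiles                     # owner -> profile record

    def get_profile(self, authorization_header, now=None):
        """Return (HTTP status, body) the way an API endpoint would."""
        if not authorization_header.startswith("Bearer "):
            return 401, {"error": "bearer token required"}
        info = self.auth.introspect(authorization_header[len("Bearer "):], now=now)
        if info is None:
            return 401, {"error": "invalid or expired token"}
        if "profile:read" not in info.scope:
            return 403, {"error": "insufficient scope"}
        return 200, self.profiles[info.owner]
```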
Why Is API Security Important?
The value of sensitive data exposed by an API, combined with the prevalence of APIs today, makes them an attractive target for attacks. In addition, many tools are available today to automate these attacks. Companies lose millions every year to vulnerabilities in APIs and other cybersecurity concerns.
Around 50% of B2B interaction takes place through API requests, and APIs also strongly affect the client experience. This means that APIs are handling a significant amount of client and business data, making adequate security even more essential.
Common API Security Risks
There are some security concerns that are unique to web APIs, including poor coding, CSRF (Cross-Site Request Forgery) attacks, man-in-the-middle attacks, XSS (Cross-Site Scripting) attacks, and finally, injection attacks.
Poor Coding
REST APIs do not have the same strict standards as SOAP, which makes them more susceptible to this problem. Poor coding can easily make a REST API vulnerable to attackers looking for exactly this kind of opening.
Poor coding may simply mean your web service is easy to break, or it may mean that important security measures are lacking and an unauthorized user can access essential data. To keep poor coding from opening the door to security issues, your organization can implement code review. A team of programmers should review code for any security holes that may exist.
Bot Attacks
Bot attacks are becoming one of the biggest concerns for cybersecurity in general, and APIs specifically. Not all bots are malicious in intent, as they can be used to automate legitimate tasks. But bots can also be used to abuse an API or to facilitate a data breach.
Denial of Service Attacks
Large groups of bots (botnets) can be used to send a massive flood of requests to an API. The end result is a Denial of Service attack: overloading the backend servers hosting the web service, effectively denying legitimate users access to the service. This can be a tricky attack to defend against; filtering traffic at the organization's firewall and blocking offending ranges of IP addresses are often the best available solutions.
CSRF Attacks
A CSRF attack attempts to trick users into performing an action that may aid the attacker in stealing data, passwords, etc. This action may be changing an account setting or password, among other things. If this attack succeeds against someone who has full access to the application, it will compromise the application itself.
Man-in-the-Middle Attacks
MITM attacks, also known as hijack attacks, occur when a user is trying to communicate legitimately with a second party or platform and an attacker intercepts, blocks or otherwise interrupts the line of communication without the victim being aware. The user then sends their credentials or other sensitive information to the attacker instead of to the intended destination.
XSS Attacks
A Cross-Site Scripting attack is a client-side attack. The attacker injects a malicious script through an application into a website.
Injection Attacks
There are various types of injection attacks, but all involve malicious input into a program or service. Injection flaws permitting this type of attack are a common problem in APIs.
Data Vulnerabilities
In the field of data vulnerabilities, there are two main classes: excessive data exposure and mass assignment. Both are commonly seen and add significant risk to APIs and underlying data.
Excessive data exposure happens when an API returns more information than what was expected for a particular web service. For example, if a client requests user details, the username along with first name and last name might be considered appropriate data to return. An excessive data return might include a hashed password or other information associated with the user.
An API should return only the minimum amount of data to meet the goal of the service.
Mass assignment occurs when a client can inject additional request data beyond what the API is expecting. How the API endpoint interprets and stores that data in the underlying database can then lead to security issues. A common example is an attacker guessing at usernames (like "admin"). Ideally, the API will reject or ignore extraneous request data, but a mass assignment vulnerability would see this data stored.
Developers can avoid these issues by simplifying the data objects exposed by APIs and doing thorough testing for validation that only the correct amount of data goes in and out of a system.
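The two data vulnerabilities described above, as an added Python example that is not DreamFactory's code: a handler that copies every client-supplied field into the stored record and one that returns the whole record, beside hardened versions that allow-list the writable and readable fields. The stored record, the field names and the request body are constructed for this example.

```python
import json

# Added illustration, not DreamFactory code: the two data vulnerabilities
# from the text next to their fixes. The allow-lists are assumptions for this
# example; a real API would derive them from its schema or ORM model.

# Constructed stored record, including fields a client must never set or see.
STORED_USER = {
    "id": 42, "username": "alice", "first_name": "Alice", "last_name": "Ng",
    "password_hash": "<constructed placeholder hash>", "role": "user",
}

def update_user_vulnerable(user, request_body):
    """Mass assignment: every key the client sends is written to the record."""
    updated = dict(user)
    updated.update(json.loads(request_body))
    return updated

def get_user_vulnerable(user):
    """Excessive data exposure: the whole record goes back to the client."""
    return dict(user)

WRITABLE_FIELDS = {"first_name", "last_name"}
READABLE_FIELDS = ("id", "username", "first_name", "last_name")

def update_user(user, request_body):
    """Hardened update: refuse any field outside the allow-list, returning
    (HTTP status, body) the way an endpoint would."""
    body = json.loads(request_body)
    if not isinstance(body, dict):
        return 400, {"error": "body must be a JSON object"}
    extra = set(body) - WRITABLE_FIELDS
    if extra:
        return 400, {"error": f"unexpected fields: {sorted(extra)}"}
    updated = dict(user)
    updated.update(body)
    return 200, updated

def get_user(user):
    """Hardened read: serialise only the fields this endpoint is meant to expose."""
    return {k: user[k] for k in READABLE_FIELDS if k in user}

# Constructed request: a name change carrying a field the endpoint never asked for.
REQUEST = json.dumps({"first_name": "Alicia", "role": "admin"})
```

Run the vulnerable and hardened pairs against `REQUEST` and `STORED_USER` to see the unwanted field land in the record in one case and the request be refused in the other.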
Some API Security Best Practices
REST API security is a complicated business, but there are some things that you can implement relatively easily.
Use HTTPS
While you can use either HTTP or HTTPS with APIs, it is strongly recommended that you always use HTTPS. HTTPS provides an added layer of security through encryption. HTTP offers no encryption and only basic authentication, meaning that anyone who gains access to the service can read the data.
Use Existing API Frameworks
Using API frameworks or templates can also be an excellent way to ensure that you are adhering to the best security practices. There are many open-source or paid options for REST API frameworks. These will often have security measures built in.
Use TLS/SSL
SSL is a cryptographic protocol. An SSL (Secure Sockets Layer) certificate lets the server and browser encrypt the connection between them using two keys: a public key and a private key. In addition to aiding security, an SSL certificate also has some influence on Google rankings.
TLS (Transport Layer Security) is a newer and improved protocol for the same purpose. It has improved measures to protect against additional types of attacks, such as Cipher Block Chaining (CBC) attacks.
SSL relies on MAC (Message Authentication Code), while TLS relies on HMAC, the hash-based message authentication code.
API Security Tools
There are many free and commercial options available to improve REST API security within your business. Just a few of these are security testing frameworks, OWASP and API management platforms.
1. Security Testing Frameworks
API security testing frameworks are commonly open-source, or you can use open-source tools to build your own. Developers have built these as solutions for regular testing of your API.
What it does:
It is often necessary to test your API for vulnerabilities or potential problems. Some common tests used for this purpose are fuzz testing, injection testing and penetration testing. These can help discover susceptibility to DDoS (Distributed Denial of Service) attacks, as well as injection attacks, XSS attacks and CSRF attacks, among others. They can either determine how the web service will respond to such an attack or reveal poor coding that would enable the loss of data.
How to use it:
A security testing framework is reusable, meaning you can test your API regularly. This makes it much more likely that you will discover a vulnerability prior to an attack, saving perhaps millions of dollars in the long run.
One example of this in action is the Metasploit framework. Metasploit offers penetration testing software for APIs. It is open-source, meaning you can view the source code on GitHub and use the free version. Alternatively, you can use Metasploit Pro.
2. OWASP
OWASP, the Open Web Application Security Project, is a top resource for any company managing APIs. Besides an incredible knowledge base, OWASP offers various services to help with security.
What it does:
OWASP offers testing guides, an Application Security Verification Standard (ASVS) as a framework for better API security and much more. All of this is open-source.
How to use it:
OWASP intends for companies to use its resources as guides and metrics to determine the current level of their security and additionally improve security in development.
One example of this in action is the OWASP Top 10 Security Vulnerabilities, which more than a dozen companies have adopted and shared as the framework by which they identify the most serious threats to their APIs.
3. API Management Platforms
Selecting the right API management platform for you may be the best solution of all since it can perform much more than just security. An API management platform can also build and monitor APIs for your company.
What it does:
An API management platform helps standardize security, connect and monitor your APIs, and perform API rate limiting.
How to use it:
Connecting with a managed API-as-a-service platform provider brings you new functionality that will enable you to improve your security drastically.
One example of this in action is, of course, the DreamFactory platform. We offer full REST automation so that you can deploy secure APIs without having to write a single line of code.
REST API Security With DreamFactory
By now, you may have a pretty good idea of how complex API security can be. There are so many different types of attacks and vulnerabilities that it can be a great struggle to maintain client data safety, and as companies fall behind in security, they lose money and the trust of their customers.
DreamFactory helps bring improved security with a minimum of time and effort on the part of your business. We offer instant API creation, logging and reporting, SQL support, and comprehensive security. To learn more about what an API management platform can mean for your business, contact DreamFactory today and start your free trial.
Frequently Asked Questions on API Security
1. What is API Security?
API security involves practices and technologies aimed at protecting APIs from misuse and attacks. It encompasses authentication, authorization, encryption, and activity monitoring to ensure that APIs are only accessed by authorized entities and that data remains confidential and integral.
2. What are the main types of APIs that need securing?
The two primary types of APIs that require security measures are RESTful APIs and SOAP APIs. RESTful APIs are more common in web services today and utilize HTTP methods, typically with JSON data formats. SOAP APIs, though less common, provide built-in security features and use XML for data transfer.
3. How does OAuth2 improve API security?
OAuth2 is an authorization framework that delegates security functions to the HTTPS protocol, defining roles like client, authorization server, resource server, and resource owner to facilitate secure data transfer. It uses tokens instead of passwords, enhancing security by minimizing exposure of credentials.
4. What are common API security risks?
Common risks include poor coding practices, which can open up security vulnerabilities, bot attacks, CSRF (Cross-Site Request Forgery), XSS (Cross-Site Scripting), and various injection attacks, all of which can compromise data integrity and confidentiality.
5. How can API Gateways enhance API security?
API gateways act as a controlling layer for API traffic, offering threat protection features like rate limiting, IP filtering, and endpoint monitoring. They manage authentication and authorization, and ensure that APIs receive only legitimate requests.
Terence Bennett, CEO of DreamFactory, has a wealth of experience in government IT systems and Google Cloud. His impressive background includes being a former U.S. Navy Intelligence Officer and a former member of Google's Red Team. Prior to becoming CEO, he served as COO at DreamFactory Software.