by Tony Harris • December 5, 2022
Cybersecurity is one of the most prominent and pressing concerns for businesses today. As developers move more of their web applications to a microservices architecture, more data than ever is exchanged through web service APIs. Industry analysts predicted that API attacks would become the most common attack vector by the end of this year, and surveys of security professionals in the US and UK suggest the prediction has held: more than three out of every four reported at least one API-related security event in the past year. This has pushed organizations to focus harder on securing their APIs against such vulnerabilities. However, many companies are still far from where they should be when it comes to REST API security. Are you sure you're adequately protecting your intellectual property and your customers' data? If not, this article will get you up to speed on REST API security essentials.
By the end of the article, you will have learned the most common security risks, REST API security essentials and best practices, and some of the top REST API security tools.
API (Application Programming Interface) security is a broad topic. This article divides it into two main categories: REST API security and SOAP security.
SOAP (Simple Object Access Protocol) is a messaging protocol, so it is in a different category than REST, which is an architectural style rather than a protocol. SOAP is less commonly used than REST these days, but it is still a strong option thanks to its built-in security extensions (WS-Security). SOAP can only transfer data in the XML format.
Following good REST API security practices prevents unauthorized access to important data and processes. These practices generally include the use of API keys or OAuth (Open Authorization), preferably the OAuth 2.0 standard. Both OAuth 1.0 and OAuth 2.0 issue access tokens that a client presents in place of the user's credentials, but OAuth 2.0 is a better fit from a modern cybersecurity standpoint. OAuth 2.0 covers the same use cases as the original OAuth (versions 1.0 and 1.0a) and offers the same general user experience, but it is not backward compatible with OAuth 1.0. Where OAuth 1.0 required clients to cryptographically sign every request, OAuth 2.0 drops request signing and relies on HTTPS (TLS) to protect its bearer tokens in transit, which is why an OAuth 2.0 API must never be served over plain HTTP. OAuth 2.0 also makes the participants explicit: whereas OAuth 1.0 did not separate the resource server from the authorization server, OAuth 2.0 defines four roles: the resource owner (the user), the client (the application acting for the user), the authorization server (which authenticates the user and issues tokens), and the resource server (the API, which accepts the tokens).
OAuth 1.0 and OAuth 2.0 use tokens instead of passwords, while API keys are opaque secrets that identify the calling application or project rather than an individual user, so they are suited to identifying a client for rate limiting and auditing but are not a substitute for user authentication. Additionally, both SOAP and REST can, and should, use HTTPS (Hypertext Transfer Protocol Secure) instead of plain HTTP for transport security.
The value of sensitive data exposed by an API, combined with the prevalence of APIs today, makes them an attractive target for attacks. In addition, many tools are available today to automate these attacks. Companies lose millions every year to vulnerabilities in APIs and other cybersecurity concerns.
By some industry estimates, around half of B2B interaction takes place through API requests, and APIs also strongly affect the client experience. This means that APIs are handling a significant amount of client and business data, making adequate security even more essential.
There are some security concerns that apply especially to web APIs, including poor coding, CSRF (Cross-Site Request Forgery) attacks, man-in-the-middle (MITM) attacks, XSS (Cross-Site Scripting) attacks, and finally, injection attacks.
REST is an architectural style rather than a protocol, so REST APIs do not come with the strict message and security standards that SOAP does; the quality of the implementation is what stands between an attacker and your data. Poor coding can easily make a REST API vulnerable to attackers who are looking for exactly that kind of opening.
Poor coding may simply mean your web service is easy to break, or it may mean that important security measures (authentication, authorization, input validation) are missing and an unauthorized user can reach essential data. To keep poor coding from opening the door to security issues, your organization can implement code review: a team of programmers should review code for any security holes that may exist, ideally backed by automated static analysis and security tests in the build pipeline.
Bot attacks are becoming one of the biggest concerns for cybersecurity in general, and APIs specifically. Not all bots are malicious in intent, as they can be used to automate legitimate tasks. But bots can also be used to abuse an API or to facilitate a data breach.
Large groups of compromised machines (botnets) can be used to flood an API with requests. The result is a Denial of Service (DoS) attack: the backend servers hosting the web service are overloaded, effectively denying legitimate users access to the service. This can be a tricky attack to defend against. Banning source IP ranges at the firewall helps against small floods but not distributed ones; the more durable defenses are per-client rate limiting and request quotas at the API gateway, plus an upstream DDoS-scrubbing or CDN service for volumetric floods.
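Per-client rate limiting, the first line of defense named above, is simple enough to show in full. The token-bucket limiter below is an added example written for this article, not DreamFactory's own code; the client identifier (an API key or source address) and the 429 handler are assumptions, and the clock is injectable so the run is deterministic and offline.

```python
"""Per-client token-bucket rate limiter (added example, not DreamFactory code).

Each client, identified by an API key or source IP (an assumption), gets a bucket
of `capacity` tokens that refills at `refill_per_sec`. A request spends one token;
an empty bucket means HTTP 429. Floods from one client are absorbed without
blanket IP-range bans that also hit legitimate users behind the same NAT.
"""
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    last: float


class TokenBucketLimiter:
    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock                      # injectable so tests can control time
        self.buckets: dict[str, Bucket] = {}

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        b = self.buckets.get(client_id)
        if b is None:
            b = self.buckets[client_id] = Bucket(tokens=float(self.capacity), last=now)
        # Refill in proportion to elapsed time, never above capacity.
        elapsed = max(0.0, now - b.last)
        b.tokens = min(float(self.capacity), b.tokens + elapsed * self.refill_per_sec)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def handle_request(limiter: TokenBucketLimiter, client_id: str) -> tuple:
    """Constructed stand-in for an API handler: 429 plus Retry-After when throttled."""
    if not limiter.allow(client_id):
        return 429, {"Retry-After": "1"}
    return 200, {}


class FakeClock:
    """Constructed clock so the example runs deterministically and offline."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> list:
    """Burst of 5 from one client, then 2 s of refill, then a second client."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity=3, refill_per_sec=1.0, clock=clock)
    codes = [handle_request(limiter, "key-abc")[0] for _ in range(5)]   # 3 allowed, 2 throttled
    clock.advance(2.0)                                                   # 2 tokens refilled
    codes += [handle_request(limiter, "key-abc")[0] for _ in range(3)]   # 2 allowed, 1 throttled
    codes.append(handle_request(limiter, "key-xyz")[0])                  # other client unaffected
    return codes


if __name__ == "__main__":
    print(demo())
```

In production the bucket table lives in a shared store (Redis or the gateway's own state) so that every API node enforces the same quota, and the per-client limit is paired with a global one so a botnet using many keys still cannot exhaust the backend.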
A CSRF attack tricks a victim's browser into sending a state-changing request (changing an account setting or password, for example) to an API where the victim is already logged in, using the session cookie the browser attaches automatically. For REST APIs this matters mainly when authentication is cookie-based; an API that accepts credentials only in an Authorization header cannot be forged this way, because a cross-site page cannot set that header. If the attack succeeds against an administrator, it compromises the application itself. The defenses are SameSite cookies, validating the Origin or Referer header, and a CSRF token that a cross-site page cannot read.
MITM attacks, sometimes called hijacking, occur when a user is trying to communicate legitimately with a second party or platform and an attacker intercepts, blocks or alters the line of communication without the victim being aware. The user then sends credentials or other sensitive information to the attacker instead of the intended destination. Plain HTTP and clients that skip certificate verification are what make this possible; HTTPS with verified certificates is the defense.
A Cross-Site Scripting attack is a client-side attack: the attacker gets a malicious script delivered through an application into a page that other users' browsers then execute. An API contributes to XSS when it stores attacker-supplied content and returns it to a web client that renders it as HTML without escaping; returning JSON with a correct Content-Type and escaping on output are the API-side defenses.
There are various types of injection attacks (SQL, NoSQL, OS command, LDAP), but all involve untrusted input being interpreted as part of a command or query rather than as data. Injection flaws permitting this type of attack are a common problem in APIs, and the fix is the same everywhere: parameterized queries or APIs that keep data separate from code, plus input validation.
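The CSRF guard described above, as an added example written for this article rather than DreamFactory code: it combines the Origin/Referer check with a double-submit token. The cookie and header names (`session`, `csrf`, `X-CSRF-Token`) and the request samples are assumptions constructed for the demonstration.

```python
"""Server-side CSRF guard for a cookie-authenticated REST endpoint.
Added example, not DreamFactory code. Cookie/header names are assumptions.
"""
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SESSION_COOKIE = "session"      # assumed session cookie name
CSRF_COOKIE = "csrf"            # assumed double-submit cookie name
CSRF_HEADER = "X-CSRF-Token"    # assumed header the page's own JS copies the cookie into


def request_origin(headers: dict) -> str:
    """Origin as the browser reports it ("" if absent). Browsers send Origin on
    cross-site state-changing requests and "null" for opaque origins; neither
    will match the allowlist."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        p = urlsplit(referer)
        return f"{p.scheme}://{p.netloc}"
    return ""


def csrf_check(method: str, headers: dict, cookies: dict, allowed_origins: set) -> bool:
    if method.upper() in SAFE_METHODS:
        return True        # safe methods must not change state, so forging them is harmless
    if SESSION_COOKIE not in cookies:
        return True        # no ambient credential: bearer-token/anonymous calls cannot be forged by a page
    if request_origin(headers) not in allowed_origins:
        return False       # cross-site (or provenance-less) state change riding on a session cookie
    cookie_token = cookies.get(CSRF_COOKIE, "")
    header_token = headers.get(CSRF_HEADER, "")
    # Double-submit: a cross-site page can make the browser *send* the csrf cookie,
    # but cannot *read* it, so it cannot copy the value into the header.
    return bool(cookie_token) and hmac.compare_digest(cookie_token, header_token)


ALLOWED = {"https://app.example.com"}                         # constructed allowlist
SESSION = {SESSION_COOKIE: "s-1", CSRF_COOKIE: "tok-123"}     # constructed cookie jar


def demo() -> dict:
    """Constructed requests: True means the guard lets the request through."""
    return {
        "forged_from_evil_site": csrf_check(
            "POST", {"Origin": "https://evil.example.net"}, SESSION, ALLOWED),
        "same_origin_no_token": csrf_check(
            "POST", {"Origin": "https://app.example.com"}, SESSION, ALLOWED),
        "legit": csrf_check(
            "POST", {"Origin": "https://app.example.com", CSRF_HEADER: "tok-123"}, SESSION, ALLOWED),
        "referer_fallback": csrf_check(
            "DELETE", {"Referer": "https://app.example.com/settings", CSRF_HEADER: "tok-123"},
            SESSION, ALLOWED),
        "bearer_token_call": csrf_check(
            "POST", {"Authorization": "Bearer constructed-token"}, {}, ALLOWED),
        "get_is_safe": csrf_check("GET", {}, SESSION, ALLOWED),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:>22}: {'allowed' if allowed else 'rejected'}")
```

Set the session cookie with `SameSite=Lax` or `Strict` as well; the header check then covers the older browsers and the edge cases SameSite leaves open, and the double-submit token covers deployments where the Origin header is stripped by a proxy.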
Two data-handling vulnerabilities are seen often enough that the OWASP API Security Top 10 lists them as entries of their own: excessive data exposure and mass assignment. Both are commonly seen and add significant risk to APIs and the underlying data.
Excessive data exposure happens when an API returns more information than what was expected for a particular web service. For example, if a client requests user details, the username along with first name and last name might be considered appropriate data to return. An excessive data return might include a hashed password or other information associated with the user.
An API should return only the minimum amount of data to meet the goal of the service.
Mass assignment occurs when a client can include extra fields in a request body beyond what the API expects, and the endpoint binds the whole body onto a data model without checking which fields the client is allowed to set. A common example is a profile-update request that also carries a field such as is_admin or account_balance; ideally the API rejects or ignores the extraneous fields, but a mass assignment vulnerability sees them written to the database.
Developers can avoid both issues by keeping the objects exposed by APIs simple, using explicit allowlists for which fields a client may write and which fields the API returns, and testing that only the intended data goes in and out of a system.
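Both data vulnerabilities and their allowlist fixes in one place, as an added example written for this article (not DreamFactory code). The User model, the hostile PATCH body and the field lists are constructed for the demonstration.

```python
"""Excessive data exposure and mass assignment, each beside its fix.
Added example, not DreamFactory code; model and request bodies are constructed.
"""
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: int
    username: str
    first_name: str
    last_name: str
    email: str
    password_hash: str
    is_admin: bool = False


# --- Excessive data exposure -------------------------------------------------

def serialize_naive(user: User) -> dict:
    return asdict(user)                      # dumps the whole model: password_hash, is_admin, ...


PUBLIC_FIELDS = ("id", "username", "first_name", "last_name")   # assumed public view


def serialize_public(user: User) -> dict:
    return {f: getattr(user, f) for f in PUBLIC_FIELDS}         # explicit output allowlist


# --- Mass assignment ---------------------------------------------------------

def update_naive(user: User, body: dict) -> User:
    for key, value in body.items():          # binds whatever the client sent
        setattr(user, key, value)
    return user


WRITABLE_FIELDS = {"first_name", "last_name", "email"}           # assumed client-writable set


class ValidationError(ValueError):
    pass


def update_safe(user: User, body: dict) -> User:
    unexpected = set(body) - WRITABLE_FIELDS
    if unexpected:                           # reject rather than silently drop: it is a signal
        raise ValidationError(f"fields not writable: {sorted(unexpected)}")
    for key in body:
        setattr(user, key, body[key])
    return user


def demo() -> dict:
    body = {"first_name": "Mallory", "is_admin": True}   # constructed hostile PATCH body
    u1 = User(1, "mallory", "Mal", "Ory", "m@example.com", "$argon2id$v=19$constructed")
    update_naive(u1, body)
    u2 = User(1, "mallory", "Mal", "Ory", "m@example.com", "$argon2id$v=19$constructed")
    try:
        update_safe(u2, body)
        rejected = False
    except ValidationError:
        rejected = True
    return {
        "naive_is_admin": u1.is_admin,       # privilege escalation via an extra JSON key
        "safe_is_admin": u2.is_admin,
        "safe_rejected": rejected,
        "naive_keys": sorted(serialize_naive(u1)),
        "public_keys": sorted(serialize_public(u1)),
    }


if __name__ == "__main__":
    print(demo())
```

Most web frameworks have the same shape built in (a serializer or schema with an explicit field list for reads and a separate one for writes); the vulnerability appears whenever the model itself is used as both.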
REST API security is a complicated business, but there are some things that you can implement relatively easily.
While you can use either HTTP or HTTPS with APIs, it is strongly recommended that you always use HTTPS. HTTPS encrypts and authenticates the connection; plain HTTP offers no encryption, so anyone on the network path between client and server (a shared Wi-Fi network, a compromised router) can read or alter the data, including the credentials and tokens sent with each request.
Using API frameworks or templates can also be an excellent way to ensure that you are adhering to the best security practices. There are many open-source or paid options for REST API frameworks. These will often have security measures built in.
SSL (Secure Sockets Layer) is a cryptographic protocol. An SSL certificate binds a server's public key to its name; the server proves possession of the matching private key during the handshake, and the two sides then agree on symmetric session keys that encrypt the connection between the server and the client. In addition to aiding security, serving over HTTPS also has some influence on Google rankings.
TLS (Transport Layer Security) is the newer and improved protocol for the same purpose, and what "SSL" almost always means in practice today. It has improved measures to protect against additional types of attacks, such as padding-oracle attacks on cipher block chaining (CBC) mode; all SSL versions and TLS 1.0 and 1.1 are now deprecated, so servers and clients should require TLS 1.2 or 1.3.
SSL 3.0 relied on its own keyed-hash MAC (Message Authentication Code) construction, while TLS uses HMAC, the hash-based message authentication code; TLS 1.3 goes further and uses authenticated-encryption (AEAD) cipher suites that provide integrity as part of the cipher itself.
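What "require TLS 1.2 and verify the certificate" looks like on the client side, as an added example written for this article (not DreamFactory code). It builds two `ssl.SSLContext` objects, the weak configuration that silences certificate errors beside the hardened one, and audits both; no connection is opened, so it runs offline.

```python
"""Client-side TLS configuration: weak settings beside hardened ones, with an audit.
Added example, not DreamFactory code. No network connection is made.
"""
import ssl


def weak_context() -> ssl.SSLContext:
    """What 'just make the certificate warning go away' code looks like: the
    server's certificate is neither verified nor matched against the hostname,
    so an on-path attacker can present any certificate (MITM), and the minimum
    protocol version is whatever the library still allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """System CA store, CERT_REQUIRED, hostname check, and TLS >= 1.2 (Python 3.10+
    already defaults to 1.2; setting it explicitly covers older interpreters)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Findings for a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS < 1.2 negotiable")
    return findings


if __name__ == "__main__":
    print("weak    :", audit(weak_context()))
    print("hardened:", audit(hardened_context()))
```

The hardened context is what `requests` and `urllib` use by default; the weak one is what `verify=False` quietly produces, which is why that flag should never survive past a local debugging session.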
There are many free and commercial options available to improve REST API security within your business. Just a few of these are security testing frameworks, OWASP and API management platforms.
API security testing frameworks are commonly open-source, or you can use open-source tools to build your own. Developers have built these as solutions for regular testing of your API.
What it does:
It is often necessary to test your API for vulnerabilities or potential problems. Some common tests used for this purpose are fuzz testing, injection testing and penetration testing. These can help discover exposure to DDoS (Distributed Denial of Service) attacks, as well as injection attacks, XSS attacks and CSRF attacks, among others. They either show how the web service responds to such an attack or reveal poor coding that would enable the loss of data.
How to use it:
A security testing framework is reusable, meaning you can test your API regularly. This makes it much more likely that you will discover a vulnerability prior to an attack, saving perhaps millions of dollars in the long run.
One example of this in action is the Metasploit framework, a general-purpose penetration testing framework whose modules can be pointed at the web servers and services behind an API. It is open-source, meaning you can view the source code on GitHub and use the free version, or you can use the commercial Metasploit Pro.
OWASP, the Open Web Application Security Project, is a top resource for any company managing APIs. Besides an incredible knowledge base, OWASP offers various services to help with security.
OWASP offers testing guides, the Application Security Verification Standard (ASVS) as a framework for better application and API security, and much more. All of this is open-source.
OWASP intends for companies to use its resources as guides and metrics to determine the current level of their security and additionally improve security in development.
One example of this in action is the OWASP Top 10, along with the dedicated OWASP API Security Top 10 (first published in 2019), which names excessive data exposure and mass assignment among its entries; many companies have adopted these lists as the framework by which they identify the most serious threats to their APIs.
Selecting the right API management platform for you may be the best solution of all since it can perform much more than just security. An API management platform can also build and monitor APIs for your company.
An API management platform helps standardize security, connect and monitor your APIs, and perform API rate limiting.
Connecting with a managed API-as-a-service platform provider brings you new functionality that will enable you to improve your security drastically.
One example of this in action is, of course, the DreamFactory platform. We offer full REST automation so that you can deploy secure APIs without having to write a single line of code.
By now, you may have a pretty good idea of how complex API security can be. There are so many different types of attacks and vulnerabilities that it can be a great struggle to maintain client data safety, and as companies fall behind in security, they lose money and the trust of their customers.
DreamFactory helps bring improved security with a minimum of time and effort on the part of your business. We offer instant API creation, logging and reporting, SQL support, and comprehensive security. To learn more about what an API management platform can mean for your business, contact DreamFactory today and start your free trial.