As enterprises continue on their digital journeys, security teams are preparing for the good, the bad, and the ugly of APIs. We’ll explain in plain language what APIs do, how they are attacked, and how API security works either as a stand-alone solution or with Web Application Firewalls and DDoS protection as part of an overall defense-in-depth application security strategy.
Application Programming Interfaces (APIs) are software intermediaries that enable applications to communicate with one another. Web APIs connect between applications and other services or platforms, such as social networks, games, databases and devices. Additionally, Internet of Things (IoT) applications and devices use APIs to gather data, or even control other devices. For example, a utility company may use an API to adjust the temperature on a thermostat to save power.
APIs also make rapid development and innovation possible in cloud-native environments. APIs simplify low-level software layers and enable developers to focus on the core functionality of their applications. They both lower the barrier to entry for inexperienced developers and increase efficiency for more experienced people. They deliver unprecedented flexibility and speed at lower costs than other development approaches. For more on the benefits of APIs in web application development, read my post, How Web Applications Are Attacked Through APIs.
How cybercriminals attack APIs
APIs often self-document information, such as their implementation and internal structure, which can be used as intelligence for an attack. This makes them tempting targets for cyber criminals. Additional vulnerabilities, such as weak authentication, lack of encryption, business logic flaws and insecure endpoints make APIs vulnerable to the attack types outlined below.
Man In The Middle (MITM)
A man in the middle (MITM) attack involves an attacker secretly relaying, intercepting or altering communications, including API messages, between two parties to obtain sensitive information.
For example, a malicious actor can act as a man in the middle between an API issuing a session token in an HTTP header and a user’s browser. Intercepting that session token would grant access to the user’s account, which might include sensitive personal data, such as credit card information and login credentials.
API injections (XSS and SQLi)
In a code injection attack, malicious code is inserted into a vulnerable software program to stage an attack, such as cross site scripting (XSS) and SQL injection (SQLi).
For example, a perpetrator can inject a malicious script into a vulnerable API (i.e., one that fails to perform proper filter input or escape output (FIEO)) to launch an XSS attack targeting end users’ browsers, etc. Additionally, malicious commands could be inserted into an API message, such as an SQL command that deletes tables from a database.
Any web API requiring parsers or processers is vulnerable to attack. For example, a code generator that includes parsing for JSON code, and doesn’t sanitize input properly, is susceptible to the injection of executable code that runs in the development environment.
A DDoS attack on a web API attempts to overwhelm its memory and capacity by flooding it with concurrent connections, or by sending/requesting large amounts of information in each request. If you have visibility into the API being targeted, you know how it will react to a flood of requests and good DDoS protection will help mitigate the attack.
DDoS protection is compromised, however, when you do not know the full schema or changes that have been made to the schema of an API facing a deluge of requests, so you don’t know how it will respond to an attack.
How API Security works
Imperva API Security enables comprehensive API visibility for security teams – without requiring development to publish APIs via OpenAPI or by adding resource-intensive workflow to their CI/CD processes – by providing full contextual data and tags and automatically determining risks around sensitive data. Security teams can leverage continuous discovery of APIs – whether known edge APIs, unknown shadow APIs or internal APIs driving transactions on the backend –- to incorporate a positive security model and ensure ongoing protection from API-based threats. What’s more, when an API is updated, Imperva API Security enables security teams to understand any new risks and incorporate changes. This all leads to faster, more-secure software release cycles. Imperva API Security is a tool that enables security to keep pace with innovation without impacting development time.
Join us to learn more about API trends, terms, key use cases, and what key capabilities your Security and DevSecOps teams need to protect your enterprise data. We will have Chris Rodriguez, Research Director from IDC’s Security & Trust practice kicking off the session with his industry insights. Then, Imperva’s Head of API Security Lebin Cheng will share what customers are saying about API security.
Join us on March 30 and learn about:
- The trends driving rapid adoption of APIs and the emerging risk surface that results from an outdated API inventory
- Where application security fits in protecting APIs and reducing risks
- Which tools are best to cover each part of the OWASP API Top 10A strategy to discover and classify every API in and out of production
- Hear from two industry experts on API Security and how APIs have become the lingua franca of the Internet today, and why you need to act quickly to prevent data breaches.
Reserve your spot today.
Try Imperva for Free
Protect your business for 30 days on Imperva.