Hazards when using APIs

by Waldemar Rosenfeld, APIIDA AG
Co-author: Olga Irmen, pixelideen UG

More than a decade ago, APIs (Application Programming Interfaces) were largely insignificant. Around the turn of the millennium, Roy Fielding set himself the goal of simplifying APIs. He succeeded in greatly simplifying the creation and maintenance of APIs thanks to clearly defined, easy to implement and universal rules. As a result, APIs gained a growing user base. Even large e-commerce companies or emerging Web 2.0 services such as image portals or Twitter used APIs.

Now, digital transformation is forcing all industries to break new ground. As they are robust, powerful and scalable, many companies are using APIs. In their core function as a link between different systems, APIs open sensitive data to people and programs, making them a popular target for cybercrime.

In the past, the interception of sensitive data, such as order history or credit data, has attracted attention – and, in addition to financial damage, could also result in liability risks and damage to a company’s reputation.

But how is it possible that the attacks succeed again and again?

It can be seen that successful attacks on APIs can always be traced back to the same hedging errors – assumed security measures were taken at all. Attackers use security loopholes to gain access to the function or data behind the APIs in a variety of ways.

The most common threats are:

No or incorrect authentication: Users are often neither identified nor authenticated. The use of weak authentication methods, which can be easily manipulated, leads also to successful attacks.

No or incorrect access control: If no restrictions are set for authenticated users, attackers have an easy time gaining access to sensitive data.

Injection (SQL, OS, LDAP): If transferred data is insufficiently checked before processing, unwanted instructions are executed in the background instead of transferring user data.

No adaptation of the standard configuration: The insecure standard configuration of systems is adopted and not adapted to the own requirements. This includes the lack of encryption and the use of standard passwords. These are typically publicly documented on the manufacturer pages and are therefore easy for anyone to find out. The search engine Shodan shows very impressively how problematic this is. It quickly shows how many IoT devices are connected to the Internet and are only secured with the standard password.

XML and JSON attacks: XML and JSON are standard formats for data exchange in REST (REpresentational STate) APIs. These formats are flexible in content. If this is not clearly defined and there is no automatic sorting out of unexpected content, unauthorized access is also possible here.

Insufficient monitoring: the longer it takes for an attack to be detected, the longer it has to unfold its full effect. Manual monitoring is the least effective method.

In order not to become the next victim of cybercrime, knowledge about the above mentioned sources of danger is important. There are also some steps companies need to take to ensure the security of their APIs. In our next article on this topic, we will provide insights and tips on what action is needed.

This website uses cookies to permanently improve the user experience. By visiting this website, you automatically agree to this fact. Further information can be found in our Privacy Policy.

Die Cookie-Einstellungen auf dieser Website sind auf "Cookies zulassen" eingestellt, um das beste Surferlebnis zu ermöglichen. Wenn du diese Website ohne Änderung der Cookie-Einstellungen verwendest oder auf "Akzeptieren" klickst, erklärst du sich damit einverstanden.

Close