by Waldemar Rosenfeld, APIIDA AG
Co-author: Olga Irmen, pixelideen UG
More than a decade ago, APIs (Application Programming Interfaces) were largely insignificant. Around the turn of the millennium, Roy Fielding set himself the goal of simplifying APIs. He succeeded in greatly simplifying the creation and maintenance of APIs thanks to clearly defined, easy-to-implement and universal rules. As a result, APIs gained a growing user base. Even large e-commerce companies and emerging Web 2.0 services such as image portals or Twitter used APIs.
Now, digital transformation is forcing all industries to break new ground. Because they are robust, powerful and scalable, many companies rely on APIs. In their core function as a link between different systems, APIs expose sensitive data to people and programs, making them a popular target for cybercrime.
In the past, the interception of sensitive data, such as order history or credit data, has attracted attention – and, in addition to financial damage, could also result in liability risks and damage to a company’s reputation.
But how is it possible that the attacks succeed again and again?
Successful attacks on APIs can almost always be traced back to the same security mistakes – assuming that any security measures were taken at all. Attackers use these loopholes to gain access to the functions or data behind the APIs in a variety of ways.
The most common threats are:
No or incorrect authentication: Users are often neither identified nor authenticated. The use of weak authentication methods, which can be easily manipulated, also leads to successful attacks.
No or incorrect access control: If no restrictions are set for authenticated users, attackers have an easy time gaining access to sensitive data.
Injection (SQL, OS, LDAP): If transferred data is insufficiently checked before processing, unwanted instructions are executed in the background instead of transferring user data.
No adaptation of the default configuration: The insecure default configuration of systems is adopted and not adapted to the company's own requirements. This includes the lack of encryption and the use of default passwords. These are typically publicly documented on the manufacturers' pages and are therefore easy for anyone to find out. The search engine Shodan shows very impressively how problematic this is: it quickly reveals how many IoT devices are connected to the Internet and secured only with the default password.
XML and JSON attacks: XML and JSON are standard formats for data exchange in REST (REpresentational State Transfer) APIs. These formats are flexible in content. If the expected content is not clearly defined and unexpected content is not automatically rejected, unauthorized access is also possible here.
Insufficient monitoring: The longer it takes for an attack to be detected, the longer it has to unfold its full effect. Manual monitoring is the least effective method.
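Two of the items above, insufficiently checked input (injection) and JSON bodies without a clearly defined structure, come down to the same control: declare exactly what a request may contain and reject everything else before it reaches the backend. The following Python snippet is an added illustration, not code from the authors or from APIIDA; the order endpoint, its three fields and the in-memory sqlite table are assumptions.

```python
import json
import sqlite3

# Assumed schema for a hypothetical "create order" endpoint: every accepted
# field is declared with its type; anything undeclared is rejected.
ORDER_SCHEMA = {"customer_id": int, "sku": str, "quantity": int}
REQUIRED = set(ORDER_SCHEMA)


def validate_order(raw_body):
    """Return (payload, errors); payload is None whenever errors is non-empty,
    so a caller cannot accidentally act on a partially valid body."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return None, ["malformed JSON: " + exc.msg]
    if not isinstance(body, dict):
        return None, ["body must be a JSON object"]
    errors = []
    # Undeclared keys are errors, not silently ignored: a field the handler
    # never defined must not reach the data model behind the API.
    for key in sorted(set(body) - set(ORDER_SCHEMA)):
        errors.append("unexpected field: " + key)
    for key in sorted(REQUIRED - set(body)):
        errors.append("missing field: " + key)
    for key, expected in ORDER_SCHEMA.items():
        # type() rather than isinstance(): JSON true/false must not pass as int
        if key in body and type(body[key]) is not expected:
            errors.append("wrong type for %s: expected %s" % (key, expected.__name__))
    if type(body.get("quantity")) is int and body["quantity"] < 1:
        errors.append("quantity must be >= 1")
    return (None, errors) if errors else (body, [])


def open_store():
    """Assumed in-memory table standing in for the real order database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER,"
                 " sku TEXT NOT NULL, quantity INTEGER NOT NULL)")
    return conn


def store_order(conn, order):
    """Persist a validated order with a parameterized query: the driver binds
    the values, so they are never spliced into the SQL text."""
    cur = conn.execute(
        "INSERT INTO orders (customer_id, sku, quantity) VALUES (?, ?, ?)",
        (order["customer_id"], order["sku"], order["quantity"]),
    )
    conn.commit()
    return cur.lastrowid
```

A rejected body never reaches `store_order`, and every rejection reason is returned as data so it can be logged, which also feeds the monitoring point above.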
In order not to become the next victim of cybercrime, knowledge of the above-mentioned sources of danger is important. There are also some steps companies need to take to ensure the security of their APIs. In our next article on this topic, we will provide insights and tips on what action is needed.