API Security & Real Case Sharing

Definition of API
API stands for Application Programming Interface. It is a set of protocols, tools, and routines for building software applications. In simple terms, an API allows different software applications to communicate with each other. It allows developers to access the functionality of a program or service without having to know how the program or service works.
APIs can be provided by third-party services, such as social media platforms, payment gateways, or weather services. For example, a developer might use an API to integrate a payment processing service into their e-commerce website, allowing customers to make purchases directly on the site.
In either case, APIs provide a standardized way for different software components to interact, which can make software development faster, easier, and more efficient.
Some Examples of API Endpoints
In API design, an endpoint is a specific URL (Uniform Resource Locator) or path where an API service can be accessed. The endpoint specifies the location and format of the requested resources and the method used to access them. Here are some examples:
=> GET /api.example.com/users/userID=1001
=> POST /api.example.com/users
=> PUT /api.example.com/profile/userImage
=> DELETE /api.example.com/products/Tamiya
What is API Security
API security refers to the practices and mechanisms put in place to protect the data and resources accessed through an API from unauthorized access and other malicious activities.
API security is also increasingly critical because many developers use APIs to connect different applications and services, and an insecure API can expose users’ sensitive data and leak it to attackers.
Here are several aspects of API security:
1. Authentication: APIs should use strong authentication mechanisms to ensure that only authorized users or applications can access the protected resources. Common authentication methods include API keys and JSON Web Tokens (JWT).
2. Authorization: APIs should enforce appropriate access controls to ensure that clients can only access the resources they are authorized to use. Authorization mechanisms can include role-based access control and policy-based access control.
3. Encryption: APIs should use encryption to protect data in transit and at rest, using protocols such as SSL/TLS and AES.
4. Rate limiting: APIs should limit the number of requests that can be made in a given period to prevent overloading the system and to mitigate potential DDoS attacks.
5. Input validation: APIs should validate all inputs to ensure they are in the expected format and do not contain malicious code or payloads that could exploit vulnerabilities in the system.
6. Monitoring and logging: APIs should be monitored and logged to detect and respond to security incidents and to identify potential vulnerabilities.
7. Regular updates and patches: APIs should be regularly updated and patched to address any known security vulnerabilities and to stay current with evolving security threats.
OWASP Top 10 API Vulnerability
API1 — Broken Object Level Authorization | BOLA
=> API does not properly enforce access controls on individual resources, allowing unauthorized access to sensitive data or functions. For example, an attacker may be able to access or modify other user data
API2 — Broken User Authentication | BUA
=> API’s authentication mechanisms are weak or not properly implemented, allowing attackers to bypass authentication and gain unauthorized access to resources. For example, an attacker may be able to use stolen credentials to access a user’s account or gain administrative privileges.
API3 — Excessive Data Exposure
=> API returns more data than is necessary or appropriate, potentially exposing sensitive data to unauthorized users.
API4 — Lack of Resource & Rate Limiting
=> API does not limit the number of requests that can be made by a user or client, potentially allowing attackers to launch denial-of-service attacks.
API5 — Broken Function Level Authorization | BFLA
=> API does not properly enforce access controls on specific API functions, allowing unauthorized access to sensitive data or functions. For example, an attacker may be able to modify or delete data belonging to another user by calling an API function without proper authorization.
API6 — Mass Assignment
=> API allows clients to specify more parameters than is necessary or intended, potentially exposing sensitive data or allowing unauthorized access to resources. For example, an attacker may be able to modify user data or access sensitive information by modifying parameters in an API request.
API7 — Security Misconfiguration
=> API is configured incorrectly or insecurely, potentially exposing sensitive data or allowing unauthorized access to resources. For example, an API may be configured to allow unencrypted connections, exposing data to interception or tampering.
API8 — Injection
=> Attacker is able to inject malicious code or data into an API request or response, potentially exposing sensitive data or executing unauthorized actions.
API9 — Improper Assets Management
=> API does not properly manage or secure its assets, such as authentication tokens or other sensitive data. For example, an API may store authentication tokens in plaintext.
API10 — Insufficient Logging and Monitoring
=> API does not properly log and monitor access to sensitive resources, making it difficult to detect and respond to security threats and attacks. This can include failing to log failed login attempts, failed API requests, or other suspicious activity.
PoC API Security
Here are some steps to create a PoC for API security:
1. Identify the target API: As a first step, identify the API you want to test and the specific endpoints and functions that you want to target.
2. Identify the attack surface: Identify the potential attack vectors and entry points that an attacker could use to exploit vulnerabilities in the API.
3. Vulnerability scanning: Conduct vulnerability scanning to identify potential security vulnerabilities in the API, such as common vulnerabilities like XSS and SQLi.
4. Exploit: Once you have identified potential vulnerabilities, the next step is to exploit them using different attack methods and techniques.
5. Identify the impact of the vulnerabilities: After exploitation, identify the impact of the vulnerabilities by showing how an attacker could access sensitive data or execute unauthorized actions.
6. Countermeasures & best practices: As the last step, determine how to secure the API and protect it against potential security threats, and evaluate the effectiveness of the countermeasures and best-practice techniques. This can include implementing strong authentication & authorization mechanisms, using encryption, validating all inputs, and implementing monitoring and logging.
Real Case Sharing
In this section I will show some API vulnerabilities that I found in a mobile application, so let’s roll to the topic.
First, I will show you a real case of a BOLA (Broken Object Level Authorization) vulnerability. Let’s see the picture below:



As you can see, the endpoints called ‘/api/getMember HTTP/2’ and ‘/api/getListNotification’ are vulnerable to BOLA, where I can see sensitive data such as: name, phone number, address, email, birthdate, BPJS number and inbox messages. The ‘id’ & ‘muid’ parameters are the main problem: I can change / modify the value, send the request, and then I get the other user’s data in the endpoint response.
Second, I will show you a real case of a BFLA (Broken Function Level Authorization) vulnerability. Let’s see the picture below:
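To make the BOLA pattern concrete, here is an added example (not code from the original post or from the application tested) of a /api/getMember-style handler: the vulnerable version authenticates the caller and then trusts the `id` parameter, while the hardened version derives the object the caller may read from the verified session. The member records, session tokens and the `support` role are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed member records keyed by the `id` the endpoint receives.
MEMBERS = {
    1001: {"name": "Ayu", "phone": "0812-000-1001", "email": "ayu@example.com"},
    1002: {"name": "Budi", "phone": "0813-000-1002", "email": "budi@example.com"},
}

# Constructed session store: bearer token -> (member id, role). In a real
# backend this comes from verifying the JWT or session cookie.
SESSIONS = {
    "tok-ayu": (1001, "member"),
    "tok-support": (9000, "support"),
}

@dataclass
class Response:
    status: int
    body: dict

def authenticate(token):
    """Return (subject id, role) for a valid token, else None."""
    return SESSIONS.get(token)

def get_member_vulnerable(token, requested_id):
    """BOLA-vulnerable: checks that *someone* is logged in, then trusts `id`."""
    if authenticate(token) is None:
        return Response(401, {"error": "unauthenticated"})
    record = MEMBERS.get(requested_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)

def get_member_secure(token, requested_id):
    """Hardened: the record the caller may read is tied to the verified
    session; `id` is honoured only if it matches the caller, or if the
    caller holds a role explicitly allowed to read other members."""
    principal = authenticate(token)
    if principal is None:
        return Response(401, {"error": "unauthenticated"})
    subject_id, role = principal
    if requested_id != subject_id and role != "support":
        # Deny and leave an audit trail: repeated mismatches from one
        # session are exactly the id-tampering pattern to alert on.
        print(f"[audit] subject={subject_id} denied access to id={requested_id}")
        return Response(403, {"error": "forbidden"})
    record = MEMBERS.get(requested_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)
```

The same ownership check applies to any parameter that names an object, such as the ‘muid’ used by the notification endpoint.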




Lastly, I will show you a real case of a Lack of Resource & Rate Limiting vulnerability, where an attacker can launch a brute-force attack. Let’s see the picture below:
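As an added example of the countermeasure for this last case (not code from the original post or the tested application), the limiter below combines a sliding-window request limit per client with a per-account failure counter that locks the account after repeated bad attempts. The thresholds and the injectable clock are assumptions chosen for illustration.

```python
import time
from collections import deque

class LoginRateLimiter:
    """Sliding window per client (IP/device) plus per-account lockout."""

    def __init__(self, max_per_window=5, window_seconds=60,
                 max_failures=10, lockout_seconds=900, now=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self._now = now                 # injectable clock for testing
        self._requests = {}             # client key -> deque of timestamps
        self._failures = {}             # account -> (count, locked_until)

    def allow(self, client_key, account):
        """Call before processing an attempt. Returns (allowed, reason)."""
        t = self._now()
        count, locked_until = self._failures.get(account, (0, 0.0))
        if t < locked_until:
            return False, "account_locked"
        q = self._requests.setdefault(client_key, deque())
        while q and t - q[0] >= self.window:   # drop timestamps outside window
            q.popleft()
        if len(q) >= self.max_per_window:
            return False, "rate_limited"
        q.append(t)
        return True, "ok"

    def record_result(self, account, success):
        """Call after the credential check so failures count toward lockout."""
        if success:
            self._failures.pop(account, None)
            return
        count, locked_until = self._failures.get(account, (0, 0.0))
        count += 1
        if count >= self.max_failures:
            locked_until, count = self._now() + self.lockout, 0
        self._failures[account] = (count, locked_until)

def simulate_failed_logins(limiter, client_key, account, attempts):
    """Drive `attempts` wrong-password requests and return each decision."""
    reasons = []
    for _ in range(attempts):
        allowed, reason = limiter.allow(client_key, account)
        reasons.append(reason)
        if allowed:
            limiter.record_result(account, success=False)
    return reasons
```

The account-level lock matters because a brute-force attacker can rotate source IPs; the per-client window alone would not stop that.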

Conclusion
APIs provide a convenient and flexible way for applications to exchange data and functionality, but they also create new attack vectors for attackers to exploit. To ensure the security and integrity of APIs, it is important to implement security best practices and to conduct regular security testing to identify and mitigate potential vulnerabilities.
Additionally, it is important to stay up-to-date with the latest security threats and vulnerabilities. By taking a proactive and comprehensive approach to API security, organizations of any size can reduce the risk of data breaches and other security incidents and keep the trust, security and privacy of their users.