Codemotion Magazine

The rise and API attacks require better API security

Historically, API attacks have largely flown under the radar of security professionals. But the inherent lack of security in APIs makes them an easy target for attackers.

June 23, 2020 by

Each time you publish an API, you punch a hole in your enterprise perimeter. Through API attacks, a lot of critical data that used to be well protected in enterprise data centers is now exposed directly to the Internet. Whenever you create APIs, you have to make sure that you have done everything you could to validate data flows, properly authenticate users, authorize access to the data and keep an audit trail, among other security tasks.

Isabelle Mauny is the co-founder and CTO of 42Crunch, a company on a mission to make API security as easy as possible for developers and security teams. She spoke at Codemotion about the roots of current API security issues and how you can address them at development time. It’s an extensive talk with plenty of code to dive into, so we encourage you to watch the video to get the full experience.


API attacks are key points of entry to hackers

Historically, API attacks have largely flown under the radar of security professionals, who have been focused on attack vectors known to do significant damage: ransomware, distributed denial of service (DDoS) and malware, among others. But APIs inherently lack security, which makes them an easy target for attackers.

APIs are now the new entry point into your company: into your data and your processes, and they are becoming a very important attack vector. While API data breaches often occur because of third-party actors, in many cases simple failures to treat API security seriously have led to significant data breaches affecting many millions of users.

The API attack at Equifax

In September 2017, Equifax announced that it had experienced a data breach which impacted the personal information of approximately 147 million people. The breach was attributed to the exploitation of a vulnerability in an open-source component, Apache Struts (CVE-2017-5638). Struts is a mainstream web framework used to create web applications and APIs.

Equifax is not alone. API attacks are on the rise. Instagram recently became a victim, and other victims have included Facebook, Amazon and PayPal.

OWASP and API attacks

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Isabelle is a member, and she shared that OWASP recently added under-protected APIs to its Top 10 list of application vulnerabilities, a standard awareness document for developers and web application security practitioners. It represents a broad consensus about the most critical security risks to web applications.

It’s a recognition that API security is NOT web security. Rather, APIs have different attack vectors: they are data-centric, and many attacks come from the mishandling of API data.

Meet PIXI

The Pixi-CRS Continuous Integration pipeline provides automated end-to-end testing of the intentionally vulnerable Pixi application, with a Web Application Firewall (WAF) in front of the application and an automated security vulnerability scanner and web proxy (OWASP Zed Attack Proxy, “ZAP”) pointed at the application and the WAF. It’s part of OWASP DevSlop.

According to Isabelle: “It has all the problems in a single place, but it’s very useful to illustrate the problems that we find. So you have access to that: you have the source code, you can see how it works.”

What can you do?

  • Use non-guessable IDs (UUIDs)
  • Implement authorization checks to validate that the user actually owns the data they are trying to retrieve
  • Don’t expose internal IDs externally – instead, use a non-guessable ID that you then map to internal IDs.
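The three bullets above in one handler, as an added example that is not code from the talk or from 42Crunch: the record store, the `publish`/`get_record` functions and the sample users are constructed for illustration. A random public UUID is mapped to the sequential internal ID, the caller must own the record, and only the fields the API is meant to expose are returned.

```python
import uuid

# Constructed sample store: sequential internal IDs never leave the server.
RECORDS = {
    1: {"owner": "alice", "ssn": "123-45-6789", "email": "alice@example.com"},
    2: {"owner": "bob",   "ssn": "987-65-4321", "email": "bob@example.com"},
}
PUBLIC_TO_INTERNAL = {}   # random public UUID -> internal ID
INTERNAL_TO_PUBLIC = {}

def publish(internal_id):
    """Mint (or reuse) the non-guessable public ID clients see for a record."""
    if internal_id not in INTERNAL_TO_PUBLIC:
        public_id = str(uuid.uuid4())        # from os.urandom: no neighbours to enumerate
        INTERNAL_TO_PUBLIC[internal_id] = public_id
        PUBLIC_TO_INTERNAL[public_id] = internal_id
    return INTERNAL_TO_PUBLIC[internal_id]

def get_record(public_id, caller):
    """Handle GET /records/{public_id} for the authenticated user `caller`.

    Returns (status, body). Unknown IDs and other users' IDs both answer 404,
    so a probe cannot learn which IDs exist.
    """
    internal_id = PUBLIC_TO_INTERNAL.get(public_id)
    if internal_id is None:
        return 404, {"error": "not found"}
    record = RECORDS[internal_id]
    if record["owner"] != caller:           # ownership check: the authorization step
        return 404, {"error": "not found"}
    # Return only the fields the API exposes; the SSN and the internal ID stay inside.
    return 200, {"id": public_id, "email": record["email"]}
```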

Prevent API attacks and access token misuse

  • Access tokens are used for authentication purposes
  • A single token allows access to many APIs and operations
  • API keys and OAuth secrets are leaking all over GitHub

What you should do

  • Restrict token use
  • Google APIs example (restrictions on referrers, APIs, IP addresses)
  • OAuth scopes
  • Fine-grained authorization (such as attribute-based)
  • Don’t rely on access tokens to authenticate a user (use OpenID Connect instead)
  • Use short-lived access tokens
  • Authenticate your apps (so you know who is talking to you)
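An added example of the restrictions listed above, not code from the talk or any OAuth library: a minimal HMAC-signed token (a constructed format, not a JWT implementation) carries the issuing app, its scopes, an IP allowlist and a short expiry, and `authorize` refuses a call that fails any of them. The key, client name and addresses are constructed.

```python
import hmac, hashlib, json, time, base64

# Constructed signing key standing in for the authorization server's secret.
SERVER_KEY = b"constructed-demo-key-not-for-production"

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(client_id, scopes, allowed_ips, ttl_seconds=300, now=None):
    """Issue a short-lived token bound to one app, a scope set and source IPs."""
    now = time.time() if now is None else now
    payload = {"client": client_id, "scope": sorted(scopes),
               "ips": sorted(allowed_ips), "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def authorize(token, required_scope, source_ip, now=None):
    """Return (True, payload) or (False, reason) for one API call."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"          # tampered or forged token
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return False, "expired"                # short TTL limits the value of a leaked token
    if required_scope not in payload["scope"]:
        return False, "insufficient scope"     # one token must not open every API
    if payload["ips"] and source_ip not in payload["ips"]:
        return False, "source not allowed"     # a token copied off GitHub is useless elsewhere
    return True, payload
```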

How to detect vulnerabilities that could cause API attacks

Isabelle suggests that you “put some filtering in place of your data. What is the sensitive data that you manipulate? You need to make sure that that information can never leave through the API unless you want it to in a certain way, but it really shouldn’t. So you have to put in place some filtering and authorization.”

How I could have hacked any Instagram account

Last year, a security researcher and bug hunter, Laxman Muthiyah, found an account-takeover bug in the mobile version of Instagram’s password reset system. When a user wants to reset his or her password, Instagram tries to validate their identity by sending a six-digit code to a recovery phone number. They have to enter that code within 10 minutes to be able to change the password. Instagram developers had implemented a rate-limiting mechanism to prevent attackers from brute-forcing the six-digit code, but the researcher identified a way to bypass it. He noticed that if he sent 1,000 requests containing possible verification codes, 250 of them would go through while the rest would be blocked. He then used what he described as a combination of a race condition and IP rotation to send out a total of 200,000 requests.

The researcher created a race condition, a situation that occurs when a computer tries to process multiple requests at the same time, and by making attempts from a huge number of IP addresses he was able to do an end run around Instagram’s brute-force blocker. He then bombarded Instagram with 200,000 codes from 1,000 different IP addresses. This was made quite simple using cloud-based tools.

Laxman earned $30,000 from Facebook for his efforts.
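The two failure modes described above, rate limits keyed on the caller’s IP and an unsynchronised check-and-increment, beside a hardened limiter, as an added example that is not code from the talk or from Instagram. `PerIpLimiter` and `PerAccountLimiter` are constructed models of a verification endpoint, and `load_test` drives both with the same parallel, IP-rotating burst so the difference in outcome can be measured locally.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

MAX_ATTEMPTS = 5   # constructed policy: a six-digit code gets five guesses, then dies

class PerIpLimiter:
    """The weak shape: one counter per source IP. A new IP means a fresh budget,
    and the unlocked read-then-write can also be raced by parallel requests."""
    def __init__(self):
        self.count = {}
    def verify(self, account, ip, code, real_code):
        n = self.count.get(ip, 0)
        if n >= MAX_ATTEMPTS:
            return "blocked"
        self.count[ip] = n + 1
        return "ok" if code == real_code else "wrong"

class PerAccountLimiter:
    """Hardened: the budget belongs to the reset request, not to the caller's IP;
    check-and-increment runs under a lock; exhausting it burns the code."""
    def __init__(self):
        self.lock = threading.Lock()
        self.failed = {}     # account -> failed guesses so far
        self.burned = set()  # accounts whose code can no longer be redeemed
    def verify(self, account, ip, code, real_code):
        with self.lock:
            if account in self.burned:
                return "blocked"
            if code == real_code:
                return "ok"
            self.failed[account] = self.failed.get(account, 0) + 1
            if self.failed[account] >= MAX_ATTEMPTS:
                self.burned.add(account)
            return "wrong"

def load_test(limiter, account, codes, ips, real_code, workers=8):
    """Send one guess per code in parallel, rotating source IPs, and tally the outcomes."""
    tally = {"ok": 0, "wrong": 0, "blocked": 0}
    def one(i):
        return limiter.verify(account, ips[i % len(ips)], codes[i], real_code)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for outcome in pool.map(one, range(len(codes))):
            tally[outcome] += 1
    return tally
```

With 40 wrong guesses spread over 8 addresses, the per-IP limiter blocks nothing, while the per-account limiter answers five guesses and then refuses the rest regardless of source.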

Blocking unauthorised calls

Isabelle asserts the need to be mindful of the power of resource-level access control: “What am I authorised to see and do when I connect somewhere? Are there any things that you have left in an API that you don’t expect people to use? I’ve seen that many times: in the same API, I have admin functions to manage users, for example, and non-admin functions, which are the ones I’m exposing outside.

For example, there’s a single API, except I’m just telling people from outside ‘you can use those’ for permissions, and telling the people from inside ‘you can also use those operations’, right, but they are in the same API. Mixing admin and non-admin all together, that’s a very common example of a problem.” Attackers can then use bots to guess which potential paths are open (say GET /admin/user) and gain access to things that should be hidden.

What else you can do to reduce API attacks

  • Detect whether verbs not specified in the API contract can be used
  • Systematically reject any path not described in the API contract
  • Validate that the user has proper access rights
  • Test everything, don’t trust any data!
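The contract-first gate the list above calls for, also covering the admin/non-admin mixing Isabelle describes, as an added example that is not code from the talk or from 42Crunch. The two contracts are constructed in the shape of an OpenAPI `paths` object; admin operations live only in a separate contract served on an internal listener, so on the public one a probe for GET /admin/user is indistinguishable from any other unknown path.

```python
import re

# Constructed contract in the shape of an OpenAPI `paths` object: the public
# listener knows only these path/verb pairs and the roles allowed to call them.
PUBLIC_CONTRACT = {
    "/users/{id}":        {"get": {"user", "admin"}},
    "/users/{id}/photos": {"get": {"user", "admin"}, "post": {"user", "admin"}},
}
# Admin operations get their own contract on an internal listener; they are
# never merged into the public one, so a probe for GET /admin/user finds nothing.
INTERNAL_CONTRACT = {
    "/admin/user": {"get": {"admin"}, "delete": {"admin"}},
}

def _to_regex(template):
    """Anchor a templated path; each {param} matches exactly one path segment."""
    parts = [r"[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
             for seg in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "$")

def gate(contract, method, path, caller_role):
    """Decide a request at the gateway, before it reaches any backend code.

    Returns the HTTP status the gateway answers with: 200 to forward,
    404 for a path the contract does not declare, 405 for an undeclared verb
    on a declared path, 403 for a declared operation the caller's role lacks.
    """
    method = method.lower()
    path = path.split("?", 1)[0].rstrip("/") or "/"     # drop query string and trailing slash
    for template, verbs in contract.items():
        if _to_regex(template).match(path):
            if method not in verbs:
                return 405
            if caller_role not in verbs[method]:
                return 403
            return 200
    return 404
```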
