APIsecurity.io - APISecurity.io Newsletter: Issue 154

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #154
Views on APIs and security, report into API misconfiguration, detecting malicious API activity

This week, we have a viewpoint on what security officers can do to address API security. There’s also a report from IBM revealing that two-thirds of cloud breaches are due to misconfigured APIs, the best practices for detecting malicious activity on API endpoints, and a description of common attack vectors on GraphQL implementations.

Opinion: APIs and security
 

This week, the 42Crunch Field CTO Isabelle Mauny was featured in Security Boulevard, discussing how security officers should approach the challenges of securing APIs. The growth of API consumption has, unfortunately but unsurprisingly, brought an increase in attacks against API infrastructure and a series of well-known breaches, several of which have been covered in this newsletter.

Mauny suggests that the reasons why API security issues are so prevalent include:

  • Development teams are increasingly agile, with a more frequent release schedule that challenges security teams still reliant on manual testing procedures.
  • Application development techniques are changing: the monolith is being broken down, and modern applications are composed of multiple APIs, frequently called directly from client-side code, that can be invoked without adequate controls.
  • Security is typically implemented late in the application lifecycle as part of a mandatory compliance stage, so security testing happens late in the development process and produces a high rate of false positives.

Modern APIs (especially in interconnected microservices) erode the typical network boundaries and reduce the effectiveness of traditional perimeter protections such as web application firewalls (WAFs). Mauny suggests that, with the receding importance of the perimeter, it is more important to protect the data than the perimeter itself.

The other key consideration is ensuring that API security tooling has the full context needed to make the correct decision, whether statically (for example, when auditing an API contract against the OpenAPI Specification) or dynamically (when enforcing traffic behavior on an API endpoint). WAFs also exemplify how a lack of context renders a tool ineffective at protecting an API: without knowing what the API is meant to accept, a WAF cannot distinguish bad (unintended) behavior from good (intended) behavior.

Finally, the article highlights the value of API contracts as a means towards a positive security model, one in which the expected behavior is clearly defined and everything else is rejected, as opposed to a negative security model in which bad behavior is inferred from known-bad patterns. By using an API definition (such as an OpenAPI description of the API contract), it is possible to verify the API against its contract at every stage of the development and deployment cycle. Such an approach affords a security officer early insight into the security posture of APIs and ensures that APIs can be tested against their contracts.
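As an added example (not code from the Security Boulevard article or from 42Crunch), the script below runs the same requests through both models: a negative, WAF-style deny list that looks for injection signatures, and a positive check that allows only what an OpenAPI contract declares. The contract, the endpoint, the parameter names and the request values are all constructed for illustration, and the validator covers only the subset of JSON Schema (integer, minimum, enum, string) that the constructed contract uses.

```python
"""Positive (contract-based) versus negative (signature-based) request screening.

Added example, not code from the Security Boulevard article or from 42Crunch.
CONTRACT is a constructed, minimal OpenAPI 3 fragment and the requests in
__main__ are constructed inputs, not captured traffic.
"""
import json
import re

# Constructed OpenAPI 3.0 contract declaring a single operation.
CONTRACT = json.loads("""
{
  "openapi": "3.0.3",
  "paths": {
    "/users/{id}": {
      "get": {
        "parameters": [
          {"name": "id", "in": "path", "required": true,
           "schema": {"type": "integer", "minimum": 1}},
          {"name": "fields", "in": "query", "required": false,
           "schema": {"type": "string", "enum": ["basic", "full"]}}
        ]
      }
    }
  }
}
""")

# Negative model: a WAF-style deny list of injection-looking fragments.
BAD_PATTERNS = [re.compile(p, re.I)
                for p in (r"'\s*or\s+1\s*=\s*1", r"<script", r"\.\./")]


def negative_model_allows(request):
    """Allow unless a parameter value matches a known-bad signature."""
    for value in request["query"].values():
        if any(p.search(value) for p in BAD_PATTERNS):
            return False
    return True


def _match_path(path, templates):
    """Return (template, path_params) for the first template the path matches."""
    for template in templates:
        regex = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        m = re.match(regex, path)
        if m:
            return template, m.groupdict()
    return None, {}


def _value_ok(raw, schema):
    """Check one raw string parameter against the subset of JSON Schema used here."""
    if schema.get("type") == "integer":
        return bool(re.fullmatch(r"-?\d+", raw)) and int(raw) >= schema.get("minimum", float("-inf"))
    if "enum" in schema:
        return raw in schema["enum"]
    return schema.get("type") == "string"


def positive_model_allows(request, contract=CONTRACT):
    """Allow only what the contract declares: known path, method and parameters."""
    template, path_params = _match_path(request["path"], contract["paths"])
    if template is None:
        return False                      # undeclared endpoint
    operation = contract["paths"][template].get(request["method"].lower())
    if operation is None:
        return False                      # undeclared method on a known path
    declared = {(p["in"], p["name"]): p for p in operation.get("parameters", [])}
    supplied = {("path", k): v for k, v in path_params.items()}
    supplied.update({("query", k): v for k, v in request["query"].items()})
    if set(supplied) - set(declared):
        return False                      # parameter the contract never mentions
    for key, param in declared.items():
        if key not in supplied:
            if param.get("required", False):
                return False              # required parameter missing
            continue
        if not _value_ok(supplied[key], param["schema"]):
            return False                  # wrong type, range or enum value
    return True


def screen(request):
    """Verdict of both models, side by side, for one request."""
    return {"negative": negative_model_allows(request),
            "positive": positive_model_allows(request)}


if __name__ == "__main__":
    # Constructed requests: benign, obvious injection, undeclared parameter,
    # and a non-integer path parameter.
    for req in (
        {"method": "GET", "path": "/users/42", "query": {"fields": "basic"}},
        {"method": "GET", "path": "/users/42", "query": {"fields": "' OR 1=1 --"}},
        {"method": "GET", "path": "/users/42", "query": {"fields": "basic", "admin": "true"}},
        {"method": "GET", "path": "/users/abc", "query": {}},
    ):
        print(req["method"], req["path"], req["query"], screen(req))
```

The third and fourth requests are the instructive ones: neither contains anything a signature would match, yet the contract rejects them because an undeclared `admin` parameter and a non-integer `id` fall outside the intended behavior. The signature list, by contrast, can only grow as new bad patterns are learned, which is the lack of context the article describes.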

Report: Two-thirds of cloud breaches due to misconfigured APIs
 

A recent report from IBM reveals that nearly two-thirds of the cloud breaches it examined originated in misconfigured APIs. The report collects 12 months of findings from various IBM research teams and concludes that cloud environments need to be better secured.

The key findings from the report include:

  • There is a vast and thriving black market for the resale of public cloud access details and credentials, such as Remote Desktop Protocol access.
  • Many systems could be compromised due to poor passwords and inadequate policies.
  • APIs were the most common cause of compromise, accounting for nearly two-thirds of the cases identified in the report.
  • The erosion of the traditional perimeter has resulted in more complex scenarios which are difficult to protect with legacy systems.

The main recommendations from the report include:

  • Environments should be secured by a more robust hardening of systems (such as by protecting passwords, or enforcing policies).
  • Stricter governance must be imposed on “shadow IT” because it represents an unquantified business risk and is a frequent source of compromise.
  • Organizations must understand the risks inherent in the rapid opening of hitherto internal-only APIs to public access, because this opens new attack vectors.

Best practice: Detecting malicious activity on APIs
 

Also featured this week is an article by Jason Kent in Threat Post on how to detect malicious behavior on API endpoints. Increasingly, API endpoints intended for web or mobile applications are under attack by rogue actors and bots. Identifying such activity early allows attacks to be thwarted before they succeed.

Kent’s experience as a hacker comes to the fore in the article, with several key (and relatively simple) suggestions for API developers:

  • Use separate domains for the web and mobile applications' APIs. This makes spurious activity easier to spot, for example a browser accessing an endpoint intended only for the mobile application, which is a leading indicator that a human attacker may be attempting to reverse-engineer the API.
  • Pay attention to the presence of crawlers (such as those run by Facebook and Google, commonly used to enumerate websites) on API endpoints, particularly those for mobile applications. Crawlers in API logs are often an indication of active reconnaissance and an imminent attack.
  • Review API logs periodically, paying particular attention to user agent strings; unusual or unexpected user agents are often the precursor to an attack.

Given the rise of bot attacks on APIs, these simple recommendations should prove valuable to API builders.
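The checks Kent describes are easy to script over access logs. The example below is added here and is not from the Threat Post article; it assumes a constructed log layout of `host method path status "user-agent"`, constructed hostnames `api.example.com` (web) and `m-api.example.com` (mobile), and a constructed mobile-app user agent prefix `ExampleApp/x.y`. The sample log lines are constructed as well.

```python
"""Flag suspicious API traffic in access logs using Kent's three indicators.

Added example, not code from the Threat Post article. Assumes a constructed
log layout of `host method path status "user-agent"` per line, with the web
and mobile applications served from separate hostnames. Hostnames, the mobile
app's user-agent prefix and the sample lines are all constructed.
"""
import re
from collections import Counter

WEB_HOST = "api.example.com"       # assumption: web application's API domain
MOBILE_HOST = "m-api.example.com"  # assumption: mobile application's API domain

# Deliberately simple signatures: the value comes from combining them with the
# host and path context, not from the patterns themselves.
BROWSER_UA = re.compile(r"Mozilla/5\.0 \(.*(Windows NT|Macintosh|X11).*\).*(Chrome|Firefox|Safari)")
CRAWLER_UA = re.compile(r"Googlebot|facebookexternalhit|bingbot", re.I)
TOOL_UA = re.compile(r"python-requests|curl/|Go-http-client|sqlmap", re.I)
MOBILE_APP_UA = re.compile(r"^ExampleApp/\d+\.\d+ \((iOS|Android)")  # assumption

LINE = re.compile(r'^(?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
                  r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

# Constructed sample log: an app request, a desktop browser on the mobile
# domain, a browser on the web domain, a crawler on the mobile domain, a
# scripted login attempt and one malformed line.
SAMPLE_LOG = [
    'm-api.example.com GET /api/v1/profile 200 "ExampleApp/3.2 (iOS 15.0; iPhone13,2)"',
    'm-api.example.com GET /api/v1/profile 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0 Safari/537.36"',
    'api.example.com GET /api/v1/search?q=shoes 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) '
    'AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Safari/605.1.15"',
    'm-api.example.com GET /api/v1/orders 403 "Mozilla/5.0 (compatible; Googlebot/2.1; '
    '+http://www.google.com/bot.html)"',
    'api.example.com POST /api/v1/login 401 "python-requests/2.26.0"',
    'this line does not match the expected layout',
]


def parse(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Findings for one parsed entry; an empty list means nothing stood out."""
    findings = []
    host, path, ua = entry["host"], entry["path"], entry["ua"]
    if host == MOBILE_HOST and BROWSER_UA.search(ua):
        # Indicator 1: a desktop browser calling the mobile-only API, which
        # suggests someone is reverse-engineering the app's endpoints.
        findings.append("browser-on-mobile-domain")
    elif host == MOBILE_HOST and not MOBILE_APP_UA.match(ua):
        # Anything else on the mobile domain that is not the app itself.
        findings.append("unexpected-ua-on-mobile-domain")
    if CRAWLER_UA.search(ua) and path.startswith("/api/"):
        # Indicator 2: crawlers enumerating API endpoints (reconnaissance).
        findings.append("crawler-on-api")
    if TOOL_UA.search(ua):
        # Indicator 3: user agents of scripting or attack tools.
        findings.append("tool-ua")
    return findings


def review(lines):
    """Apply all checks to a batch of log lines.

    Returns (flagged, totals): flagged is a list of
    (host, path, user_agent, findings) tuples, totals a Counter of findings.
    """
    flagged, totals = [], Counter()
    for line in lines:
        entry = parse(line)
        if entry is None:
            totals["unparsed"] += 1   # worth counting: a new log format hides attacks
            continue
        findings = classify(entry)
        totals.update(findings)
        if findings:
            flagged.append((entry["host"], entry["path"], entry["ua"], findings))
    return flagged, totals


if __name__ == "__main__":
    flagged, totals = review(SAMPLE_LOG)
    for host, path, ua, findings in flagged:
        print(f"{host} {path} [{ua[:40]}...] -> {', '.join(findings)}")
    print(dict(totals))
```

Only the mobile domain gets the browser and non-app user agent checks, which is the point of Kent's first recommendation: on a shared domain a desktop browser is normal traffic, on a mobile-only domain it is a signal. User agents are trivially spoofable, so these findings are review prompts rather than blocking decisions.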

Article: Practical GraphQL attack vectors
 

In issue 150, we covered best practices for hardening your GraphQL implementations. In this week's issue, we feature some brief observations by Mihalache on common attack vectors used against GraphQL implementations.

GraphQL is a data query language that allows the client to construct arbitrary data queries against the underlying data stores. This contrasts with the more established REST style, which structures access through known endpoints. The difference is illustrated below:

[Figure: REST endpoints compared with a GraphQL query endpoint]

Whilst the GraphQL endpoint provides more flexibility for the client consumer, it does introduce additional security considerations because of the complexity of the underlying implementation. Mihalache's article highlights a few common attack vectors to protect against, whether by hardening the implementation or through other compensating controls:

  • Introspection: One of the benefits of GraphQL is the ability to dynamically enumerate the underlying schema, which can, unfortunately, also facilitate an attacker's discovery process.
  • Missing access controls: Default implementations do not provide access controls; developers must implement them in bespoke logic.
  • SQL and NoSQL injection: Resolvers that build queries from client-supplied arguments are susceptible to traditional injection attacks on the backing data stores.
  • Information disclosure: Default GraphQL implementations tend to be very verbose, for example in error messages, potentially to the advantage of attackers.
  • Bypassing rate limiting: Batching many queries into a single request can sidestep per-request rate limits and lead to denial of service (DoS) against the GraphQL endpoint.
  • DoS: In addition to the above, deeply nested queries can just as easily be used to launch DoS attacks.

Mihalache reaches the same conclusion as our previously referenced GraphQL article, namely that GraphQL implementations are often insecure out of the box, and the savvy API developer is well advised to harden them to eliminate the more common attack vectors.
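As an added example, not code from Mihalache's article or from any GraphQL server library, the following pre-resolver checks address three of the items above: they reject introspection queries (`__schema` and `__type`) unless explicitly enabled, cap the number of operations in a batched (JSON array) request, and cap selection-set depth. Depth is measured by scanning the raw query for nested braces while skipping string literals and comments, which is a simplification of what a parser-based validation rule would do; the limits and the sample request bodies are constructed.

```python
"""Pre-resolver checks for a GraphQL endpoint: introspection, batching, depth.

Added example, not code from Mihalache's article or from any GraphQL server
library. Depth is measured by a brace-nesting scan of the raw query text
(string literals and comments skipped), a simplification of a parser-based
validation rule. Limits and sample queries are constructed.
"""
import json
import re

MAX_DEPTH = 5   # assumption: deepest selection set the resolvers should serve
MAX_BATCH = 3   # assumption: most operations accepted in one HTTP request

# __schema and __type expose the schema; __typename is harmless and not matched.
INTROSPECTION = re.compile(r"\b__(schema|type)\b")


def selection_depth(query):
    """Maximum nesting of selection sets, ignoring braces inside strings/comments."""
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == '"':
            if query.startswith('"""', i):          # block string
                end = query.find('"""', i + 3)
                i = n if end == -1 else end + 3
            else:                                    # ordinary string
                i += 1
                while i < n and query[i] != '"':
                    i += 2 if query[i] == "\\" else 1
                i += 1
            continue
        if c == "#":                                 # comment to end of line
            while i < n and query[i] != "\n":
                i += 1
            continue
        if c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
        i += 1
    return max_depth


def check_operation(query, allow_introspection=False):
    """Policy violations for one operation; an empty list means accepted."""
    problems = []
    if not allow_introspection and INTROSPECTION.search(query):
        problems.append("introspection")
    depth = selection_depth(query)
    if depth > MAX_DEPTH:
        problems.append(f"depth {depth} > {MAX_DEPTH}")
    return problems


def check_request(body):
    """Check a raw request body: one operation object or a JSON array batch."""
    payload = json.loads(body)
    operations = payload if isinstance(payload, list) else [payload]
    if len(operations) > MAX_BATCH:
        # Reject the whole batch before any resolver runs, so a per-request
        # rate limit cannot be multiplied by the batch size.
        return [f"batch of {len(operations)} > {MAX_BATCH}"]
    problems = []
    for idx, op in enumerate(operations):
        problems.extend(f"op{idx}: {p}" for p in check_operation(op.get("query", "")))
    return problems


# Constructed request bodies, as a client would POST them.
BENIGN = '{"query": "{ user(id: 1) { name posts { title } } }"}'
INTROSPECTION_QUERY = '{"query": "{ __schema { types { name } } }"}'
DEEP_QUERY = '{"query": "{ a { b { c { d { e { f { g } } } } } } }"}'
STRING_BRACES = '{"query": "{ search(term: \\"{{{\\") { id } }"}'
BATCH_OF_FOUR = "[" + ",".join([BENIGN] * 4) + "]"

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("introspection", INTROSPECTION_QUERY),
                       ("deep", DEEP_QUERY), ("braces in string", STRING_BRACES),
                       ("batch of four", BATCH_OF_FOUR)]:
        print(f"{name:16} -> {check_request(body) or 'accepted'}")
```

The `STRING_BRACES` case is why the scanner skips string literals: a naive brace count would read an argument value of `"{{{"` as extra nesting and either reject a benign query or, with the reverse mistake, let an attacker hide depth. In production the same three limits are better enforced with the server library's own validation rules, which operate on the parsed document rather than on the raw text.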

 
Colin Domoney

ApiSecurity.io

 
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc., 95 Third Street, 2nd Floor, San Francisco, CA 94103, United States