{"id":280690,"date":"2021-06-22T15:00:12","date_gmt":"2021-06-22T12:00:12","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-defend-yourself-against-api-attacks-cloudsavvy-it\/"},"modified":"2021-06-22T15:00:12","modified_gmt":"2021-06-22T12:00:12","slug":"how-to-defend-yourself-against-api-attacks-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-defend-yourself-against-api-attacks-cloudsavvy-it\/","title":{"rendered":"#How To Defend Yourself Against API Attacks \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How To Defend Yourself Against API Attacks \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure style=\"width: 2934px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage wp-image-12078 size-full\" alt=\"the word api written in cubes\" width=\"2934\" height=\"1596\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/b2316441.png\" data-credittext=\"Imagentle\/Shutterstock.com\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-illustration\/pixelated-acronym-api-made-cubes-mosaic-210232156\">Imagentle\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>Modern cloud strategies make heavy use of APIs for controlled, interactive access to hosted services. 
But that access is only controlled if the APIs are securely implemented and cannot be abused.<\/p>\n<h2 id=\"web-apis\"><span class=\"ez-toc-section\" id=\"Web_APIs\"><\/span>Web APIs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>An application programming interface (API) lets software talk to other software. That requires a specification: a documented set of functions the API endpoint provides, the rules an API client must follow to call them, and the type and format of the data each function returns. You usually want to restrict who can use the API, so clients must authenticate in some way. In a restricted API a request must only be serviced once the endpoint has verified both who is calling and that the caller is entitled to the particular record it asked for; checking the first without the second is a common and costly mistake.<\/p>\n<p>As with all software development, a security-by-design methodology is far better than a build-it-first, secure-it-later approach. The Peloton API incident illustrates this perfectly. A flawed API implementation, since fixed, serviced unauthenticated API calls, so anybody could pull back personal data about any Peloton customer.<\/p>\n<p>The first \u201cfix\u201d simply restricted the API to authenticated Peloton account holders. This was only marginally better: any customer could still read any other customer\u2019s data. With the final fix in place, a Peloton user\u2019s data is private unless they explicitly choose to share it.<\/p>\n<p>There are many other examples of weak or poorly designed APIs. 
Facebook exposed the personal data of 533 million of its users because an API allowed anyone to look up accounts by telephone number, at a rate of up to 1,000 queries per minute, with no effective rate limiting to stop mass enumeration.<\/p>\n<p>By some industry estimates, more than 80 percent of internet traffic is API traffic. That\u2019s a lot of APIs. As of mid-2021, the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/owasp.org\/www-project-top-ten\/\">Open Web Application Security Project<\/a>\u00a0(OWASP) Top 10 web application security risks haven\u2019t changed in several years, and OWASP has maintained a separate API Security Top 10 since 2019. Sadly, the same mistakes leading to the same vulnerabilities are being repeated over and over. And that\u2019s too enticing for cybercriminals to ignore.<\/p>\n<h2 id=\"development-stakeholders\"><span class=\"ez-toc-section\" id=\"Development_Stakeholders\"><\/span>Development Stakeholders<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>APIs are often less well protected than websites and mobile apps. Performance requirements can push the development team to make them lean and mean: so lean that they contain very little, if any, code devoted to protecting the API and the data it fronts. A poorly designed or badly implemented API will have weaknesses that can be exploited. The proper remediation isn\u2019t to stick a Band-Aid over it and try to plug the holes. You need to fix the code, or possibly the business logic that was modeled into the API.<\/p>\n<p>When you have many software components talking to one another over API calls, such as microservices, it becomes very difficult to spot business-layer process errors. Your code may pass the unit, regression, and other tests. You may experience no crashes. All your logs are clean. But that doesn\u2019t mean the logic is correct, nor that every possible vulnerability has been considered. 
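<\/p>\n<p>As an added illustration, not code from the original article or from Peloton, here is the handler pattern from the Peloton story above in three versions: the unauthenticated original, the first \u201cfix\u201d that only checks the caller is logged in, and a hardened version that also checks the caller is entitled to the specific record and returns only what the owner chose to share. The user records, the token table and all names are constructed for the demonstration. A happy-path test is green for all three versions; only a cross-user test exposes the first two, which is exactly the kind of logic error clean test runs and clean logs do not reveal.<\/p>\n

```python
"""Added example (not code from the CloudSavvy IT article or from Peloton): three
versions of a 'GET /users/{id}' handler following the Peloton story above. The
in-memory users, the token table and all names are constructed for this demo."""
from dataclasses import dataclass
from typing import Optional

# Constructed data: two customers; only Ben has opted to share his profile.
USERS = {
    101: {"id": 101, "name": "Ada", "email": "ada@example.com",
          "city": "Leeds", "weight_kg": 61, "share_profile": False},
    102: {"id": 102, "name": "Ben", "email": "ben@example.com",
          "city": "Bath", "weight_kg": 84, "share_profile": True},
}
# Bearer token -> user id. A real service would verify a signed token instead.
TOKENS = {"tok-ada": 101, "tok-ben": 102}
# The only fields another customer may see, and only if the owner shares them.
SHARED_FIELDS = ("id", "name")


@dataclass
class Request:
    path_id: str                      # the {id} path parameter exactly as received
    auth_header: Optional[str] = None


@dataclass
class Response:
    status: int
    body: dict


def caller_id(req: Request) -> Optional[int]:
    """Authentication: map a valid 'Bearer <token>' header to a user id, else None."""
    if not req.auth_header or not req.auth_header.startswith("Bearer "):
        return None
    return TOKENS.get(req.auth_header[len("Bearer "):])


def parse_id(raw: str) -> Optional[int]:
    """Input validation: accept only a short ASCII decimal integer, nothing else.
    isascii() matters: '\u00b2'.isdigit() is True but int('\u00b2') raises."""
    return int(raw) if raw.isascii() and raw.isdigit() and len(raw) <= 9 else None


def get_profile_v1(req: Request) -> Response:
    """The original flaw: no authentication, so anyone can read anyone's record."""
    uid = parse_id(req.path_id)
    if uid is None or uid not in USERS:
        return Response(404, {"error": "not found"})
    return Response(200, dict(USERS[uid]))


def get_profile_v2(req: Request) -> Response:
    """The first 'fix': the caller must be logged in, but any customer can still read
    any other customer's full record (broken object-level authorization)."""
    if caller_id(req) is None:
        return Response(401, {"error": "unauthenticated"})
    return get_profile_v1(req)


def get_profile_v3(req: Request) -> Response:
    """The real fix: authenticate, authorize per object, then return the minimum."""
    caller = caller_id(req)
    if caller is None:
        return Response(401, {"error": "unauthenticated"})
    uid = parse_id(req.path_id)
    if uid is None or uid not in USERS:
        return Response(404, {"error": "not found"})
    user = USERS[uid]
    if caller == uid:                              # owners see their own data
        return Response(200, {k: v for k, v in user.items() if k != "share_profile"})
    if user["share_profile"]:                      # others see only what was shared
        return Response(200, {k: user[k] for k in SHARED_FIELDS})
    # 404 rather than 403: do not confirm to strangers that the id exists.
    return Response(404, {"error": "not found"})


def happy_path_ok(handler) -> bool:
    """The kind of test that is green for all three versions: owner reads own profile."""
    return handler(Request("101", "Bearer tok-ada")).status == 200


def leaks_private_data(handler) -> bool:
    """The test that should have been written: can an anonymous caller, or another
    customer, read Ada's email address?"""
    anonymous = handler(Request("101"))
    other_customer = handler(Request("101", "Bearer tok-ben"))
    return any(r.status == 200 and "email" in r.body for r in (anonymous, other_customer))


if __name__ == "__main__":
    for h in (get_profile_v1, get_profile_v2, get_profile_v3):
        print(f"{h.__name__}: happy path ok={happy_path_ok(h)} leaks={leaks_private_data(h)}")
```

<p>Run it directly and it prints the verdict for each version. The hardened version answers 404 rather than 403 to a stranger so the endpoint does not confirm that an id exists, and it validates the path id as an ASCII decimal integer before touching the data store, which also disposes of the injection-style inputs covered under Types of Attacks.<\/p>\n<p>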
Bringing your security team and your development team together can yield surprising insights.<\/p>\n<p>The development team is responsible for writing the APIs that deliver the required functionality. The security team is responsible for protecting the data that is served via the API. Both are stakeholders in the success of the development process, and developers will rarely think about security, threats, and attacks the way the security team does. Why not bring both sets of expertise to bear on the problem?<\/p>\n<h2 id=\"types-of-attacks\"><span class=\"ez-toc-section\" id=\"Types_of_Attacks\"><\/span>Types of Attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The common attack types you\u2019ll encounter can be grouped according to their technique.<\/p>\n<ul>\n<li><strong>Credential Stuffing<\/strong>: An automated attack that replays username and password pairs, or API keys and tokens, leaked from other breaches against your authentication endpoints, betting on credential reuse. Unlike a brute-force attack it needs only a handful of attempts per account, so it shows up as unusual volume across many accounts rather than many failures against one.<\/li>\n<li><strong>Injection Attacks<\/strong>: The attacker crafts API request parameters so that data is interpreted as instructions by a component behind the endpoint.\u00a0<em>SQL injection<\/em>\u00a0targets the SQL databases behind the API. It is often easy to work out which text elements of an API call end up inside SQL statements, and SQL fragments appended to those values are executed by the database server if the endpoint builds its queries by string concatenation instead of parameterized statements.\u00a0<em>Cross-site scripting<\/em>\u00a0(XSS) is a related attack in which the injected payload is script, typically JavaScript, that the API stores or reflects and that later executes in the browser of another user who renders the response.<\/li>\n<li><strong>Distributed Denial-of-Service (DDoS)<\/strong>: These attacks are very similar to the DDoS attacks that flood a website with traffic, preventing it from servicing genuine requests. 
DDoS attacks aimed at API endpoints are growing in popularity with threat actors, partly because one cheap request can trigger expensive back-end work such as database queries.<\/li>\n<li><strong>Man-in-the-Middle (MitM)<\/strong>: These attacks rely on intercepting traffic between a genuine, innocent API client and the API endpoint. If API authentication credentials or tokens are captured they can be replayed to connect while masquerading as the genuine client. Sometimes the API calls from the genuine client are modified in transit so that the endpoint does what the attacker wants, not what the actual client asked for.<\/li>\n<\/ul>\n<h2 id=\"protecting-your-apis\"><span class=\"ez-toc-section\" id=\"Protecting_Your_APIs\"><\/span>Protecting Your APIs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When you\u2019re looking to secure a subset of your IT infrastructure, it can be tempting to look for specific or novel solutions. But don\u2019t forget the cybersecurity basics.<\/p>\n<h3 id=\"quantify-what-youre-dealing-with\"><span class=\"ez-toc-section\" id=\"Quantify_What_Youre_Dealing_With\"><\/span>Quantify What You\u2019re Dealing With<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>If you don\u2019t know what you\u2019ve got, you can\u2019t manage it. You must identify and characterize all of the APIs that you use, whether you created them or not. The results of your API audit might reveal opportunities to simplify or rationalize your use of APIs. It will also highlight any old, undocumented, or orphaned APIs that need to be updated or turned off.<\/p>\n<p>Once you know what APIs you have, what they do, and how they\u2019re protected and made resilient, you can document your API security strategy. Use the opportunity to set ground rules for security-driven development, and plan your API roadmap.<\/p>\n<p>What data is accessible through the API calls? Is it personally identifiable information, or sensitive in some other way? What is its data classification? 
If your data protection policies have been implemented correctly they\u2019ll already contain this information. Critically review the access to the data. Are you revealing more data than necessary?<\/p>\n<h3 id=\"make-your-apis-concise\"><span class=\"ez-toc-section\" id=\"Make_Your_APIs_Concise\"><\/span>Make Your APIs Concise<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Wanting to make your API a rich experience for the data consumer can lead to over-reporting and to needlessly giving away details of the API endpoint itself, such as stack traces, internal hostnames, or framework versions in error responses. Information about data subjects, encryption keys, and authentication tokens has all been leaked by overly verbose APIs. A more considered and secure approach is to return the minimum amount of data that the API client needs to fulfill the requested function, and a generic error message for everything else.<\/p>\n<p>This circles back to the principle of least privilege, a cybersecurity staple. You should only grant users, processes, IoT devices, or anything else that interacts with your IT the minimum privileges required for their role or function to be fulfilled. Do the same with your APIs.<\/p>\n<h3 id=\"use-encryption\"><span class=\"ez-toc-section\" id=\"Use_Encryption\"><\/span>Use Encryption<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Encrypt your API traffic using Transport Layer Security (TLS), the successor to SSL, on every endpoint, and have clients verify the server certificate rather than disabling validation to make a test pass. Don\u2019t be guided by the value of the data. Remember, you\u2019re also protecting API client authentication tokens. Attackers might not care about the data, but if they acquire authentication tokens they may be able to use the API to extract more clues about your systems so that they can mount different attacks.<\/p>\n<h3 id=\"authentication-and-input-values\"><span class=\"ez-toc-section\" id=\"Authentication_and_Input_Values\"><\/span>Authentication and Input Values<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Obviously, you need to have a strong authentication system. Don\u2019t reinvent the wheel. 
Whenever possible, use a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/oauth.net\/2\/\">recognized solution such as OAuth 2.0<\/a>. You might feel that internal APIs don\u2019t need to authenticate. But can you guarantee that an internal API won\u2019t be made public in error, perhaps because it is being reused in another project?<\/p>\n<p>Never blindly accept input to an API without validating it first. Validate each field against an explicit definition of what is allowed (type, length, range, character set) and reject anything that does not match, rather than trying to strip out malformed content, embedded scripts, or oversized values after the fact.<\/p>\n<p>Be aware of the frequency of requests, and apply sensible rate-limiting measures. Is a high-frequency visitor someone trying to brute-force their way in, or are they trying to siphon data out of your database, request by request?<\/p>\n<h3 id=\"allied-technologies\"><span class=\"ez-toc-section\" id=\"Allied_Technologies\"><\/span>Allied Technologies<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Web application firewalls (WAFs) help protect websites, hosted applications, and APIs by filtering and monitoring traffic to and from the protected resource. They can detect attacks such as cross-site scripting and SQL injection, among others. A WAF is an application-layer protection technology (layer 7 in the OSI model), not a fit-and-forget solution to all of your website or API security; a WAF cannot tell that an authenticated user is reading someone else\u2019s record. WAFs are best deployed as one element in a layered suite of defenses.<\/p>\n<p>An API gateway sits between the API endpoint and the API clients. It brokers API requests between the clients and the endpoint, sometimes breaking a request into smaller pieces that are serviced by different back-end microservices. Responses are collated and sent back to the API client. API gateways can integrate with, or provide, authentication and rate-limiting facilities. 
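<\/p>\n<p>As an added example, not code from the original article or from any gateway product, the following is the token-bucket rate limiter that sits behind the rate limiting a gateway or your own middleware provides, replayed over a constructed request log: a well-behaved authenticated app polling every two seconds and an anonymous scraper enumerating records at 1,000 requests per minute, the rate in the Facebook incident described earlier. Client names, addresses, bucket sizes and traffic shapes are all made up. It keys authenticated callers by identity rather than by source address, because an attacker rotates IP addresses far more cheaply than accounts.<\/p>\n

```python
"""Added example, not code from the CloudSavvy IT article or any gateway product:
a per-client token-bucket rate limiter replayed over a constructed request log.
Client names, addresses, bucket sizes and traffic shapes are all made up."""
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens_m: int   # millitokens (1 request == 1000), so the arithmetic is exact integers
    last_ms: int    # time of the last refill in milliseconds


class TokenBucketLimiter:
    """A client may burst up to `capacity` requests, then sustain `refill_per_sec`."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity_m = capacity * 1000
        self.refill_per_ms = refill_per_sec   # tokens per second == millitokens per millisecond
        self.buckets = {}
        self.allowed = {}
        self.denied = {}

    def allow(self, client, now_ms):
        """Return True if this request may proceed, False if the client is throttled."""
        bucket = self.buckets.get(client)
        if bucket is None:                     # a new client starts with a full bucket
            bucket = Bucket(self.capacity_m, now_ms)
            self.buckets[client] = bucket
        elapsed = now_ms - bucket.last_ms
        bucket.tokens_m = min(self.capacity_m, bucket.tokens_m + elapsed * self.refill_per_ms)
        bucket.last_ms = now_ms
        if bucket.tokens_m >= 1000:
            bucket.tokens_m -= 1000
            self.allowed[client] = self.allowed.get(client, 0) + 1
            return True
        self.denied[client] = self.denied.get(client, 0) + 1
        return False

    def suspicious(self, min_denied=100):
        """Clients throttled this often deserve a look: brute force or record-by-record siphoning."""
        return sorted(c for c, n in self.denied.items() if n >= min_denied)


def client_key(api_key, remote_ip):
    """Key authenticated callers by identity, anonymous ones by source address."""
    return "key:" + api_key if api_key else "ip:" + remote_ip


def constructed_request_log():
    """Constructed traffic as (time_ms, api_key, ip): an app polling every 2 s for a minute,
    plus an anonymous scraper making 1,000 requests in the same minute (one every 60 ms)."""
    log = [(t, "app-ada-7f3c", "198.51.100.20") for t in range(0, 60_000, 2_000)]
    log += [(t, None, "203.0.113.7") for t in range(0, 60_000, 60)]
    return sorted(log, key=lambda rec: rec[0])


def run(capacity=10, refill_per_sec=1):
    """Replay the log and return ({client: (allowed, denied)}, limiter)."""
    limiter = TokenBucketLimiter(capacity, refill_per_sec)
    for t, key, ip in constructed_request_log():
        limiter.allow(client_key(key, ip), t)
    clients = set(limiter.allowed) | set(limiter.denied)
    counts = {c: (limiter.allowed.get(c, 0), limiter.denied.get(c, 0)) for c in clients}
    return counts, limiter


if __name__ == "__main__":
    counts, limiter = run()
    for client, (ok, throttled) in sorted(counts.items()):
        print(f"{client:20} allowed={ok:4} denied={throttled:4}")
    print("investigate:", limiter.suspicious())
```

<p>With a 10-request burst and a sustained one request per second, the polling app is never throttled, while the scraper gets 69 of its 1,000 requests through in the minute and is denied 931 times. That denial count is the signal to alert on: a client refused hundreds of times is either brute-forcing credentials or siphoning data record by record. Integer milliseconds and millitokens keep the arithmetic exact, so the counts are reproducible; a floating-point implementation drifts.<\/p>\n<p>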
Software-as-a-Service API gateways are available, providing high availability and automatic scaling.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"APIs_are_on_the_Front_Line\"><\/span>APIs are on the Front Line<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>With the relentless rise of cloud and microservices, APIs find themselves on the front line of cyberattacks. Cybercriminals like odds when they\u2019re stacked in their favor. With so many APIs out there, it\u2019s inevitable that many of them will be poorly protected or even unprotected. Don\u2019t let them be yours.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/11936\/how-to-defend-yourself-against-api-attacks\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How To Defend 
Yourself Against API Attacks \u2013 CloudSavvy IT&#8221; Imagentle\/Shutterstock.com Modern cloud strategies make heavy use of APIs for controlled, interactive access to hosted services. But the access is only controlled if the APIs are securely implemented and they\u2019re not susceptible to abuse. Web APIs An application programming interface (API) lets software talk to&#8230;<\/p>\n","protected":false},"author":1,"featured_media":280691,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/b2316441.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-280690","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/280690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=280690"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/280690\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/280691"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=280690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=280690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=280690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","temp
lated":true}]}}