What is an API attack and how does it work

If you want to visualize how data flows across your connected applications, you can think back to that childhood game of Chutes and Ladders (also called Snakes and Ladders). As a kid, the board felt like a confusing grid that had the weirdest, seemingly arbitrary connections between blocks. In your modern digital environment, your Application Programming Interfaces (APIs) fulfill the same role that the ladders and chutes/snakes fulfilled, connecting disparate blocks across a larger whole.

 

As attackers increasingly target these data connections, understanding what an API attack is and how it works can help you mitigate risks.

What is an Application Programming Interface (API)?

Application Programming Interfaces (APIs) are the set of rules and protocols that developers use so applications can exchange data and perform tasks. By defining the methods and formats for exchanging data, APIs enable disparate software applications, databases, and hardware to communicate by standardizing data request and retrieval.

 

The four basic types of APIs are:

• Internal/Private: used for internal systems and across different internal teams
• Open/Public: publicly available with no restriction on them
• Partner: specific rights or licenses associated with a vendor technology
• Composite: combination of data and service APIs to execute tasks

 

Further, online applications typically use one of the following web service APIs:

• Simple Object Access Protocol (SOAP): defines message structure and communication methods, using XML format for data transfers and Web Services Definition Language (WSDL) for publishing its interface definition
• XML Remote Procedure Calls (RPC): uses proprietary XML data transfer format that is older and simpler than SOAP, requiring less bandwidth
• JavaScript Object Notation (JSON) RPC: uses lightweight data-interchange human-readable format that is easy for machines to parse and generate
• REST/RESTful: provides an architecture for transferring a representation of a resource’s state to the requestor or endpoint delivered using an HTTP format, like JSON, HTML, XLT, Python, PHP, or plain text
• GraphQL: provides a query language for APIs and runtime for fulfilling them with existing data, enabling developers to limit data shared
• gRPC: connects services and supports load balancing, tracing, health checking, and authentication

 

What is an API attack?

Since APIs enable communication between applications, they often expose access to sensitive data and functionalities. APIs handle requests and responses between clients, the front-end application that people use, and servers, the backend database that contains information.

 

Some examples of sensitive data that APIs can expose include:

• Software interface: the two locations, or endpoints, that communicate with each other
• Technical specification: how endpoints exchange data, including the process requests and delivery protocols
• Function calls: directions that include verbs (like GET or DELETE) and nouns (like Data or Access)

When the API exposes this data, threat actors can manipulate how the API works. Typical API attack types include:

• Brute force: guessing the authentication credentials or API keys to gain unauthorized access to the API
• Code injection: inserting malicious code into the API requests to exploit vulnerabilities in the target system
• Denial of Service (DoS): sending so many requests to the API that it becomes overwhelmed and unable to respond to legitimate requests
• Man in the Middle (MitM): intercepting a the data as it travels between the client and server

 

How an API Attack Works

Although API attacks can take different forms, they generally follow the same process:

• Reconnaissance: identifying potential vulnerabilities by gathering information from API documentation, network traffic, or publicly available data about the system
• Bypassing authentication and authorization: gaining unauthorized access through authentication process vulnerabilities, weak password policies, or authorization logic issues
• Identifying endpoints: exploring the target system to select the exploitable endpoints, manipulate parameters, or identify sensitive data
• Deploying attack: manipulating endpoint parameters, injecting code, employing brute force techniques, flooding target API with requests
• Exfiltrating data: escalating privileges to access and steal sensitive data
• Covering tracks: deleting or modifying logs to hide activity

 

Challenges of API Security

As organizations integrate more applications, they add more APIs, making API security both more important and more challenging.

Authentication and authorization weaknesses

Since APIs are technologies not people, requesting credentials or using multi-factor authentication (MFA) isn’t possible. Instead, they typically use access tokens inserted into the API call to verify these non-human “users.” However, the token can be compromised for various reasons, including:

• Incorrectly generated
• Invalidation
• Compromised through a vulnerability

Improper input validation

Web applications require users to provide data, like form data, query strings, and POST requests. Improper input validation mans that the API never reviews the inputs to ensure:

• Syntactical correctness: data in the expected format, like a phone number having the format (XXX) XXX-XXXX
• Semantic correctness: data makes logical sense in the business context, like dollars being only entered as positive numbers

Inadequate Rate Limiting

Rate limiting sets the maximum number of API requests allowed in a specific amount of time. However, as with everything else in technology, rate limiting doesn’t have a single answer. A global rate limit can be valuable, but it can impact performance, especially on shared wireless connections. Additionally, several different rate limiting approaches exist:

• Request: number of requests a user or client can make
• Traffic: amount of traffic transmitted over a network or between networks
• Resource-based: number of requests made to a specific resource

Third-party library vulnerabilities

Developers use third-party API libraries the same way and for the same reason that they use third-party code libraries and frameworks. Using these libraries saves time and often mitigates problems associated with misconfigurations. However, once attackers know that an API has a vulnerability, they look to exploit it. Since not all libraries regularly update their APIs, this creates another software supply chain risk.

Lack of secure data handling

Since APIs transmit data between applications and databases, sensitive data often travels through them. Transport Layer Security (TLS) protocols encrypt communications between the client and server to help protect data. However, implementing encryption isn’t always as easy as it sounds. Developers also need to consider:

• Disabling communication channels that won’t provide encryption in transit, like removing related code, configuring dependencies only with encrypted channels, restricting access credential to only encrypted channels
• Using data message-level encryption when TLS is not permissible
• Managing and rotating keys
• Securing keys

 

Insufficient monitoring and detection

Monitoring APIs means understanding how the data flows between applications. APIs not only increase the attack surface, but they require unique security technologies, increasing the number of locations that security teams need to monitor. Many organizations incorporate web application firewalls (WAFs) specifically to protect APIs from traditional threats, but these still don’t mitigate risks arising from business logic flaws. Simultaneously, security incident event management (SIEM) tools only collect and aggregate data from security technologies. Without a dedicated API security tool, they fail to identify abnormal activity, ultimately increasing security teams’ alert fatigue.

 

Graylog API Security: Continuous monitoring with high-fidelity alerts

With Graylog API Security, you gain visibility into your API landscape and how your environment uses them. With APIs organized by domain, you can align your monitoring with the open API specification, including identifying prohibited and deprecated APIs. Graylog API Security automatically discovers the most common types of attacks and failures so that you gain at-a-glance visibility into the most severe issues without requiring you to have deep technical knowledge about APIs. By automatically categorizing API calls into meaningful buckets, like API calls that are successful, leaking, or malformed, you can bring all this data into focus.

 

To see how Graylog API Security can help you reduce the attack surface and protect your organization, contact us today.