Web Application Programming Interfaces (APIs) are designed to allow users to have automated, programmatic access to an organization’s Internet-facing resources. While navigating a traditional web page may be the best option for a human user of the service, some customers want to be able to make queries or requests in an automated fashion. These bots or scripts may well be legitimate (and desirable) users, and optimizing the interface for them makes their job easier and takes the load off of the webserver trying to respond to their frequent requests.
Typically, these scripts are developed by users who want easy access to a significant amount of the organization’s data or protected functionality. As a result, web APIs are designed to allow bulk data requests or other functionality that may not be accessible to traditional users. While this ability to quickly access data is valuable to certain clients, it can be useful to hackers as well.
The power and easy accessibility of web APIs make them a common target for hackers. As a result, web API security is an important component of any organization’s cybersecurity strategy. Understanding the ways in which web APIs are potentially, and commonly, attacked is vital to ensuring the security of the sensitive data that they protect.
Attacking Web APIs
Web APIs are often the gateway between a user and an organization’s collection of sensitive customer data. These APIs are designed to respond to requests for data and, therefore, must be implemented as executable code.
The value of the data that a web API protects makes it a common target for hackers, and the fact that it consists of code means that there is a chance that it can be exploited if a vulnerability is discovered. While many developers are aware of the OWASP Top Ten list of web application vulnerabilities and design their applications to be secure based upon that list, these are not the only potential ways in which an organization’s web API can be attacked.
Some attack vectors, like credential stuffing attacks and Distributed Denial of Service (DDoS) attacks, succeed even against web applications whose code is free from exploitable vulnerabilities. However, failure to understand and properly defend against these attacks can allow a hacker to gain illegitimate access to a web API or to deny legitimate access to authorized users.
- Credential Stuffing/Login Attacks
Credential stuffing attacks take advantage of the fact that most online accounts restrict access to their protected data and functionality using passwords, and that the average user is extremely bad at properly using passwords.
Most users reuse passwords, potentially even across both personal and business accounts. As a result, when a data breach occurs at one service, it is likely that the accounts that the same users hold elsewhere are also jeopardized. Most users (over 70%) even continue to use a compromised password for up to a year after it is known to be breached, so the window for exploitation by hackers is a large one. The security of a very sensitive service or web API may therefore be compromised by the breach of a list of user credentials on a third-rate travel forum.
In a credential stuffing attack, a hacker takes a password breached from one account and tries to use it to authenticate to another service. If the attack is successful, the attacker has access to the user’s account and, if the service relies solely on passwords for authentication, the service cannot differentiate the hacker from the legitimate user.
For a web API, the password-based authentication system is often designed to protect extremely valuable data or functionality. If an attacker successfully gains access to a web API via compromised usernames and passwords, it may enable a data breach or the use of the compromised account as a launching point for further attacks.
- Distributed Denial of Service (DDoS) Attacks
Distributed Denial of Service (DDoS) attacks are designed to hurt an organization by denying its customers access to the organization’s website and other Internet-based resources. This is accomplished by flooding the service with more data and requests than the service is capable of managing. As a result, its ability to receive and process legitimate requests is degraded or destroyed.
Users of an organization’s web API expect access to the functionality that they signed up and/or paid for. If an attacker makes it impossible for them to access it at a certain time, the customer may stop doing business with the organization out of annoyance.
Protecting Web APIs
An organization’s web presence, and more specifically its web APIs, is an important component of its business strategy and also a common target of attack by hackers. Since these systems are exposed to the organization’s customers, are the public face of the organization on the Internet, and often safeguard sensitive information, compromising or even temporarily degrading access to them can have a significant impact on the organization.
For this reason, investing in a strong web API security solution is an important priority for any organization that is reliant on its web presence as a core part of its business strategy. Such a solution should have the capability to detect attempted credential stuffing attacks by identifying anomalies in authenticated users’ behavior and to identify and block attempted DDoS attacks. By deploying these defenses, an organization can greatly bolster its cybersecurity and protect its ability to operate competitively in its field.
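As an added illustration (not code from the original article), the following heuristic implements the credential-stuffing detection described above: it looks for a source address that submits logins for many different usernames within a short window, which is the signature of replaying a breached credential list rather than of one user mistyping a password. The log format, field names, sample addresses and thresholds are assumptions constructed for this example.

```python
"""Heuristic credential-stuffing detector over API authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): timestamp, source IP,
# username, result. 203.0.113.7 tries six different accounts in six seconds;
# 198.51.100.9 is one user retrying their own account.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:03Z 203.0.113.7 carol FAIL
2024-05-01T10:00:04Z 203.0.113.7 dave OK
2024-05-01T10:00:05Z 203.0.113.7 erin FAIL
2024-05-01T10:00:06Z 203.0.113.7 frank FAIL
2024-05-01T10:00:30Z 198.51.100.9 alice FAIL
2024-05-01T10:00:35Z 198.51.100.9 alice FAIL
2024-05-01T10:00:40Z 198.51.100.9 alice OK
"""


def parse(line):
    """Split one constructed log line into (datetime, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_attempts=5, min_distinct_ratio=0.8):
    """Return {ip: (attempts, distinct_users, successes)} for source IPs whose
    logins inside any `window`-long span are mostly for *different* usernames.
    A brute-force attack on one account (many attempts, one user) is not flagged;
    the `successes` count tells the responder which accounts need attention."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0  # sliding window over this IP's attempts, sorted by time
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            if len(span) >= min_attempts and len(users) / len(span) >= min_distinct_ratio:
                successes = sum(1 for _, _, r in span if r == "OK")
                flagged[ip] = (len(span), len(users), successes)
    return flagged
```

A real campaign is usually spread across many source addresses, so the same per-IP statistic should also be computed across all sources (distinct usernames per window globally) before trusting a quiet per-IP view.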