An Application Programming Interface (API) facilitates service communications between two or more applications. APIs are vital in today's highly digitised world as they provide flexibility by simplifying software design, administration and use.
This exponential increase in the use of APIs widens the attack surface area. APIs are also the most commonly exposed component of a system. This advisory serves to inform users and administrators of APIs on how to better secure the APIs in their systems.
Examples of Common Attacks on APIs
In order to understand how to secure an API, it is important to know the different types of attacks that are employed against it. Some examples of common attacks on APIs are shown below:
Poor implementation of an API such as the lack of input sanitisation could cause the API to process malicious SQL commands or code, possibly resulting in data breaches or system compromise.
Man-in-the-Middle (MITM) attacks
Interception of an API request or response between an end user and an API could allow an attacker to steal information such as credentials or modify the content of the request or response.
An attacker can overload an API's processing capabilities which leads to a denial-of-service condition.
RBAC and ABAC exploits
Poorly defined Role-based access control (RBAC) and attribute-based access control (ABAC) could be exploited by an attacker to escalate privileges and steal or modify data
Leaked or stolen credentials obtained from past data breaches may be leveraged to ‘stuff’ into the login pages of online services. This method takes advantage of end users who use the same username and password combinations across different accounts.
Best Practices for API Security
Users and administrators may wish to consider several best practices for API security as illustrated (non-exhaustive) below to mitigate cybersecurity incidents involving APIs.
Institute Diligent Documentation
Each API used should have an accompanying document or manual that contains all technical requirements, including the functions, classes, return types, arguments and integration processes of the API. This repository should be regularly updated according to established change management policies to allow users and administrators to take stock of APIs which exist in their system and how best to secure and manage them.
Encrypt all API Traffic
APIs should also use and require Hypertext Transfer Protocol Secure (HTTPS) as it provides stronger guarantees that a client is communicating with the real API and receiving back authentic contents. All API traffic should also be encrypted using Transport Layer Security (TLS) encryption to prevent MITM attacks.
Use a Strong Authentication and Authorisation Solution
Since APIs provide an entry point to an organisation’s databases, it is critical that organisations strictly control access to them. API users and administrators should use proven authentication and authorisation mechanisms such as OAuth2.0 and OpenID Connect to control, where feasible.
Implement Rate Limiting
Implement rate limiting and limit payload sizes based on established rules/policies to defend against denial-of-service attacks or brute force attacks.
Use a Web Application Firewall
Web application firewalls protect web applications and APIs from attacks. It also enables the configuration of a web access control list (ACL) to allow, block or count web requests based on customisable web security rules and conditions defined by the user or administrator.
Monitor and Log API Activities
Threat detection tools could be used to detect any anomalous behaviour in API traffic and facilitate the implementation of appropriate mitigation measures. Log data could also be used to understand the root cause of any security incident and help in the implementation of any hardening measure.
API Penetration Testing
Engage credible cybersecurity vendors to perform periodic penetration testing to assess the security of the API design. The API tests usually involve attempting to exploit identified vulnerabilities and reporting them to system users and administrators. By assessing the risks and weaknesses in the design and implementation of the API, appropriate mitigation measures can be incorporated to ensure the security of the API.
Practice the Principle of Least Privileges
The principle of zero trust and least privileges should be consistently practiced, with each API given the minimum privileges and access necessary to perform its functions.
Use prepared statements, parameterised queries or stored procedures whenever possible to mitigate potential attacks like cross-site scripting and SQL injection.
Minimise Data Exposure
Any API response should only include the specific information requested or the success/failure of the request. All related passwords and keys used during development should also be removed before making the API publicly available.
Review RBAC and ABAC Rules Regularly
RBAC and ABAC rules should be reviewed whenever any updates are made to the application to ensure that no security regression is introduced with the update.
Conduct Regular Security Audits
Regular security audits should be conducted to ensure that appropriate measures are in place to prevent any potential abuse of deployed APIs.
Reporting a Compromise
If your organisation is a victim of any cybersecurity incident involving APIs or otherwise, you are encouraged to report the incident at https://go.gov.sg/singcert-incident-reporting-form