What’s the problem with my API?

This content originally appeared on DEV Community and was authored by jmau111⭐⭐⭐

Whether you maintain RESTful APIs or a GraphQL endpoint, there are known vulnerabilities and common misconfigurations attackers can exploit.

As a developer, you have constraints: time, budget, limited knowledge.

Why bother with security?

The "from scratch" approach is not necessarily evil. Experienced devs know how to build robust APIs.

In doubt or to save some time, there are frameworks and standardized solutions, like API Platform.

This bundle is incredible and can even enable additional security layers using the Security Component of Symfony.

As I've mentioned in this post, the problem is that it's quite often skipped, probably because the top priority is to deliver the fabulous feature.

Whether you rely on existing resources (e.g., open-source, proprietary solutions) or you build everything on your own, your endpoints will be put to the test sooner or later.

Because of the current state of the web, APIs contain ever more sensitive data, sometimes leading to massive leaks.

Flawed APIs can literally kill the business and even expose web agencies and developers to lawsuits in the worst-case scenario.

I've read about a similar case recently where a company sued its "supplier" (web agency) for a flawed API that led to serious damages.

The supplier did not get paid and was held responsible for the attacks.

What could possibly go wrong?

In short:

  • data leaks/exfiltration
  • various kinds of malicious injections (e.g., XSS, SSTI)
  • broken access control
  • broken authentication (e.g., stolen credentials, like API keys)
  • broken authorization
  • broken validation
  • path traversals
  • data losses (e.g., massive delete)
  • private endpoints exposure
  • DoS/DDoS attacks

And many more...

What tools can attackers use?

For example:

  • simple but powerful OSINT (e.g., Google/Shodan dorks but not only)
  • Discovery tools like the legendary Nmap
  • The legendary BurpSuite and its proxy
  • All kinds of fuzzing techniques and wordlists (e.g., SecLists)
  • Maybe graphql voyager
  • Maybe swagger.txt
  • Some race conditions against specific URLs for motivated adversaries

Fuzzing tools and wordlists allow automating many attacks. There are indeed plenty of free automated tools to hack APIs.

While these are hacking tools, it's still possible to only use legitimate dev tools:

  • Postman and similar clients
  • Debug tools in browser (e.g., the network tab)

Most common paths

API URLs are very predictable, especially RESTful APIs.

That's pretty much the point. The following paths may look like those found in basic examples and other "hello world," but are actually quite often used in production:

  • /api
  • /graphql
  • /v1
  • /v2
  • /rest
  • /swagger
  • /api/login

Modifying default paths may look like security by obscurity to you, and it is, but you may still avoid lots of basic/massive automated scans.

What can you do to secure your APIs?

  • never ever rely on default rules and settings, regardless of the tool used to expose your endpoints
  • check the OWASP API Security Top 10
  • disable swagger documentation on production
  • set CORS rules carefully
  • provide visibility and granularity to your users (registered devices, 2FA, recent account activity, ability to renew/revoke credentials, etc.)
  • LOG everything
  • throttle and rate-limit (ban spammers)
  • test your own endpoints (pen-tests, vulnerability scans)
  • if you use API Platform, take the time to learn and enable the security mechanisms you need (the Symfony Security Component)
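As an added example (not code from the post or from API Platform), the following Python ties three of the items above together: it parses constructed access-log lines, flags clients walking the predictable default paths from the previous section, and applies a per-key sliding-window throttle. The log format, sample lines and function names are assumptions made for this example.

```python
from collections import defaultdict, deque

# Constructed sample access log (not from the original post): "ip method path status ts"
SAMPLE_LOG = """\
203.0.113.7 GET /api 404 100
203.0.113.7 GET /graphql 404 101
203.0.113.7 GET /v1 404 101
203.0.113.7 GET /swagger 404 102
203.0.113.7 GET /rest 404 102
198.51.100.4 GET /api/v3/orders 200 100
198.51.100.4 GET /api/v3/orders/42 200 103
"""

# Predictable default paths listed in the post; a client touching several of them
# in a row looks like an automated scan rather than a real consumer.
PROBE_PATHS = {"/api", "/graphql", "/v1", "/v2", "/rest", "/swagger", "/api/login"}

def parse_log(text):
    """Turn log lines into (ip, method, path, status, ts) tuples."""
    events = []
    for line in text.splitlines():
        ip, method, path, status, ts = line.split()
        events.append((ip, method, path, int(status), int(ts)))
    return events

def find_scanners(events, min_probes=3):
    """Return IPs that requested at least min_probes distinct default paths."""
    probed = defaultdict(set)
    for ip, _, path, _, _ in events:
        if path in PROBE_PATHS:
            probed[ip].add(path)
    return {ip for ip, paths in probed.items() if len(paths) >= min_probes}

class SlidingWindowLimiter:
    """Per-key throttle: allow at most `limit` requests in any `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop requests outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # caller should answer 429 and log the key
        q.append(now)
        return True
```

In production the same logic would sit in a middleware in front of the endpoints, keyed on the API key or client IP, and the flagged IPs would feed a ban list.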

Wrap up

APIs are a common security concern, as more and more sensitive data get exposed.

In most cases, user accounts are protected by several security layers, like login/password, 2FA (two-factor authentication), MFA (multi-factor authentication), and cryptographic keys.

However, simple API keys can still grant advanced capabilities and privileged access to sensitive data.

An API key is only one layer (1FA)...

