Over the last few decades, mobile devices have become an increasingly popular way of browsing the Internet. As mobile data and wireless access have become more common, more people connect to the Internet via handheld devices than computers. This change in how people use the Internet has also driven a change in how the web works. Traditional web applications typically perform the bulk of their processing on the server. Users connect via a website and click through prompts to access the data or services that they are seeking.
This model doesn’t work as well on mobile phones. Traditional websites designed for computers are a pain to view and navigate on phone screens. While many organizations have deployed mobile-specific websites, smartphone apps have become the more usual way to access everyday services.
With an app, most of the processing is performed on the client device. Instead of requesting and responding to web pages, apps interact with the server via application programming interface (API) functionality. As a result, API security has become an increasingly important component of securing an organization’s web presence.
The API Security Landscape
While many organizations primarily focus their web security efforts on web application security, web API security is becoming more visible to the public. The Open Web Application Security Project (OWASP) is an organization that is best known for its list of the top ten web application security threats. However, in 2019, OWASP announced its intention to begin publishing a top ten list that specifically addresses web API security vulnerabilities.
The creation of a standalone list for web API security threats acknowledges the growing threat of attacks against organizations via their APIs. By 2022, attacks designed to abuse web API functionality are expected to be the leading cause of data breaches within enterprises’ web applications.
APIs are designed to expose the inner functionality of an organization’s web presence in a way that is friendly to smartphone apps, scripts, and other programs. While this is valuable for legitimate users, it benefits attackers as well. Some of the most common threats associated with APIs are the exposure of sensitive data, the risk of communications being intercepted, and Denial of Service (DoS) attacks against back-end systems.
Exposing Sensitive Data
The transition from web applications, where processing is performed on the server, to API-based systems, where processing happens on the client, changes how state is maintained in web-based applications. Instead of the server tracking the current state of operations, this role is now the job of the client or smartphone app.
With the client responsible for tracking the current state of operations, it is necessary for the client to keep the server informed of where a user may be in the process. As the client calls various API functions on the server, it may need to pass state information to these functions.
Depending on how the functionality is implemented, this state information is at risk of exposure. If state data is passed unencrypted in HTTP URLs or by similar means, then this information could be visible to an eavesdropper regardless of whether or not TLS is used for encryption of the traffic.
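One way to spot this class of exposure from the defender's side is to scan API access logs for state or credentials carried in the query string, and to redact those values before the logs are stored or forwarded. This is an added example, not code from the original article; the log lines are constructed, and the list of sensitive parameter names is an assumption to be tuned for a real API.

```python
"""Flag API requests whose URL query string carries state or secrets."""
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample access log lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2021:10:00:01 +0000] "GET /api/v1/orders?session_token=abc123&step=checkout HTTP/1.1" 200 512
10.0.0.6 - - [01/Mar/2021:10:00:02 +0000] "GET /api/v1/products?page=2 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Mar/2021:10:00:03 +0000] "POST /api/v1/cart?cart_state=eyJpdGVtcyI6W119&auth=Bearer%20xyz HTTP/1.1" 201 64
"""

# Assumed substrings that mark a parameter as carrying state or a credential.
SENSITIVE_KEYS = ("token", "session", "auth", "password", "state")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def is_sensitive(name):
    """True if the parameter name looks like it carries state or a secret."""
    return any(key in name.lower() for key in SENSITIVE_KEYS)


def find_url_leaks(log_text):
    """Return (ip, method, path, [leaked parameter names]) for every line
    whose query string carries sensitive state; lines that do not parse are skipped."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("url"))
        leaked = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True) if is_sensitive(k)]
        if leaked:
            findings.append((match.group("ip"), match.group("method"), parts.path, leaked))
    return findings


def redact_url(url):
    """Replace the values of sensitive query parameters so the request can be
    logged or forwarded without the secret itself."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = [(k, "REDACTED" if is_sensitive(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()
```

Run over real logs, the same check also catches state that a client was never meant to send, which is often the first sign that an app is passing more than the API requires.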
Communications Interception
Another risk associated with the use of apps and APIs is the possibility of communications interception. When users are interacting with a web server via the browser, they have a reasonable level of visibility into how communications are being performed. A simple check of the address bar at the top of the browser window reveals whether or not the website is using TLS encryption and if the certificate presented by the site checks out.
With a smartphone application, this same level of visibility is not available to the user. An app may be making API requests via unencrypted HTTP traffic and/or failing to check certificate validity. Under these circumstances, an attacker may be able to eavesdrop upon and possibly modify communications without the knowledge of the user.
Denial of Service (DoS) Attacks
The intention of a web API is to expose the functionality of an organization’s back-end infrastructure in a way that makes it easier for apps and other programs to interact with it. This is accomplished by providing external users with a set of functions that they can use without going through a web page.
This exposure of functionality via an API can also expose back-end servers to Denial of Service (DoS) attacks. Direct access to the API could allow an attacker to make requests designed to overwhelm the capacity of the server, degrading or denying access for legitimate users if appropriate throttling and other protection measures are not in place.
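The throttling mentioned above is usually implemented as a per-client token bucket in front of the API: each client may burst a few requests, then is held to a sustained rate while other clients are unaffected. This is an added example, not code from the original article; the bucket size, refill rate and the replayed request stream are constructed assumptions.

```python
"""Per-client token-bucket throttling for an API front end."""
from collections import defaultdict


class TokenBucket:
    """A client may burst up to `capacity` requests, then sustain `rate` requests per second."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            # Refill in proportion to elapsed time, never beyond capacity.
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ApiThrottle:
    """One bucket per client key (for example an API key or source IP)."""

    def __init__(self, capacity=5, rate=1.0):
        self.buckets = defaultdict(lambda: TokenBucket(capacity, rate))

    def handle(self, client, now):
        # 429 "Too Many Requests" is the standard status for a throttled call.
        return 200 if self.buckets[client].allow(now) else 429


# Constructed request stream of (timestamp_seconds, client): 10.0.0.9 floods the
# endpoint four times a second while 10.0.0.10 sends one request per second.
# Quarter-second spacing keeps the floating-point refill arithmetic exact.
REQUESTS = [(i * 0.25, "10.0.0.9") for i in range(20)] + [(float(t), "10.0.0.10") for t in range(5)]


def run(requests, capacity=5, rate=1.0):
    """Replay requests in time order; return {client: (allowed, throttled)}."""
    throttle = ApiThrottle(capacity, rate)
    counts = defaultdict(lambda: [0, 0])
    for now, client in sorted(requests):
        status = throttle.handle(client, now)
        counts[client][0 if status == 200 else 1] += 1
    return {client: tuple(pair) for client, pair in counts.items()}
```

With the assumed settings the flooding client gets its initial burst and then one request per second, while the well-behaved client is never throttled.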
Securing the API
Web APIs represent a powerful tool for organizations since they provide a direct connection between external applications and an organization’s back-end systems. This connection can be used to more efficiently perform operations that are common or require significant resources without forcing a user to go through the organization’s web application.
However, web APIs can also represent a significant threat to an organization’s security. An attacker can take advantage of the direct access that an API provides to attack an organization in a variety of different ways. Protecting an organization’s Internet presence and the security of its back-end systems requires deploying an API security solution capable of identifying and blocking common types of attacks against web APIs.