In general, most API data breaches are usually the result of one or a combination of four different attack scenarios.
Over the last several years, attackers have changed their tactics, focused on identifying and exploiting business logic gaps by manipulating and abusing APIs.
Why are we seeing such a constant stream of API-based attacks? Quite simply, APIs are lucrative for attackers.
Salt Labs researchers investigated a large B2B FinTech platform that offers financial services in the form of API-based mobile apps and SaaS to SMB and commercial brands.
Salt Labs researchers investigated a large business-to-consumer (B2C) online platform that provides API-based mobile applications and software as a service to millions of users globally.
Insufficient logging and monitoring combined with missing or ineffective integration with incident response, allows attackers to perform reconnaissance, exploit or abuse APIs, compromise systems, maintain persistence, advance attacks, and move laterally across environments without being detected.
Maintaining a complete, up to date API inventory with accurate documentation is critical to understanding potential exposure and risk.
Injection flaws are very common in the web application space, and they carry over to web APIs.
This issue is a catch-all for a wide range of security misconfigurations that often negatively impact API security as a whole and introduce vulnerabilities inadvertently.
API security solutions must be able to identify anomalous API activity where attackers send manipulated API requests with unauthorized parameters.
API security solutions must be able to identify and prevent attackers or unauthorized users from accessing administrative level capabilities or unauthorized functionality.
API requests consume resources such as network, CPU, memory, and storage. The amount of resources required to satisfy a request greatly depends on the input from the user and the business logic of the endpoint.
Exploitation of Excessive Data Exposure is simple, and is usually performed by sniffing the traffic to analyze the API responses, looking for sensitive data exposure that should not be returned to the user.
Authentication in APIs is a complex and confusing topic. Software and security engineers might have misconceptions about what the boundaries of authentication are and how to correctly implement it.
APIs often expose endpoints that handle object identifiers, creating a wide potential attack surface. Object level authorization is an access control mechanism usually implemented at the code level to validate a user’s ability to access a given object.
In this post and subsequent additions to the series, we dig into each of the Open Web Application Security Project (OWASP) API Security Top 10 in detail.
Episode number 4 of API Security With A Pinch Of Salt is here. In this episode Chris and Ran talk about what attackers are going after when they target APIs and what they can do if they find and successfully exploit a vulnerability.
If you didn’t make it to OWASP Global AppSec Tel Aviv last month I wanted to share that the team recently published videos from the event...…you can check out the entire lineup of 44 videos in the playlist here.