Web applications are a major component of organizations’ Internet presence and threat surface. However, many organizations focus solely on securing against high-level attacks (like the OWASP Top Ten) and miss other important aspects like API security. A solid understanding of API security is essential to an organization’s network and data security, and learning to hack your own API is an effective way to learn this and test your API security at the same time.
What is an API?
A company’s website commonly acts as the gatekeeper for a large amount of useful data. This could be details of users’ accounts that they can access and manipulate after authenticating to the service. Or it could be large datasets that companies can use for research purposes (potentially after buying a subscription).
Especially with this second type of data, the website owner will not limit users to manual interactions with the webpage. If a customer wants to automate queries, the website owner may expose an application programming interface (API) that has a set of potential commands for direct access to the data backend without requiring interaction with the website itself. This benefits everyone involved since API queries limit the load on the owner’s webservers and are much easier to interact with using a script than a traditional website.
Why is API Security So Important?
APIs are designed to act as a direct connection between external users and a company’s backend data store. While this is extremely valuable to legitimate users, it’s also great for hackers. The growing value of data (the “new oil”) means that cyberattacks are typically intended to steal data. By creating a direct connection to their database, organizations are essentially painting a target on their API. And, since the average web application or API has 26.7 serious vulnerabilities, that target couldn’t be painted in a worse place.
One high-profile example of an insecure API leading to a data breach is the infamous Equifax hack of 2017. Equifax was using Apache Struts, a widely used open-source web server. Their issue wasn’t the use of Struts (many organizations use Struts) but their failure to keep it appropriately patched and up to date.
A well-known vulnerability in Struts had been discovered a few months before the Equifax hack and was known to be actively exploited by hackers in advance of the Equifax hack. However, Equifax did not apply the available patch for Struts, allowing hackers to gain access to their network and steal the personal credit information of over 147.7 million American citizens. This attack was entirely preventable and could have been avoided by applying the patch available two months before the hack began.
Hacking Your Own API
API security is a big deal, and the only way that an organization can be as secure as possible is if it makes every effort to secure its web presence. Often, when attempting to secure an application, taking an adversarial perspective is an effective tactic. By thinking and acting like a hacker would, a security analyst is more likely to find the same vulnerabilities that an attacker would find, and can then fix them. By iterating through this process multiple times, the team can discover increasingly obscure vulnerabilities in the system, decreasing its threat surface dramatically. This is the logic behind penetration testing, and it works just as well for API security.
Before you can hack your own API, you need to understand how an attacker would approach the attack. A few attack vectors against APIs include:
- Reverse Engineering: Hackers will interact with an API in unexpected ways to try to find error messages or hidden functionality.
- User Spoofing: Attackers will pretend to be another user on the service and attempt to gain access to their data.
- Man-in-the-Middle (MitM): If an API is designed to interact with a certain client application, hackers will intercept the client-server traffic in hopes of finding useful data.
- Session Hijacking: If an API maintains state between requests, attackers will try to steal session credentials to authenticate as another user.
These are only some of the potential attack vectors against APIs. Any vulnerability that an API has may be exploited as part of an attack. Troy Hunt (the creator of HaveIBeenPwned) has a course on Pluralsight about hacking your own API that demonstrates how to test for and exploit some of the most common API attack vectors. Learning how to hack your own API is useful both for testing its security and for learning about secure API development practices.
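As an added example (not from the article or from Troy Hunt’s course), here is the user-spoofing vector above in a minimal Python API: the vulnerable handler returns any account to any authenticated caller, the hardened handler checks ownership, and `cross_user_access_test` plays the role of the analyst hacking their own API. Tokens, users and account records are constructed sample data.

```python
# Added example (not from the original article): a minimal in-memory API
# illustrating the "user spoofing" attack vector. A handler that trusts the
# record id in the request without checking ownership lets one authenticated
# user read another user's data; the hardened handler enforces ownership.
# All tokens, users and records below are constructed sample data.

SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # bearer token -> user
ACCOUNTS = {
    101: {"owner": "alice", "balance": 1200},
    102: {"owner": "bob", "balance": 75},
}


def authenticate(headers):
    """Resolve the caller from the Authorization header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def get_account_vulnerable(headers, account_id):
    """Authenticates the caller but never checks who owns the record."""
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, {"error": "not found"}
    return 200, account          # leaks any account to any logged-in user


def get_account_hardened(headers, account_id):
    """Same lookup, but the record must belong to the authenticated caller."""
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    account = ACCOUNTS.get(account_id)
    # Answer 404 for both missing and foreign records so the response does
    # not reveal which ids exist (denies the reverse-engineering vector too).
    if account is None or account["owner"] != user:
        return 404, {"error": "not found"}
    return 200, account


def cross_user_access_test(handler):
    """'Hack your own API': as bob, request alice's account (id 101).
    Returns True when the handler leaks it, i.e. the handler is vulnerable."""
    status, body = handler({"Authorization": "Bearer tok-bob"}, 101)
    return status == 200 and body.get("owner") == "alice"
```

Running the same test against both handlers is the pattern to keep in an API test suite: every object-level endpoint should fail the cross-user check before it ships.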
Improving API Security
Despite their value, APIs represent a significant risk to an organization’s network and data security. They are designed to provide easy access to sensitive or valuable data, making them a logical target for hackers. Failing to secure your organization’s API can lead to a data breach like the Equifax one: expensive, embarrassing, and damaging to your organization and its customers.
Any organization with an API needs to take the appropriate steps to secure it. Learning to hack your own API is an effective way to identify basic threat vectors and vulnerabilities in it and gain an understanding of fundamental API security. However, truly securing an API also requires deployment of a solution designed to protect APIs. No matter how good the API hacking training course, hackers are likely to think of more or different attack vectors, and you need a solution in place to protect your organization against all of them.