We all know how a computer user interface (UI) works — at least in general terms. Humans interact with digital machines using input devices, and we watch everything in real time on computer monitors. When we think of user input, we usually think of input devices like a mouse, keyboard, touchscreen, trackball, or pointing stick. But we can also interact with computers through such things as voice input, scanners, barcode readers, and digital cameras. In fact, there are quite a few ways for humans to communicate with and through their computers. But how do the machines talk to each other? One way is by using an application programming interface (API). And like the rest of cyberspace, APIs are vulnerable to attack.
To get an idea of how they can be attacked, first let’s take a closer look at what an API is. Techopedia defines an application programming interface as “a set of protocols, routines, functions and/or commands that programmers use to develop software or facilitate interaction between distinct systems”.
Links between operating systems, databases, or software applications are possible with APIs with no graphical user interface (GUI) at all. In fact, these interfaces can be established through the command line interface (CLI) or through an executed program that gives little to no visibility to users or operators. Remember, the developer just needs to make the machines or programs talk to each other. No human interaction is required.
APIs can come in many different forms and have many different purposes. Web APIs can easily extend the functionality of internet software. The Facebook login is one example. You probably know that many websites have a relationship with Facebook that allows users to authenticate using their Facebook ID and password. It’s quick and easy. Some people are calling 2017 “the year of the API”. The number of cross-platform API links on the internet is growing exponentially.
That’s all fine until you realize that the bad guys are figuring out how to attack even these machine-to-machine conversations. According to OWASP, “Attackers can reverse engineer APIs by examining client code, or simply monitoring communications. Some API vulnerabilities can be automatically discovered, others only by experts.” It seems that hackers are relentless.
An article from Kemp Technologies warns about the problem: “All the APIs used to build an application need to be tested for vulnerabilities just like all other components used to deliver web-based applications.” Their list of API threats sounds familiar:
It sounds a lot like some of the other web security issues already discussed in this forum. Underprotected APIs barely made the OWASP Top Ten list in 2017, but even at #10, it’s an issue that developers shouldn’t overlook. Anyone who can send a request to your API is a potential attacker.
Let’s look at two scenarios given by OWASP. The first one suggests an XML API used for bank transactions. Through reverse engineering, an attacker discovers another user’s account number. Then he uses his own valid login to access the other user’s account. The second scenario asks us to imagine an API for text messages on a startup’s webpage. In this case, the hacker infiltrates the server through SQL injection on the API.
What can a savvy hacker do with an underprotected API? Pretty much anything he wants, according to OWASP. “The full range of negative outcomes is possible, including data theft, corruption, and destruction; unauthorized access to the entire application; and complete host takeover.”
Compound that with the growth of API implementation. TechCrunch contributor Chet Kapoor has strong views about it. Consider the name of his 2015 article, which we will set apart here for emphasis:
The Future Of Coding Is Here, And It Threatens To Wipe Out Everything In Its Path
It sounds a bit dramatic though, doesn’t it? Kapoor says that APIs — not user interfaces — “will upend software for years to come”. Anyone who is not using APIs will be left behind. Here he’s not talking about hacker threats so much as the growing prevalence of machine-to-machine interfaces. Basically, the machines are taking over — and he doesn’t seem too worried about it.
For some reason the word Skynet suddenly comes to mind. That’s the fictional network of self-aware artificial intelligence computers in the Terminator movie series. Let’s hope it doesn’t come to that. Nobody wants to lose control of their computer interfaces. It’s bad enough that hackers are finding their way into the APIs of today.
The articles from Kemp Technologies and OWASP cover mitigation of this issue fairly well. They include many of the same security strategies applicable to other vulnerabilities: encryption keys, access control, comprehensive testing, web application firewall (WAF). OWASP then adds this for emphasis: “Be sure your security analysis and testing covers all your APIs and your tools can discover and analyze them all effectively.”
Of course, the best prevention is good programming. Every developer should be familiar with this vulnerability and how to overcome it with solid coding. Ultimately, programmers have a lot to think about.
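To make the OWASP bank scenario above concrete, here is an added example (not code from OWASP, Kemp Technologies, or this post) of a minimal account-lookup handler in two forms: one that trusts the client-supplied account number and pastes it into SQL, and one that binds parameters and enforces object-level access control. The in-memory SQLite table, the user names and the account numbers are constructed sample data.

```python
import sqlite3

# Constructed in-memory bank database standing in for the OWASP scenario:
# two users, each owning one account (sample data, not from any real system).
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [("1001", "alice", 500), ("1002", "bob", 900)])
    return db

# Vulnerable handler: the account number arrives from the client and is neither
# checked against the logged-in user (missing access control) nor kept separate
# from the SQL text (injection). session_user is accepted but never used.
def vulnerable_get_account(db, session_user, account_id):
    query = "SELECT id, owner, balance FROM accounts WHERE id = '%s'" % account_id
    return db.execute(query).fetchall()

# Hardened handler: a parameterized query keeps the input as data, and the WHERE
# clause ties the row to the authenticated caller, so a valid login for one
# user cannot be used to read another user's account.
def hardened_get_account(db, session_user, account_id):
    row = db.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?",
        (account_id, session_user),
    ).fetchone()
    return row  # None when the account is missing or not owned by the caller

# Runs both handlers as "alice" against her own account, the other user's
# account, and a classic tautology string, so the difference is visible.
def compare_handlers(db):
    probes = {"own": "1001", "other": "1002", "tautology": "' OR '1'='1"}
    return {
        name: {
            "vulnerable": vulnerable_get_account(db, "alice", value),
            "hardened": hardened_get_account(db, "alice", value),
        }
        for name, value in probes.items()
    }

if __name__ == "__main__":
    for name, result in compare_handlers(build_db()).items():
        print(name, result)
```

The hardened form returns None for both the other user's account and the tautology string, which is the behaviour a test suite covering the API should assert on.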
The first step to solving any problem is to become aware of it. If you didn’t know that you needed to protect your APIs before, at least you know it now. And as they say, knowledge is power.