It's now well known that Equifax's recent high-profile, high-impact data breach was due to an exploit of a vulnerability in an open-source component, Apache Struts CVE-2017-5638. Struts is a mainstream web framework, widely used by Fortune 100 companies to create web applications and APIs.
To date, such API attacks have largely flown under the radar of security professionals, who have been focused on attack vectors known to do significant damage: ransomware, distributed denial of service (DDoS), and malware, among others. But what many security and IT leaders fail to recognize is that APIs inherently lack security, making them a prime target for the next big wave of cyberattacks. In fact, the Open Web Application Security Project (OWASP) in May added "underprotected APIs" to its proposed list of top 10 application vulnerabilities.
Equifax executives paid a high price for failing to ensure that Apache Struts had been patched. The company's CEO, CIO, and CSO all stepped down after the scope of the damage became known, with the hackers getting access to Social Security numbers, birth dates, and other personally identifiable information (PII) for more than 143 million people.
Equifax is not alone. API attacks are on the rise. Instagram recently became a victim, and past targets have included PayPal and Amazon.
The average web application or API has 26.7 serious vulnerabilities, and organizations can have hundreds or even tens of thousands of applications. Determining the potential damage that a well-executed API attack can achieve comes down to basic math: Multiple vulnerabilities + countless applications - adequate security = easy picking for hackers
Yet those responsible for managing these risks have simply looked the other way instead of securing their APIs.
APIs: Here, there, and everywhere
APIs are finding their way into almost every application we use on our laptops, smartphones, tablets, etc. Most mobile applications have APIs embedded in them. These APIs are usually not exposed to the user; instead, the app uses the API to perform various machine-to-machine functions. These functions help make the app more useful, interactive, intuitive, and attractive to the consumers who use them.
Anyone who has downloaded a free app has seen APIs at work if the app scrolls advertisements as a way for the developer to make money. Clearly, the user isn’t asking for advertising content from a back-end server directly—the app is. The app makes an API call to a back-end server, and the server replies with new ad content.
Since most apps are publicly accessible, hackers can easily reverse engineer them and manipulate the app to perform a host of cyberattacks. In the past, most hackers used prepackaged tools, homegrown scripts, and other exploitation kits directly from their PCs to compromise endpoints, servers, and networks to steal data and cause disruptions. Today, hackers can do the same thing from an app running on just about any device.
Although the concept of API security is somewhat new to many security-minded people, the attacks that can be performed through APIs are not. Most organizations have been dealing with many of the attacks listed below against their networks and web-based applications for years. Now they must shift their focus to apps, APIs, and back-end servers being attacked by similar methods that have been seen in the past.
API security's 3 areas of concern
API security issues can be broken down into three different areas of concern, which break down like this:
APIs can be used to expose sensitive data
- App impersonation: Hackers can reverse engineer a secret key assigned to an app and use it to call an API by pretending to be the legitimate app. Often the back-end servers are not aware of the malicious app and will freely interact with it.
- Client-side phishing: Hackers can redirect a legitimate app's API to a malicious site without users' knowledge. The app then prompts users to enter their credentials, which are then stolen.
- Brute-force attacks: Hackers can manipulate an app's API and attempt to gain access to other users' data (pictures, phone numbers, email addresses, contact lists, etc.) from back-end servers. Hackers continue to repeat the process in hopes of gaining access to more of these other users' data.
- Code injection attacks: Hackers can inject code into the back-end servers by way of an app's API. SQL injection, remote code execution, and other exploitation attempts can be performed quite effectively through the APIs, in the same fashion as traditional web application attacks.
- Unauthorized access attacks: Hackers can manipulate an app's API to gain access to critical data (lists of stored credit card numbers, user credentials, PII, etc.)
API communications can be intercepted
Insecure and unencrypted communications between an app and the back-end servers (via an API) often traverse the open Internet. Hackers can eavesdrop or even intercept an app’s API communication with the back-end servers.
Back-end servers can be taken offline due to DoS attacks through an API
- Single app, repetitive action: Hackers can cause an app (installed on a single mobile device) to make repetitive, resource-intensive API calls on the back-end servers. This can cause service outages or increase latency.
- Multiple instances of an app, single action: Hackers can cause multiple instances of an app (on many mobile devices at once) to make a single API call that is very resource-intensive on the back-end server. This too can cause service outages or increases in latency. This would be considered a DDoS attack.
When apps attack
In the last year or so, hackers have changed tactics, going from launching traditional cyberattacks from their own computers to launching attacks from infected IoT and other devices that were conscripted into sizable bot armies. Now organizations need to worry about their own compromised apps, installed on considerable numbers of mobile devices, launching attacks against their back-end servers.
Organizations that take advantage of apps, APIs, and back-end servers to enhance their business offerings and grow revenues need to take a long, hard look to determine where hackers can take advantage of the vulnerabilities that have been introduced. Although some of the approaches to solve the API issues discussed above are rather primitive, others are developing more technical solutions. Organizations must address these issues ASAP, or face the consequences.
Keep learning
Take a deep dive into the state of quality with TechBeacon's Guide. Plus: Download the free World Quality Report 2022-23.
Put performance engineering into practice with these top 10 performance engineering techniques that work.
Find to tools you need with TechBeacon's Buyer's Guide for Selecting Software Test Automation Tools.
Discover best practices for reducing software defects with TechBeacon's Guide.
- Take your testing career to the next level. TechBeacon's Careers Topic Center provides expert advice to prepare you for your next move.
