Why You Need an API Scanner
API security scanning is an essential tool for securing IoT devices, mobile back ends, and web services. In this post we give an in-depth overview of API scanners: what they do, why they matter, and which particular vulnerabilities they help protect against.
FOCUS: Web-based APIs such as web services, REST APIs, IoT devices, and mobile backend APIs.
Clients often ask us: what is an API? An application programming interface (API) is a set of routines, protocols, and tools for building software applications.
— Nozak Consulting (@NozakConsulting) October 2, 2018
What is an API?
Most people reading this article will already know the answer. Even within the IT sector, however, the term is still used loosely. API stands for Application Programming Interface, and the vast majority of corporations will, at one point or another, have built one for internal use or for their customers.
An API can be both a huge asset and a significant threat. It exposes key resources to developers, consumers, mobile applications and partner organizations; without the right API security scanning in place, the same interface is an equally valuable gateway for an attacker who finds a vulnerability that grants access.
For the company that provides the API, a balanced approach is required. One of the primary functions of an API is to let developers get things done without security mechanisms and locked-down features getting in the way of their productivity.
Ease of use is essential if the API is to be adopted and to deliver value.
For security architects and DevOps teams alike, the challenge is to deliver that functionality and ease of use while paying meticulous attention to detail, so that attackers are not handed the keys to your company's data estate.
Common API Threats
One of the most crucial elements of creating an effective API is having thorough security measures in place. APIs are great for giving developers access so that they can build digital experiences and new apps on the data and functionality you provide. If that access is not secured and protected correctly, however, it can cause significant problems.
A firm grasp of the threat landscape, and of which threats actually apply, helps you build a robust and secure API that does not get in the way of productivity. Below are some of the most common API vulnerabilities, with countermeasures that help strike that balance.
Before we get into the individual vulnerabilities, one key point to mention is unencrypted data. With security concerns escalating, and rightly so, data encryption should be a top priority. Sensitive information should be encrypted from the moment it is captured, while in transit, and all the way through to the point where it is consumed.
APIs play an integral role in this process because they form the layer that passes information between the frontend and backend systems. Authentication and TLS mechanisms typically provide a baseline of encryption and protection. On top of that, API providers need to:
- Deploy trace tools for debugging issues
- Enforce data masking for logging/trace
- Utilize tokenization for PII and PCI information
Replay/Brute Force Attacks
APIs that are open to a public audience face the additional challenge of deciding whether an incoming request can be trusted. The request might genuinely come from a customer, or it might come from an attacker.
If the API simply denies a request it deems 'untrustworthy' and does nothing more, the sender can retry indefinitely. This is a common security oversight: it lets an attacker replay or play back a request until, at some point, it is approved. Some of the ways to counter such attacks include:
- HMAC Authentication
- Rate-limiting policies to throttle requests
- Short-lived access tokens (OAuth)
One key point for tracking such an attack is to ensure that the authentication system records the volume, type, and time of every access request.
With SOAP, REST, and other APIs exposing back-end systems without proper consideration of access control, management and monitoring, application scanners for APIs are a crucial security priority.
One of the best countermeasures is to apply an access policy to each and every API through a centralized choke point, such as an API gateway.
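The three countermeasures listed above, and the request tracking this paragraph asks for, fit together in a single gateway check. The following is an added example written for this post, not code from the original article or from any particular scanner product. It assumes a constructed shared secret per client and a constructed client id, and implements HMAC request signing over method, path, body hash, timestamp and nonce; a replay cache keyed on the nonce; a sliding-window rate limit per client; and an audit record of every decision.

```python
import hmac
import hashlib
import time
from collections import deque

# Shared secret per client. Constructed sample value for this example; in
# practice it comes from a secrets store, never from source code.
CLIENT_SECRETS = {"client-a": b"constructed-demo-secret-not-for-production"}

ALLOWED_SKEW_SECONDS = 300        # reject signatures whose timestamp is older than 5 minutes
RATE_LIMIT_WINDOW_SECONDS = 60
RATE_LIMIT_MAX_REQUESTS = 5       # deliberately small so the demo trips it


def canonical_string(method, path, body, timestamp, nonce):
    """The exact bytes both sides sign. Binding method, path, body hash,
    timestamp and nonce means a captured request cannot be replayed later,
    re-pointed at another endpoint, or given a different body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(secret, method, path, body, timestamp, nonce):
    return hmac.new(secret, canonical_string(method, path, body, timestamp, nonce),
                    hashlib.sha256).hexdigest()


class Gateway:
    def __init__(self, now=time.time):
        self.now = now
        self.seen_nonces = {}     # (client_id, nonce) -> time first seen; pruned by age
        self.request_log = {}     # client_id -> deque of request times in the window
        self.audit = []           # volume, type and time of every access request

    def _record(self, client_id, outcome, ts):
        self.audit.append({"client": client_id, "outcome": outcome, "time": ts})

    def _rate_limited(self, client_id, now):
        q = self.request_log.setdefault(client_id, deque())
        while q and now - q[0] > RATE_LIMIT_WINDOW_SECONDS:
            q.popleft()
        if len(q) >= RATE_LIMIT_MAX_REQUESTS:
            return True
        q.append(now)
        return False

    def verify(self, client_id, method, path, body, timestamp, nonce, signature):
        now = self.now()
        # Throttle before doing any crypto so a flood cannot burn CPU on MAC checks.
        if self._rate_limited(client_id, now):
            self._record(client_id, "rate_limited", now)
            return False, "rate limited"
        secret = CLIENT_SECRETS.get(client_id)
        if secret is None:
            self._record(client_id, "unknown_client", now)
            return False, "unknown client"
        if abs(now - timestamp) > ALLOWED_SKEW_SECONDS:
            self._record(client_id, "stale_timestamp", now)
            return False, "stale timestamp"
        # Prune the nonce cache, then treat any repeated nonce inside the window as a replay.
        self.seen_nonces = {k: v for k, v in self.seen_nonces.items()
                            if now - v <= ALLOWED_SKEW_SECONDS}
        if (client_id, nonce) in self.seen_nonces:
            self._record(client_id, "replay", now)
            return False, "replayed nonce"
        expected = sign_request(secret, method, path, body, timestamp, nonce)
        # Constant-time comparison: a plain == would leak where the mismatch occurs.
        if not hmac.compare_digest(expected, signature):
            self._record(client_id, "bad_signature", now)
            return False, "bad signature"
        self.seen_nonces[(client_id, nonce)] = now
        self._record(client_id, "accepted", now)
        return True, "ok"


def demo():
    """Constructed exchange: a valid request, the same request replayed, a
    signed request re-pointed at another path, then a burst that trips the limit."""
    clock = [1_700_000_000.0]
    gw = Gateway(now=lambda: clock[0])
    secret = CLIENT_SECRETS["client-a"]
    body = b'{"amount": 10}'
    ts = int(clock[0])
    sig1 = sign_request(secret, "POST", "/v1/transfer", body, ts, "n-0001")
    sig2 = sign_request(secret, "POST", "/v1/transfer", body, ts, "n-0002")
    results = [
        gw.verify("client-a", "POST", "/v1/transfer", body, ts, "n-0001", sig1)[1],
        gw.verify("client-a", "POST", "/v1/transfer", body, ts, "n-0001", sig1)[1],  # replay
        gw.verify("client-a", "POST", "/v1/admin", body, ts, "n-0002", sig2)[1],     # re-pointed
    ]
    for i in range(RATE_LIMIT_MAX_REQUESTS):
        nonce = f"burst-{i}"
        sig = sign_request(secret, "GET", "/v1/ping", b"", ts, nonce)
        results.append(gw.verify("client-a", "GET", "/v1/ping", b"", ts, nonce, sig)[1])
    return results
```

The order of the checks is a design choice: the rate limiter runs first so that a brute-force flood is cut off before the gateway spends any effort on signature verification, and the nonce is only committed to the cache once the signature has been accepted, so an attacker cannot poison the cache with unsigned garbage.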
What can this gateway do?
- Implement and enforce a strict access control policy
- Monitor and mediate any requests for access to the API layer
- Make sure the system does not expose any unsecured assets via APIs
Dynamic API scanners also let you look for APIs that have become exposed without your knowledge. Continuous scanning helps protect the APIs and better secures the data that sits behind them.
Injection is one of the most typical high-impact attacks and can lead directly to security failures and data breaches. Because APIs are the gateway to the organizational core, these attacks can slip through the net: the primary target is usually the ERP system, the back-end database or a directory service, and those resources can be exploited directly or used as a springboard for further attacks.
Injection comes in a number of forms, the most common being SQL, XML, and RegEx injection. APIs therefore need to be designed with an awareness of these threats, and active scanning of the API must continue after deployment to check that no injection flaws have reached production code.
Order of Operations
APIs can appear to be a static set of getters and setters, but once they are built into other applications, the combinations and permutations of calls can drive unexpected behavior on the enterprise back-end.
The primary countermeasure is granular, server-side control of the complete session state. Also known as Time-Of-Check, Time-Of-Use (TOCTOU) vulnerabilities, these are probably among the most challenging API weaknesses to test for, because they only show up under dynamic testing at load.
APIs Devoid of Authentication
APIs are essentially a set of keys that can open the door to organizational databases, which makes securing them and controlling access paramount. Authentication and authorization mechanisms such as OpenID and OAuth, in conjunction with TLS, are therefore essential.
Authentication protocols still have many weaknesses, however, and testing must explore them, including:
- Hard-Coded Secrets
- Open APIs
- Authentication that is password-based
- Guessable tokens and secrets
- Lack of replay protection
While all protocols will have vulnerabilities, any non-standard protocol should come under heavy scrutiny. Even where OAuth and SAML are implemented, stringent testing should check for session bugs, replayability, scoping issues, token storage, and protocol-level weaknesses.
Data in URI
Authentication and authorization keys have long been assumed to be sufficient on their own, but there is now genuine concern that keys can be compromised if they are transmitted as part of the URI. Worryingly, URI data ends up in system and browser logs, where it could become accessible to attackers.
Session tokens, including OAuth and SAML tokens, one-time-use URLs, and cookies, are usually the primary way an API server learns who is on the other end. If a token is corrupted, spoofed, or replayed, the API has a serious problem telling genuine requests from forged ones.
One effective method is a token protection scheme that both signs and hashes tokens as they are issued. The API gateway then performs signature authentication and hash verification to make sure the request comes from an authorized source and has not been tampered with.
TLS and SSL are widely used security protocols, but they are not always deployed correctly. Clients and servers must configure TLS/SSL properly in order to avoid known weaknesses.
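The two defensive steps that follow from this paragraph (and from the "data masking for logging/trace" item earlier) are a gateway policy that refuses credentials carried in the query string, and a log redaction step so that any URI that does carry one is masked before it is written. The code below is an added example for this post, not code from the original article or from any scanner product; the parameter names, the access-log layout and the log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that commonly carry credentials. Constructed list for
# the example; tune it to the names your own APIs actually use.
SENSITIVE_PARAMS = {"access_token", "token", "api_key", "apikey", "key",
                    "password", "sig", "signature", "session"}
MASK = "REDACTED"


def credentials_in_query(uri):
    """Sorted names of credential-bearing parameters found in the query string."""
    parts = urlsplit(uri)
    return sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_uri(uri):
    """Return the URI with credential values masked. Parameter names are kept
    so the log line stays useful for debugging."""
    parts = urlsplit(uri)
    if not parts.query:
        return uri
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, MASK if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


# Constructed access-log layout: client, quoted request line, status code.
LOG_LINE = re.compile(r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+)" (?P<status>\d{3})$')


def redact_log_line(line):
    """Mask credentials inside the URI field of one access-log line; lines that
    do not match the expected layout are returned unchanged."""
    m = LOG_LINE.match(line)
    if not m:
        return line
    return f'{m["client"]} "{m["method"]} {redact_uri(m["uri"])}" {m["status"]}'


def redact_log(lines):
    return [redact_log_line(line) for line in lines]


def gateway_decision(uri):
    """Policy check before the request reaches the backend: credentials belong
    in the Authorization header, not in the URI, so reject and tell the caller why."""
    found = credentials_in_query(uri)
    if found:
        return 400, "credentials not accepted in query string: " + ", ".join(found)
    return 200, "forwarded"


# Constructed sample log lines: one leaked bearer token, one clean request,
# one password passed as a query parameter.
SAMPLE_LOG = [
    '10.0.0.5 "GET /v1/orders?access_token=eyJhbGciOi.demo.tokenvalue&page=2" 200',
    '10.0.0.9 "GET /v1/devices/42/status" 200',
    '10.0.0.7 "POST /v1/login?password=hunter2&user=alice" 401',
]
```

Rejecting at the gateway is the primary control; redaction is the backstop for the requests that were logged anyway, and for client libraries you do not control. Note that `redact_uri` re-encodes the query string, so a URI that was not strictly percent-encoded on input may come out normalized.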
POODLE and BEAST are two well-known examples of TLS and SSL vulnerabilities. Chain validation, certificate naming, and protocol issues can also pave the way for man-in-the-middle attacks, broken authentication, and information disclosure.
As a countermeasure, replace SSL with TLS, and review and test the provisioning, design, implementation, and deployment. While most vulnerability management scanners test specifically for TLS and SSL weaknesses, API scanning and application scanners remain essential.
API security will never be fully solved by a single solution, and the role of a security architect will never be dull, but implementing an API scanner is now considered an essential element of any decent corporate security strategy.
To do everything that is needed to protect against API threats, architects should also:
- Catalog API endpoints
- Manage API endpoints
- Implement effective access controls
- Make sure API implementation matches the intent of the architecture
- Monitor the API scanner to detect and alleviate threats before they have the opportunity to cause irreparable damage
Taking a systematic approach to investigating and adjudicating API threats, and deploying an API gateway to carry out the security tasks, ensures that your security team is doing everything needed to safeguard the organization, its data, and its users.
What is an API Scanner and What Does API Scanning Do?
If you are considering an IoT security scanner or an application scanner, it is important to understand exactly what an API scanner does. In this section we outline its functions, along with some of the typical uses an API scan will cover.
What Does API Scan Cover?
API security scanning detects vulnerabilities in an API, including the APIs behind mobile back-end servers, IoT and other web-connected devices, and any RESTful API.
Securing web applications in general is fundamentally different from what is needed to protect APIs effectively.
IOT Security Scanner
You need to scan the APIs that power your IoT devices, from wearables right the way through to power plants: if a device uses internet connectivity and has no front end, it almost certainly talks to an API. Real-time API scanning checks the connectivity of these devices and scans the API for vulnerabilities.
Web Application Scanning Needs More
Web application development has gone through a significant evolution and will continue to do so. Gone are the days when CSS and HTML were all that required consideration. Web applications are now built on more complex architectures and need a web application scanner working alongside a dedicated API scanner.
An effective defence is a complex defence.
Enhancing the DevOps Workflow
Pen testers and security teams can use an API scanner to quickly establish whether the APIs under test have any vulnerabilities. This makes the development team the first line of defense for the APIs, letting them find and fix API vulnerabilities as they build new APIs and maintain and improve old ones.
If your DevOps team uses tools such as Jenkins or JIRA, these integrate easily, and each finding can be reproduced with a single cURL command.
Enhance Mobile App Creation
Most mobile security solutions focus on the client, but that is not where most mobile attacks originate. Mobile apps almost always interact with a server and retrieve their data through a back-end API. An API scanner checks the security and consistency of those back-end APIs, helping you build a more robust and more secure API.
Unlike web applications, APIs are not typically discoverable. No security scanner can simply load an API and follow every link, discovering each endpoint along the way, let alone the different parameters and constraints each endpoint expects. For this reason, among others, API scanning cannot be automated the way web scanning has been in the past.
Thankfully, with dynamic API scanning, there is a scanning engine that understands APIs, along with how they are used and how they become vulnerable.
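Because endpoints cannot be crawled, a scanner has to start from a description of the API. The code below is an added example for this post, not code from the original article or from any scanner product: it reads a constructed OpenAPI 3 document, builds the endpoint catalog that the "Catalog API endpoints" item earlier calls for, resolves each operation's effective security requirement, and reports the operations that allow anonymous access (the "APIs devoid of authentication" case). The spec, paths and scheme names are all constructed for the example.

```python
import json

# Constructed OpenAPI 3 document. The document-level "security" requires a bearer
# token everywhere, but one operation overrides it with an empty list, which in
# OpenAPI means "no authentication required".
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/v1/devices/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "get": {"summary": "Device status"},
            "delete": {"summary": "Decommission device"},
        },
        "/v1/firmware": {
            "post": {
                "summary": "Upload firmware image",
                "parameters": [{"name": "channel", "in": "query", "schema": {"type": "string"}}],
                "requestBody": {"content": {"application/octet-stream": {}}},
            },
        },
        "/v1/debug/trace": {
            "get": {"summary": "Dump request trace", "security": []},
        },
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
MUTATING = {"put", "post", "delete", "patch"}


def catalog_endpoints(spec_text):
    """Flatten an OpenAPI document into one record per (method, path)."""
    spec = json.loads(spec_text)
    global_security = spec.get("security", [])
    endpoints = []
    for path, item in spec.get("paths", {}).items():
        # Path-level parameters apply to every operation under the path.
        shared_params = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = shared_params + op.get("parameters", [])
            # An operation-level "security" key overrides the document default;
            # an explicit empty list means anonymous access is allowed.
            security = op.get("security", global_security)
            endpoints.append({
                "method": method.upper(),
                "path": path,
                "params": [(p["name"], p.get("in", "?")) for p in params],
                "has_body": "requestBody" in op,
                "authenticated": len(security) > 0,
                "mutating": method in MUTATING,
            })
    return endpoints


def unauthenticated_endpoints(endpoints):
    """Operations that the specification lets anyone call without credentials."""
    return [f'{e["method"]} {e["path"]}' for e in endpoints if not e["authenticated"]]


def scan_targets(endpoints):
    """Ordered list of what a dynamic scan has to exercise per endpoint: every
    declared parameter and body is an input that needs validation testing.
    Mutating operations are listed first because they carry the most risk."""
    ordered = sorted(endpoints, key=lambda e: (not e["mutating"], e["path"], e["method"]))
    return [{"endpoint": f'{e["method"]} {e["path"]}',
             "inputs": [f"{name} ({where})" for name, where in e["params"]]
                       + (["request body"] if e["has_body"] else [])}
            for e in ordered]
```

The catalog is the artifact the rest of the programme hangs off: the unauthenticated list is a finding in its own right, and the scan-target list is what a dynamic scanner works through, one declared input at a time, which is exactly the work a link-following web crawler cannot do for an API.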