Risk
APIs are another channel into an organization’s resources and information. Most organizations are accustomed to exposing a web interface, with good control over what information is released via that interface. APIs offer direct, machine to machine access to resources and information, which makes it less obvious when information is incorrectly exposed. It becomes increasingly important for internal business stakeholders to decide what information and resources should be released via this channel, and to whom.
The security risks that APIs introduce will be similar to the traditional risks experienced on any web channel (websites and web applications), except there is:
- Increased attack surface due to more ways in, multiple services to potentially exploit
- Risk of inadvertently exposing back-end data, back-end architecture, and back-end applications
Risks posed by APIs include loss of integrity, confidentiality, and availability of data, for example:
- Loopholes retrieving API resources may offer access to more information than was intended (especially if fields requested are built straight into a DB query)
- Write operations offer a means of polluting data stores, feeding misinformation into a system
- Write operations could be used to form a Denial of Service attack by overloading the server or data store
- Use of wildcards in search fields can shut down APIs and back-end applications
- Cross-site scripting attacks made possible by consuming applications not checking user inputs
- SQL injection into consuming applications which cause database damage at the API backend
- Parameter attacks such as HTTP Parameter Pollution (HPP)
- Man-in-the-middle attacks, modifying API requests or responses leading to data eavesdropping or misinformation insertion
- Subverting authentication or authorization mechanisms to spoof messages from legitimate consumers
- Stealing authentication tokens to obtain information illicitly
- System information leakage through API error messages revealing details about an API’s construction or underlying system makeup
- Broken Session IDs, Keys and authentication create exposure to unauthorized access through authentication factors that are not functioning because of poor security design or technology bugs.
Updated less than a minute ago