API Breaches: What Should I Know and How Can I Prevent Them?
According to recent studies, two-thirds of cloud security incidents are due to misconfigured APIs. And thanks to GDPR rules, data leaks can be disastrous. API breaches are even more dangerous than other data leaks because once an API is compromised, an attacker can not only steal your data but potentially do even more damage. Erasing your whole database can be painful, for example, even if you have backups. Therefore, proper API security is more crucial than ever. In this post, you'll learn what API breaches are and how to prevent them.
What's an API Breach?
Let's start with the basics. Simply put, an API breach occurs when an API is used in a manipulative or abusive way. This can include using an API to access your database to steal data or manipulating user sessions. There are many possible attacks that can target your front end, and there are others that don't use any of your software components, such as phishing or old-school password cracking.
Types of API Breach
There are many ways to breach an API. They differ by the attack method used and by the desired output. The point of some API attacks is simply to gain access to the database, so the API itself is just a stepping-stone. Other attacks specifically focus on the API in order to take your API down and cause downtime. Not all API breaches results in a data leak, but most attackers target APIs in order to gain access to data.
So, what are the most common API attacks?
Broken Access Control or User Authentication
One of the most common API attack vectors is broken access control or broken user authentication. As the name suggests, this type of attack tries to use bugs in your user authentication or access control mechanisms in order to bypass them. As you know, in order to get access to someone's account, you need their username and password. But there is another way. By leveraging broken user authentication, an attacker can gain access to someone's account without knowing their password. Also, even if an attacker doesn't target specific users, broken access control can, for example, give the attacker admin rights or access to resources that regular users shouldn't have access to.
Data Exposure
Another common way of abusing an API is passive and easy. Data exposure happens when you send too much data from an API. Why would you do that? Perhaps because you expect your front end to do the data filtering. Let me give you an example. Imagine that users on your website can create profiles and that other users can see each other's profiles. Of course, in such a case, we want profiles to show only basic information. You probably don't want to reveal things like phone numbers, emails addresses, home addresses, or other sensitive information. Ideally, your API would only extract these fields from a user profile when strictly necessary.
However, developers often send all user data to the front end and only allow it to show the nonsensitive fields. The problem is that it's easy for an attacker to bypass the front end and see data that is supposed to be hidden. Therefore, this type of API breach is low-hanging fruit for an attacker.
Too Much Error Information
Another example of overexposing data is showing too much information on an error page. By default, when an API crashes, it will probably show you exactly what crashed. Sounds great, right? The more information you have about the error, the quicker you'll be able to fix it. Well, yes, but all this information is also valuable to a hacker.
If they know, for example, the type of API server you're using and the exact version (which is commonly displayed on error pages), they can directly search for vulnerabilities and exploits instead of blindly trying different exploits over time and risking detection. In extreme cases, unfiltered error messages can show server paths or pieces of code that include IP addresses or even passwords.
How to Prevent API Breach
Now that you're familiar with a few common types of API breaches, it's time to discuss how to prevent them. There are best practices to follow for each attack vector discussed earlier. For example, to avoid data exposure, make sure the front end only receives the information it needs from an API rather than filtering it. To avoid broken access control, don't build custom authentication solutions. Instead, use well-known authentication libraries and ideally top it up with 2FA mechanisms.
It's difficult to implement all the best practices for every possible attack vector, especially since new vulnerabilities are always being discovered. That doesn't mean you shouldn't try. Many best practices protect you from a few vulnerabilities at the same time. It also doesn't take much effort to build a reasonable level of security from nothing. If you want to learn more about securing APIs in practice, you can read Traceable's Practical Guide to API Security. Once you have the basics covered, there is an extra step that you can take to drastically decrease your chances of suffering from an API breach.
Cloud-Native API Security
In order to secure an API, you need two main things. Your API code must be secure, which means implementing security best practices, using well-known libraries, and keeping everything up to date. Once the API is running, you can't forget the basics like firewalls and limiting access to the API. You'll need to check and update everything each time a new vulnerability appears in the wild, but using a tool like Traceable can change everything.
Traceable is a modern API security tool that approaches security in a cloud-native way. It uses AI to continuously scan and analyze APIs. Therefore, it can even protect you from brand-new, unknown API threats. Traceable can also understand and follow user sessions, which is crucial if you want to secure distributed applications. By following user sessions, Traceable can detect malicious activities that span multiple APIs, things that are usually undetected by traditional tools when a chain of actions comprise an attack.
Observability
Having a comprehensive overview of your APIs is a good step toward avoiding API breaches. This is especially important for modern applications that are decentralized and can consist of dozens of APIs. If you don't know what's happening on your network, what your APIs are connecting to, and which are APIs handling internet traffic, you might not even realize if and when an API breach occurs.
Traceable has built-in API discovery, which constantly inventories all your APIs. It can notify you about any changes and even draw a map of dependencies. All this means that Traceable will not only protect you from threats, but it will also help you understand your APIs.
Summary
An API breach can happen for many different reasons. Some will lead to data leaks, and others may result in application downtime. No matter the kind of API breach, it's better to have no breach at all, so start by securing them. For that, remember to read the Traceable Practical Guide to API Security. Securely written APIs, however, only gets you halfway there. You still need constant monitoring and protection against new and unknown threats.
Traceable identifies all of your APIs, and evaluates your API risk posture, stops API attacks that lead to incidents such as data exfiltration, and provides analytics for threat hunting and forensic research. With the Traceable solution, you can confidently discover, manage and secure all of your APIs, quickly deploy, and easily scale to meet the ongoing needs of your organization.
Depending on your role and the needs at your organization, there are multiple options to get started with observability and API security:
- If you’re a CISO or DevSecOps security leader and want to evaluate your API security risks, try the API Security Posture Assessment.
- To start your journey, sign up to learn all about your APIs — internal, external, third-party, and even the shadow or rogue APIs you may not even be aware of.
- If you want to compare different API security solutions in the market, check out an API Security Tools comparison guide.
You can also view a demo or book a meeting to learn more and ask your questions on how Traceable AI can meet your API catalog, observability, and security requirements.
This post was written by Dawid Ziolkowski. Dawid has 10 years of experience as a Network/System Engineer at the beginning, DevOps in between, Cloud Native Engineer recently. He’s worked for an IT outsourcing company, a research institute, telco, a hosting company, and a consultancy company, so he’s gathered a lot of knowledge from different perspectives. Nowadays he’s helping companies move to cloud and/or redesign their infrastructure for a more cloud native approach.
The Inside Trace
Subscribe for expert insights on application security.