APIs make it easy to do business, and attackers think so too. With the digital transformation of enterprises in full swing, APIs have gone far beyond the scope of technology: both Internet business innovation and the digital transformation of traditional enterprises depend on an API economy or API strategy. APIs connect not only systems and data but also corporate departments, customers and partners, and the entire business ecosystem. At the same time, as security threats grow more severe, APIs are becoming the next frontier of network security. We have compiled the top five API security weaknesses together with the remediation advice security experts have given to enterprises.
APIs make everything easier, from data sharing to system connectivity to the delivery of critical functions, but they make things easier for attackers too, including malicious bots. The proliferation of API-driven applications is pushing cybercriminals to exploit API security vulnerabilities more and more often to commit fraud and steal data.
Below we discuss five API weaknesses that attackers exploit easily and share the mitigation and hardening advice security experts give.
1. Too easy to be discovered
An attacker preparing to go after a company starts by identifying as many of its APIs as possible. In practice that means using the target application in the normal way, opening the web application in a browser or installing the mobile application on a phone, while routing all of the traffic through an intercepting proxy to monitor the communication.
An intercepting proxy captures every request the browser or mobile application makes to the backend web server, so the attacker can catalog all of the API endpoints in use. Most APIs, for example, expose an authentication endpoint along the lines of /api/v1/login.
If the target also ships a mobile app, the attacker unpacks it and looks for the API calls embedded in the app's code and configuration. Having enumerated every activity the app supports, the attacker then looks for common misconfigurations or endpoints that fail to protect user data properly.
Finally, the attacker looks for API documentation. Some organizations publish API documentation for third parties while serving every user from the same endpoints, so the published documentation also describes the endpoints the attacker is already hitting.
With a good endpoint list, the attacker can test both standard user behavior and abnormal behavior; both approaches turn up interesting vulnerabilities.
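The endpoint catalog that reconnaissance produces can be built from a proxy capture with a few lines of code. The following is an added example, not code from the original article; the capture entries, the hostnames and the documented-endpoint set are constructed sample data, and the HAR-like record shape is an assumption. The same script serves the defender: run it over your own application's traffic and diff the result against the published spec to find endpoints nobody documented.

```python
"""Catalog API endpoints from an intercepting-proxy capture.

Added example (not from the original article). It assumes the proxy
exported requests in a HAR-like form; the entries below are constructed
sample data, not a real capture.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of what an intercepting proxy (Burp, mitmproxy, ...)
# records while the app is used normally.
CAPTURE = [
    {"method": "POST", "url": "https://api.example.com/api/v1/login"},
    {"method": "GET",  "url": "https://api.example.com/api/v1/users/1042/profile?fields=all"},
    {"method": "GET",  "url": "https://api.example.com/api/v1/users/1043/profile"},
    {"method": "GET",  "url": "https://api.example.com/api/v1/orders/7f3a9c2e-1b4d-4e0f-9a6b-2c8d5e7f0a11"},
    {"method": "PUT",  "url": "https://api.example.com/api/v1/users/1042"},
    {"method": "GET",  "url": "https://cdn.example.com/static/app.js"},
    {"method": "GET",  "url": "https://api.example.com/internal/v1/admin/export"},
]

# Constructed: the endpoints the published documentation (e.g. an OpenAPI
# spec) admits to. Anything the app calls beyond this is shadow surface.
DOCUMENTED = {
    ("POST", "/api/v1/login"),
    ("GET", "/api/v1/users/{id}/profile"),
    ("PUT", "/api/v1/users/{id}"),
}

_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
_NUM = re.compile(r"^\d+$")


def normalize_path(path: str) -> str:
    """Collapse per-object identifiers so /users/1042 and /users/1043 count as one endpoint."""
    return "/".join("{id}" if _NUM.match(seg) or _UUID.match(seg) else seg
                    for seg in path.split("/"))


def catalog(capture, api_hosts):
    """Return {(method, normalized_path): request_count} for requests to the API hosts."""
    seen = defaultdict(int)
    for entry in capture:
        parts = urlsplit(entry["url"])
        if parts.hostname not in api_hosts:
            continue  # static assets, analytics, CDNs are not API surface
        seen[(entry["method"].upper(), normalize_path(parts.path))] += 1
    return dict(seen)


def undocumented(catalog_map, documented):
    """Endpoints the application actually calls that the published docs do not list."""
    return sorted(set(catalog_map) - documented)


if __name__ == "__main__":
    found = catalog(CAPTURE, {"api.example.com"})
    for (method, path), count in sorted(found.items()):
        print(f"{method:5} {path}  ({count} requests)")
    print("undocumented:", undocumented(found, DOCUMENTED))
```

Normalizing identifiers matters on both sides: the attacker sees one parameterized endpoint to probe for object-level authorization flaws, and the defender gets a stable key to compare against the spec instead of one entry per record ID.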
Workaround: To make the API harder to discover, control access to the API documentation so that only authenticated, authorized users can read it. Certificate pinning in the mobile app does not hide the API endpoints, and it can be bypassed on a rooted or jailbroken device, but it does add an extra step to the attack. Requests to the web server should be obfuscated and controlled as far as practical. Treat all of this as raising the cost of reconnaissance rather than as protection: every endpoint must still enforce authentication and authorization on its own, because an attacker who finds it will call it directly.
2. Overly detailed error messages
Account takeover attempts have been increasing recently, and overly detailed error messages make them easier. A verbose error tells the attacker exactly what to change for the request to look legitimate, for instance whether the username or the password was the wrong half. APIs are also built for high transaction rates with little per-request overhead, so an attacker with fast systems can first enumerate valid accounts and then attempt logins and password changes against them at scale.
Solution: Don't use user experience as a shield; some practices that seem good for usability are bad for security. The error returned by the system should not say whether the username or the password was wrong, and should not even hint at the category of error. The same applies to errors from data queries: if a query or search is malformed or cannot be executed for some reason, return the least informative message possible, on the order of "Oops, something went wrong", and log the detail server-side where it helps operators rather than attackers.
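A login handler that follows this advice has to do more than change the message: the status code, the response body and the amount of server work must be the same whether the account exists or not, and the per-account attempt rate must be capped so enumeration cannot run at API speed. The following is an added example, not code from the original article. The in-memory user store, the PBKDF2 parameters and the attempt budget are assumptions for illustration.

```python
"""Uniform login failures with per-account throttling.

Added example, not code from the original article. The in-memory user
store, the PBKDF2 parameters and the attempt budget are assumptions for
illustration; a real service would use its own credential store and a
shared rate limiter.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

_ITERATIONS = 100_000
_SALT = b"constructed-example-salt"  # per-user random salts in real code


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed user store: only password hashes are kept.
USERS = {"alice": _hash("correct horse battery staple")}

# Compared when the username does not exist, so a miss costs the same work
# as a wrong password and response timing does not reveal valid accounts.
_DUMMY_HASH = _hash("no-such-user")

MAX_ATTEMPTS = 5   # failures allowed per account ...
WINDOW = 300       # ... within this many seconds
_failures = defaultdict(list)  # username -> timestamps of recent failures


def login_verbose(username, password):
    """Vulnerable: status and body say which half was wrong, and a missing
    user short-circuits before any hashing, which is measurable as timing."""
    if username not in USERS:
        return 404, {"error": "unknown username"}
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return 401, {"error": f"wrong password for {username}"}
    return 200, {"token": secrets.token_urlsafe(16)}


def login_hardened(username, password, now=None):
    """Same status, same body and same work for every failure, plus a
    per-account attempt budget. `now` is injectable for testing."""
    now = time.time() if now is None else now
    recent = [t for t in _failures[username] if now - t < WINDOW]
    _failures[username] = recent
    if len(recent) >= MAX_ATTEMPTS:
        return 429, {"error": "too many attempts, try again later"}

    stored = USERS.get(username, _DUMMY_HASH)
    matches = hmac.compare_digest(stored, _hash(password))  # always hashes
    if not (matches and username in USERS):  # membership checked after the work
        recent.append(now)
        return 401, {"error": "invalid credentials"}
    recent.clear()
    return 200, {"token": secrets.token_urlsafe(16)}
```

A hard per-account lockout can itself be turned into a denial of service against a known user, so in production prefer progressive delays or throttling keyed on account plus source, and keep the uniform error regardless of which limit fired.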
3. Too many parameters
When attackers work through a system via its API calls, they have to figure out what they can send to get data back. Attackers count on the fact that the more complex a system is, the more can go wrong. Once an API is identified, they catalog its parameters and then try to reach the administrator's data (vertical privilege escalation) or another user's data (horizontal privilege escalation). Often far more parameters are exposed to the user than are necessary.
In a recent research project, our API calls to the target service returned a large amount of data, much of it unnecessary, such as payment-gateway processor keys and available discount information. This "bonus" information lets attackers understand the context and syntax of the API calls, and it does not take much imagination to work out what to do next. Those extra parameters hand the attacker a rich data set to attack with.
Solution: Limit what users see to the content they need, restrict the transmission of critical data, and keep the structure of data queries out of the client's view; then attackers have far fewer known parameters to guess against or brute-force. On the server side, accept only an explicit allowlist of parameters per endpoint and reject the rest, and never let a client-supplied identifier alone decide whose record is read or written.
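Both escalation paths described above come from trusting request parameters: the record identifier decides whose data is touched, and unexpected keys such as a role field are written straight through. The following is an added example, not code from the original article, showing a profile-update handler in its vulnerable and hardened forms; the record store, the Principal type and the WRITABLE field set are assumptions for illustration.

```python
"""Parameter allowlisting plus object-level authorization for a profile update.

Added example, not code from the original article. The record store,
the Principal type and the WRITABLE field set are assumptions chosen to
illustrate vertical and horizontal privilege escalation through parameters.
"""
import copy
from dataclasses import dataclass

# Constructed backing store: each row carries fields the client must never set.
_SEED = {
    1: {"id": 1, "email": "root@example.com", "display_name": "Admin", "role": "admin", "credit": 0},
    1042: {"id": 1042, "email": "alice@example.com", "display_name": "Alice", "role": "user", "credit": 0},
}


def fresh_db():
    """A private copy of the store so each scenario starts clean."""
    return copy.deepcopy(_SEED)


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, established by the session, never by the request body."""
    user_id: int
    role: str


# The only fields a user may change on their own record. "role", "credit"
# and "id" are server-controlled and deliberately absent from this set.
WRITABLE = {"display_name", "email"}


def update_profile_vulnerable(db, principal, target_id, body):
    """Trusts two things it should not: the client-chosen target_id
    (horizontal escalation) and every submitted key (vertical escalation)."""
    if target_id not in db:
        return 404, {"error": "not found"}
    db[target_id].update(body)
    return 200, db[target_id]


def update_profile_hardened(db, principal, target_id, body):
    """Authorize the object first, then accept only allowlisted parameters."""
    if target_id != principal.user_id and principal.role != "admin":
        # 404 rather than 403 so the response does not confirm the record exists
        return 404, {"error": "not found"}
    if target_id not in db:
        return 404, {"error": "not found"}
    unexpected = set(body) - WRITABLE
    if unexpected:
        return 400, {"error": "unexpected parameters", "fields": sorted(unexpected)}
    db[target_id].update(body)
    # Return a fixed projection, not the raw row
    return 200, {k: db[target_id][k] for k in ("id", "display_name", "email")}
```

Rejecting unknown parameters outright, rather than silently ignoring them, also gives you a log signal: a request carrying a role or credit field from an ordinary user is worth alerting on.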
4. Too much data
Again, with so many parameters available, collecting data is the obvious next step. Many enterprise systems accept anonymous connections and tend to leak additional data that the average user does not need. In addition, many businesses prefer to store data where it can be accessed directly rather than only through the application.
Security teams also struggle with API requests that reveal where the data is stored. For example, when I view video from a security camera, I can see that the content is served from an Amazon S3 bucket. Those buckets are often poorly protected, and anyone's data can be retrieved from them.
Another common problem is data overload. Many businesses behave like chipmunks before winter, storing far more data than they need. Much of the expired user data has no commercial or archival value, but if it leaks it brings severe brand and compliance consequences.
Solution: Any business that stores user data, not just PII or PHI, needs a thorough data review. Once you know what is stored, write data access rules and test them. Ensure that nothing reachable anonymously contains sensitive data, that API responses do not point directly at backing storage such as an S3 bucket, and that data past its retention period is deleted rather than kept.
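The access rules above are easiest to test when the API never serializes a raw record and instead emits an explicit per-audience allowlist of fields, with anonymous callers getting the least. The following is an added example, not code from the original article; the row layout, the audience names and the field sets are assumptions for illustration, and the sensitive fields mirror the kinds the article saw leak (processor keys, discount data, storage location).

```python
"""Audience-scoped response serialization.

Added example, not code from the original article. The row layout,
the audience names and the field sets are assumptions for illustration.
"""

# Constructed backend row: the "return the whole record" case.
RECORD = {
    "id": 7,
    "display_name": "Alice",
    "email": "alice@example.com",
    "phone": "+1-555-0100",
    "last_login": "2024-01-01T00:00:00Z",
    "discount_codes": ["STAFF50"],
    "payment_processor_key": "sk_live_constructed_example",
    "storage_url": "https://example-bucket.s3.amazonaws.com/users/7/clip.mp4",
}

# Explicit allowlist per audience. A column added to the row later is not
# serialized until someone adds it to a view on purpose.
VIEWS = {
    "anonymous": {"id", "display_name"},
    "self": {"id", "display_name", "email", "phone", "last_login"},
    "admin": {"id", "display_name", "email", "phone", "last_login", "discount_codes"},
}

# Never serialized for anyone: these belong to the backend, not to a client.
NEVER = {"payment_processor_key", "storage_url"}


def serialize_vulnerable(record):
    """What 'return the row' amounts to: everything, including the bucket URL."""
    return dict(record)


def audience_for(principal, record):
    """Derive the view from the authenticated session, defaulting to least access."""
    if principal is None:
        return "anonymous"
    if principal.get("role") == "admin":
        return "admin"
    if principal.get("user_id") == record["id"]:
        return "self"
    return "anonymous"


def serialize(record, audience):
    """Emit only the fields the audience's view allows, minus the NEVER set."""
    allowed = VIEWS.get(audience, VIEWS["anonymous"]) - NEVER
    return {k: v for k, v in record.items() if k in allowed}


def views_are_safe():
    """Startup or CI guard: no view lists a NEVER field, and every view is a
    superset of the anonymous view so audiences are strictly ordered."""
    base = VIEWS["anonymous"]
    return all(not (fields & NEVER) and base <= fields for fields in VIEWS.values())
```

Calling views_are_safe() from a unit test turns the data access rules into something that fails the build when someone adds a sensitive column to a view, which is the "test them" part of the advice above.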
5. Too little security design
For years, application design has prioritized functionality and usability with little regard for security. Many CISOs say that API security in particular is not taken seriously, or is left out of the security design process altogether. Typically, developers finish development and deployment and only start looking for problems once the API is in production and under regular attack. Security, API security included, needs to be part of product design and one of the first considerations, rather than a matter of plugging holes after the fact.
Solution: Reviewing the security architecture of your application is the essential first step toward a secure system. Remember that APIs let attackers attack or exploit your system more efficiently. The goal of security design is to make the API an efficient tool for users rather than for attackers.
The above is the full text of "What are the five common vulnerabilities of APIs?", published on the PHP Chinese website.
