How to Secure API Endpoints: 9 Tips and Solutions

Why is it Important to Secure API Endpoints?

An API endpoint is typically a URL exposed by a server, allowing other systems to connect and consume its services. API endpoints are entry points into corporate networks and often provide valuable or sensitive information. This makes them an attractive target for attackers.

In this article, we’ll discuss cybersecurity attacks that target poorly secured endpoints. We’ll provide practical tips to improve API endpoint security to help prevent the next data breach.

API Attack Types

Below are several cyberattacks that specifically focus on API endpoints or their weaknesses.

Distributed Denial of Service

It is becoming more common for attackers to generate a stream of fake requests to an API, to overwhelm it and deny access to legitimate users. This is known as a Denial of Service (DoS) attack. When the attack is performed by an extensive network of compromised machines (known as a botnet), it is known as a Distributed Denial of Service (DDoS).

Traditional DDoS attacks were based on simple network techniques like TCP amplification. These are less effective against API endpoints. However, modern denial of service attacks use full HTTP GET/POST requests to mimic legitimate user traffic (HTTP flooding).

Web APIs running on the HTTP layer are vulnerable to these attacks since each API request requires more resources on the server to parse and respond. Because the attack sends traffic similar to legitimate API traffic, it is difficult to detect.

Data Exfiltration Attacks

A data exfiltration attack attempts to extract more information from the API than the user account is authorized to receive. These attacks range from manipulating search filters to return out-of-range records to brute-force guessing URLs searching for data.

It is relatively easy for attackers to carry out this type of attack because the API is designed for automated access. Attackers can carry out many automated attempts to get data and still appear to be a legitimate user. Attackers also do not have to make special efforts to gain automated access as they would with a web application or web form.

Functionality and Resource Attacks

APIs expose the basic functionality of a service. This primary function itself may be very important to cybercriminals. Often, the attack involves using legitimate functions provided by the API in an unexpected way that benefits the attacker.

Below are some common functional areas of APIs that are often abused and should be carefully monitored:

  • Email sending — spammers often attempt to break into legitimate APIs with a communication or notification mechanism and use them to send spam email. If your API sends email, you should limit the email subject and content to allow only specific, predefined messages meant to be sent by your system.
  • Content publishing — some APIs allow users to modify or publish web content. This is becoming very common with the advent of user-generated content. However, allowing users to adjust content is extremely risky and can easily be exploited by attackers.
  • File upload — the ability to upload files is often abused by people who want to distribute unethical content or improve search rankings. For years, black hat SEOs tried to upload HTML files containing links to their websites. A more severe attack involves hackers uploading malware to a server to infect the server itself or the devices of users who download the content. In many cases, even a failed upload performed through an API leaves a file that is accessible over the network, allowing attackers to use it.
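
The failed-upload problem described in the last item can be avoided by staging uploads outside the served directory and publishing them only after validation. The following is an added example, not code from the original article; the size cap, the extension allowlist and the directory layout are assumptions.

```python
import os
import secrets
import tempfile

MAX_BYTES = 1_000_000  # constructed size cap
# Constructed allowlist: extension -> file signature the content must start with.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-"}


class UploadRejected(Exception):
    pass


def store_upload(chunks, client_name, staging_dir, public_dir):
    """Stage an upload privately; publish it only after every check passes."""
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("file type not allowed")
    # staging_dir must not be served by the web server, and must be on the
    # same filesystem as public_dir so os.replace() is an atomic rename.
    fd, staged = tempfile.mkstemp(dir=staging_dir)
    try:
        size, head = 0, b""
        with os.fdopen(fd, "wb") as fh:
            for chunk in chunks:
                size += len(chunk)
                if size > MAX_BYTES:
                    raise UploadRejected("file too large")
                if len(head) < 16:
                    head = (head + chunk)[:16]  # keep only the leading bytes
                fh.write(chunk)
        if not head.startswith(ALLOWED[ext]):
            raise UploadRejected("content does not match extension")
        # Server-generated name: the client never chooses the public path.
        final = os.path.join(public_dir, secrets.token_hex(16) + ext)
        os.replace(staged, final)
        return final
    except BaseException:
        # Failed or interrupted upload: leave nothing behind.
        if os.path.exists(staged):
            os.unlink(staged)
        raise
```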

9 Best Practices for Securing API Endpoints

Use the following best practices to improve API endpoint security, reduce your attack surface, and reduce the likelihood of successful attacks.

User Authorization with API Keys

An essential part of API security is the use of API keys. API keys are used to control access to public REST services. Public web service operators can use API keys to rate-limit API calls and reduce denial of service attacks. For paid API services, API keys also allow you to provide access based on the access plan purchased.

HTTPS Always

If your API endpoint allows API users to communicate over HTTP or any other unsecured protocol, you are at high risk. Passwords, private keys, and credit card information are easily stolen because they can be read in plain text by packet sniffers or other types of Man-in-the-Middle (MitM) attacks.

To secure your API, make HTTPS the only communication option available, even if the content or functionality provided by the API seems to be trivial.

One-Way Password Hashing

In case of a security breach, all user accounts are at risk, so never store passwords in cleartext. You should also avoid using symmetric encryption methods (in which the same encryption key can be used to lock and unlock the content) because sufficiently sophisticated, persistent attackers can break them.

The recommended option for securing passwords is one-way hashing (sometimes described as one-way encryption). Hashing applies a mathematical function that scrambles the data so that it cannot be reversed. This way, stored passwords are protected against attackers, and no one within your network, not even server administrators, can view user passwords.

Apply Rate Limiting

Whatever the volume of requests served by your API, it is best to limit the number of calls users can make over a given period of time. This can prevent DoS attacks in which bots send hundreds of concurrent requests per second (although it will not be effective against massive DDoS attacks).

In addition, for every user operation, limit the number of requests or the amount of data retrieved to a reasonable maximum. You can also specify hourly, daily, or monthly usage limits per user. Most web development frameworks have built-in rate limiting features.
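
The per-key limits described here and in the API keys section can be combined in one sliding-window limiter. This is an added example, not code from the original article; the plan names, limits and key values are constructed for illustration.

```python
import math
import time
from collections import defaultdict, deque

# Constructed plans: (requests allowed, window in seconds) per access plan.
PLANS = {"free": (5, 60), "paid": (100, 60)}
# Constructed key table; a real service would look keys up in a datastore.
API_KEYS = {"key-free-123": "free", "key-paid-456": "paid"}


class RateLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock               # injectable so tests can control time
        self.hits = defaultdict(deque)   # api_key -> timestamps of accepted calls

    def check(self, api_key):
        """Return (http_status, retry_after_seconds) for one incoming request."""
        plan = API_KEYS.get(api_key)
        if plan is None:
            # Unknown keys are rejected before any state is allocated, so a
            # flood of random keys cannot grow the hits table.
            return 401, 0
        limit, window = PLANS[plan]
        now = self.clock()
        q = self.hits[api_key]
        while q and now - q[0] >= window:
            q.popleft()                  # drop calls that left the window
        if len(q) >= limit:
            # 429 Too Many Requests; tell the client when the oldest call expires.
            return 429, math.ceil(window - (now - q[0]))
        q.append(now)
        return 200, 0
```

Rejected calls are not recorded, so a client that keeps retrying while throttled does not extend its own lockout.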

Consider IP Address Filtering

If only select business partners use your API, consider adding a layer of security that limits the IP addresses that can access it. In this scenario, verify the IP address in each new location and for each new client. This makes it more difficult to onboard new customers but leads to much tighter security compared to other methods.

Validate Input

While this best practice is well known, a vast number of APIs fail to sanitize their inputs, allowing attackers to perform a range of code injection attacks. When verifying inputs, ensure data is received in the correct format, and strip characters that may be part of malicious code. The OWASP Code Injection Cheat Sheet provides clear guidelines on how to prevent most kinds of injection attacks.
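
Format validation combined with a parameterized query, as an added example that is not code from the original article. The field names, the username format, the row cap and the demo table are assumptions; the example rejects malformed input outright instead of stripping characters from it.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # constructed format rule
MAX_LIMIT = 50  # upper bound on rows returned per request


class ValidationError(ValueError):
    pass


def validate_search(params):
    """Return (username, limit) or raise ValidationError. Reject, don't repair."""
    unknown = set(params) - {"username", "limit"}
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    username = params.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username has an invalid format")
    limit = params.get("limit", 10)
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(limit, bool) or not isinstance(limit, int):
        raise ValidationError("limit must be an integer")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValidationError(f"limit must be between 1 and {MAX_LIMIT}")
    return username, limit


def search_orders(db, params):
    username, limit = validate_search(params)
    # Placeholders keep the values out of the SQL text. The pattern this
    # replaces is building the query by string concatenation.
    cur = db.execute(
        "SELECT id, item FROM orders WHERE owner = ? ORDER BY id LIMIT ?",
        (username, limit),
    )
    return cur.fetchall()


def make_demo_db():
    """Constructed in-memory table used only to exercise the example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    db.executemany("INSERT INTO orders (owner, item) VALUES (?, ?)",
                   [("alice", "book"), ("alice", "pen"), ("bob", "lamp")])
    return db
```

The row cap also addresses the out-of-range search filters mentioned under data exfiltration attacks: a request cannot ask for more records than the service is willing to return.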

API Client Filtering

To minimize security risks, limit client permissions and capabilities to the minimum required to consume the API service. First, restrict HTTP access to ensure that malicious or misconfigured clients receive nothing except the API specs and an access code. Ensure that the API rejects improper requests with a 405 response code (method not allowed).

Geo Filtering

A large fraction of cyberattacks originate from certain countries. One practice is to block access to your API from any region in which you do not do business. In addition, if you detect an attack, blocking GET/POST requests from that region can stop it in its tracks. Being able to quickly block countries/regions making GET/POST requests to your API might be the fastest way to stop an ongoing attack.

Consider XDR (Extended Detection and Response)

Traditional security tools, including firewalls and intrusion protection/detection systems (IPS/IDS), are deployed by most organizations but are not explicitly designed to protect APIs.

A new type of security technology, called XDR, provides holistic protection across the IT environment, including API endpoints. It provides security teams with real-time alerts of malicious behavior, enabling them to contain and investigate attacks quickly.

XDR secures API endpoints in the following ways:

  • HTTPS monitoring — XDR can manage security certificates and inspect HTTPS communications. When it identifies an anomaly, it can instantly terminate the connection or take other automated action.
  • API call monitoring — XDR can monitor the number of API calls and alert security teams about suspicious behavior, even if the rate limit is not exceeded.
  • IP address filtering — XDR integrates with threat intelligence databases and can check if an incoming request has a legitimate IP address or originates from a malicious server.
  • JSON Web Token (JWT) — a standard method (RFC 7519) used to securely represent a user’s identity when communicating between two parties. If two systems are exchanging data, XDR can identify users via JWT. The XDR system can use JWT to identify the user without having to transmit credentials. This makes it possible to identify user accounts in API traffic and analyze their behavior compared to known baselines.
  • Input validation — even if the underlying application code does not sanitize inputs correctly, XDR solutions analyze SQL or other queries to detect code injection attacks, block them, and alert security teams.

Conclusion

APIs are a central part of the modern digital economy. They are extremely vulnerable to attacks and should be protected with as much care as (if not more than) traditional IT systems like servers and networks.

This article covered several ways you can improve the security of your API endpoints:

  • Authorize users using API keys.
  • Enforce HTTPS for all APIs, even if they appear to be trivial.
  • Use one-way password hashing with strong encryption to protect passwords.
  • Use rate limiting to prevent unreasonable access and block DoS attacks.
  • Validate inputs to avoid code injection attacks.
  • Filter client requests and block unwanted geographies.
  • Consider using XDR systems, a new type of security system that provides holistic protection for APIs.

Hopefully, this will help you design more secure APIs, which can provide great value to users without exposing your organization to attacks.