APIs are 'rich targets' for hackers, warn security researchers

Researchers at F5 Labs claim that APIs have become an easy target for hackers.

A combination of factors makes application programming interfaces (APIs) "rich targets" for cyber criminals.

That's according to the 2019 Application Protection Report from cyber security firm F5 Labs, which explores the various attack techniques that can be used to compromise APIs.

According to researchers at the lab, one of the biggest factors that make APIs easy targets is excessively broad permissions. "Because they are not intended for human use, APIs are often set up to access any data within the application environment," wrote researchers Ray Pompon and Sander Vinberg in a blog post.

Permissions are applied when user requests are made and passed on to the API, but the problem is that these controls can be easily compromised by hackers.

They continued: "That is all well and good, until an attack bypasses the user authentication process, going directly to the downstream app. Because the API has unrestricted access, attacks through the API provide attackers with visibility into everything."

F5 Labs described APIs as an "easy target" for the "old, dirty tricks" of cyber criminals, pointing out that their use of URIs [uniform resource identifiers], methods, headers and other parameters can be abused in attacks.

"In fact, most typical web attacks, such as injection, credential brute force, parameter tampering, and session snooping work surprisingly well," said the researchers.

Another key issue, according to the researchers, is visibility. They claim that the industry lacks situational awareness of APIs and their security risks.

"They are supposed to run behind the scenes; this is great until they are compromised behind the scenes, and all of our valuables get stolen behind the scenes," added the researchers.

"As we noted in our API follow-up to last year's report, APIs often connect to ports other than 80/443. They are frequently buried in deep paths somewhere on web servers, and the details of their architecture are often known only by development teams."

They added that the reality is that "security teams may be unaware that connections with that potential impact are even possible in their environment".

To mitigate these threats, F5 said organisations should:

  1. Create an inventory for their APIs and understand their implications to their architecture and failure modes;
  2. Require authentication for APIs; restrict permissions for APIs;
  3. Encrypt API connections;
  4. Use API-specific tools such as proxies or firewalls; and
  5. Test APIs using perimeter scans, vulnerability assessments, and penetration tests.
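The "excessively broad permissions" pattern the researchers describe, and the report's second recommendation (require authentication, restrict permissions), are illustrated below with an added example that is not from the F5 report: a back-end API that trusts the front end to have authenticated the caller, beside a version that authenticates every call itself and scopes results to the caller's own data. Record contents, token names and scope names are constructed for the demonstration.

```python
"""Added example (not from the F5 report): an API endpoint that assumes the
front end already authenticated the user, beside a least-privilege version.
All records, tokens and scope names below are constructed sample data."""
import hmac

# Constructed sample data: records belonging to two different customers.
RECORDS = {
    "r1": {"owner": "acme", "body": "acme invoice"},
    "r2": {"owner": "globex", "body": "globex invoice"},
}


def broad_api(record_id):
    """Weak pattern: the API never checks who is calling, because 'the
    front end handles login'. Anyone who reaches the API directly,
    bypassing that login, can read every record in the environment."""
    return RECORDS.get(record_id)


# Constructed token store: bearer token -> (owner, granted scopes).
SESSIONS = {
    "tok-acme": ("acme", {"records:read"}),
    "tok-noscope": ("globex", set()),
}


def authenticate(token):
    """Return (owner, scopes) for a known token, else None.
    Constant-time comparison so token lookup does not leak timing."""
    for known, identity in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return identity
    return None


def least_privilege_api(token, record_id):
    """Hardened pattern: authenticate on every call, require an explicit
    scope, and only return data the caller owns."""
    identity = authenticate(token)
    if identity is None:
        return {"status": 401}            # not authenticated
    owner, scopes = identity
    if "records:read" not in scopes:
        return {"status": 403}            # authenticated, not permitted
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != owner:
        # Same answer for 'missing' and 'not yours' so record ids of
        # other customers cannot be enumerated through the API.
        return {"status": 404}
    return {"status": 200, "body": rec["body"]}
```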

The report comes as prosecutors in the Capital One hacking case claimed last month that the alleged hacker, Paige Thompson, may have compromised more than 30 other organisations. They added, though, that there is no evidence that she sought to sell or distribute the compromised data in any way.