Aug 3, 2023
As per a 2020 report by Gartner, 85% of organizations are anticipated to adopt the 'cloud-first' approach. This implies that APIs are the future as they serve as the backbone of software development. However, the increasing integration and data flow calls for critical responsibility of API security.
APIs are the interface connecting two application servers enabling them to communicate and share data and resources. Hence, they become a vulnerable point of attack. Speaking of which, OWASP Foundation often publishes a list of the top 10 API risks. According to its 2021 published list, 94% of applications were tested for some type of broken access control. A 3.81% incidence rate was recorded for the same.
Let's begin with understanding what broken access control mean, As the name implies, it is a vulnerability that occurs when an API fails to effectively enforce access rules. It happens when an API's access control measures have flaws or are misconfigured, enabling unauthorized users to get access to sensitive resources or carry out unauthorized actions.
Access control is an important aspect of application security as it ensures that users are granted appropriate permissions and privileges based on their roles and responsibilities. When access control is broken, it can lead to severe security threats, including data breaches, unauthorized modifications, and exposure to sensitive information.
There are different scenarios in which unauthorized access can be granted. Below are some common scenarios that can lead to unauthorized access to APIs:
This type of scenario occurs when an API lacks proper access management. Hence, instead of being restricted to specific roles or authorized users, the API is now open to everybody. This further allows, unauthorized users to access critical resources or perform acts that they should not be permitted to carry out. As a result, sensitive information and features may be stolen or misused by unauthorized persons, posing a severe danger to the system's security.
When developing an API, it is essential to ensure that user IDs are properly protected within the URL. Failure to do so can result in a vulnerability in which an attacker tries to guess or modify user IDs to obtain unauthorized access to another user's information or do malicious operations. Let's understand this by one example.
Consider the webpage https://demo.example.com. When a user logs in, the URL changes to http://demo.example.com/user/12345, where “12345” is the user ID.
It shows a security issue if an attacker changes this user ID to http://demo.example.com/user/12344 and successfully gains access to user 12344's information.
CORS (Cross-Origin Resource Sharing) is a mechanism that allows web browsers to make cross-origin requests, enabling communication between different domains or platforms. However, if the CORS configuration is not set properly, it can lead to excessive data exposure to unauthorized users. As CORS is misconfigured, it can allow untrusted origins to gain access to sensitive information.
An API with an unprotected URL can allow attackers to manipulate the URL in such a way that they can acquire higher-level access or able access to unauthorized content.
E.g. URL: http://demo.example.com/users/12345 provide user information. The attacker can change the URL to http://demo.example.com/admin and gain administrator access and can further perform admin-level operations.
Elevation of privilege happens when an attacker acquires more access or rights than they are permitted to, allowing them to undertake unauthorized actions or access restricted resources.
Accessing authenticated pages or privileged sections of an application as an unauthenticated user or with lower privileges bypasses access controls and grants unauthorized access.
HTTP methods such as GET, PUT, POST, and DELETE perform distinct operations and are used to connect with resources via APIs. It is crucial to appropriately manage the access and permissions of these techniques to prevent unauthorized alteration of user information.
For example, the URL: http://demo.example.com/users/12345 provide user information with the GET method. The attacker changed the method to DELETE and there is a possibility that the user gets deleted due to improper handling of APIs or using the PUT method attacker can change the data as well.
Attackers can manipulate the JWT (JSON Web Token) or cookies metadata to allow them authorized access to the resources.
Addressing these vulnerabilities and placing robust access control measures into effect are crucial for guaranteeing API security and preventing unauthorized access to APIs and their associated resources.
Users can use an API gateway to build centralized authentication and authorization processes. The API gateway acts as a centralized entry point for all API requests, allowing you to specify and enforce access control policies for different APIs from a single location. This centralized method reduces the possibility of unauthorized access by establishing consistent and standardized access control across all APIs.
API gateways provide authentication methods such as basic authentication, JWT authentication, and OAuth to ensure properly authorized user login. These methods help verify user identities and authorize access to API resources, enhancing security.
API gateway allows you to set up CORS configuration for your APIs.This centralized method reduces the possibility of unauthorized access by establishing consistent and standardized access control across all APIs.
While configuring CORS in the API gateway, you can configure allowed domains which helps to protect your APIs from cross-domain attacks. CORS configuration also allows you to define exposed headers, which determine which headers are exposed and available to client applications. This helps regulate the information that cross-origin requests can access, reducing the visibility of sensitive headers.
Additionally, CORS settings in the API gateway can specify additional fields like whether credentials (like cookies or authorization headers) should be included in cross-origin requests, allowed methods (HTTP methods that are allowed for cross-origin requests), allowed headers (headers that are allowed in the requests), and more.
Role-Based Access Management helps to define specified rules and permissions for all APIs. This helps to ensure that users can access appropriate information based on their roles.
In an API Gateway, RBAC can be implemented using Access Control Lists (ACLs). With RBAC and ACLs, you can assign users to different roles and associate each role with a set of predefined access permissions. These permissions determine what actions and resources a user can access based on their assigned role and protect resources from unauthorized access.
The API gateway's logging and monitoring are critical for analyzing API performance and detecting potential harmful actions. You can find patterns that assist you in defining common behavior and spot abnormalities that could suggest malicious activity by recording and analyzing API data.
The API gateway's logging module keeps track of incoming requests, responses, failures, and other pertinent metadata. This information can be used to evaluate the entire API infrastructure, pinpoint bottlenecks, and gauge API performance.
API keys are commonly used to verify the validity of requests coming from client applications. You can generate unique API keys in an API gateway for various applications, such as mobile or web applications.
Additionally, you have the freedom to specify whether the API keys should be sent with the request body, in the request headers, or as query parameters. This flexibility ensures the security of the API by allowing specific verification methods for different types of client applications.
Rate limiting and IP restriction are essential security measures that help protect against harmful automated attacks like DDoS (Distributed Denial of Service). These measures restrict the number of requests made within a specific timeframe and block authorized IPs to ensure the safety of the backend server.