Chapter 80. APIs Are Windows to the Soul

Brook S.E. Schoenfield

Too many times to count, developers, founders, and creators misunderstand the importance of their APIs in application security. “It’s just our API.” An API is the attacker’s gateway to all information processing and storage behind or downstream from the API. If available through the internet, each API routable address will be found, and then the API probed for weaknesses, whether targeted or not. This has been the sad and unfortunate reality on the internet for several decades: all routable addresses receive at least automated attacker attention.

Risks

What can an attacker do with a poorly defended—or worse, undefended—unmonitored API?

Each data mechanism has its own set of issues. Any protocol based on XML will be subject to XML External Entity (XXE) attacks, which can expose information and downstream processing and allow an attacker to redirect processing to their URL. GraphQL might also allow XXE, but GraphQL introspection reveals data, program logic, and data organization (schema). Any API that fails to rigorously disallow unintended data may unwittingly pass attacks to whatever services lie behind the API. Authentication and authorization may not work as intended or include vulnerabilities.

These are just a few examples of the sorts of issues regularly found in APIs.
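The paragraph above names three concrete failure modes: XML payloads that carry a DTD and external entities (XXE), GraphQL endpoints that leave introspection reachable, and APIs that forward fields the caller was never meant to send. The following is an added defensive example, not code from the chapter or its author; it uses only the Python standard library's expat binding and regular expressions, and the sample payloads, the `example.invalid` URL and the `UnsafeInputError` class are constructed for illustration.

```python
"""Pre-parse checks an API front door can apply before a payload reaches the
services behind it: refuse DTDs/entities in XML, refuse GraphQL introspection
outside development, and refuse request fields that are not on an allowlist.
Added example, not the chapter's own code."""
import re
import xml.parsers.expat


class UnsafeInputError(ValueError):
    """Raised when a payload is rejected at the API boundary (constructed name)."""


def parse_xml_without_dtd(data: bytes) -> list:
    """Parse untrusted XML with expat and return the element names seen.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse: an exception raised inside an expat handler propagates out of
    Parse(), so the document is never expanded past the offending token.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeInputError(f"DOCTYPE not allowed (name={name!r})")

    def reject_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeInputError(f"entity declaration not allowed (name={name!r})")

    def reject_external_ref(context, base, system_id, public_id):
        raise UnsafeInputError(f"external entity reference not allowed ({system_id!r})")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


# Matches the introspection root fields; "__typename" is deliberately not
# matched because clients legitimately request it on ordinary queries.
_INTROSPECTION = re.compile(r"\b__(schema|type)\b")


def check_graphql_query(query: str, allow_introspection: bool = False) -> str:
    """Return the query unchanged unless it is an introspection query and
    introspection is disabled (the production setting)."""
    if not allow_introspection and _INTROSPECTION.search(query):
        raise UnsafeInputError("GraphQL introspection is disabled on this endpoint")
    return query


def reject_unexpected_fields(payload: dict, allowed: frozenset) -> dict:
    """Allowlist check: only fields the API contract defines may pass through
    to back-end services; anything else is rejected rather than forwarded."""
    extra = set(payload) - allowed
    if extra:
        raise UnsafeInputError(f"unexpected fields rejected: {sorted(extra)}")
    return payload


if __name__ == "__main__":
    # Constructed sample payloads.
    print(parse_xml_without_dtd(b"<order><item>1</item></order>"))
    for bad in (
        b'<!DOCTYPE order [<!ENTITY ext SYSTEM "http://example.invalid/r">]><order>&ext;</order>',
    ):
        try:
            parse_xml_without_dtd(bad)
        except UnsafeInputError as exc:
            print("rejected XML:", exc)
    try:
        check_graphql_query("{ __schema { types { name } } }")
    except UnsafeInputError as exc:
        print("rejected GraphQL:", exc)
    try:
        reject_unexpected_fields({"id": 7, "is_admin": True}, frozenset({"id", "note"}))
    except UnsafeInputError as exc:
        print("rejected JSON:", exc)
```

Each function fails closed: the payload is dropped at the boundary with a specific reason that can be logged and counted, which is also the signal a monitoring team needs to see an API being probed rather than merely used.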

Orphaned APIs are routinely left receiving ...
