Defending APIs

Book description

Get up to speed with API security using this comprehensive guide full of best practices for building safer and more secure APIs

Key Features

  • Develop a profound understanding of the inner workings of APIs with a sharp focus on security
  • Learn the tools and techniques employed by API security testers and hackers, establishing your own hacking laboratory
  • Master the art of building robust APIs with shift-left and shield-right approaches, spanning the API lifecycle
  • Purchase of the print or Kindle book includes a free PDF eBook

Book Description

Along with the exponential growth of API adoption comes a rise in security concerns about their implementation and inherent vulnerabilities. For those seeking comprehensive insights into building, deploying, and managing APIs as the first line of cyber defense, this book offers invaluable guidance. Written by a seasoned DevSecOps expert, Defending APIs addresses the imperative task of API security with innovative approaches and techniques designed to combat API-specific safety challenges.

The initial chapters are dedicated to API building blocks, hacking APIs by exploiting vulnerabilities, and case studies of recent breaches, while the subsequent sections of the book focus on building the skills necessary for securing APIs in real-world scenarios.

Guided by clear step-by-step instructions, you’ll explore offensive techniques for testing vulnerabilities, attacking, and exploiting APIs. Transitioning to defensive techniques, the book equips you with effective methods to guard against common attacks. There are plenty of case studies peppered throughout the book to help you apply the techniques you’re learning in practice, complemented by in-depth insights and a wealth of best practices for building better APIs from the ground up.

By the end of this book, you’ll have the expertise to develop secure APIs and test them against various cyber threats targeting APIs.

What you will learn

  • Explore the core elements of APIs and their collaborative role in API development
  • Understand the OWASP API Security Top 10, dissecting the root causes of API vulnerabilities
  • Obtain insights into high-profile API security breaches with practical examples and in-depth analysis
  • Use the API attack techniques adversaries employ against APIs to enhance your defensive strategies
  • Employ shield-right security approaches such as API gateways and firewalls
  • Defend against common API vulnerabilities across several frameworks and languages, such as .NET, Python, and Java

Who this book is for

This book is for application security engineers, blue teamers, and security professionals looking forward to building an application security program targeting API security. For red teamers and pentesters, it provides insights into exploiting API vulnerabilities. API developers will benefit from understanding, anticipating, and defending against potential threats and attacks on their APIs. While basic knowledge of software and security is required to understand the attack vectors and defensive techniques explained in the book, a thorough understanding of API security is all you need to get started.

Table of contents

  1. Defending APIs
  2. Foreword
  3. Contributors
  4. About the author
  5. About the reviewer
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Conventions used
    6. Get in touch
    7. Share Your Thoughts
    8. Download a free PDF copy of this book
  7. Part 1: Foundations of API Security
  8. Chapter 1: What Is API Security?
    1. Why API security is important
      1. The growth of the API economy
      2. APIs are popular with developers
      3. APIs are increasingly popular with attackers
      4. Your existing tools do not work well for APIs
      5. Developers often lack an understanding of API security
    2. Exploring API building blocks
      1. Rate limiting
      2. Cryptography
      3. Hashes, HMACs, and signatures
      4. Transport security
      5. Encoding
    3. Examining API data formats
    4. Understanding the elements of API security
      1. DevOps
      2. SAST, DAST, SCA, and WAFs
      3. API management and gateways
      4. API security platforms
    5. Setting API security goals
      1. The three pillars of security
      2. Abuse and misuse cases
      3. Data governance
      4. A positive security model
      5. Risk-based methodology
    6. Summary
    7. Further reading
  9. Chapter 2: Understanding APIs
    1. Understanding HTTP fundamentals
      1. Uniform Resource Locator
      2. Requests
      3. Responses
      4. Methods
      5. Status codes
      6. Sessions
    2. Exploring the types of APIs
      1. REST
      2. GraphQL
      3. RPC
      4. SOAP
      5. WebSockets
    3. Access control
      1. No authentication
      2. HTTP authentication
      3. AWS keyed-HMAC authentication
      4. Session cookies
      5. API keys
      6. OAuth 2.0
      7. Access control best practices and methods
    4. Using JWTs for claims and identity
    5. Summary
    6. Further reading
  10. Chapter 3: Understanding Common API Vulnerabilities
    1. The importance of vulnerability classification
    2. Exploring the Open Worldwide Application Security Project API Security Top 10
      1. Object-level vulnerabilities
      2. Authentication vulnerabilities
      3. Function-level vulnerabilities
      4. Data vulnerabilities
      5. Configuration vulnerabilities
      6. Implementation vulnerabilities
    3. Vulnerabilities versus abuse cases
      1. Exploring abuse cases
    4. Business logic vulnerabilities
    5. Preview of the Open Worldwide Application Security Project API Security Top 10 2023
    6. Summary
    7. Further reading
  11. Chapter 4: Investigating Recent Breaches
    1. The importance of learning from mistakes
    2. Examining 10 high-profile API breaches from 2022
      1. 1–Global shipping company
      2. 2–Campus access control
      3. 3–Microbrewery application
      4. 4–Cryptocurrency portal
      5. 5–Dating application
      6. 6–The All in One SEO WordPress plugin
      7. 7–X account information leakage
      8. 8–Home router
      9. 9–Remote access to two popular vehicles
      10. 10–Smart Scale
    3. Key takeaways and learning
    4. Summary
    5. Further reading
  12. Part 2: Attacking APIs
  13. Chapter 5: Foundations of Attacking APIs
    1. Technical requirements
    2. Understanding API attackers and their methods
      1. Interacting with APIs
      2. Finding API keys
      3. Enumeration and discovery of APIs
      4. Fuzzing API endpoints
      5. Attacking JWTs
    3. Mastering the tools of the trade
      1. CLI clients (HTTPie/cURL)
      2. Postman
      3. Browser tools
      4. Burp Suite
      5. Reverse proxies
    4. Learning the key skills of API attacking
      1. Building a laboratory
      2. Hacking vulnerable APIs
      3. Training courses
    5. Summary
    6. Further reading
  14. Chapter 6: Discovering APIs
    1. Technical requirements
    2. Passive discovery
      1. Google
      2. Offensive security Google database
      3. Other API-specific searchable databases
      4. Code analysis techniques
    3. Active discovery
      1. Network discovery and scan
      2. OWASP ZAP
      3. Burp Suite
      4. Reverse-engineering mobile apps
      5. Postman
    4. Implementation analysis
      1. Verbose error and debug messages
      2. OS and framework enumeration
      3. Timing or volume attacks
      4. Utilizing online tools such as BuiltWith or Wappalyzer
      5. Evading common defenses
    5. Summary
    6. Further reading
  15. Chapter 7: Attacking APIs
    1. Technical requirements
    2. Authentication attacks
      1. Insecure implementation logic
      2. Attacking design weaknesses
    3. Authorization attacks
      1. Object-level authorization
      2. Function-level authorization
    4. Data attacks
    5. Injection attack
      1. Detecting injection vulnerabilities
      2. SQL injection
      3. NoSQL injection
      4. Command injection
      5. Path traversal
      6. Server-side request forgery
    6. Other API attacks
      1. API abuse
      2. Unrestricted access to sensitive business flows
      3. Business logic attacks
    7. Summary
    8. Further reading
  16. Part 3: Defending APIs
  17. Chapter 8: Shift-Left for API Security
    1. Technical requirements
    2. Using the OpenAPI Specification
      1. Data
      2. Security
      3. Generating client and server code
    3. Leveraging the positive security model
    4. Conducting threat modeling of APIs
    5. Automating API security
      1. CI/CD integration
      2. Semgrep
    6. Thinking like an attacker
    7. Summary
    8. Further reading
  18. Chapter 9: Defending against Common Vulnerabilities
    1. Technical requirements
    2. Authentication vulnerabilities
      1. Handling JWTs securely
      2. Implementing OAuth2
      3. Password and token hardening
      4. Securing the reset process
      5. Handling authentication in code
    3. Authorization vulnerabilities
      1. Object-level vulnerabilities
      2. Function-level vulnerabilities
      3. Using authorization middleware
    4. Data vulnerabilities
      1. Excessive data exposure
      2. Mass assignment
    5. Implementation vulnerabilities
      1. Injection
      2. Server-Side Request Forgery
      3. Insufficient logging and monitoring
    6. Protecting against unrestricted resource consumption
    7. Defending against API business-level attacks
      1. Unrestricted access to sensitive business flows
      2. Unsafe consumption of APIs
    8. Summary
    9. Further reading
  19. Chapter 10: Securing Your Frameworks and Languages
    1. Technical requirements
    2. Managing the design-first process in the real world
    3. Using code-generation tools
      1. Swagger Codegen
      2. OpenAPI Generator
    4. Summary
    5. Further reading
  20. Chapter 11: Shield Right for APIs with Runtime Protection
    1. Technical requirements
    2. Securing and hardening environments
      1. Container images
      2. Operating systems
    3. Using WAFs
      1. Understanding the Next-Generation Firewall (NGWAF) and Web Application API Protection (WAAP) products
    4. Using API gateways and API management
      1. Implementing security patterns in the Kong API gateway
      2. Best practices for API gateway protection
      3. Deploying API firewalls
    5. API monitoring and alerting
    6. Selecting the correct protections for your APIs
    7. Summary
    8. Further reading
  21. Chapter 12: Securing Microservices
    1. Technical requirements
      1. Understanding microservices
      2. Securing the foundations of microservices
      3. Securing the connectivity of microservices
      4. Access control for microservices
      5. Running secure microservices in practice
    2. Summary
    3. Further reading
  22. Chapter 13: Implementing an API Security Strategy
    1. Ownership of API security
      1. Understanding your stakeholders
      2. Roles and responsibilities
    2. The 42Crunch maturity model
      1. Inventory
      2. Design
      3. Development
      4. Testing
      5. Protection
      6. Governance
    3. Planning your program
      1. Establishing your objectives
      2. Assessing your current state
      3. Building a landing zone for APIs
    4. Running your program
      1. Building your teams
      2. Tracking your progress
      3. Integrating with your existing AppSec program
    5. Your personal API security journey
    6. Summary
    7. Further reading
  23. Index
    1. Why subscribe?
  24. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Defending APIs
  • Author(s): Colin Domoney
  • Release date: February 2024
  • Publisher(s): Packt Publishing
  • ISBN: 9781804617120