In January of 2023, Twitter suffered a data breach that exposed the usernames and emails of 235 million users. The cause of the attack? A zero-day API vulnerability. Although Twitter reported that additional personal information was most likely not exposed, the concern at the time was that malicious actors would use the names and emails of anonymous Twitter users to expose their anonymous identity – a particularly dangerous scenario for online activists living in countries that could take advantage of the opportunity to crack down on political dissent.
According to Wallarm, an API security solution, there were over 677 million API attacks in 2022, and Salt Labs reported a 400% increase in API attacks in December of 2022 alone. As the proliferation of APIs contributes to the expanding attack surface of organizations, API attacks will only continue to rise.
In light of these facts, it’s crucial to understand what API attacks are and what your organization can do to defend against them.
What is an API Attack?
An API (application programming interface) attack is the hostile use of an API to gain unauthorized access and obtain sensitive and personal information such as protected health information (PHI) and credit card data, to steal or predict authentication tokens, and to cause data breaches.
APIs are used to connect applications and transmit data between customers, employees and third parties and serve as the foundation for communications in IoT infrastructure. When they are used to transfer sensitive data, however, attackers may target them to exploit their vulnerabilities.
5 of the Most Common Types of API Attacks
With Akamai estimating 83% of website traffic to originate from APIs, they have become one of the most frequent attack vectors targeted by attackers over the last decade. As a result, API security is now a key component of cybersecurity. However, as you’ll see below, organizations must apply different security measures to different API attack types.
These attacks and their security protocols include:
- Man-in-the-middle (MITM)
In a Man-in-the-Middle API attack, a malicious attacker intercepts the communication between the API endpoint and a third party. These attacks occur when messages are transmitted unencrypted, sessions are not configured securely, or the network fails to use secure protocols. Simply making sure your API uses Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is a good way to keep Man-in-the-Middle attackers at bay. You can verify that a connection uses TLS by checking for the lock icon in the browser’s address bar.
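The point above is that an API client is only protected if it actually verifies the server's certificate and hostname and refuses plaintext. The following is an added example (not Panorays' code, and not from the original article) showing the weak client configuration beside the corrected one in Python's standard `ssl` module, plus a check that rejects a non-HTTPS base URL. The URL `api.example.com` is a hypothetical placeholder.

```python
import ssl
from urllib.parse import urlparse

# Hypothetical API base URL, constructed for this example.
API_BASE_URL = "https://api.example.com/v1"


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: certificate and hostname checks switched off.

    Any on-path party can present its own certificate and read or modify
    the traffic. check_hostname must be disabled before verify_mode is
    relaxed, otherwise the ssl module raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: verify the server chain against the system
    trust store, check the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_mitm_resistant(ctx: ssl.SSLContext) -> bool:
    """Audit check a deployment test can run against any client context."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def enforce_https(url: str) -> str:
    """Reject API base URLs that would send tokens and data in the clear."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-TLS API endpoint: {url}")
    return url


if __name__ == "__main__":
    print("hardened context resists MITM:", is_mitm_resistant(hardened_client_context()))
    print("insecure context resists MITM:", is_mitm_resistant(insecure_client_context()))
    print("endpoint accepted:", enforce_https(API_BASE_URL))
```

A useful habit is to run `is_mitm_resistant` and `enforce_https` as part of the service's startup or integration tests, so a `verify=False`-style shortcut left in by a developer fails the build rather than shipping.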
- SQL injection attacks
In these attacks, malicious SQL is injected into an API request. This allows the attacker to steal and exploit data from the SQL database, or even use that database access to launch more harmful attacks, such as a data breach. Web application firewalls (WAFs) analyze and block malicious traffic, and API gateways help defend against these attacks by enforcing authentication and authorization and by limiting excessive requests to a system (e.g. rate limiting).
- DoS or DDoS attack
In a denial of service (DoS) attack, malicious attackers overload an API endpoint with requests, disrupting or halting service completely. Sometimes it is a distraction while the attacker launches an even more damaging attack; an attacker may also demand a ransom in exchange for halting the DoS attack. In a distributed denial of service (DDoS) attack, the requests overwhelm the API endpoint from a distributed network of computers rather than a single computer. WAFs, request verification, penetration testing and rate limiting all help protect against these attacks.
- Brute force attacks
Attackers target APIs by trying every possible username and password combination to gain access to an account or to sensitive data they are not authorized for. These brute force attacks can be prevented by employing rate-limiting policies, which can be applied to the entire system or to a specific IP address or timeframe. Other commercial solutions enable organizations to detect suspicious user behavior (such as many failed logins from the same IP address or excessive bandwidth usage from a single user) and automatically alert the security team.
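To make the two controls in that paragraph concrete (a per-IP rate limit on failed logins, and an alert when the threshold is crossed), here is an added example in Python. It is not Panorays' code or the article's; the sliding-window design, the thresholds and the sample login events are constructed for the example, and the IP addresses are documentation ranges.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class LoginRateLimiter:
    """Sliding-window limiter keyed by client IP.

    After max_failures failed logins inside window_seconds, further attempts
    from that IP are refused until old failures age out, and one alert
    record is produced for the security team.
    """

    def __init__(self, max_failures: int = 5, window_seconds: float = 60.0):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.alerts: List[dict] = []

    def _prune(self, ip: str, now: float) -> Deque[float]:
        """Drop failure timestamps that have fallen out of the window."""
        q = self._failures[ip]
        cutoff = now - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def allow(self, ip: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        return len(self._prune(ip, now)) < self.max_failures

    def record_failure(self, ip: str, now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        q = self._prune(ip, now)
        q.append(now)
        if len(q) == self.max_failures:  # threshold just crossed: alert once
            self.alerts.append({"ip": ip, "failures": len(q), "at": now})

    def record_success(self, ip: str) -> None:
        """A genuine login clears the counter for that client."""
        self._failures.pop(ip, None)


def replay(limiter: LoginRateLimiter, events: List[Tuple[float, str, bool]]) -> int:
    """Feed (time, ip, login_ok) events through the limiter, the way an API
    gateway would see them. Returns how many attempts were refused."""
    blocked = 0
    for t, ip, ok in events:
        if not limiter.allow(ip, t):
            blocked += 1
            continue
        if ok:
            limiter.record_success(ip)
        else:
            limiter.record_failure(ip, t)
    return blocked


# Constructed sample: six rapid failures from one address, one normal login
# from another, and a retry from the first address after the window passes.
SAMPLE_EVENTS: List[Tuple[float, str, bool]] = [
    (0.0, "203.0.113.9", False),
    (1.0, "203.0.113.9", False),
    (2.0, "198.51.100.4", True),
    (2.0, "203.0.113.9", False),
    (3.0, "203.0.113.9", False),
    (4.0, "203.0.113.9", False),
    (5.0, "203.0.113.9", False),
    (70.0, "203.0.113.9", True),
]


def run_sample() -> Tuple[int, int]:
    """Returns (attempts blocked, alerts raised) for SAMPLE_EVENTS."""
    limiter = LoginRateLimiter(max_failures=5, window_seconds=60.0)
    blocked = replay(limiter, SAMPLE_EVENTS)
    return blocked, len(limiter.alerts)


if __name__ == "__main__":
    print("blocked, alerts:", run_sample())
```

With these settings the fifth failure at t=4 raises the alert, the sixth attempt at t=5 is refused without touching the login handler, the other client is never affected, and the same address is allowed again once its failures have aged out of the 60-second window. In production the counters would live in a shared store such as Redis so every gateway instance sees the same totals.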
- Session hijacking
Also known as session theft, this type of attack occurs when attackers steal or predict a session token to gain unauthorized access to an organization’s system. Web servers usually rely on such tokens, sent to the client browser after a successful login, as the main method of authenticating subsequent requests. Encrypting data, using SSH and passing cookies only over a secure HTTPS connection all help defend against this type of attack.
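Two of the defenses implied above, tokens that cannot be predicted and cookies that never travel over plain HTTP, come down to a few concrete choices on the server. The following is an added example (not the article's or Panorays' code) of a server-side session store in Python: tokens are drawn from a cryptographic random source, only a hash of each token is kept so a leaked store does not hand out live sessions, sessions expire, and the cookie is issued with the Secure, HttpOnly and SameSite attributes. The TTL and the user names are constructed for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


class SessionStore:
    """Server-side session store keyed by a SHA-256 digest of the token."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        # digest(token) -> (user_id, expiry time); the raw token is never stored
        self._sessions: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        """Issue a fresh token after a successful login.

        secrets.token_urlsafe(32) yields 256 bits from the OS CSPRNG, so a
        token cannot be predicted from earlier tokens or from timestamps.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = (user_id, now + self.ttl)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a presented token, or None if unknown/expired."""
        now = time.time() if now is None else now
        key = self._digest(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expiry = entry
        if now >= expiry:
            self._sessions.pop(key, None)  # lazy expiry
            return None
        return user_id

    def revoke(self, token: str) -> None:
        """Logout, or forced invalidation when theft is suspected."""
        self._sessions.pop(self._digest(token), None)


def session_cookie_header(token: str, max_age: int) -> str:
    """Set-Cookie value: Secure keeps the cookie off plain HTTP, HttpOnly
    keeps it away from page scripts, SameSite=Strict stops cross-site sends."""
    return f"session={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Strict"


def cookie_is_hardened(header: str) -> bool:
    """Check a Set-Cookie value carries the attributes that limit theft."""
    attrs = {part.strip().lower() for part in header.split(";")}
    return {"secure", "httponly"} <= attrs and (
        "samesite=strict" in attrs or "samesite=lax" in attrs
    )


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=3600)
    tok = store.create("alice")
    print("Set-Cookie:", session_cookie_header(tok, 3600))
    print("hardened:", cookie_is_hardened(session_cookie_header(tok, 3600)))
    print("lookup:", store.lookup(tok))
    store.revoke(tok)
    print("after revoke:", store.lookup(tok))
```

Pairing the Secure attribute with HTTPS-only endpoints and HSTS is what makes "passing cookies over a secure HTTPS connection" enforceable rather than a convention; rotating the token on login and on privilege changes closes the remaining fixation-style gap.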
Defend Your API Endpoint Against Exploitation of Sensitive Data
According to Google Cloud’s 2022 report on API security, 60% of organizations don’t have a specific API security strategy in place. This is critical because traditional defense mechanisms such as firewalls, WAFs, and API gateways aren’t foolproof against newly evolving threats.
API security best practices include:
- Implement zero trust. Every user must be regarded as a potential threat, with access to only the services and information necessary to execute their daily tasks.
- Use the right secure protocols for communication. Although HTTP protocols are used for REST APIs, SOAP’s XML-based protocols are used where additional security is needed, since they can include message-level authentication and encryption. GraphQL is another API protocol that might be relevant.
- Conduct regular penetration tests. This proactively defends against API attacks by discovering vulnerabilities before a product is released, giving organizations time to mitigate them by fixing broken or insecure authentication, ensuring error messages are generic and improving code quality.
- Manage third-party risk. Since many API vulnerabilities are introduced or can be exploited by third parties, organizations also need to employ third-party risk management.
How Panorays Can Improve Your API Security
Panorays delivers a 360-degree view of your third-party security with a full attack surface assessment of your suppliers. Its customized automated security questionnaires provide information on supplier and third-party risks, evaluating each risk according to its proper context. Panorays also evaluates third-party compliance with the latest regulations, such as GDPR, HIPAA and PSD2, and their policies on how APIs handle user data. Panorays’ Cyber Risk Rating includes a risk assessment of the multiple layers of your third parties, including the network, application and human layers, to ensure suppliers, contractors, partners and third parties are following the latest best practices related to API security.
An API attack is the exploitation of a vulnerability in an API. This could include misconfigurations, bad patches, weak authentication, or excessive data exposure. Attacks exploit API vulnerabilities to gain access to sensitive data, cause data breaches, disrupt or halt services, or gain access to additional areas of an organization’s network or services. Common types of API attacks are man-in-the-middle, session hijacking, DoS or DDoS attacks and brute force attacks.
API hijacking usually refers to session hijacking or session theft. It occurs when an attacker attempts to steal or predict a token, the main method web servers use for client-server authentication. When API hijacking is successful, the attacker gains unauthorized access to an organization’s system. This can compromise user accounts and expose sensitive data, resulting in a data breach and the need to pay regulatory fines.
An API injection attack is when an attacker injects malicious code into an API request. SQL injection and cross-site scripting (XSS) are the most common forms of this attack. Attackers do this by discovering vulnerabilities in the API, such as broken authentication or insufficient authorization controls. The injected code can send commands to the server to delete or manipulate files on the server. New files executed on the server as a result of API injection can completely compromise an organization’s system.