Types of Application Programming Interfaces (APIs) and Their Security Vulnerabilities


What Is an Application Programming Interface?

API is the acronym for Application Programming Interface. An API is a set of defined rules that describe how computers or applications communicate with one another. A web API sits between the client application and the server, acting as an intermediary layer that handles the data transfer between the two systems.

Types of APIs

There are four main types of APIs, classified by who is allowed to call them:

  • Open APIs − Also known as Public APIs. There are few or no restrictions on accessing these APIs because they are publicly available; at most a developer registers for an API key. "Open" here describes access, not that the implementation is open source.

    Open APIs can be accessed by any developer.

  • Partner APIs − These APIs are exposed only to specific business partners. A developer needs specific rights or a licence in order to access this type of API, because it is not publicly available.

    Partner APIs can be accessed only by authorized developers.

  • Internal APIs − Also known as Private APIs. These APIs are hidden from external users and are implemented for internal use within a company. Many organisations use this type of API between different internal teams to improve their products and services. Because they are never exposed publicly they are often the least protected, so "internal" should not be mistaken for "trusted".

    Internal APIs can be accessed only by internal teams.

  • Composite APIs − This type of API combines different data and service APIs, so that a developer can reach several endpoints with a single call. Their main uses are to speed up execution and improve performance for the end user at the web interface, since one request replaces a chain of round trips.

    Composite APIs are used to combine multiple APIs behind a single call.

Types of API Architectures and Protocols

There are three common API architectures and protocols.

  • REST (Representational State Transfer) − REST is not a protocol like the other web services; it is an architectural style, a set of guidelines for scalable, lightweight and easy-to-use APIs. A REST API follows these guidelines and is used to transfer data from a server to the requesting client, usually as JSON over HTTP.

    Representational State Transfer is a collection of guidelines for lightweight, scalable web APIs.

  • SOAP (Simple Object Access Protocol) − It is a protocol for transferring data across networks and can be used to build APIs. SOAP is standardized by the World Wide Web Consortium (W3C) and uses XML to encode data.

    SOAP comes with standardized extensions such as WS-Security for message-level signing and encryption, which is why SOAP APIs are often described as more secure than REST APIs; the same rigidity also makes them more code-heavy and harder to implement for casual use. SOAP is commonly used for internal and enterprise data transfers that require strict security. In practice the security of either style depends on the implementation: a REST API served over TLS with proper authentication and authorization is not inherently less secure, and a SOAP endpoint that parses untrusted XML still needs its XML parser hardened (for example against external entity injection).

    SOAP is the stricter of the two and is usually chosen where a formal, message-level security standard is required.

  • RPC (Remote Procedure Call) − It is used for communication between two computers: a service running on one machine asks another machine to execute a procedure and receives the result. An RPC API therefore exposes operations (verbs) rather than resources, in contrast to REST.

    XML-RPC − Remote Procedure Call encoded in Extensible Markup Language. This protocol uses a specific XML format to transfer data and is older and simpler than SOAP. A client performs a call by sending an HTTP POST whose body is the XML-encoded method call to a server that implements XML-RPC, and receives the XML-encoded result in the HTTP response.

    JSON-RPC − It is similar to XML-RPC and works the same way, except that the request and response are encoded as JSON instead of XML.
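To make the two RPC encodings concrete, here is an added example (not code from the original page) that encodes the same method call, get_user, as a JSON-RPC 2.0 request and as an XML-RPC methodCall, runs it through a tiny dispatcher standing in for the server, and decodes the result or error on the client side. The service, its single method and the two records are constructed for the example; the XML side uses the standard-library marshaller in xmlrpc.client so the wire format is the real one.

```python
import json
import xmlrpc.client

# Constructed sample service: one method and two fake records (an assumption for the example).
RECORDS = {1: {"id": 1, "name": "alice"}, 2: {"id": 2, "name": "bob"}}


def get_user(user_id):
    """Server-side procedure exposed over both RPC encodings."""
    if user_id not in RECORDS:
        raise KeyError(f"no user {user_id}")
    return RECORDS[user_id]


METHODS = {"get_user": get_user}   # the server's method table; nothing outside it is callable


# ---- JSON-RPC 2.0 ----
def jsonrpc_request(method, params, req_id=1):
    """Client side: the body that is POSTed to the endpoint."""
    return json.dumps({"jsonrpc": "2.0", "method": method, "params": params, "id": req_id})


def jsonrpc_dispatch(body):
    """Server side: decode, look the method up, call it, and encode a result or error object."""
    req = json.loads(body)
    func = METHODS.get(req.get("method"))
    if func is None:
        err = {"code": -32601, "message": "Method not found"}      # code defined by the JSON-RPC spec
        return json.dumps({"jsonrpc": "2.0", "id": req.get("id"), "error": err})
    try:
        result = func(*req.get("params", []))
    except Exception:
        # Detail belongs in the server log; the client gets a generic error, not a traceback.
        err = {"code": -32000, "message": "Server error"}
        return json.dumps({"jsonrpc": "2.0", "id": req.get("id"), "error": err})
    return json.dumps({"jsonrpc": "2.0", "id": req.get("id"), "result": result})


def jsonrpc_decode(body):
    """Client side: returns ('result', value) or ('error', code)."""
    resp = json.loads(body)
    if "error" in resp:
        return ("error", resp["error"]["code"])
    return ("result", resp["result"])


# ---- XML-RPC, same call, XML encoding ----
def xmlrpc_request(method, params):
    """Client side: the <methodCall> XML body for the same call."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def xmlrpc_dispatch(body):
    """Server side: parse the <methodCall>, run it, answer with a <methodResponse> or a <fault>."""
    params, method = xmlrpc.client.loads(body)
    func = METHODS.get(method)
    if func is None:
        return xmlrpc.client.dumps(xmlrpc.client.Fault(-32601, "Method not found"))
    try:
        result = func(*params)
    except Exception:
        return xmlrpc.client.dumps(xmlrpc.client.Fault(-32000, "Server error"))
    return xmlrpc.client.dumps((result,), methodresponse=True)


def xmlrpc_decode(body):
    """Client side: returns ('result', value) or ('fault', code)."""
    try:
        (value,), _ = xmlrpc.client.loads(body)   # loads() raises Fault for a <fault> response
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultCode)
    return ("result", value)


if __name__ == "__main__":
    print(jsonrpc_request("get_user", [1]))
    print(jsonrpc_dispatch(jsonrpc_request("get_user", [1])))
    print(xmlrpc_request("get_user", [1]))
    print(xmlrpc_dispatch(xmlrpc_request("get_user", [1])))
```

Running the block prints the two request bodies side by side: the JSON one is a single object with method, params and id, the XML one is a methodCall document with the same information. The dispatcher's explicit method table is also the security-relevant part of an RPC server: the method name arrives from the client, so it must be looked up in an allow-list rather than resolved dynamically against arbitrary server-side code.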

Vulnerabilities in an API

Vulnerability − A vulnerability is a flaw or error in a system's or device's code or configuration. It can be exploited to compromise the confidentiality, integrity or availability (CIA) of the data stored in or processed by the system, for example through unauthorized access, denial of service or data theft.

List of the OWASP API Security Top 10 vulnerabilities (2019 edition)

  • Broken Object Level Authorization

    Broken object-level authorization (BOLA) is also known as insecure direct object reference (IDOR). It occurs when the server does not properly verify that the currently authenticated user is allowed to read, update or delete the specific object they are requesting, which is usually identified by an id in the URL or request body. The attacker simply changes that id to one belonging to another user.

  • Broken User Authentication

    Poor implementation of API authentication allows attackers to compromise authentication tokens or to impersonate other users. In more general terms, broken user authentication occurs when an API has an authentication mechanism that does not work, or that fails in some cases (weak credential rules, tokens that never expire, no protection against credential stuffing), allowing attackers to present themselves as an authenticated user.

  • Excessive Data Exposure

    API responses should be limited to the data the front-end client actually needs, but developers sometimes make a mistake or take an easy shortcut and build APIs that return whole objects to the client, relying on the front end to filter what is displayed. When an API returns more data than the user needs, including internal or sensitive fields, we call it Excessive Data Exposure.

  • Lack of Resources & Rate Limiting

    If the API is not protected against an excessive number of requests or excessive payload sizes, attackers can use this to cause Denial of Service (DoS) and to exploit authentication flaws through brute-force attacks such as password or token guessing.

  • Broken Function Level Authorization

    An API typically has both user-level and admin-level endpoints. If authorization is enforced only by hiding the admin endpoints from regular users rather than checking the caller's role on the server, an attacker who figures out the "hidden" admin API methods can call them directly.

  • Mass Assignment

    If the API takes data from the client and stores it without filtering it against an allow-list of properties the client may set, an attacker can guess object properties or add extra parameters to their requests (by reading the documentation or probing the API endpoints for clues) and modify fields they are not supposed to control, such as a role flag stored on the backend object.

  • Security Misconfiguration

    Missing or weak security configuration of the API servers (default settings, verbose error messages, unnecessary HTTP methods, permissive CORS, missing TLS) allows attackers to exploit the resulting weaknesses to gain access to the server or its data.

  • Injection

    Attackers are able to construct API calls that include SQL, NoSQL, LDAP, OS or other commands in request parameters; if the API and the backend behind it pass that data to an interpreter without validation or parameterization, the commands are executed, which is an injection.

  • Improper Assets Management

    Attackers find older or non-production versions of the API (for example staging, testing, beta or earlier versions) that are not as well protected or secured as the production API, and use those to launch their attacks. An accurate inventory of hosts and API versions, and retiring the old ones, prevents this.

  • Insufficient Logging & Monitoring

    Lack of proper logging of API activity, monitoring of the traffic reaching the server, and alerting in case of unauthorized access or suspicious activity leaves attackers undetected and free to keep probing.
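The four authorization-related items above (Broken Object Level Authorization, Excessive Data Exposure, Broken Function Level Authorization and Mass Assignment) are easiest to see side by side in one small user API. The following is an added example, not code from the original page or from any real product: an in-memory user store with a vulnerable handler set that has all four flaws and a hardened set with the checks in place. The user records, roles, field names and the caller_id parameter (standing in for the authenticated session) are assumptions made for the example.

```python
import copy

# Constructed sample data: ids, roles and field names are assumptions made for the example.
SAMPLE_USERS = {
    1: {"id": 1, "name": "alice", "role": "user",
        "email": "alice@example.com", "password_hash": "$2b$12$...alice"},
    2: {"id": 2, "name": "bob", "role": "admin",
        "email": "bob@example.com", "password_hash": "$2b$12$...bob"},
}
PUBLIC_FIELDS = ("id", "name")                        # anyone authenticated may read these
PRIVATE_FIELDS = PUBLIC_FIELDS + ("email", "role")    # owner or admin only; password_hash is never returned
CLIENT_WRITABLE = frozenset({"name", "email"})        # allow-list for updates; "role" is deliberately absent


class Forbidden(Exception):
    """Raised by the hardened handlers when an authorization or input check fails."""


class VulnerableApi:
    """Handlers with the flaws described in the text; caller_id is the authenticated user."""

    def __init__(self):
        self.users = copy.deepcopy(SAMPLE_USERS)

    def get_user(self, caller_id, target_id):
        # BOLA: no check that the caller may read target_id. Excessive data exposure: the whole
        # record, password hash included, is returned and the front end is trusted to filter.
        return dict(self.users[target_id])

    def update_user(self, caller_id, target_id, body):
        # Mass assignment: every client-supplied key is written, so body={"role": "admin"} works.
        self.users[target_id].update(body)
        return dict(self.users[target_id])

    def delete_user(self, caller_id, target_id):
        # Broken function-level authorization: an admin-only action with no role check at all.
        return self.users.pop(target_id, None) is not None


class HardenedApi:
    """The same endpoints with object-level, function-level and property-level checks."""

    def __init__(self):
        self.users = copy.deepcopy(SAMPLE_USERS)

    def _is_admin(self, caller_id):
        return self.users[caller_id]["role"] == "admin"

    def _require_owner_or_admin(self, caller_id, target_id):
        # Object-level authorization: the id from the URL is compared with the session's identity.
        if caller_id != target_id and not self._is_admin(caller_id):
            raise Forbidden(f"user {caller_id} may not access object {target_id}")

    def get_user(self, caller_id, target_id):
        record = self.users[target_id]
        fields = PRIVATE_FIELDS if (caller_id == target_id or self._is_admin(caller_id)) else PUBLIC_FIELDS
        # The response is built from an explicit allow-list, so a new sensitive column cannot leak by default.
        return {k: record[k] for k in fields}

    def update_user(self, caller_id, target_id, body):
        self._require_owner_or_admin(caller_id, target_id)
        unknown = set(body) - CLIENT_WRITABLE
        if unknown:
            # Reject rather than silently drop, so probing for hidden properties shows up in the logs.
            raise Forbidden(f"properties not writable by clients: {sorted(unknown)}")
        self.users[target_id].update(body)
        return self.get_user(caller_id, target_id)

    def delete_user(self, caller_id, target_id):
        # Function-level authorization: the role is checked server-side on every call, not by hiding the route.
        if not self._is_admin(caller_id):
            raise Forbidden("delete_user requires the admin role")
        return self.users.pop(target_id, None) is not None


def attempt(handler, *args):
    """Call a handler and return ('ok', result) or ('forbidden', message), as an access log would record it."""
    try:
        return ("ok", handler(*args))
    except Forbidden as exc:
        return ("forbidden", str(exc))


if __name__ == "__main__":
    v, h = VulnerableApi(), HardenedApi()
    print("vulnerable: alice reads bob ->", v.get_user(1, 2))
    print("vulnerable: alice promotes herself ->", v.update_user(1, 1, {"role": "admin"})["role"])
    print("hardened:   alice reads bob ->", attempt(h.get_user, 1, 2))
    print("hardened:   alice promotes herself ->", attempt(h.update_user, 1, 1, {"role": "admin"}))
    print("hardened:   alice deletes bob ->", attempt(h.delete_user, 1, 2))
```

Two design points carry over to real frameworks. First, every hardened check uses the identity from the session (caller_id), never an id the client supplies, and the checks run in the handler rather than in the router, so they cannot be bypassed by discovering an unlisted route. Second, both the readable and the writable field sets are allow-lists: a column added to the table later is invisible and read-only by default, which is the opposite of what the vulnerable handlers do.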
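The Injection item is best shown with the query itself. The following is an added example, not from the original page: a lookup endpoint written twice against an in-memory SQLite table, once by pasting the request parameter into the SQL text and once with a bound parameter, run against the same attacker-controlled username value. The table schema, the sample rows and the payload are constructed for the example.

```python
import sqlite3


def make_db():
    """Build an in-memory table with constructed sample rows (the schema is assumed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The injectable form: the request parameter becomes part of the SQL grammar."""
    sql = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user(conn, username):
    """The safe form: the driver binds the value, so it is only ever compared, never parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A classic tautology payload sent as the "username" query parameter (constructed for the example).
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input :", find_user_vulnerable(conn, "alice"))
    print("vulnerable, payload      :", find_user_vulnerable(conn, PAYLOAD))   # every row comes back
    print("parameterized, payload   :", find_user(conn, PAYLOAD))              # no such username
```

The vulnerable function turns the payload into WHERE username = '' OR '1'='1', which is true for every row, so an endpoint that was meant to return one user's record dumps the table. The parameterized version compares against the literal string "' OR '1'='1" and finds nothing. SQLite's execute() refuses stacked statements, so a ; DROP TABLE payload fails here, but the same string-building mistake against a database that allows them would run it; parameterization (or a query builder that does it for you) is the fix regardless of engine, and the same rule applies to the NoSQL, LDAP and OS-command interpreters the text lists.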
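For the Lack of Resources & Rate Limiting item, the two controls the text names (limiting request rate and limiting payload size) fit in a small gate that runs before a handler does any real work. This is an added example, not code from the original page: a sliding-window limiter keyed per client, a body-size check, and a fake clock so the behaviour can be exercised without waiting. The limits, the status codes and the client keys are assumptions made for the example.

```python
import time
from collections import deque

MAX_BODY_BYTES = 64 * 1024      # assumed limit for this example; size it to the endpoint's real needs
MAX_REQUESTS = 5                # requests allowed per client per window (assumed)
WINDOW_SECONDS = 60.0


class RateLimiter:
    """Sliding-window limiter keyed per client (API key, user id or source address)."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window
        self.clock = clock          # injectable so tests can advance time deterministically
        self.history = {}           # client_key -> deque of request timestamps inside the window

    def allow(self, client_key):
        now = self.clock()
        q = self.history.setdefault(client_key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()             # forget requests that have aged out of the window
        if len(q) >= self.max_requests:
            return False            # over budget: the request is rejected, not queued
        q.append(now)
        return True


def handle_request(limiter, client_key, body):
    """Gate checks that run before parsing or authentication; returns an HTTP-style status code."""
    if len(body) > MAX_BODY_BYTES:
        return 413                  # Payload Too Large: refuse before spending memory on parsing it
    if not limiter.allow(client_key):
        return 429                  # Too Many Requests: the client should back off
    return 200                      # the real handler would run from here


class FakeClock:
    """Manual clock for the demonstration below and for tests."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    login_limiter = RateLimiter(max_requests=3, window=10.0, clock=clock)
    print([handle_request(login_limiter, "10.0.0.5", b"user=alice&pw=guess") for _ in range(4)])
    clock.t += 10.0
    print(handle_request(login_limiter, "10.0.0.5", b"user=alice&pw=guess"))
    print(handle_request(login_limiter, "10.0.0.5", b"x" * (MAX_BODY_BYTES + 1)))
```

Applied to a login or password-reset endpoint with a small per-account budget, the same limiter is what turns an online brute-force attack from thousands of guesses per minute into a handful, which is the authentication-flaw angle the text mentions. The in-process dictionary is only suitable for a single server; behind a load balancer the counters have to live in a shared store, and the limiter should sit as close to the edge as possible so that rejected requests cost the backend nothing.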

Updated on: 25-Aug-2022

