APIs – Security

5 Myths of API Security
Source: http://www.moneygossips.com

Securing your APIs is the most important part of the API design process to prevent hijackers from performing malicious activities via your APIs on your infrastructure and data.

Here are the 4 sections we will discuss:

  • Use HTTPS/TLS for data in motion
  • Authentication
  • Authorization
  • Functional Attacks

Use HTTPS/TLS For Data In Motion

HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP used to secure communication over a computer network. In HTTPS the communication is encrypted using TLS (Transport Layer Security) or, formerly, its predecessor SSL (Secure Sockets Layer).

The goal here is to prevent man-in-the-middle attacks on the data flowing to and from your APIs by enabling HTTPS on your API servers. This encrypts the data in transit and makes it useless to anyone intercepting it.

Authentication

Here are some known ways to implement authentication for APIs:

  • Basic Authentication: this is done by sending the HTTP Authorization header with a base64-encoded username:password value, in the format Basic {base64-encoded-value}.
  • Token Based Authentication: this is done by making an initial request with your username and password to obtain a token. This token is then sent with subsequent requests to the API server.
  • API Keys and Secret: these are usually generated by the API provider via a platform/portal for each consumer; the consumer uses them on subsequent requests to the API server.

Authorization

One very popular way of implementing API authorization (and also authentication) is via the OAuth authorization framework.

OAuth defines four roles:

  • Resource Owner
  • Resource Server
  • Client/Consumer
  • Authorization Server

There are different ways to implement the OAuth framework depending on the use case of your consumers.

There are 5 grant types in the OAuth framework:

  • Authorization Scope Grant: best used when resource owner data is needed; resource owners can also specify which sections of their data they want available to the consumer.
  • Client Credentials Grant: best used to access only public data.
  • Implicit Grant: used for single-page applications; a more secure way to implement this is to use the Authorization Code flow.
  • Resource Owner Credentials Grant: this should only be used when the application is trusted, since the resource owner's credentials are used directly here.

Functional Attacks

  • SQL Injection: this is a way of smuggling SQL fragments into the input parameters your API server passes on to the database. It is good practice to always validate and sanitise user inputs before using them.
  • Fuzzing: this is a way of sending malformed data repeatedly to your APIs in the hope of provoking an error from the API server whose details could help further exploit your APIs. It is really important to handle errors properly in your APIs so that they do not leak such details.
  • Token Hijacking: avoid passing tokens as query parameters, because URLs are usually logged and anyone with access to the API server's filesystem could steal them from the logs. It is preferable to send them in HTTP headers.
  • OWASP: follow OWASP (Open Web Application Security Project) guidance to keep up with best security practices.
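The Authorization-header handling described under Authentication, together with the advice in the Token Hijacking item above, as an added Python example (not code from the original article): it accepts Basic and Bearer credentials from the header only, refuses any request that carries a credential in the query string, and redacts such parameters before a URL reaches the access log. The user table, token table and parameter names are constructed assumptions.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample credential store (hypothetical); a real service keeps
# salted password hashes and issues opaque, expiring tokens instead.
USERS = {"alice": "s3cret"}
TOKENS = {"tok-abc123": "alice"}
SENSITIVE_PARAMS = {"token", "access_token", "api_key"}  # never in a URL


def parse_basic(value):
    """Decode a 'Basic <base64(user:password)>' value; None if malformed."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")  # password may itself contain ':'
    return user, password


def authenticate(headers, url):
    """Authenticated user name or None; credentials come only from the header."""
    # Refuse outright if a credential was put in the query string: it would
    # end up in access logs, proxies and browser history (see Token Hijacking).
    if SENSITIVE_PARAMS & set(parse_qs(urlsplit(url).query)):
        return None
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        creds = parse_basic(value)
        if creds is None or creds[0] not in USERS:
            return None
        # Constant-time compare so response time does not leak how much matched.
        if hmac.compare_digest(USERS[creds[0]].encode(), creds[1].encode()):
            return creds[0]
    elif scheme.lower() == "bearer":
        return TOKENS.get(value)
    return None


def redact_url(url):
    """Mask credential-bearing query values before a URL is written to a log."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in query:
        if name in SENSITIVE_PARAMS:
            query[name] = ["[REDACTED]"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
```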
