API  Authentication  Authorisation
Vikas Khanna

Unpacking API Security: A Personal Experience with Apple’s Authentication and Access Control Vulnerabilities


API security is an essential pillar of modern cybersecurity, ensuring systems remain robust against evolving threats. Offensive Security Technical Specialist Vikas Khanna leverages his expertise in application security and his hobby of bug bounty hunting to uncover vulnerabilities in high-profile platforms. At Sekurokon 2024, Vikas explained why API security is so important and some of the methods attackers use to breach it. He then delved into two critical flaws he identified within Apple’s ecosystem, an authentication bypass and an access control vulnerability, shedding light on their implications and sharing strategies to strengthen API defences.

Watch the full presentation below or read the detailed insights in our blog to dive into Vikas’s findings and best practices for API security.

Importance of API Security

Vikas highlighted the pivotal role APIs play in modern applications:

  • APIs are the backbone of mobile and web applications, enabling them to retrieve data, authenticate users, and connect to back-end services.
  • They act as bridges, allowing different software systems to communicate and share data seamlessly, regardless of the underlying technology or platform.
  • APIs empower organisations to leverage external functionalities, like Google Maps or payment gateways, without building them from scratch.

Some consider APIs the future of the internet, but with great power comes great responsibility. Vikas shared alarming statistics underscoring the risks:

  • The Firetail API Security Report reveals an 80% increase in API breaches in 2024.
  • A staggering 108 billion API attacks were recorded from January 2023 through June 2024, underscoring the relentless assaults on this critical digital interface. Such breaches can result in data theft, reputational damage, regulatory fines, and significant financial losses.
  • Authentication and authorisation remain the top two primary attack vectors.

These statistics underscore the urgency of fortifying API security. Sekuro provides tailored services to help organisations address these threats and safeguard their digital assets. Learn more here.

Common API Security Concerns

Vikas identified several prevalent API security concerns, explaining their risks and potential impacts:

Broken User Authentication

This is the top API threat, occurring when attackers bypass authentication mechanisms. Once inside, they gain unauthorised access to sensitive organisational data.

Broken Object Level Authorisation (BOLA)

This arises when users can access data belonging to other users due to improper authorisation checks, leading to potential data breaches.

Excessive Data Exposure

When APIs or applications are misconfigured, they might expose excessive data. For example, instead of returning only requested user data, they may inadvertently include information from other users. This often occurs due to client-side filtering, which attackers can bypass to access restricted data.
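The two concerns above, BOLA and excessive data exposure, usually live in the same handler: the server looks an object up by a client-supplied ID without checking who owns it, and then returns the whole record and leaves filtering to the client. The following is an added example, not code from the talk or from any Apple system, showing that handler beside a hardened version. The order records, the user names and the function names (`get_order_vulnerable`, `get_order`, `PUBLIC_FIELDS`) are constructed for illustration.

```python
# Added example: an in-memory order lookup that contrasts a BOLA +
# excessive-data-exposure handler with the hardened form.
# All data below is constructed sample data, not real orders.

ORDERS = {
    "1001": {"id": "1001", "owner": "alice", "product": "Decals Kit",
             "status": "shipped", "address": "1 Sample St",
             "phone": "555-0100", "internal_notes": "fraud score 0.1"},
    "1002": {"id": "1002", "owner": "bob", "product": "Signage Kit",
             "status": "processing", "address": "2 Sample Ave",
             "phone": "555-0101", "internal_notes": "VIP"},
}

# Allowlist of fields a customer may see about their own order. Anything
# not listed (address, phone, internal notes) never leaves the server.
PUBLIC_FIELDS = ("id", "product", "status")


def get_order_vulnerable(session_user, order_id):
    """Broken object-level authorisation: the authenticated user is ignored,
    the lookup trusts the client-supplied ID, and the full record is
    returned on the assumption that the client will hide the rest."""
    order = ORDERS.get(order_id)
    if order is None:
        # Also leaks which IDs exist, which makes enumeration cheaper.
        return 404, {"error": "order %s not found" % order_id}
    return 200, dict(order)


def get_order(session_user, order_id):
    """Hardened: ownership is checked against the authenticated session
    (the equivalent of a query scoped by both id AND owner), and the
    response is built from an allowlist rather than by removing fields."""
    order = ORDERS.get(order_id)
    # Identical response for "does not exist" and "not yours", so the
    # endpoint does not act as an oracle for valid order IDs.
    if order is None or order["owner"] != session_user:
        return 404, {"error": "not found"}
    return 200, {field: order[field] for field in PUBLIC_FIELDS}
```

The allowlist is the important design choice: a denylist that strips known-sensitive fields silently starts leaking the moment a new column is added to the record, whereas an allowlist has to be extended deliberately.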

Lack of Rate Limiting 

Without proper rate limiting, attackers can overwhelm systems by sending numerous requests. This can result in:

  1. A poor user experience for legitimate customers.
  2. Denial of Service (DoS) attacks, disrupting operations.
  3. Unexpected costs for organisations with subscription-based or per-request billing services.

Security Misconfigurations

Misconfigurations, such as a Cross-Origin Resource Sharing (CORS) policy that improperly relaxes the browser's Same Origin Policy (SOP), can allow an attacker's site to read authenticated API responses from a different origin, exposing sensitive information.
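In practice the "improperly set SOP" is a server that answers the browser's `Origin` request header too generously. The following is an added example, not from the talk, that puts the two common mistakes (reflecting whatever origin arrives, and matching origins by substring) next to an exact-match allowlist. The origins in `ALLOWED_ORIGINS` and the function names are constructed for illustration.

```python
# Added example: three ways a server might compute CORS response headers
# from the browser's Origin header. reflect_origin() and
# allow_by_substring() are the misconfigurations; cors_headers() is the
# hardened version. Origin values are constructed.
from urllib.parse import urlsplit

# Exact origins (scheme + host, and port if non-default) that may read
# authenticated responses. Constructed for this example.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def reflect_origin(request_origin):
    """Misconfigured: echoes any Origin and allows credentials, so any site
    a victim visits can read their authenticated API responses."""
    if request_origin is None:
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def allow_by_substring(request_origin):
    """Also misconfigured: a substring test accepts attacker-controlled
    hosts such as https://example.com.evil.test."""
    if request_origin and "example.com" in request_origin:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers(request_origin):
    """Hardened: normalise the Origin and require an exact allowlist match.
    Returning {} (no CORS headers) makes the browser block the read."""
    if request_origin is None:
        return {}  # same-origin request or non-browser client: nothing to grant
    try:
        parts = urlsplit(request_origin)
    except ValueError:
        return {}
    # A real Origin is scheme://host[:port] only; reject anything else,
    # including the literal "null", userinfo, paths and http downgrades.
    if (parts.scheme != "https" or not parts.netloc or "@" in parts.netloc
            or parts.path or parts.query or parts.fragment):
        return {}
    normalised = "%s://%s" % (parts.scheme, parts.netloc.lower())
    if normalised not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalised,
            "Access-Control-Allow-Credentials": "true",
            # Tell caches the response depends on Origin, otherwise one
            # origin's grant can be served to another.
            "Vary": "Origin"}
```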

By addressing these concerns, organisations can strengthen their defences and reduce vulnerabilities in their API ecosystems.

Real-World Case Studies: Apple Bugs

Vikas shared his experience uncovering critical vulnerabilities in Apple’s systems, using two impactful cases:

Case 1: Vikas discovered a flaw in a specific Apple subdomain that allowed him to access sensitive data belonging to various organisations. (For the detailed walkthrough, skip to 11:16 in his presentation.)

Case 2: While purchasing items like the “Apple Pay Decals Kit” and “Apple Pay Signage Kit” from the “Apple Pay Supplies” app, Vikas manipulated the order ID string and exploited a lack of rate limiting. This enabled him to send multiple requests, resulting in access to the data of 500 users. Exposed details included names, addresses, telephone numbers, product information, and order dates. (For the detailed walkthrough, skip to 15:57 in his presentation.)

Lessons Learned and Best Practices

Vikas presented these key takeaways to strengthen API security:

Authentication and Authorisation:
APIs should require proper authentication and enforce strict authorisation checks to prevent unauthorised access.

Rate Limiting and Throttling:
Implementing rate limiting can protect against abuse and brute force attacks.

Encryption:
Data transmitted through APIs should be encrypted to prevent interception and tampering.

Error Handling:
APIs should not expose sensitive information in error messages, which can be exploited by attackers.

Regular Audits:
Regular security audits and penetration testing of APIs can help identify vulnerabilities before they are exploited.
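Case 2 above hinged on two gaps together: the order lookup did not verify ownership, and nothing stopped one client from walking through order IDs as fast as it liked. The ownership check is the first line of defence; the "Rate Limiting and Throttling" takeaway is what bounds the blast radius when any check is missed. The following is an added example, not from the talk, of a per-client sliding-window limiter in front of an order-lookup endpoint. The limits, user names and function names are hypothetical, and the request sequence is constructed.

```python
# Added example: a sliding-window rate limiter keyed on the authenticated
# identity, applied to an order-lookup endpoint. Limits and names are
# hypothetical; the burst simulated at the bottom is constructed.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allows at most `limit` requests per `window` seconds per client key.
    The current time is passed in explicitly so behaviour is deterministic."""

    def __init__(self, limit=10, window=60.0):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client key -> request timestamps

    def check(self, client_key, now):
        """Returns (allowed, retry_after_seconds)."""
        q = self._hits[client_key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:      # discard hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            # Budget is exhausted until the oldest hit ages out.
            return False, q[0] + self.window - now
        q.append(now)
        return True, 0.0


def lookup_order(limiter, session_user, order_id, now):
    """Returns (status, body). Keying on the authenticated user rather than
    only the source IP means rotating IPs does not reset the budget."""
    allowed, retry_after = limiter.check(session_user, now)
    if not allowed:
        return 429, {"error": "too many requests",
                     "Retry-After": int(retry_after) + 1}
    # The ownership check and field allowlisting for the order would go
    # here; this example only exercises the limiter.
    return 200, {"id": order_id}


def simulate_burst(limiter, session_user, n, start, spacing=0.1):
    """Fires n lookups `spacing` seconds apart and returns (ok, rejected),
    i.e. how much of a burst the limiter lets through."""
    ok = rejected = 0
    for i in range(n):
        status, _ = lookup_order(limiter, session_user,
                                 "1000%d" % i, start + i * spacing)
        if status == 200:
            ok += 1
        else:
            rejected += 1
    return ok, rejected
```

Two points worth carrying into a real deployment: the limit should be keyed on the strongest identity available (session or API key, falling back to IP for unauthenticated routes), and a sustained stream of 429s from one principal against a lookup-by-ID endpoint is itself a useful detection signal, since legitimate customers rarely request hundreds of distinct order IDs in a minute.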

Learn more about adopting a Zero Trust approach to secure your organisation’s APIs and infrastructure.
