How to prevent API attacks: Focus on getting Authentication & Authorization right‍

‍

‍

APIs have been on the rise for some time, but their use has accelerated significantly over the last few years.

With 27% of surveyed enterprises doubling their API count and 25% increasing their API count by 51-100% compared to 2021.

While this adoption is advancing business goals and enhancing customer experiences, significantly increasing the exposed attack surface of applications, making them more susceptible to exploitation by malicious actors.

The surface area that is being successfully exploited as 60% of surveyed organizations experienced an API-related breach in the past two years; 74% experienced at least 3.

While it may be overwhelming to address all underlying reasons for these attacks right away, taking steps against the major ones is certainly fruitful.

This article dives deep into one of the major causes of API-induced breaches—authentication and authorization misconfigurations—and how you can avoid them.

‍

What is an API attack:

In simple terms API attacks are successful attempts to access and exploit sensitive data. Malicious attackers make this possible by exploiting API endpoints that are vulnerable due to:

1. Code flaws
2. Business logic vulnerabilities
3. Weak or absent authentication
4. A gap in authorization mechanisms
5. Misconfigurations in infrastructure controls

‍

While transaction-based breaches like injections, XSS, DDOS, MitM are also on the rise, solutions like gateways and WAFs are capable of detecting and responding to them.

So why is it that, despite the availability of these solutions, API-induced breaches are still increasing?

The answer lies in how APIs are built, integrated, and used within an enterprise—in a radically different way compared to source code and other elements.

APIs have evolved from being primarily internal-facing to forming extensive ecosystems, with most enterprises containing anywhere between 500-10,000 APIs.

Each API endpoint (of which there may be 50-100 per API) provides direct access to internal databases and servers.

Attackers exploit these endpoints to access sensitive customer data, proprietary business information, or even the underlying server infrastructure.

One common method attackers use is to find API endpoints with missing or weak authentication and authorization mechanisms. This tactic is alarmingly effective, as out of the top 50 API-induced breaches in 2023, broken authentication and authorization played a major role in 80% of the attacks.

Endpoints are left unauthenticated and unauthorized due to high deployment rates as well as a lack of API Documentation and Inventory.

As a result, applications with compromised endpoints are made live. Affirmed by 40% of surveyed enterprises that reported having authentication errors in production APIs.

Post-production manually testing of each endpoint to find these misconfigurations is also impractical due to the sheer number of APIs.

Attackers are well aware of this, which is why they continuously probe APIs for authentication/authorization issues, often successfully. In fact, 93% of surveyed enterprises reported experiencing both types of vulnerabilities.

Even if manual testing for select endpoints is initiated, it would likely fail due to:

• The integration of open-source APIs
• The addition of third-party APIs complicating the security landscape

No matter the reason, enterprises end up paying the price through slowed business expansion, reputation damage, or loss of loyal customers.

So what can enterprises do to not only defend against these breaches but avoid them altogether?

Here is a step-by-step approach to ensure that your APIs never succumb to a data breach due to authentication and authorization misconfigurations:

‍

A Step-by-Step Approach to Avoiding Authentication and Authorization Misconfigurations

1. Strengthening Authentication Mechanisms

1. The first step in securing your APIs is to strengthen your authentication mechanisms. This can be achieved by implementing strong password policies that enforce password complexity requirements, regular password updates, and password hashing. This ensures that even if an attacker manages to guess a password, they won’t be able to use it without the corresponding hash.
2. Next, enable multi-factor authentication (MFA). MFA requires users to authenticate using multiple factors such as passwords, SMS codes, or biometrics. This adds an additional layer of security, making it harder for attackers to gain unauthorized access.
3. Finally, consider implementing OAuth or OpenID Connect. These industry-standard protocols provide secure authentication and authorization, especially for third-party integrations. They can help prevent authentication and authorization misconfigurations by providing a standardized way of handling authentication and authorization.

2. Enhancing Authorization Controls

Once your authentication mechanisms are robust, the next step is to enhance your authorization controls.

1. Start by implementing robust role-based access control (RBAC). RBAC allows you to define granular roles and permissions, restricting access to sensitive resources based on users’ roles and responsibilities. This can help prevent unauthorized access due to authorization misconfigurations.
2. Next, enforce the principle of least privilege. This principle ensures that users and applications have only the minimum level of access necessary to perform their tasks. By limiting access rights, you can reduce the risk of an attacker gaining access to sensitive information.
3. Finally, regularly review and update your access controls. Conduct periodic audits to identify and remove unnecessary permissions and privileges. This can help ensure that your authorization controls remain effective and up-to-date.

3. Enhance Logging and Monitoring

1. Last but not least, enhance your logging and monitoring capabilities. Enable comprehensive logging to log all relevant API activities, including authentication attempts, access control decisions, and data modifications. This can provide valuable insights into your API activity and help you identify potential security issues.
2. Implement real-time monitoring to detect and alert suspicious activities or security incidents in real-time. This can help you respond to security issues quickly and effectively.
3. Finally, conduct regular security assessments. Perform penetration testing, vulnerability scanning, and security code reviews to identify and remediate security vulnerabilities proactively. This can help you stay ahead of attackers and prevent security breaches.

Following these steps ensures that your APIs are less likely to succumb to a data breach due to authentication and authorization misconfigurations.

‍

Automate discovery of Authentication & Authorization Misconfigurations with Levo:

While these practices are instrumental in mitigating data breaches, continuously testing your APIs across the SDLC is also a crucial step in addressing misconfigurations before they reach the production environment.

To streamline this process, we at Levo have developed a solution that automatically tests endpoints not just for authentication issues and authorization issues but also for:

1. Business logic flaws
2. OWASP Top 10 issues
3. Bespoke tests tailored to your domain

Sounds too good to be true? Book a demo to see it live in action!

‍