Think Like a Hacker: Reducing Cyber Security Risk by Improving API Design and Protection
Gerhard Giese
Senior Manager, Akamai Technologies, Germany
Gerhard Giese is Industry Strategist at Akamai Technologies. Gerhard started at Akamai in 2010 and
is now manager in the Financial Sector, responsible for customer advisory, information sharing and
consulting. With more than 20 years’ experience in the security field, Gerhard has accumulated in-depth
expertise in network security as well as distributed denial of service (DDoS) mitigation and data theft
prevention. He continues to interact directly with clients as a trusted security adviser, to identify the
most pressing challenges for online businesses. In addition, Gerhard regularly delivers talks at industry
conferences and works as an independent consultant for federal state authorities such as the German
Ministry of IT Defence. Prior to Akamai, Gerhard was a senior network engineer at McAfee. Gerd holds
CISSP and CCSP certifications and is a certified ethical hacker.
Akamai Technologies GmbH, Parkring 20–22, 85748 Garching bei München, Germany
Tel: +49 89 94006-0; E-mail: [email protected]
Abstract: Application programming interface (API) traffic now dominates the Internet. Unlike traditional web forms, APIs are faster and more powerful, but often do not get the correct protection — expanding the security risk for organisations. APIs connect people, places and things to create seamless integrations, richer experiences and new revenue models. This paper deals with what happens when an API is misused, and shows how the exposure to an organisation can be significant. The paper discusses why it is no longer safe to assume APIs will be used as intended or remain hidden to prevent unauthorised access or abuse. To stay ahead of the next cyber security exploit, API developers need to start thinking like a hacker. The paper promotes a proactive approach to identifying, designing, managing and protecting APIs which will minimise the attack surface and prevent damaging data breaches.
KEYWORDS: API, attack surface, apps, Internet of Things (IoT), pen testing, hacking, web security
48 Cyber Security: A Peer-Reviewed Journal Vol. 4, 1 48–57 © Henry Stewart Publications 2398-5100 (2020)
Reducing cyber security risk by improving API design and protection
Figure 1: Fake order calls yielded order number to expose store sales
Source: Akamai (2019)

requests for fake orders were being sent to the API to solicit the confirmation response that included a sequential order number — a simple piece of information revealing the sales at each store to the competition or a potential thief.

API GROWTH AND IMPORTANCE
API use has exploded. Today, there are more than 22,000 APIs searchable on ProgrammableWeb.1 The glue that holds the connected world together, APIs have grown rapidly in number and capabilities. Unlike traditional web forms, they are faster, more powerful and harder to protect, expanding the security risk for organisations.
Gartner predicts that API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications by 2022.2 Usually well documented, APIs provide instructions for connecting people, places and things to create seamless integrations, richer experiences and new revenue models. When an API is misused, the exposure can be significant.
Responding to the Cambridge Analytica scandal which affected as many as 50m profiles, Facebook made several API changes to better protect user information.3 Even as breach after breach is disclosed, companies are still not doing enough to limit API abuse. A computer science student scraped 7m Venmo transactions to show that public activity can still be easily obtained, a year after a privacy researcher downloaded hundreds of millions of transactions.4

OVERLOOKED BY SECURITY
Organisations go to great lengths to secure their applications and web pages but leave the backdoor wide open to valuable data with unfettered API access. A false sense of security exists that assumes APIs will be used as intended by only their mobile apps. Just because an API is not directly exposed, however, does not mean it is not vulnerable
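The sequential order number in the fake-order case at the top of this page is exactly the kind of identifier an API confirmation should never hand out: two confirmations taken some time apart reveal how many orders were placed in between. As an added illustration (not code from the paper or from Akamai), the following Python keeps a leaky confirmation handler beside a hardened one that returns an opaque, unguessable reference and keeps the counter server-side. The store class, handler names and response fields are assumptions made for the example.

```python
import secrets


class Order:
    """Minimal order record for the example; `seq` is the internal counter."""

    def __init__(self, store_id, items, seq):
        self.store_id = store_id
        self.items = list(items)
        self.seq = seq


class OrderStore:
    """Hypothetical order store (constructed for this example)."""

    def __init__(self):
        self._next_seq = 1
        self._by_seq = {}   # seq -> Order, internal bookkeeping only
        self._by_ref = {}   # opaque public reference -> Order

    def _new_order(self, store_id, items):
        order = Order(store_id, items, self._next_seq)
        self._next_seq += 1
        self._by_seq[order.seq] = order
        return order

    def place_order_leaky(self, store_id, items):
        """'Before': the confirmation echoes the global sequential counter.
        Anyone who can place two orders learns how many orders the whole
        system took in between, which is the disclosure Figure 1 describes."""
        order = self._new_order(store_id, items)
        return {"store": store_id, "order_number": order.seq, "status": "confirmed"}

    def place_order_hardened(self, store_id, items):
        """'After': the confirmation carries a random 128-bit reference that has
        no relation to the counter, so consecutive confirmations reveal nothing
        about order volume. The counter stays server-side for bookkeeping."""
        order = self._new_order(store_id, items)
        ref = secrets.token_urlsafe(16)
        self._by_ref[ref] = order
        return {"store": store_id, "order_ref": ref, "status": "confirmed"}

    def lookup(self, order_ref):
        """Resolve a public reference; an unknown reference yields None."""
        return self._by_ref.get(order_ref)


def orders_between(conf_a, conf_b):
    """What an outside observer can infer from two leaky confirmations:
    the number of orders processed system-wide between them."""
    return abs(conf_b["order_number"] - conf_a["order_number"]) - 1


if __name__ == "__main__":
    store = OrderStore()
    first = store.place_order_leaky("store-A", ["widget"])
    for _ in range(5):
        store.place_order_leaky("store-B", ["gadget"])  # other customers' orders
    later = store.place_order_leaky("store-A", ["widget"])
    print("leaky confirmations disclose", orders_between(first, later), "orders placed in between")
    print("hardened confirmation:", store.place_order_hardened("store-A", ["widget"]))
```

The hardened handler still needs the usual controls around it (authenticated clients, a limit on unpaid orders per client); the point shown here is only that the public identifier must carry no business information.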
(GUI) for the keyboard challenged. The use is simple: with one line of bash code, the tool can quickly scan an entire network to determine if any vulnerabilities exist.
Part of a standard administrator toolbox, Nmap was used inconspicuously until recently. While Nmap is helpful in preventing attacks, it has also been frequently misused — allowing attackers to discover insecure entry points. The abuse has put this valuable tool at the centre of a general debate of the legality of port scanning tools.13 Given the controversy surrounding port scans, it is prudent to first understand the potential legal ramifications and obtain prior authorisation before using Nmap to avoid any unintended consequences.

Fierce
While Nmap is a helpful solution for identifying APIs, it lacks speed and provides little intelligence. For further reconnaissance, Fierce is a more aggressive intelligence collection tool. Where Nmap stays passive, Fierce actively tries to exploit domain name system (DNS) servers (although no actual exploitation is performed with the tool itself) by using a common misconfiguration: unrestricted zone transfer information. Zone transfer information contains the complete zone configuration including all registered devices as well as their names and IP addresses. This intelligence is of great value for attackers plotting anything from a simple DDoS to a direct web attack. If the DNS is set up correctly, the tool will begin scanning for typical hostnames such as auth., api. or developer., which results in a list of names and IP addresses. In a second step, the tool executes a reverse lookup by using IPs in the +/- range of the found addresses, which results in a list of new hostnames — attractive targets to attack.
Fierce users are rarely administrative or well-meaning, as this tool is mostly used by aggressors. By understanding the intelligence Fierce will yield about the network, organisations can put the appropriate security measures in place.

Shodan
While most search engines only index the web, Shodan finds, indexes and makes searchable all connected things — from web cams to traffic lights. Paid members even create alerts when new devices are added to their monitored subnets. Organisations can block Shodan from crawling their networks, but attackers will find other ways to exploit vulnerable devices.14
Shodan is another helpful tool for finding insecure pathways, especially in an era of shadow IT where companies are not always aware of what has been developed or connected to their networks. It boosts awareness around security risks as more and more things come online — exposing what hackers already know to the rest of the world — displaying the scale of the attack surface to encourage safer practices.

Sentry MBA and SNIPR
Widely available and easy-to-use account checking tools like Sentry MBA and SNIPR enable online threats to launch credential abuse attacks without much technical expertise. Based on a program originally developed with a disclaimer for users to only run it against their own sites, Sentry MBA is a popular tool in the underground cracking community. Sentry MBA uses hard-coded and outdated HTTP User-Agents, which makes it easier to detect by defenders.15 But it can still cause significant damage, especially for APIs, where it can take control and automate attacks.
SNIPR is the most advanced toolkit for checking credentials against popular websites. It offers support, tutorial videos and an active community that contributes new public configurations, credential leaks, proxy lists, bug reports and enhancement requests. To minimise exposure, it is imperative that
organisations check SNIPR configuration repositories for their websites to fend off any further abuse.16

DESIGNING SAFER APIS
To design APIs that are less likely to become a conduit for attacks, developers should start considering the usage model, user and operational role of each API. Running mobile apps on web APIs is not a good idea as they are two completely different use cases. The same goes for powering multiple user experiences with one API — user and management interfaces for internal and external users, for example. Sometimes regulations, such as the revised Payment Services Directive (PSD2) and Open Banking, stipulate that use cases be kept separate.
To understand the API usage model, developers need to identify and prioritise users and use cases to more easily spot suspicious activity. For example, a partner placing an order should not have the same access as a university student. Some questions to answer include:

• What are the use cases for the API?;
• Who are the intended users?;
• Who are the actual and current users?;
• Which users are more important?

Once the audience and uses are defined, developers need to create additional data points within the API to help differentiate users. With better user identification, it is easier to track anomalous behaviour that could lead to exploitation. To collect additional data about API use, organisations should require users to register, issue API keys and deploy traffic segregation.

MANAGING API TRAFFIC
Sometimes legitimate API users can cause unpredictable load, knowingly or unknowingly. In an example of API overuse, a company in Asia started receiving an abnormal amount of traffic to one of its web addresses, reaching 875,000 requests per second at one point. An initial assessment showed all the hallmarks of a major DDoS attack; however, the incident was not an attack at all. The spike was actually the result of a warranty tool gone haywire. When security started filtering traffic, the tool kept visiting the destination. As subsequent visits did not alter anything in the headers (such as the User-Agent) to bypass mitigations, the intent was not malicious. The company and tool vendor verified this conclusion and a fix was pushed within hours to the affected systems.18
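The detection point made in the Sentry MBA and SNIPR section above, that account-checking tools give themselves away through stale User-Agents and bursts of failed logins, can be turned into a log check. The following Python is an added example, not code from the paper or from any product: the access-log lines are constructed, the login path is an assumption, and the stale-User-Agent patterns are illustrative heuristics (browser versions that have not shipped for years), not any tool's real signatures.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a combined-format access log. The addresses are from
# documentation ranges and none of these requests ever happened.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2020:10:00:01 +0000] "POST /api/v1/login HTTP/1.1" 401 52 "-" "Mozilla/5.0 (Windows NT 5.1; rv:3.6) Gecko/20100101 Firefox/3.6"
203.0.113.10 - - [12/Feb/2020:10:00:01 +0000] "POST /api/v1/login HTTP/1.1" 401 52 "-" "Mozilla/5.0 (Windows NT 5.1; rv:3.6) Gecko/20100101 Firefox/3.6"
203.0.113.10 - - [12/Feb/2020:10:00:02 +0000] "POST /api/v1/login HTTP/1.1" 401 52 "-" "Mozilla/5.0 (Windows NT 5.1; rv:3.6) Gecko/20100101 Firefox/3.6"
203.0.113.10 - - [12/Feb/2020:10:00:02 +0000] "POST /api/v1/login HTTP/1.1" 401 52 "-" "Mozilla/5.0 (Windows NT 5.1; rv:3.6) Gecko/20100101 Firefox/3.6"
203.0.113.10 - - [12/Feb/2020:10:00:03 +0000] "POST /api/v1/login HTTP/1.1" 200 311 "-" "Mozilla/5.0 (Windows NT 5.1; rv:3.6) Gecko/20100101 Firefox/3.6"
203.0.113.10 - - [12/Feb/2020:10:00:03 +0000] "POST /api/v1/login HTTP/1.1" 401 52 "-" "Mozilla/5.0 (Windows NT 5.1; rv:3.6) Gecko/20100101 Firefox/3.6"
198.51.100.7 - - [12/Feb/2020:10:00:05 +0000] "POST /api/v1/login HTTP/1.1" 401 52 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 Safari/605.1.15"
198.51.100.7 - - [12/Feb/2020:10:00:09 +0000] "POST /api/v1/login HTTP/1.1" 200 311 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/605.1.15 Safari/605.1.15"
192.0.2.44 - - [12/Feb/2020:10:01:00 +0000] "POST /api/v1/login HTTP/1.1" 401 52 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/72.0"
192.0.2.44 - - [12/Feb/2020:10:01:01 +0000] "POST /api/v1/login HTTP/1.1" 401 52 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/72.0"
192.0.2.44 - - [12/Feb/2020:10:01:01 +0000] "POST /api/v1/login HTTP/1.1" 401 52 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/72.0"
192.0.2.44 - - [12/Feb/2020:10:01:02 +0000] "POST /api/v1/login HTTP/1.1" 401 52 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/72.0"
192.0.2.44 - - [12/Feb/2020:10:01:02 +0000] "POST /api/v1/login HTTP/1.1" 401 52 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/72.0"
192.0.2.44 - - [12/Feb/2020:10:02:30 +0000] "GET /api/v1/profile HTTP/1.1" 401 52 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/72.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
LOGIN_PATH = "/api/v1/login"  # assumed login endpoint for the example

# Illustrative 'stale browser' heuristics: single-digit Firefox majors and
# MSIE 5-7 have not shipped in years, so a burst of logins claiming them is
# worth a look. Real tool signatures are deliberately not reproduced here.
STALE_UA = [re.compile(r"Firefox/\d\."), re.compile(r"MSIE [5-7]\.")]


def parse(lines):
    """Yield dicts for lines that match the combined log format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
            e["status"] = int(e["status"])
            yield e


def is_stale_ua(ua):
    return any(p.search(ua) for p in STALE_UA)


def max_in_window(times, window):
    """Largest number of events falling inside any span of `window` seconds."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(log_text, window=60, min_failures=5, min_ratio=0.8):
    """Return {ip: [reasons]} for sources that look like credential abuse."""
    attempts, failures, stale = defaultdict(list), defaultdict(list), defaultdict(int)
    for e in parse(log_text.splitlines()):
        if e["method"] == "POST" and e["path"] == LOGIN_PATH:
            attempts[e["ip"]].append(e["ts"])
            if e["status"] == 401:
                failures[e["ip"]].append(e["ts"])
            if is_stale_ua(e["ua"]):
                stale[e["ip"]] += 1
    flagged = {}
    for ip, tries in attempts.items():
        reasons = []
        burst = max_in_window(failures[ip], window)
        ratio = len(failures[ip]) / len(tries)
        if burst >= min_failures and ratio >= min_ratio:
            reasons.append(f"{burst} failed logins within {window}s ({ratio:.0%} failure rate)")
        if stale[ip]:
            reasons.append(f"{stale[ip]} login attempts with a stale User-Agent")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The failure-ratio rule catches the tool regardless of what User-Agent it claims; the User-Agent rule is a cheap second signal that, as the text notes, the older tools still trip. Both thresholds are starting points to tune against the site's own baseline of forgotten passwords.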
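Registration, API keys and traffic segregation from the 'Designing safer APIs' section, and the per-client budget that lets a runaway legitimate tool be told apart from an anonymous flood in 'Managing API traffic', are easiest to see together. The following Python gateway is an added example, not the paper's or Akamai's code; the roles, hostnames, paths, request budgets and alert threshold are constructed for the illustration.

```python
import hashlib
import secrets

# Constructed policy for the example: each audience is served on its own
# hostname (traffic segregation), may call only its own operations, and has a
# per-key request budget. Raw keys are never stored, only their SHA-256 hash.
ROLE_POLICY = {
    "partner": {"host": "partner-api.example",
                "allowed": {("GET", "/catalog"), ("POST", "/orders")}, "rps": 50.0},
    "student": {"host": "public-api.example",
                "allowed": {("GET", "/catalog")}, "rps": 5.0},
}
ALERT_AFTER = 3  # consecutive rejected requests before the key owner is paged


class Client:
    def __init__(self, client_id, role, now):
        self.client_id = client_id
        self.role = role
        self.tokens = ROLE_POLICY[role]["rps"]  # token bucket starts full
        self.last_refill = now
        self.consecutive_rejects = 0


class ApiGateway:
    def __init__(self):
        self._clients = {}  # sha256(key) -> Client
        self.alerts = []    # overuse notices for the operations team

    def issue_key(self, client_id, role, now):
        """Registration: mint a key, keep only its hash, return the raw key once."""
        raw = secrets.token_urlsafe(32)
        self._clients[hashlib.sha256(raw.encode()).hexdigest()] = Client(client_id, role, now)
        return raw

    def _identify(self, raw_key):
        if not raw_key:
            return None
        return self._clients.get(hashlib.sha256(raw_key.encode()).hexdigest())

    def _take_token(self, c, now):
        """Token bucket: refill at `rps` per second up to `rps`, spend one per request."""
        rps = ROLE_POLICY[c.role]["rps"]
        c.tokens = min(rps, c.tokens + (now - c.last_refill) * rps)
        c.last_refill = now
        if c.tokens >= 1.0:
            c.tokens -= 1.0
            return True
        return False

    def handle(self, host, method, path, api_key, now):
        """Return (status, reason). Order: identify, segregate, authorise, budget."""
        c = self._identify(api_key)
        if c is None:
            return 401, "unregistered client"
        policy = ROLE_POLICY[c.role]
        if host != policy["host"]:
            return 403, "this audience is served on a different hostname"
        if (method, path) not in policy["allowed"]:
            return 403, f"{method} {path} not permitted for role {c.role}"
        if not self._take_token(c, now):
            c.consecutive_rejects += 1
            if c.consecutive_rejects == ALERT_AFTER:
                # The key says *who* is hammering the API, so the owner can be
                # contacted rather than the traffic treated as an anonymous flood.
                self.alerts.append(f"{c.client_id} ({c.role}) exceeded {policy['rps']:g} rps")
            return 429, "request budget exhausted"
        c.consecutive_rejects = 0
        return 200, "ok"


if __name__ == "__main__":
    gw = ApiGateway()
    student_key = gw.issue_key("uni-lab-42", "student", now=0.0)
    for _ in range(8):  # a runaway client loops on the same call
        print(gw.handle("public-api.example", "GET", "/catalog", student_key, now=0.0))
    print("alerts:", gw.alerts)
```

Because every request is tied to a registered key and an audience, the checks that mattered in the warranty-tool incident (who is sending this, is it within budget, and whom do we call) are answered by the gateway's own records rather than by guessing from raw request volume.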
• Identify potential security risks: Understand if an API can be accessed with a simple telnet (no encryption), the information retrieved and if the systems used to serve up that information are patched.

Within three months
• Understand who accesses APIs: Determine the use case (internal, business-to-business, business-to-consumer) of the API and whether it is serving multiple purposes and audiences;
• Define appropriate security measures: Examine encryption and authentication options as well as whether there is an organic infrastructure behind an API that needs to be cleaned up, especially for customer-facing APIs.

Within six months
• Select a security solution that allows proactive API protection tailored to the organisation’s needs;
• Set up a proof of concept to confirm functionality and usability;
• Drive a project to protect all APIs, both public and private;
• Establish an annual external penetration test to ensure API security posture is continuously maintained at the highest level.

CONCLUSION
API proliferation benefits enterprises and consumers with faster, value-added services for better user experiences and additional revenue streams. The increasing threat of API exploitation also introduces new security challenges. API developers need to start thinking like a hacker when designing, managing and protecting these valuable and vulnerable integrations. To reduce the attack surface, organisations must first identify the threat vectors with the same visibility as an attacker, starting with an external view from a public network mapping tool. Once the threat landscape is known, the use cases and users for every API must be defined and appropriate security measures put in place. Finally, recognising the dynamic nature of API development and threats, a layered security approach reduces cyber security risk. Like a fresh pot of coffee brewing, keeping good traffic flowing and filtering out bad actors, a secure API will not let another perfectly good cup go to waste.

References
1. ProgrammableWeb, available at https://www.programmableweb.com/apis/directory (accessed 21st February, 2020).
2. Bussa, T., Young, G., Girard, J., Zumerle, D., O’Neill, M., Orans, L., Hils, A., D’Hoinne, J. and Perkins, E. (November 2017), ‘Predicts 2018: Infrastructure Protection’, Gartner, available at https://www.gartner.com/en/documents/3830086 (accessed 21st February, 2020).
3. Hartmans, A. (March 2018), ‘It’s impossible to know exactly what data Cambridge Analytica scraped from Facebook — but here’s the kind of information apps could access in 2014’, Business Insider, available at https://www.businessinsider.com/what-data-did-cambridge-analytica-have-access-to-from-facebook-2018-3?utm_content=buffer069cc&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer-bi (accessed 22nd August, 2019).
4. Whittaker, Z. (June 2019), ‘Millions of Venmo transactions scraped in warning over privacy settings’, TechCrunch, available at https://techcrunch.com/2019/06/16/millions-venmo-transactions-scraped/ (accessed 22nd August, 2019).
5. McKeay, M., Fakhreddine, A. and Ragan, S. (February 2019), ‘[State of the Internet] / Security: Retail Attacks and API Traffic’, Vol. 5, No. 2, p. 16, Akamai, available at https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/state-of-the-internet-security-retail-attacks-and-api-traffic-report-2019.pdf (accessed 21st February, 2020).
6. Ibid., note 5.
7. Ibid., note 6, p. 15.
8. Ibid., note 5, p. 13.
9. Ibid., note 5, p. 13.
10. McKeay, M. and Fakhreddine, A. (September 2018), ‘[State of the Internet] / Security: Credential Stuffing Attacks’, Vol. 4, No. 4, p. 13, available at https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-2018-credential-stuffing-attacks-report.pdf (accessed 21st February, 2020).
11. Barnett, R. (April 2018), ‘The Dark Side of APIs, Part 2’, The Akamai Blog, available at https://blogs.