As most apps and software development companies move to APIs, the risk of a data breach has increased manifold. This is because APIs serve as the gateways to the application and to the sensitive customer data it holds. The very benefit APIs provide also becomes a threat: the data they carry makes them attractive targets and invites attackers.
Recently, McDonald's app in India exposed an unprotected, publicly accessible API endpoint, leaking every detail from phone numbers to home addresses of its customers. To note, this app, McDelivery by McDonald's, is a home-delivery app that allows Indian consumers to order their food, pay online and track their orders. This vulnerability in the McDonald's app is the latest, but not the only, entry in a long list of data breaches at numerous companies.
Moreover, API breaches are rampant and have affected not only many startups but also the likes of Facebook, Twitter, Buffer and Snapchat. It is evident that these breaches now substantially affect even established and robust web applications.
To raise a flag for data breaches, the Open Web Application Security Project (OWASP) has recently revised its list of top 10 vulnerabilities. They have introduced a substantial new entry: Under-protected APIs.
Quoting OWASP on their inclusion of APIs:
Modern applications and APIs often involve rich client applications, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities. We include it here to help organizations focus on this major emerging exposure.
As soon as APIs were officially introduced into the OWASP Top 10, OWASP security experts were quick to state nine major reasons that can make an API vulnerable. In future the list may grow more exhaustive or some reasons may change. The current list looks like this:
1. Improper Data Sanitization
2. Insufficient Access Control
3. Insecure Direct Object Reference
4. Insufficient Transport Layer Security
5. Sensitive Data Exposure
6. Weak Server-Side Security
7. Improper Key Handling
8. Inconsistent API Functionality
9. Security Misconfiguration
Developers should work from a handy list of countermeasures to allay vulnerabilities in APIs. In most cases, attackers can easily control the complete application once they are inside it, so APIs must be a security priority. Under current industry practice, REST, SOAP and other APIs (through which users normally reach the back-end data) are weak when it comes to access control and monitoring.
As we all know, APIs are more widespread in web applications than they have ever been. Paradoxically, securing them is often ignored or kept on the back burner. The recognition of APIs in the OWASP list as a unique ingredient testifies to the need for a more secure web services environment in this changing world of web applications.
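To make the access-control and monitoring gap concrete, here is an added example (not code from the original post or from any of the companies mentioned): a minimal REST-style handler for GET /customers/<id>, first as an unprotected endpoint of the kind the McDelivery incident illustrates, then with authentication, object-level authorization and an audit log. The customer records, bearer tokens and URL shape are constructed for the demonstration.

```python
import hmac
from typing import Optional, Tuple

# Constructed sample data: the kind of record a delivery app holds per customer.
CUSTOMERS = {
    1001: {"name": "A. Kumar", "phone": "+91-98xxxxxx01", "address": "12 MG Road"},
    1002: {"name": "B. Singh", "phone": "+91-98xxxxxx02", "address": "7 Park Street"},
}
# Constructed bearer tokens mapped to the customer id each session belongs to.
SESSIONS = {"tok-a": 1001, "tok-b": 1002}
AUDIT_LOG = []  # one line per authorization decision, for monitoring

def get_customer_unprotected(customer_id: int) -> Tuple[int, dict]:
    """'Before': no authentication at all. Anyone who can reach the endpoint
    can read any customer's record just by supplying its id (IDOR on an
    open endpoint), which is the failure mode described in the post."""
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, {"error": "not found"})

def _caller_from_header(auth_header: Optional[str]) -> Optional[int]:
    """Resolve an 'Authorization: Bearer <token>' header to a customer id.
    hmac.compare_digest keeps the comparison constant-time."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    presented = auth_header[len("Bearer "):]
    for token, owner in SESSIONS.items():
        if hmac.compare_digest(presented, token):
            return owner
    return None

def get_customer(customer_id: int, auth_header: Optional[str]) -> Tuple[int, dict]:
    """'After': authenticate, enforce object-level authorization (the caller
    may only read its own record), and log every decision so that repeated
    denials or id enumeration show up in monitoring."""
    caller = _caller_from_header(auth_header)
    if caller is None:
        AUDIT_LOG.append(f"DENY unauthenticated GET /customers/{customer_id}")
        return 401, {"error": "authentication required"}
    if caller != customer_id:  # owner-only; this demo has no admin role
        AUDIT_LOG.append(f"DENY user={caller} GET /customers/{customer_id}")
        return 403, {"error": "forbidden"}
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, {"error": "not found"}
    AUDIT_LOG.append(f"ALLOW user={caller} GET /customers/{customer_id}")
    return 200, record
```

The ownership check runs before the existence lookup, so a caller probing other ids gets a uniform 403 and cannot learn which ids exist.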