Defending APIs: Uncover advanced defense techniques to craft secure application programming interfaces

Author: Domoney Colin
Release date: 2024
Publisher: Packt Publishing Limited
Page count: 384
File size: 5.8 MB
File type: PDF
Added by: codelibs

Cover....1

Title Page....2

Copyright and Credits....2

Foreword....4

Contributors....6

Table of Contents....10

Preface....18

Part 1: Foundations of API Security....24

Chapter 1: What Is API Security?....26

Why API security is important....26

The growth of the API economy....27

APIs are popular with developers....29

APIs are increasingly popular with attackers....29

Your existing tools do not work well for APIs....30

Developers often lack an understanding of API security....30

Exploring API building blocks....31

Rate limiting....31

Cryptography....31

Hashes, HMACs, and signatures....32

Transport security....33

Encoding....33

Examining API data formats....34

Understanding the elements of API security....38

DevOps....39

SAST, DAST, SCA, and WAFs....40

API management and gateways....40

API security platforms....41

Setting API security goals....42

The three pillars of security....42

Abuse and misuse cases....42

Data governance....43

A positive security model....43

Risk-based methodology....44

Summary....45

Further reading....45

Chapter 2: Understanding APIs....48

Understanding HTTP fundamentals....48

Uniform Resource Locator....49

Requests....49

Responses....51

Methods....52

Status codes....53

Sessions....54

Exploring the types of APIs....54

REST....54

GraphQL....56

RPC....58

SOAP....58

WebSockets....59

Access control....59

No authentication....59

HTTP authentication....59

AWS keyed-HMAC authentication....64

Session cookies....64

API keys....65

OAuth 2.0....65

Access control best practices and methods....71

Using JWTs for claims and identity....72

Summary....74

Further reading....74

Chapter 3: Understanding Common API Vulnerabilities....76

The importance of vulnerability classification....76

Exploring the Open Worldwide Application Security Project API Security Top 10....81

Object-level vulnerabilities....81

Authentication vulnerabilities....83

Function-level vulnerabilities....84

Data vulnerabilities....85

Configuration vulnerabilities....89

Implementation vulnerabilities....91

Vulnerabilities versus abuse cases....93

Exploring abuse cases....93

Business logic vulnerabilities....94

Preview of the Open Worldwide Application Security Project API Security Top 10 2023....95

Summary....97

Further reading....97

Chapter 4: Investigating Recent Breaches....98

The importance of learning from mistakes....98

Examining 10 high-profile API breaches from 2022....99

1–Global shipping company....100

2–Campus access control....103

3–Microbrewery application....105

4–Cryptocurrency portal....107

5–Dating application....108

6–The All in One SEO WordPress plugin....110

7–X account information leakage....112

8–Home router....114

9–Remote access to two popular vehicles....116

10–Smart Scale....118

Key takeaways and learning....123

Summary....124

Further reading....124

Part 2: Attacking APIs....126

Chapter 5: Foundations of Attacking APIs....128

Technical requirements....128

Understanding API attackers and their methods....129

Interacting with APIs....129

Finding API keys....131

Enumeration and discovery of APIs....132

Fuzzing API endpoints....133

Attacking JWTs....135

Mastering the tools of the trade....137

CLI clients (HTTPie/cURL)....137

Postman....138

Browser tools....142

Burp Suite....143

Reverse proxies....148

Learning the key skills of API attacking....150

Building a laboratory....150

Hacking vulnerable APIs....151

Training courses....152

Summary....153

Further reading....153

Chapter 6: Discovering APIs....154

Technical requirements....155

Passive discovery....155

Google....155

Offensive security Google database....157

Other API-specific searchable databases....157

Code analysis techniques....161

Active discovery....163

Network discovery and scan....163

OWASP ZAP....166

Burp Suite....167

Reverse-engineering mobile apps....167

Postman....167

Implementation analysis....167

Verbose error and debug messages....168

OS and framework enumeration....169

Timing or volume attacks....172

Utilizing online tools such as BuiltWith or Wappalyzer....172

Evading common defenses....172

Summary....178

Further reading....179

Chapter 7: Attacking APIs....180

Technical requirements....181

Authentication attacks....181

Insecure implementation logic....181

Attacking design weaknesses....194

Authorization attacks....196

Object-level authorization....196

Function-level authorization....197

Data attacks....198

Injection attack....202

Detecting injection vulnerabilities....202

SQL injection....203

NoSQL injection....203

Command injection....204

Path traversal....205

Server-side request forgery....205

Other API attacks....206

API abuse....206

Unrestricted access to sensitive business flows....206

Business logic attacks....206

Summary....207

Further reading....207

Part 3: Defending APIs....210

Chapter 8: Shift-Left for API Security....212

Technical requirements....212

Using the OpenAPI Specification....213

Data....214

Security....220

Generating client and server code....224

Leveraging the positive security model....226

Conducting threat modeling of APIs....228

Automating API security....229

CI/CD integration....230

Semgrep....232

Thinking like an attacker....234

Summary....235

Further reading....236

Chapter 9: Defending against Common Vulnerabilities....238

Technical requirements....239

Authentication vulnerabilities....239

Handling JWTs securely....239

Implementing OAuth2....242

Password and token hardening....243

Securing the reset process....244

Handling authentication in code....245

Authorization vulnerabilities....247

Object-level vulnerabilities....247

Function-level vulnerabilities....248

Using authorization middleware....249

Data vulnerabilities....254

Excessive data exposure....255

Mass assignment....257

Implementation vulnerabilities....257

Injection....258

Server-Side Request Forgery....258

Insufficient logging and monitoring....259

Protecting against unrestricted resource consumption....259

Defending against API business-level attacks....260

Unrestricted access to sensitive business flows....260

Unsafe consumption of APIs....261

Summary....261

Further reading....262

Chapter 10: Securing Your Frameworks and Languages....264

Technical requirements....264

Managing the design-first process in the real world....265

Using code-generation tools....267

Swagger Codegen....267

OpenAPI Generator....270

Summary....286

Further reading....286

Chapter 11: Shield Right for APIs with Runtime Protection....288

Technical requirements....289

Securing and hardening environments....289

Container images....289

Operating systems....291

Using WAFs....291

Understanding the Next-Generation Firewall (NGWAF) and Web Application API Protection (WAAP) products....293

Using API gateways and API management....293

Implementing security patterns in the Kong API gateway....296

Best practices for API gateway protection....309

Deploying API firewalls....312

API monitoring and alerting....318

Selecting the correct protections for your APIs....321

Summary....322

Further reading....322

Chapter 12: Securing Microservices....324

Technical requirements....325

Understanding microservices....325

Securing the foundations of microservices....330

Securing the connectivity of microservices....333

Access control for microservices....337

Running secure microservices in practice....340

Summary....343

Further reading....343

Chapter 13: Implementing an API Security Strategy....346

Ownership of API security....346

Understanding your stakeholders....348

Roles and responsibilities....350

The 42Crunch maturity model....352

Inventory....352

Design....352

Development....353

Testing....354

Protection....354

Governance....355

Planning your program....355

Establishing your objectives....356

Assessing your current state....356

Building a landing zone for APIs....357

Running your program....358

Building your teams....358

Tracking your progress....359

Integrating with your existing AppSec program....360

Your personal API security journey....361

Summary....362

Further reading....363

Index....364

Other Books You May Enjoy....381

Along with the exponential growth of API adoption comes a rise in security concerns about their implementation and inherent vulnerabilities. For those seeking comprehensive insights into building, deploying, and managing APIs as the first line of cyber defense, this book offers invaluable guidance. Written by a seasoned DevSecOps expert, Defending APIs addresses the imperative task of API security with innovative approaches and techniques designed to combat API-specific safety challenges.

The initial chapters are dedicated to API building blocks, hacking APIs by exploiting vulnerabilities, and case studies of recent breaches, while the subsequent sections of the book focus on building the skills necessary for securing APIs in real-world scenarios.

Guided by clear step-by-step instructions, you'll explore offensive techniques for testing vulnerabilities, attacking, and exploiting APIs. Transitioning to defensive techniques, the book equips you with effective methods to guard against common attacks. There are plenty of case studies peppered throughout the book to help you apply the techniques you're learning in practice, complemented by in-depth insights and a wealth of best practices for building better APIs from the ground up.

By the end of this book, you'll have the expertise to develop secure APIs and test them against various cyber threats targeting APIs.

What You Will Learn:

  • Explore the core elements of APIs and their collaborative role in API development
  • Understand the OWASP API Security Top 10, dissecting the root causes of API vulnerabilities
  • Obtain insights into high-profile API security breaches with practical examples and in-depth analysis
  • Apply the attack techniques adversaries use against APIs to strengthen your defensive strategies
  • Employ shield-right security approaches such as API gateways and firewalls
  • Defend against common API vulnerabilities across several frameworks and languages, such as .NET, Python, and Java

Who this book is for:

This book is for application security engineers, blue teamers, and security professionals looking to build an application security program that targets API security. For red teamers and pentesters, it provides insights into exploiting API vulnerabilities. API developers will benefit from understanding, anticipating, and defending against potential threats and attacks on their APIs. While basic knowledge of software and security is required to understand the attack vectors and defensive techniques explained in the book, a thorough understanding of API security is all you need to get started.
