If we look closely, there are lessons to be learned from these five fateful API attacks that can help any organisation secure its APIs better.
The scenario: The helpdesk ticketing platform Zendesk was exposed to attackers thanks to a SQL injection vulnerability in a GraphQL endpoint.
No sensitive data was exposed, but had the vulnerability been discovered and exploited by malicious actors, customer comments, conversations, email addresses and tickets could have been compromised.
The solution: GraphQL is susceptible to injection attacks for a number of reasons.
It introduces new processing steps - the parser, the gateway and the sub-graph resolvers - which can each be exploited as an attack vector.
It also turns multiple API calls into a single call, so more SQL injection damage can be done with a single stroke.
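The injection risk described above sits in the resolver that turns a GraphQL argument into a database query. The following added example (not Zendesk's code, and not from the original article) contrasts a hypothetical `ticket(id: ID!)` resolver that splices its argument into SQL with the same resolver using a parameterised query, plus a regression check that reports whether a resolver returns rows belonging to other users; the table and rows are constructed for the example.

```python
import sqlite3

# Constructed in-memory data for the example; not a real ticketing schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id TEXT, owner TEXT, comment TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", [
        ("1", "alice", "cannot log in"),
        ("2", "bob", "billing question"),
    ])
    return conn

def resolve_ticket_vulnerable(conn, owner, ticket_id):
    """Hypothetical resolver for a `ticket(id: ID!)` field. The GraphQL argument is
    spliced into the SQL string, so the database cannot tell data from query syntax."""
    sql = (f"SELECT id, owner, comment FROM tickets "
           f"WHERE owner = '{owner}' AND id = '{ticket_id}'")
    return conn.execute(sql).fetchall()

def resolve_ticket_safe(conn, owner, ticket_id):
    """Same resolver with a parameterised query: the argument is bound as a value
    and is never interpreted as SQL, whatever characters it contains."""
    sql = "SELECT id, owner, comment FROM tickets WHERE owner = ? AND id = ?"
    return conn.execute(sql, (owner, ticket_id)).fetchall()

def leaks_other_owners(resolver, owner="alice"):
    """Regression check for a resolver: call it as `owner` with an argument that
    carries a quote and a boolean clause, and report whether any row belonging to
    someone else comes back. A correctly parameterised resolver returns none."""
    conn = make_db()
    probe = "1' OR '1'='1"
    rows = resolver(conn, owner, probe)
    return any(row[1] != owner for row in rows)
```

Running `leaks_other_owners` against every resolver in a test suite catches a regression to string-built SQL before the endpoint ships.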
The scenario: This notable API attack started out as a phishing scam.
Most important of all was the way the API keys were ultimately stored.
It is best practice not to hardcode API keys and other credentials directly into source code, for this very reason.
The scenario: This API hack led to the breach - and sale - of millions of Twitter users' personal information online.
This zero-day attack ultimately resulted in 5.4 million breached records and was followed by another, bringing the total to nearly 7 million records.
The solution: To solve systemic API problems, systematic solutions are needed.
Organisations need an API security program that regularly scans for vulnerable APIs, including those that are open source and public-facing, in real time.
Rather than simply building a firewall around them, the next step is to continuously test, verify and triage these APIs at runtime, so that the company can be confident its release is safe.
As APIs continue to grow, evolve, and spread, so do API attacks.
Traditional rule-based and signature-based technologies fall short of catching attacks that work via subtle malicious behaviours, poking around at weak spots undetected for months.
Attackers have time on their hands, and they're willing to wait for Big Game.
Businesses have been quick to cash in on the API goldrush, but the speed of adoption has left API security behind.
From simple exploits to more advanced reconnaissance tactics, attackers have not hesitated to fill those gaps.
By learning from the API mistakes of the past - and anticipating the attacks of the future - we can scale API security to fit the demands of its growth.
This Cyber News was published on www.itsecurityguru.org. Publication date: Mon, 11 Mar 2024 15:43:07 +0000