Issue 243: Economics of API attacks, understanding CORS, blocking compromised API tokens


This week, we have articles on the economics of API attacks and how developers can prevent them, and on creating an API solution wishlist with developers in mind. We also have technical articles on understanding cross-origin resource sharing (CORS) for APIs and on securing APIs by blocking compromised tokens. A double-header from Dana Epp concludes this edition.

Article: The economics of API attacks

First up this week are the thoughts of The New Stack on the economics of API attacks and how developers can stop these attacks. According to the author, APIs have become a prime target for hackers, with 80% of internet traffic flowing through them. Attackers employ an economic model to assess the cost of an attack against the potential returns, which can include data theft, fraud, or the deployment of ransomware. Traditionally, organizations have prioritized securing infrastructure and end-user web applications, inadvertently leaving APIs vulnerable. The rapid pace of development and the shift towards microservices have further emphasized the need for an API-focused security posture.

The report suggests that organizations implement an active, persistent, and consistent discovery and inventory process to map applications and maintain an up-to-date list of APIs, as unmanaged APIs present the highest risk. The author also cautions against the unsafe consumption of third-party APIs and emphasizes the importance of API security across various domains, including mobile, Internet of Things (IoT), and Operational Technology (OT) applications.

Organizations can leverage tools such as API inventory products and API compliance products to identify and assess APIs within their footprint, while API threat detection response solutions can help block API attacks in real time. By investing in comprehensive API security strategies, regular security audits, and continuous employee training, organizations can proactively defend against the ever-evolving landscape of API threats.

Article: API solution wishlist for developers

The second article this week comes courtesy of Forbes and features the thoughts of Steve Rodda (CEO of Ambassador Labs). It emphasizes the importance of selecting the right API solutions for modern enterprises, particularly those operating in complex development environments such as Kubernetes.

Rodda’s viewpoint is that traditional, generic API solutions may not be adequate to meet the unique demands of these environments. According to him, they present the following problems to organizations, and specifically to development teams:

  • Poor performance
  • Lack of customization
  • Scalability issues
  • Suboptimal security
  • Limited monitoring and analytics
  • Reduced flexibility in policy enforcement

Given these challenges, Rodda suggests adopting specialized API solutions that can provide critical features such as:

  • Stronger performance
  • High customization
  • Advanced security features
  • Comprehensive monitoring and analytics
  • Flexible policy enforcement

However, before making the shift to developer-first solutions, Rodda advises considering potential challenges. These include integration issues with existing technology stacks, the need for thorough security assessments, and conducting a detailed cost analysis. It’s crucial to involve all relevant stakeholders in the decision-making process, including developer team leads, CTOs, product managers, support heads, technical writers, and business representatives.

A very interesting read, and I’d strongly recommend curious readers to explore the likes of Ambassador Labs, Solo.io, and Traefik Labs to see the state of the art in API management platforms.

Article: Understanding CORS

In my recent experience of writing a book on API security, I found that one of the least well-understood concepts around API (and web) security is cross-origin resource sharing (CORS). I’m pleased to be able to include this well-written guide to this seemingly challenging topic.

Simply put, CORS is a security mechanism that regulates communication between different websites and APIs. To understand how CORS works, let us consider a typical flow:

  1. Before any API call to a server, the browser sends a preflight request to check if the requesting website is allowed to access the server’s resources.
  2. The server responds with CORS headers, which act as permission slips, specifying the allowed origins, methods, headers, and credentials.
  3. CORS configuration is done on the server side, where developers specify the allowed origins, methods, headers, and credentials.
  4. Postman, a standalone API client, does not enforce CORS policies, allowing requests to any server without considering the CORS policy.
  5. Web browsers strictly enforce CORS policies to prevent unauthorized access to sensitive resources.

In conclusion, CORS errors mostly occur in browsers when one domain tries to access resources from another domain. CORS plays a crucial role in ensuring secure communication between websites and APIs while preventing unauthorized access to sensitive data. CORS is one of those security configurations that should be simple to implement but often trips up organizations; make sure you test your CORS configuration regularly as part of your testing regime.
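The flow above, as an added example that is not from the article: a server-side CORS decision in Node.js-style JavaScript that answers preflight and actual requests from an explicit origin allowlist, emits nothing for clients that send no Origin header (point 4), and leaves enforcement of the response to the browser (point 5). The origins, methods and header names are constructed for the example.

```javascript
// Added example (not from the article). Origins, methods and header names are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// Decide the CORS response for one request. `req` = { method, headers } with
// lowercase header names. Returns { status, headers, allowed }.
function corsDecision(req) {
  const origin = req.headers["origin"];
  // No Origin header: same-origin request or a non-browser client such as
  // Postman, which never enforces CORS. CORS does not apply, so emit no CORS headers.
  if (origin === undefined) return { status: 200, headers: {}, allowed: true };

  // Exact allowlist match. Never reflect an arbitrary Origin back, and never
  // pair "*" with credentials; a substring or regex match would let a
  // lookalike origin through.
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Emit no CORS headers (a browser blocks the response without
    // Access-Control-Allow-Origin) and reject at the server as defence in depth.
    return { status: 403, headers: {}, allowed: false };
  }
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's headers to another
  };

  // Preflight: the browser sends OPTIONS with Access-Control-Request-Method only
  // for non-simple requests (e.g. an Authorization header, JSON bodies, PUT/DELETE).
  const reqMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && reqMethod !== undefined) {
    const reqHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const methodOk = ALLOWED_METHODS.includes(reqMethod.toUpperCase());
    const headersOk = reqHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!methodOk || !headersOk) return { status: 403, headers: {}, allowed: false };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // browser may cache this preflight for 10 minutes
    return { status: 204, headers, allowed: true };
  }
  // Actual request from an allowed origin: the handler runs and these headers are added.
  return { status: 200, headers, allowed: true };
}
```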

Article: Securing APIs to block compromised tokens

One of my predictions for 2024 was that API token leakage or theft would continue to proliferate, and there has been no shortage of high-profile incidents in 2024 already. The next article from Security Boulevard discusses four different approaches for dealing with compromised tokens.

Government bodies are clamping down heavily on institutions that handle sensitive customer data, and tokens are what authenticate users to APIs. Companies with 10,000+ employees have at least 250 APIs actively deployed, and this number is set to increase by 100% by the end of 2027.

The author recommends the following approaches:

  • Token Revocation Lists (TRLs) are central repositories of invalid tokens and are used to deny access to compromised tokens. They require diligent management and careful consideration to avoid operational burdens.
  • Token blacklisting involves a mechanism where compromised tokens are blacklisted within an authentication system or server, preventing further usage.
  • Token Expiration and Renewal: For organizations with limited IT resources, setting expiration dates for critical tokens is recommended. This forces users to periodically renew tokens to maintain access, preventing unauthorized control.
  • Token-based Access Control: Token-based access control systems enhance security by adding a layer of protection beyond token validation. Users are authenticated and issued new tokens granting ecosystem-wide access, which can be easily revoked to prevent misuse.

This is not an easy problem to solve at scale, but this is certainly a good starting point.

Article: Using Nuclei any good for API hacking?

In the first of two articles from Dana Epp, he looks at using Nuclei for API hacking. For the unaware, Nuclei is a cutting-edge, template-based vulnerability scanner widely used by bug bounty hunters to scan for low-hanging vulnerabilities.

Dana highlights four ways in which Nuclei can aid in API security testing:

  • Detecting technology in use: Nuclei has templates that can detect the web server delivering content, the programming language being used, and even the type of WAF in place.
  • Finding secondary apps that might provide a foothold: Nuclei can help locate common login pages, admin panels, and portals, which can be valuable for gaining access to API artifacts and conducting reverse engineering and taint analysis.
  • Advanced app detection: The author suggests using Nmap to scan all responding ports on a target, creating a targets.txt file, and then running Nuclei with the -silent switch to efficiently detect exposed secondary apps.
  • Testing leaked API tokens: When potentially leaked API keys are discovered during recon or reverse engineering, Nuclei’s token-spray templates can help determine the service the key belongs to and whether it is valid.

Dana also describes how to integrate Nuclei with Burp Suite … of course. Dana’s conclusion is that Nuclei is potentially a useful tool in the armoury of offensive teams.

Article: Five more Burp extensions for API hacking

In the final article this week, Dana features five more Burp Suite extensions that he recommends for API hacking. The extensions are as follows:

  1. JS Miner: Automatically scans for hardcoded secrets, credentials, and subdomains and can reconstruct source code from JavaScript Source Map Files. This allows for source code-level access to the front end, enabling the use of code analysis tools to detect potentially dangerous functions.
  2. GAP: Helps find potential endpoints and parameters through the web app’s JavaScript, and can generate a custom target wordlist based on the collected data. It can also detect suspect parameters and map them to vulnerability classes.
  3. VPS Proxy: Allows for the automatic creation and deletion of an upstream SOCKS5 proxy on popular cloud services, masking the actual testing host’s IP address from the target. This is useful for preventing blacklisting by WAFs during penetration testing and bug bounty hunting.
  4. Bypass WAF: Designed to trick WAF devices into believing a request is from itself by adding specific headers, modifying the Host Header, performing HTTP Parameter Pollution attacks, and changing the encoding to bypass the WAF in use.
  5. Nuclei Burp Integration: Integrates the Nuclei vulnerability scanner into Burp Suite, automatically pushing detected findings into the Issues panel in the Burp Suite dashboard. This extension allows for tailored scans and easy review of logs within the Burp environment.

Another one for the offensive teams out there. Thanks again, Dana.
