Best practices for web API security | API security standards

Most of the organizations today offering API as their products, not realizing potential risk of ignoring the web API security precautions. Just like SQL injection were popular 5 to 10 years ago, we could break into any company. Vulnerable APIs are nowadays popular among hackers.

Recently, in one of the tweet by @jae_hak99 shows, how easy it is to change the email of an account by just passing an extra parameter through URL POST request. (Good old days, right?)

These types of API vulnerability may happen if you don’t follow the web API security precautions. In today’s article, I will share some improvements to increase your web API security. Also, at the end, I will share some GitHub repositories containing more information about the web API security precautions, you should keep those precautions in mind, while or after developing web APIs.

Authentication

During the authentication don’t use Basic Authentication. Basic Authentication means passing username and password encoded in base64 encoding to the server. You should use JWT(JSON web token) or OAuth for authentication. If you use basic authentication, your API is vulnerable to attacks like BOLA(Broken Object Level Authorization).

Also, use max retry and jail features in Login and use encryption on all sensitive data.

JWT security precautions

If you are already using JWT for authentication, you should keep the following points in mind:-

  • Use random complicated key (JWT secret) to make brute forcing token very hard.
  • Don’t extract the algorithm from the payload. Force algorithm in the backend (HS256 or RS256).
  • Make token expiration (TTL, RTTL) as short as possible.
  • Don’t store sensitive data in the JWT payload, it can be decoded easily.

OAuth security precautions

  • Always validate redirect_uri on server side to allow only whitelisted URLs.
  • Always try to exchange for code not tokens (don’t allow response_type=token).
  • Use state parameter with a random hash to prevent CSRF on OAuth authentication process.
  • Define default scope, and validate scope parameter for each application.

Using HMAC web API security

HMAC(Hash-based message authentication code) provides digital signatures using shared secretes instead of public key encryption. There are two versions of HMAC (Static and Dynamic).

Also read: Google is helping phishing links to pass through security filters.

Using Security testing tools

There are some testing tools to check for web API security.

OWASP Risk Assessment Framework(Free)

You can use OWASP’s Risk Assessment Framework to improve web API security. This is a free tool, but make sure to donate to the developer. Visit GitHub repository of Risk Assessment Framework for user manual. Again I am requesting you to donate to help the developer.

Approov.io (Paid)

Approov.io is a significant expertise in mobile operating systems and runtimes, having delivered advanced analysis tools and contract services to optimize performance of both consumer and highly secure system platforms.

GIXY (Free)

Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.

Conclusion

It is nearly impossible to make anything perfect. Every developer should follow API design standards in order to improve their web API security. Internet has vast information about any topic. We should keep on improving ourselves every day.

Useful links:-

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.