Application Program Interfaces, or APIs, are nearly everywhere and are a crucial component of the internet as we currently use it. Designed as bridges between two programs, APIs allow software systems and applications to interact with each other, share information, and let users enter information in one application for use in another. They control the types of requests applications make of each other, how those requests are made, and what format those requests will take.
Sadly, they also share many of the same vulnerabilities as web apps.
APIs have facilitated the shift from single, monolithic web applications to microservices, where loosely coupled services interact to form a cohesive product. This means that APIs play a major role in digital transformation, enabling user-oriented services in B2B applications — most notably including automation and integration. They also offer modern applications of all types the ability to incorporate rich user interfaces within single-page applications, moving away from HTML-based backends.
They are a major component in every cloud-native application being used today and they make modern web applications flexible enough to work with the desires of modern web users. Essentially, if you’re using a web application today, it’s probably using one, if not many, APIs.
Structured Query Language (SQL, officially pronounced ess-cue-el but commonly pronounced “sequel”) is a programming language used to communicate with databases. Many of the servers that store critical data for websites and services use SQL to manage the data in their databases. It is now so commonly used to manage and direct information in applications that hackers have come up with ways to slip their own SQL commands into the database. These commands may change, steal or delete data, and they may also allow the hacker access to the root system.
An SQL injection attack specifically targets this kind of server, using malicious code to get the server to divulge information it normally wouldn’t. This is especially problematic if the server stores private customer information from the website or web application, such as credit card numbers, usernames and passwords (credentials), or other personally identifiable information, which are tempting and lucrative targets for an attacker.
Successful SQL injection attacks typically occur because a vulnerable application doesn’t properly sanitize user-supplied input: it fails to strip out anything that appears to be SQL code. For example, if an application is vulnerable to an injection attack, it may be possible for an attacker to go to a website's search box and type in code that would instruct the site's SQL server to dump all of its stored usernames and passwords for the site.
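The search-box case above, as an added example that is not from the original page: the same lookup built by string concatenation and with a bound parameter, which goes beyond stripping suspicious characters by never letting the input become SQL text at all. The table, rows, function names and search strings are constructed for illustration.

```python
import sqlite3

# Constructed search input of the classic tautology form, used only to
# show how the two query styles treat the same string.
INJECTED_TERM = "x' OR 1=1 --"


def make_db():
    """Build an in-memory catalogue; every row is constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, visible INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("red kettle", 1), ("blue kettle", 1), ("unreleased kettle", 0)],
    )
    return db


def search_vulnerable(db, term):
    # Vulnerable: the term is pasted into the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as part of the query.
    sql = ("SELECT name FROM products "
           "WHERE visible = 1 AND name LIKE '%" + term + "%'")
    return sorted(row[0] for row in db.execute(sql))


def search_safe(db, term):
    # Hardened: the SQL text is fixed and the term is bound as a parameter,
    # so the database always treats it as a value, never as SQL.
    sql = ("SELECT name FROM products "
           "WHERE visible = 1 AND name LIKE '%' || ? || '%'")
    return sorted(row[0] for row in db.execute(sql, (term,)))


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", search_vulnerable), ("safe", search_safe)):
        print(label, "normal  :", fn(db, "kettle"))
        print(label, "injected:", fn(db, INJECTED_TERM))
```

With the concatenated query the `visible = 1` filter is bypassed and the hidden row is returned; with the bound parameter the same input is just a search string that matches nothing.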
In an SQL injection attack, an attacker goes after a vulnerable website to target its stored data, such as user credentials or sensitive financial data. But if the attacker would rather directly target a website's users, they may opt for a cross-site scripting attack. Similar to an SQL injection attack, this attack also involves injecting malicious code into a website or web-based app. However, in this case the malicious code the attacker has injected only runs in the user's browser when they visit the attacked website, and it goes after the visitor directly.
Cross-site scripting attacks can significantly damage a web company’s reputation by placing the users' information at risk without any indication that anything malicious even occurred. Any sensitive information a user sends to the site or the application—such as their credentials, credit card information, or other private data—can be hijacked via cross-site scripting without the owners realizing there was even a problem in the first place.
A Cross-Site Request Forgery (CSRF) attack is when a victim is forced to perform an unintended action on a web application they are logged into. The web application will have already deemed the victim and their browser trustworthy, and so executes an action intended by the hacker when the victim is tricked into submitting a malicious request to the application. This has been used for everything from harmless pranks on users to illicit money transfers.
One way website owners can help cut down on their chance of attack is to have advanced validation techniques in place for anyone who may visit pages on their site or app, especially when it comes to social media or community sites. This will enable them to identify the user’s browser and session to verify their authenticity.