Unsafe consumption of APIs is one of the vulnerabilities highlighted in the OWASP API Top 10. It refers to API clients making inadequate or insecure use of the data in API responses, which can lead to a significant security incident such as a data breach, unauthorized access, or other malicious activity.
How does unsafe consumption of APIs happen?
APIs facilitate communication between software components. Many applications, sometimes including APIs themselves, request data from APIs. They then take actions based on that data or present that data to their own users and clients. Unsafe consumption of APIs occurs when the connection to an API and the data returned from it are trusted by the API client more than they should be. This misplaced trust usually shows up as weaker requirements for transport security, authentication, and data validation. If attackers identify and target these interconnected services, they might exploit them to compromise the main API.
Several bad practices make a client's consumption of an API unsafe, including the following:
- Communication over unencrypted channels
- Blind redirection following
- Lack of data validation and sanitization
- No resource limits for third-party responses, such as in CPU or RAM usage
- Absence of interaction timeouts while waiting for a response
To prevent unsafe consumption of APIs, it is crucial to implement secure API consumption practices, such as strong authentication, encryption, input validation, and resource limits on the API client in addition to the API server.
Examples of unsafe consumption of APIs.
A badly coded API client does not terminate its communication with the API properly, so the client stays running, with its resources still allocated, after the API exchange has completed. Over time, this fills up the memory on the computer running the API client until the operating system becomes slow or crashes.
An API client requests data from an API, then uses that data to execute a local shell command using string concatenation. If the API responds with data that contains a command injection payload such as “; rm -rf /”, the API client passes it to the shell and executes that command.
An API server receives an authentication token from its users and then, in turn, connects to a different API using an unencrypted communication channel such as HTTP without TLS. This exposes the users’ tokens to interception by any device on the networks used by that communication channel.
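The command-injection example above, as added illustrative code (not Vercara's code or a real client): the unsafe string-concatenation pattern beside a hardened version that allow-lists the response field and passes it as a discrete argv element instead of through a shell. The `dig` lookup, the `hostname` field and both sample responses are constructed assumptions.

```python
import re
import subprocess

# Constructed sample API responses (not real traffic): one benign, one carrying
# the shell-metacharacter payload from the example above.
BENIGN_RESPONSE = {"hostname": "example.com"}
HOSTILE_RESPONSE = {"hostname": "example.com; rm -rf /"}

# Allow-list what a hostname may legitimately contain (RFC 1123 labels joined by dots).
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def build_command_unsafe(response):
    """The pattern from the example: response data concatenated into a shell string.
    Run with shell=True, the ';' ends 'dig' and starts a second, attacker-chosen command."""
    return "dig +short " + response["hostname"]

def is_valid_hostname(value):
    """True only for a str that matches the hostname allow-list (max 253 chars)."""
    return isinstance(value, str) and len(value) <= 253 and bool(HOSTNAME_RE.match(value))

def build_command_safe(response):
    """Validate the field first, then pass it as its own argv element so no shell ever
    parses it; ';', spaces and quotes become literal characters inside one argument."""
    host = response.get("hostname")
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname from API response: {host!r}")
    return ["dig", "+short", host]

def run_lookup(response, timeout=5):
    """Execute the validated argv directly (shell=False) with a bounded wait time."""
    return subprocess.run(build_command_safe(response), capture_output=True,
                          text=True, timeout=timeout, check=False)
```

Note that the hardened version rejects the hostile value before any process is started, so the check is a data-validation step, not an escaping step.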
How unsafe consumption of APIs impacts your business.
The effects of unsafe API consumption vary based on the API’s role and how the data from the API is used. Without secure means to consume APIs, companies face numerous risks, including data breaches, unauthorized access, and service disruptions due to attack vectors like denial-of-service (DoS) attacks. An incident involving unsafe consumption of APIs can lead to regulatory fines, lawsuits, customer churn, loss of revenue, and damaged business reputation.
Fixing insecure API consumption.
Businesses can take several measures to identify and mitigate risks with unsafe API consumption.
- Perform code review for API clients focusing on data validation, networking communications, and output to other processes such as system calls or other APIs.
- Use system libraries and functions for API clients that have built-in limitations such as timeouts, process management, and resource consumption.
- Perform network analysis to understand if the communications channel to an API is secure. This involves both passive capture of API network traffic and active vulnerability scanning of the API.
- Build an inventory of APIs that are authorized for use as part of a Software Bill of Materials (SBOM) and evaluate the security of any new API or API client.
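The bad-practices list earlier on the page (plaintext channels, blind redirects, missing validation, no resource limits, no timeouts) and the mitigations above, as one added example of client-side consumption policy; this is illustrative code, not Vercara's or any library's. The host allow-list, size cap, expected schema and sample bodies are constructed assumptions; the timeout itself belongs on the HTTP call that produces the body stream (for example the `timeout=` argument of `urllib.request.urlopen`).

```python
import io
import json
from urllib.parse import urlsplit, urljoin

MAX_BODY_BYTES = 1 << 20                 # cap on third-party response bodies (assumed policy)
TRUSTED_HOSTS = {"api.example.com"}      # allow-list taken from the API inventory (constructed)
SCHEMA = {"user_id": int, "email": str}  # expected response shape (constructed)

def check_upstream_url(url):
    """Only TLS and only inventoried hosts: rejects plaintext channels and unknown APIs."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"non-TLS upstream refused: {url}")
    if parts.hostname not in TRUSTED_HOSTS:
        raise ValueError(f"host not in API inventory: {parts.hostname}")
    return url

def resolve_redirect(current_url, location):
    """Never follow Location blindly: resolve it, then apply the same policy to the target."""
    return check_upstream_url(urljoin(current_url, location))

def read_bounded(stream, limit=MAX_BODY_BYTES):
    """Read at most `limit` bytes; an oversized body is rejected, not buffered into RAM."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise ValueError(f"body exceeds {limit} bytes")
    return data

def parse_payload(raw, schema):
    """Type-check every expected field and keep only the fields the schema names."""
    obj = json.loads(raw)                # JSONDecodeError is a ValueError: malformed = rejected
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    for key, typ in schema.items():
        if not isinstance(obj.get(key), typ):
            raise ValueError(f"field {key!r} missing or wrong type")
    return {key: obj[key] for key in schema}

def body(text):
    """Constructed response body as a readable stream, standing in for the socket."""
    return io.BytesIO(text.encode())

def rejected(fn, *args):
    """True when the consumption policy refused these arguments."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

A client composes these as: check the URL, issue the request with a timeout, vet any redirect target with `resolve_redirect` before following it, then `parse_payload(read_bounded(stream), SCHEMA)`.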
Solve tomorrow’s API problems today.
Unsafe API consumption arises from a series of individual vulnerabilities that often remain undetected in most API clients. Each of these issues, while minor on its own, can collectively compromise the security of API use, leading to potential data breaches and exploits. As they lurk in the background, these vulnerabilities can go unnoticed until they are exploited, highlighting the critical need for robust security measures and continuous scrutiny in API implementations.
By addressing these vulnerabilities that lead to unsafe consumption of APIs, businesses can mitigate the impact of unsafe API use, protect sensitive data, and prevent security breaches that could harm their operations, revenue, and profitability.
Read the blog post How to Mitigate API Vulnerabilities for best practices.
How Vercara can help.
Vercara’s UltraAPI solution is a purpose-built security suite designed to protect APIs and their consumption. It has three main components:
UltraAPI Discover actively and continuously identifies and evaluates APIs and vulnerabilities in them to detect unsafe, unprotected, and undocumented APIs.
UltraAPI Comply monitors API traffic across the network to identify unsafe consumption of both internal and external APIs. It also identifies data types, out-of-specification APIs, and compliance violations. It can help security and development teams to remediate vulnerabilities in APIs.
UltraAPI Bot Manager protects APIs from cybersecurity attacks and automated bots, using machine learning to fingerprint API client behavior and determine whether that behavior is malicious or abusive.
To find out more, contact our sales team.