Beginner’s Guide to API(REST) security

API security


API(Application Program Interface) is a framework that makes it easy to build HTTP services that reach a broad range of clients, including browsers and mobile devices. Most of the websites provide API so that developers can make application on top of it. For e.g. Facebook graph API, Twitter API, Dropbox API ,Github API etc .

I’ll discuss few basic points about REST architecture that you need to keep in mind regarding API security.

Authentication: There are various ways to authenticate a user for using your API , most commonly used authentication protocols are HTTP Basic Auth and OAuth.

HTTP Basic Auth : Credentials are merely encoded with Base64, no encryption , no hashing. Every request contain encoded value inside header, so using HTTP Basic Auth without HTTPs is suicide.

OAuth : In this case access token is generated by the resource owner for certain sets of scope . With OAuth, leakage of access token can be dangerous as it contains certain permissions to perform action on behalf of user. Even Facebook was once vulnerable to this,you can read more about this facebook bug in this post.
Authorization is as important as authentication.You must check what are the permissions associated with the access token,Facebook was vulnerable to this as well where hacker can delete any facebook album. Facebook paid him $12,500 for reporting this, read more about this on hisĀ  blog.

User Input: There’s a single rule for maintaining security of applications, never trust user input.This apply to API security as well, most of the time web application filter input but they forget to apply filter on input coming from API. Here’s a example of this, Slack was vulnerable to this.
Continue reading