API(Application Program Interface) is a framework that makes it easy to build HTTP services that reach a broad range of clients, including browsers and mobile devices. Most of the websites provide API so that developers can make application on top of it. For e.g. Facebook graph API, Twitter API, Dropbox API ,Github API etc .
I’ll discuss few basic points about REST architecture that you need to keep in mind regarding API security.
Authentication: There are various ways to authenticate a user for using your API , most commonly used authentication protocols are HTTP Basic Auth and OAuth.
HTTP Basic Auth : Credentials are merely encoded with Base64, no encryption , no hashing. Every request contain encoded value inside header, so using HTTP Basic Auth without HTTPs is suicide.
OAuth : In this case access token is generated by the resource owner for certain sets of scope . With OAuth, leakage of access token can be dangerous as it contains certain permissions to perform action on behalf of user. Even Facebook was once vulnerable to this,you can read more about this facebook bug in this post.
Authorization is as important as authentication.You must check what are the permissions associated with the access token,Facebook was vulnerable to this as well where hacker can delete any facebook album. Facebook paid him $12,500 for reporting this, read more about this on his blog.
User Input: There’s a single rule for maintaining security of applications, never trust user input.This apply to API security as well, most of the time web application filter input but they forget to apply filter on input coming from API. Here’s a example of this, Slack was vulnerable to this.
Sometime error from invalid parameter is reflected back on the page. For e.g. suppose name parameter was expecting a string value,value provided was a integer say 4. it might show some error like “name was expecting a string value, provided integer 4′ , so 4 is reflected back on screen when you change 4 to a XSS vector say alert(document.cookie) it will get executed.
Other case can be you supply same parameter twice say name=”manish”&name=”notmanish” , error may disclose full path of the application like this.
BTW how about performing a DOS or DDOS on a API server ? All you need is a for loop 😛 here’s my python code
for i in range(0,100):
This will print status code (to verify if there’s any protection) and number of attempts.You just have to change range in for loop.
Most of the API do have rate limitation per user/access token for e.g. Twitter API, foursquare . Rate limiting also provide protection against brute force attacks (make sure your tokens are long enough to avoid brute force attacks).
API security is a huge topic, this is just an overview. If you feel like adding something, reach out.
If you want to start your bug bounty career please visit Bug Bounty resources .