Defend yourself against a coming wave of API cyberattacks

by Cybersprint Blog 11 Jan 2022

APIs (Application Programming Interfaces) are used by countless businesses. By defining the rules that programmers must follow to interact with a programming language or software tool, they play a key role in enabling organisations to connect with services and transfer data.

Unfortunately, although APIs may be ubiquitous, API security is not. Even though APIs connect you to your bank, social network, or news outlets (whether you’re using a mobile app or a web browser), several security issues are commonly found: weak or half-finished implementations of authentication protocols, API keys that are easy to obtain, or the absence of any authentication at all.

If APIs are to continue playing such a prominent role in the digital ecosystem, the defences protecting them need to be tightened up.

API attack methods

Although vulnerabilities are certainly present within APIs, they don’t yet appear to represent a significant proportion of the most common attack vectors. This is probably because although cybercriminals may be innovative, they like to optimise their return on investment. So, with other methods (ransomware, phishing, Man-in-the-Middle attacks, etc.) proving effective, there is little desire to explore the opportunities provided by API vulnerabilities. Not yet, anyway.

However, it is likely that cybercriminals will eventually start to make greater use of API security flaws - with potentially devastating impacts for businesses and individuals. EU regulations mandate a high level of security control from organisations, over both their own infrastructure and their supply chain. Based on our research, we estimate API breaches and data leaks could result in GDPR fines worth tens of millions of dollars or euros. This estimate was based purely on the API vulnerabilities we discovered in a 20-hour window; the true financial and reputational impact is likely to be much greater.

Looking just at Swagger APIs, where the Swagger file provides a description of the entire API (available endpoints, the operations on each endpoint, and the input parameters and output of each operation), we found many with security failings. Assessing a total of 13,041 Swagger APIs, we discovered APIs that exposed sensitive internal data about employees, clients, and invoices to the public. Hardcoded keys and broken login protocols meant these APIs were widely accessible, resulting in significant data leaks.
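The two failings described above, unauthenticated endpoints and keys hardcoded into the specification, can be checked for in your own Swagger/OpenAPI documents before they are published. The following audit script is an added example written for this article, not Cybersprint's code; `SAMPLE_SPEC` is a constructed document, and the key-detection regex is a deliberately simple heuristic.

```python
"""Audit an OpenAPI 3 / Swagger 2 document for the two failings the post describes:
operations reachable with no authentication, and credential material hardcoded
into the spec. Added example, not Cybersprint's code; SAMPLE_SPEC is constructed."""
import json
import re

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Heuristic: a long run of base64/hex-style characters in a default or example value.
KEY_LIKE = re.compile(r"^[A-Za-z0-9_\-]{24,}$")

def audit_spec(spec: dict) -> dict:
    """Return {'unauthenticated': ['METHOD /path', ...], 'hardcoded': [location, ...]}."""
    global_security = spec.get("security", [])
    findings = {"unauthenticated": [], "hardcoded": []}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            # Operation-level 'security' overrides the global list; an explicit []
            # (or no requirement anywhere) means the endpoint needs no credentials.
            if not op.get("security", global_security):
                findings["unauthenticated"].append(f"{method.upper()} {path}")
            for param in op.get("parameters", []):
                for field in ("default", "example"):
                    value = param.get(field) or param.get("schema", {}).get(field)
                    if isinstance(value, str) and KEY_LIKE.match(value):
                        findings["hardcoded"].append(
                            f"{method.upper()} {path} parameter '{param.get('name')}' {field}")
    # Security scheme definitions (OAS3 components or Swagger 2 securityDefinitions)
    # describe how to authenticate and should never carry a live credential.
    schemes = spec.get("components", {}).get("securitySchemes") or spec.get("securityDefinitions", {})
    for name, scheme in schemes.items():
        for field in ("x-example", "example", "default"):
            value = scheme.get(field)
            if isinstance(value, str) and KEY_LIKE.match(value):
                findings["hardcoded"].append(f"securityScheme '{name}' {field}")
    return findings

SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.0",
  "security": [{"ApiKeyAuth": []}],
  "components": {"securitySchemes": {"ApiKeyAuth": {"type": "apiKey", "in": "header",
      "name": "X-API-Key", "x-example": "EXAMPLEKEY000000000000000000000000"}}},
  "paths": {
    "/invoices": {"get": {"summary": "List invoices"}},
    "/employees": {"get": {"summary": "Internal employee directory", "security": []}},
    "/export": {"post": {"parameters": [{"name": "token", "in": "query",
      "schema": {"type": "string", "default": "tok_0123456789abcdef0123456789abcdef"}}]}}
  }
}""")
```

Running `audit_spec(SAMPLE_SPEC)` flags `GET /employees` as unauthenticated (the empty `security` list disables the global API-key requirement) and reports the hardcoded `token` default and the example key inside the security scheme.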

Boosting your API security

As the awareness around API security risks grows, we expect businesses and developers to prioritise their defences in this area. Managing your API traffic, putting robust identification protocols in place, and employing anomaly detection are all approaches that organisations can take to shut down API vulnerabilities.

Attack surface management is another method businesses can use to detect and eliminate the misconfigurations and process failures that grant attackers access to APIs. Cybersprint’s Attack Surface Management platform automatically and continuously detects, monitors and correlates digital assets - including APIs - related to your brand. The platform’s AI tools automatically assess your assets to identify weaknesses, errors, vulnerabilities, or threats. What’s more, the platform’s outside-in approach eliminates any blind spots and exposes the misconfigurations missed during the development process.

Don’t wait around. Tackle any vulnerabilities lurking within your APIs now - before threat actors identify them first.  

See how our Attack Surface Management platform finds risky assets in our data sheet.

