API Data Security and Enhancement

Last updated: 2023-12-29 14:53:30
    APIs allow all computer platforms and operating systems to access data in different formats, such as tracking APIs that can enable users to track the location of goods purchased online.
    Many organizations focus more on fast delivery of APIs and applications rather than safeguarding security, contributing to API attacks and data breaches in recent years.
    The table lists three API call scenarios, giving each API type, its description, and its current security status:

    API Type: Public API
    Description: Public APIs are exposed on the Internet, allowing anyone to access services from anywhere. Callers drive data and process flows by passing the required fields to the API. Such APIs require the highest level of security and usability monitoring.
    Security Status Quo: Public APIs have few restrictions, such as authorization checks, so flaws in business authentication logic are common, and attackers prefer to probe and bypass these APIs through automated fuzz testing and targeted testing.

    API Type: Internal API
    Description: Internal APIs are usually deployed and operated in a data center or private cloud network for internal use, mainly for operation management and internal services.
    Security Status Quo: Internal APIs carry more restrictions, such as authentication requirements, but the authentication and security strength is low. Such APIs are vulnerable to targeted attacks and have therefore become a major source of data breaches.

    API Type: Channel API
    Description: Channel APIs are usually deployed and operated in a data center or private cloud network, giving specific external partners and suppliers limited access to internal APIs to extract and manage data. For such APIs, data leakage is a greater concern than data extraction.
    Security Status Quo: Their access control level is higher than that of internal APIs but lower than that of external APIs, and the same holds for security control, which is enforced mainly through the API gateway. When supply chain attacks happen, channel APIs are easily abused for data misuse because monitoring and supervision mechanisms are lacking.
    

    Why API Sensitive Data Discovery Matters

    According to the Salt Labs State of API Security Report, Q1 2023, 43% considered zombie APIs the most concerning API security risk and 22% were worried about account takeover/abuse; 83% lacked confidence in organizations’ API inventory.
    
    Enterprises are concerned about API assets because security risks are often hidden in unknown zombie APIs, unknown shadow APIs, and unknown sensitive data exposure, all of which stem from a lack of comprehensive asset visibility. Through such APIs, attackers are likely to launch targeted attacks to extract and expose sensitive data, and even expand the attack surface to gain unauthorized access to servers and databases.
    
    Even if enterprises have begun managing zombie APIs, zombie parameters are easily overlooked and pose a serious security threat. Zombie parameters may exist in APIs and can be supplied by attackers even though they are not documented in the API release. Common zombie parameters include debugging parameters and system property parameters configured during the development and testing cycle. Once attackers successfully exploit vulnerabilities such as mass assignment to obtain unauthorized responses, enormous amounts of business data and user data can be collected with little effort.
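    The zombie parameter problem described above, shown as an added example that is not Tencent Cloud code: a profile-update handler that binds every request field onto its model (so a leftover debugging flag and an internal property become caller-settable) sits beside a hardened version that only accepts documented fields, and a small inventory check flags request fields the API specification does not list, which is the kind of signal API asset discovery is meant to surface. The endpoint name, field names and sample request are constructed for the illustration.

```python
"""Zombie parameters via mass assignment, with the hardened form and an
inventory check. Added example; all names and sample data are constructed."""
from dataclasses import dataclass

# Constructed inventory of documented request parameters per endpoint.
# In practice this would be generated from the API specification or
# from the traffic-derived API catalog.
DOCUMENTED_PARAMS = {
    "POST /api/v1/profile": {"display_name", "email"},
}


@dataclass
class User:
    display_name: str
    email: str
    is_admin: bool = False    # internal property, never meant to be client-settable
    debug_mode: bool = False  # debugging flag left over from the test cycle


def update_profile_vulnerable(user: User, payload: dict) -> User:
    """Binds every request field that matches a model attribute.
    Any undocumented attribute the model happens to have (is_admin,
    debug_mode) becomes a zombie parameter reachable by the caller."""
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_profile_hardened(user: User, payload: dict) -> User:
    """Accepts only the fields documented for this endpoint; everything
    else is ignored, so internal properties cannot be set from a request."""
    allowed = DOCUMENTED_PARAMS["POST /api/v1/profile"]
    for key, value in payload.items():
        if key in allowed:
            setattr(user, key, value)
    return user


def undocumented_params(endpoint: str, payload: dict) -> set:
    """Return the request fields that the inventory does not document.
    For an endpoint missing from the inventory (a shadow API) every
    field is reported, which is itself the finding."""
    return set(payload) - DOCUMENTED_PARAMS.get(endpoint, set())


# Constructed sample request carrying two undocumented fields.
SAMPLE_REQUEST = {
    "display_name": "alice",
    "email": "alice@example.com",
    "is_admin": True,
    "debug_mode": True,
}

if __name__ == "__main__":
    vuln = update_profile_vulnerable(User("a", "a@example.com"), SAMPLE_REQUEST)
    safe = update_profile_hardened(User("a", "a@example.com"), SAMPLE_REQUEST)
    print("vulnerable handler is_admin:", vuln.is_admin)   # True
    print("hardened handler is_admin:  ", safe.is_admin)   # False
    print("undocumented fields:",
          sorted(undocumented_params("POST /api/v1/profile", SAMPLE_REQUEST)))
```

    The allowlist in the hardened handler and the inventory check share one source of truth, DOCUMENTED_PARAMS, so a parameter that is added to the code without being added to the specification shows up as an undocumented field in traffic rather than silently becoming reachable.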

    Directions

    Step 1: Discover API assets

    1. Log in to the WAF console and select API Analytics on the left sidebar.
    Notes
    API Analytics is currently in beta testing and only supports 3 domain names. To use this feature, submit a ticket.
    2. On the page that appears, select a domain name to protect and toggle on the switch.
    3. When it's on, you can view related information on the API details page.

    Step 2: Enhance API security

    1. On the Basic Security page, select the API security tab and create rules.
    
    
    2. On the CC protection tab, configure capacity protection settings based on relevant APIs.
    
    
    3. On the Access control tab, click Add rule to implement protection for sensitive operations based on relevant APIs.
    
    
    4. On the Bot and Application Security page, configure settings to detect anomalous API behavior.
    
    

    Step 3: Manage API lifecycle

    1. Keep track of the number and status of APIs.
    
    
    2. Detect updates of API parameters.
    
    
    3. Retire APIs when they are no longer in use.
    
    
    