Preventing Breaches with Locked Down APIs

Developers of web and mobile applications are being urged to prioritize security measures, as hackers increasingly target web application programming interfaces (APIs) to gain unauthorized access to cloud and mobile services. In a joint advisory issued by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA), a specific type of API vulnerability called insecure direct object reference (IDOR) was highlighted as particularly concerning due to its potential for abuse on a large scale.

IDOR vulnerabilities occur when an application allows access to information or web resources using a key or identifier without proper authentication or authorization checks. The advisory emphasized that these vulnerabilities are often easy to exploit and can be targeted using automated tools, putting end-user organizations at risk of data leaks and large-scale breaches. The unique nature of each use case makes it challenging to prevent these vulnerabilities outside the development process, ruling out a one-size-fits-all solution.

Several notable cases of lax security in web applications have already resulted in serious consequences. In 2021, vulnerabilities in the API of a popular monitoring application exposed sensitive user data, including call records, messages, and photos. Likewise, the API for Peloton fitness equipment was found to have endpoints that allowed unauthenticated attackers to collect information on subscribers, including high-profile individuals such as the President of the United States.

The prevalence of API vulnerabilities has been on the rise, driven by the widespread deployment of APIs not only on the internet but also as a means of connecting to IoT devices, cars, and other vehicles. Jason Kent, a hacker-at-large for Cequence Security, commented on the rapid adoption of APIs, stating that they have become the foundation of the internet. As a result, API security has become increasingly important in ensuring the integrity and privacy of user data.

Losses due to insecure web APIs have skyrocketed, with estimates by Marsh McLennan suggesting that US companies could incur losses ranging from $12 billion to $23 billion due to API compromises in 2022. The Open Worldwide Application Security Project (OWASP) released an updated top-10 list of API security issues, with IDOR vulnerabilities, also known as Broken Object Level Authorization (BOLA) flaws, taking the top spot. According to Paulo Silva, co-leader of the OWASP API Security Project, IDOR vulnerabilities account for a significant portion of API vulnerabilities discovered during bug bounty engagements.

Many applications attempt to mitigate IDOR vulnerabilities by making routes and endpoints difficult to guess through the use of randomized keys and identifiers. However, this approach is merely security through obscurity, as attackers who can capture the API address through traffic monitoring or other means can still exploit the vulnerability. Even if an API uses cryptographically strong, random values, the risk remains if the authorization mechanism fails to properly restrict access to users’ private resources.

To address these vulnerabilities, developers are encouraged to educate themselves on secure web application design and utilize analysis tools to identify common API flaws and misconfigurations in their code. Additionally, deployed code should undergo a thorough security analysis process, involving the creation of a security design document, comparison with the application, and testing by real users to ensure its security. Monitoring the application’s live data can provide valuable insights into areas that need improvement and help identify potential leaks of sensitive information.
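As an added illustration (not code from the advisory or from any product named in this article), the following Python sketch contrasts an IDOR-prone handler with one that performs object-level authorization, shows why opaque record ids alone do not help, and ends with the kind of access-log audit the monitoring advice above points to. The in-memory store, user names, record ids and log lines are constructed sample data.

```python
"""Added example: IDOR / BOLA in a tiny record-lookup API and its fix."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the authenticated caller does not own the requested object."""


@dataclass(frozen=True)
class Record:
    owner: str   # principal the object belongs to
    body: str


# Constructed store. The keys are opaque strings, but their unguessability
# plays no part in the authorization decision below (security by obscurity
# is not a control).
RECORDS = {
    "rec-7f3a9c": Record("alice", "alice's message history"),
    "rec-1b88de": Record("bob", "bob's workout statistics"),
}


def get_record_vulnerable(session_user: str, record_id: str) -> Record:
    """IDOR: the caller is authenticated (session_user is trusted to be set by
    the session layer) but nothing checks that they may read record_id."""
    return RECORDS[record_id]          # any logged-in user reads any record


def get_record_hardened(session_user: str, record_id: str) -> Record:
    """Object-level authorization: resolve the object, then compare its owner
    to the authenticated principal before returning it."""
    record = RECORDS.get(record_id)
    # One response for "missing" and "not yours", so a caller cannot tell
    # which ids exist by comparing the two outcomes.
    if record is None or record.owner != session_user:
        raise Forbidden(f"{session_user} may not access {record_id}")
    return record


def can_access(session_user: str, record_id: str) -> bool:
    """Boolean wrapper around the hardened check, handy for tests and audits."""
    try:
        get_record_hardened(session_user, record_id)
        return True
    except Forbidden:
        return False


def audit_access(log_lines):
    """Defender-side check over constructed access-log tuples of
    (user, record_id, http_status): flag successful reads of objects the
    user does not own, i.e. evidence that an IDOR path was exercised."""
    return [(user, rid) for user, rid, status in log_lines
            if status == 200 and rid in RECORDS and RECORDS[rid].owner != user]
```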

Implementing a web application firewall (WAF) is another recommended measure to protect against attacks and detect vulnerabilities while waiting for fixes. Tim Erlin, head of product at Wallarm, emphasized the importance of having proactive security measures in place, as security teams often do not have direct control over the application or API code. A WAF can provide an added layer of defense and empower security teams to take action in blocking attacks against APIs.

In conclusion, the growing threat of API vulnerabilities, particularly IDOR flaws, necessitates a comprehensive approach to application security. By prioritizing secure design practices, conducting thorough security analyses, and implementing monitoring tools and firewalls, developers can mitigate the risk of API attacks and safeguard the sensitive data entrusted to their applications.
