Web API Security

What is an API

An Application Programming Interface (API) is a software intermediary that allows your applications to communicate with one another. It provides routines, protocols, and tools for developers building software applications, while enabling the extraction and sharing of data in an accessible manner.

Web APIs connect between applications and other services or platforms, such as social networks, games, databases and devices.

Additionally, Internet of Things (IoT) applications and devices use APIs to gather data, or even control other devices. For example, a power company may use an API to adjust the temperature on a thermostat to save power.


SOAP and REST are two popular approaches for implementing APIs.

SOAP (Simple Object Access Protocol) is an XML-based messaging protocol for exchanging information among computers. SOAP's built-in WS-Security standard uses XML Encryption, XML Signature, and SAML tokens to deal with transactional messaging security considerations. SOAP also supports OASIS and W3C recommendations.

SOAP's built-in standards and envelope-style payload transport require more overhead compared to working with other API implementations, such as REST. However, organizations that require more comprehensive security and compliance may benefit from using SOAP.

REST (Representational State Transfer) uses HTTP to obtain data and perform operations on remote computer systems. It supports SSL authentication and HTTPS to achieve secure communication.

REST uses the JSON standard for consuming API payloads, which simplifies data transfer over browsers. REST is stateless – each HTTP request contains all necessary information, meaning that neither the client nor the server is required to retain any data to satisfy the request. Unlike SOAP, which requires parsing and routing for each request to function on a local web service, REST leverages standard HTTP requests and does not require the repackaging of data.

API Security Threats

APIs often self-document information, such as their implementation and internal structure, which can be used as intelligence for a cyber-attack. Additional vulnerabilities, such as weak authentication, lack of encryption, business logic flaws and insecure endpoints make APIs vulnerable to the attacks outlined below.

Man in the Middle (MITM)

A man in the middle (MITM) attack involves an attacker secretly relaying, intercepting or altering communications, including API messages, between two parties to obtain sensitive information.

For example, a perpetrator can act as a man in the middle between an API issuing a session token in an HTTP header and a user’s browser. Intercepting that session token would grant access to the user’s account, which might include personal details, such as credit card information and login credentials.

API Injections (XSS and SQLi)

In a code injection attack, malicious code is inserted into a vulnerable software program to stage an attack, such as cross site scripting (XSS) and SQL injection (SQLi).

Figure: XSS attack targeting a web API – performing a browser XSS injection through an API

For example, a perpetrator can inject a malicious script into a vulnerable API, i.e., one that fails to properly filter input and escape output (FIEO), to launch an XSS attack targeting end users’ browsers. Additionally, malicious commands could be inserted into an API message, such as an SQL command that deletes tables from a database.

Any web API requiring parsers or processors is vulnerable to attack. For example, a code generator that includes parsing for JSON code, and doesn't sanitize input properly, is susceptible to the injection of executable code that runs in the development environment.

Distributed Denial of Service (DDoS)

In a distributed denial-of-service (DDoS) attack, multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. A DDoS attack on a web API attempts to overwhelm its memory and capacity by flooding it with concurrent connections, or by sending/requesting large amounts of information in each request.

For example, a DDoS attack on the FCC website in early 2017 used commercial cloud services to issue a massive amount of API requests to a commenting system. This consumed available machine resources and crowded out human commenters, eventually causing the website to crash.

API Security Best Practices

Securing your API against the attacks outlined above should be based on:

  • Authentication – Determining the identity of an end user. In a REST API, basic authentication can be implemented using the TLS protocol, but OAuth 2 and OpenID Connect are more secure alternatives.
  • Authorization – Determining the resources an identified user can access. An API should be built and tested to prevent users from accessing API functions or operations outside their predefined role. For example, a read-only API client shouldn’t be allowed to access an endpoint providing admin functionality.

Additional best practices include validating your API calls against API schemas that clearly describe expected structures. Scanning payloads and performing schema validation can prevent code injections, malicious entity declarations, and parser attacks. Assigning an API token for each API call validates incoming queries and prevents attacks on endpoints.
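The three controls just listed (authenticate the caller, authorize each operation against its role, and validate the payload against a schema) are easiest to reason about when they sit in one request path, in that order. The Python example below is added here and is not from the original article or any Incapsula product; it models a small API handler for the thermostat-style device endpoint mentioned earlier. The token table, the role policy, the `/v1/...` paths, the device schema and the `handle` function are all constructed assumptions for the example. It denies by default (an endpoint missing from the policy is forbidden), checks the role before touching the body, and rejects payloads with missing, mistyped or unexpected fields rather than silently ignoring them.

```python
import json

# Constructed token table (assumption: opaque bearer tokens issued out of band).
# A real deployment would look these up in a store, not a module constant.
TOKENS = {
    "tok-reader-001": {"client": "report-viewer", "role": "read-only"},
    "tok-admin-001": {"client": "ops-console", "role": "admin"},
}

# Which roles may call which (method, path). Anything not listed is denied.
POLICY = {
    ("GET", "/v1/devices"): {"read-only", "admin"},
    ("POST", "/v1/devices"): {"admin"},
    ("DELETE", "/v1/admin/users"): {"admin"},
}

# Minimal schema for a POST /v1/devices body: required and optional fields with
# their allowed JSON types. Unknown fields are rejected, not ignored.
DEVICE_SCHEMA = {
    "required": {"name": str, "target_temp_c": (int, float)},
    "optional": {"location": str},
}


def authenticate(headers):
    """Return the principal for a valid 'Authorization: Bearer <token>' header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in TOKENS:
        return None
    return TOKENS[token]


def authorize(principal, method, path):
    """True only if the policy explicitly allows this role on this operation."""
    allowed = POLICY.get((method, path))
    return allowed is not None and principal["role"] in allowed


def _type_ok(value, typ):
    # bool is a subclass of int in Python; keep true/false out of numeric fields.
    return isinstance(value, typ) and not isinstance(value, bool)


def validate_body(body, schema):
    """Return a list of validation errors (empty list means the body conforms)."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = []
    for key, typ in schema["required"].items():
        if key not in body:
            errors.append(f"missing required field '{key}'")
        elif not _type_ok(body[key], typ):
            errors.append(f"field '{key}' has wrong type")
    for key, typ in schema["optional"].items():
        if key in body and not _type_ok(body[key], typ):
            errors.append(f"field '{key}' has wrong type")
    known = set(schema["required"]) | set(schema["optional"])
    for key in body:
        if key not in known:
            errors.append(f"unexpected field '{key}'")
    return errors


def handle(method, path, headers, raw_body=b""):
    """Authenticate, authorize, then validate; returns (status, response dict)."""
    principal = authenticate(headers)
    if principal is None:
        return 401, {"error": "unauthenticated"}
    if not authorize(principal, method, path):
        return 403, {"error": "forbidden"}
    if (method, path) == ("POST", "/v1/devices"):
        try:
            body = json.loads(raw_body)
        except ValueError:
            return 400, {"error": "malformed JSON"}
        errors = validate_body(body, DEVICE_SCHEMA)
        if errors:
            return 400, {"error": "schema validation failed", "details": errors}
        return 201, {"created": body["name"]}
    return 200, {"ok": True}


if __name__ == "__main__":
    admin = {"Authorization": "Bearer tok-admin-001"}
    reader = {"Authorization": "Bearer tok-reader-001"}
    print(handle("GET", "/v1/devices", reader))
    print(handle("DELETE", "/v1/admin/users", reader))        # read-only client: 403
    print(handle("POST", "/v1/devices", admin,
                 b'{"name": "hall", "target_temp_c": "20", "extra": 1}'))  # 400 with details
```

Ordering matters: the body is parsed only after the caller has been identified and found entitled to the operation, so unauthenticated or unauthorized callers never reach the parser, which limits the parser attacks the paragraph above mentions to clients that already hold a valid token.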

Lastly, it’s important to secure all of your webpages using TLS/SSL, which encrypts and authenticates transmitted data, including that sent via web API. Doing so helps mitigate the threat of MITM attacks by preventing the interception of site traffic.

WAF and API Security

A web application firewall (WAF) applies a set of rules to HTTP/S conversations between applications. WAFs are commonly used to secure API platforms, as they are able to prevent misuse and exploitation and help mitigate application-layer DDoS attacks.

In addition, WAFs use a list of regularly patched, strict signatures and SSL/TLS encryption to block injection attacks and prevent the interception of site traffic in MITM attacks.

Incapsula's cloud-based WAF uses signature recognition, IP reputation and other security methodologies that identify and block code injections on APIs. SSL/TLS certificates are hosted on the Incapsula CDN to prevent attacks and ensure compliance.

Using the Incapsula dashboard, security teams can enforce SSL/TLS security across multiple subdomains to further secure APIs from protocol downgrade attacks and cookie hijacking attempts.

Finally, Incapsula also offers multiple security-centric monitoring services and a SIEM integration option. These provide valuable real-time insights about API usage, enabling early detection of attack attempts against API assets.