How to Protect Yourself from Attacks via This Poorly Monitored Vector
API security is an “excellent entry point” into a pentesting career, says industry expert Corey J. Ball.
INTERVIEW
Securing web APIs requires a different approach from traditional web application security because standard testing methods usually miss the most common vulnerabilities that occur when working with APIs.
This is the view of API security expert Corey J. Ball, who warns that methods not calibrated for web APIs can produce too many false negatives for pentesters.
Ball began learning the art of web application pentesting in 2015 using hacking books and platforms like HackTheBox and VulnHub. He later honed his skills working with technologies such as ColdFusion, WordPress, Apache Tomcat, and other enterprise-oriented web applications.
He went on to earn certifications including CEH, CISSP, and OSCP, and eventually was invited to take a leadership role in pentesting at the public accounting firm Moss Adams, where he currently serves as a lead web application pentester.
Recently he has focused on a narrower area: web API security, which is often treated as an afterthought. In response, Ball launched a free online course on the topic and published the book Hacking APIs: Breaking Web Application Programming Interfaces (No Starch Press, 2022).
In an interview with The Daily Swig, Ball explains why the growing use of web APIs requires rethinking traditional approaches to web application security.
---
An Attractive Attack Vector
In recent years, web APIs have been rapidly adopted across many industries. In 2018, Akamai reported that 83% of web traffic consisted of API calls.
“Businesses realized they no longer need to build every part of a web application themselves—maps, payment processing, communications, authentication, etc.,” Ball says.
“Instead, they can use APIs and leverage what third-party developers have already built while focusing on their own specialization.”
API stands for Application Programming Interface. It is a set of definitions and protocols for building and integrating application software.
Web APIs, accessed via the HTTP protocol, have created numerous API services that allow companies to monetize their technology, infrastructure, functionality, and data. But APIs have also attracted the attention of cybercriminals.
“Through insecure APIs, attackers can compromise the confidentiality, integrity, and availability of data,” Ball says. “The risk is especially concerning because many APIs are exposed directly to the internet. That makes vulnerable APIs one of the most convenient attack vectors.”
---
Different Rules Apply
APIs can cause fewer security issues if security specialists are involved during the design stage. These specialists can promote secure development practices, conduct regular security assessments, and monitor whether API calls are being abused.
Ball believes that protecting web APIs requires a new approach compared to classical web application security.
“If you rely only on standard web application testing techniques, many vulnerabilities in APIs will go undetected,” he explains. “Tools and techniques not specifically calibrated for APIs will miss most common API vulnerabilities.”
A notable vulnerability was discovered in the USPS Informed Visibility API, first reported by security researcher Brian Krebs.
One month before Krebs publicly disclosed the data leak, the application had undergone thorough testing with tools such as Nessus and HP WebInspect. Those tools ran general-purpose security scans, which is why the serious API-specific vulnerability went unnoticed.
This flaw in the USPS API allowed any authenticated user to access the email addresses, usernames, package updates, mailing addresses, and phone numbers of 60 million customers stored in the database.
“This case perfectly demonstrates what can happen when traditional web application testing techniques are applied to APIs,” Ball says. “It shows how important it is to use the right tools and techniques when testing APIs.”
---
Side-Channel Attacks Against APIs
Ball himself has discovered numerous vulnerabilities while focusing on API pentesting. One of his favorite findings involved a timing side-channel attack used to extract information from an administrative API designed to search customer accounts.
Normally, an API should reject unauthorized requests and return the HTTP status code 401 Unauthorized. Because the API lacked rate limiting, Ball was able to send numerous requests testing different IDs and usernames gathered through passive reconnaissance.
He noticed that some responses contained slightly more bytes than others.
“Upon closer inspection using Comparer, it became clear that middleware headers revealed how much extra time the server spent processing certain requests,” Ball explains.
“I discovered that requests referencing existing records took five times longer to process than requests referencing non-existent records.”
By combining small pieces of information, Ball was able to reconstruct sensitive data and map users to their IDs, ZIP codes, phone numbers, medical policy numbers, and Social Security numbers.
“I didn’t have to breach the network perimeter, bypass firewalls, navigate the internal network, or break into a database,” Ball concludes. “I simply used the web API and stole the crown jewels through it.”
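The two defects in the story above, a lookup that runs before authentication (so middleware headers and body size differ for existing and non-existing records) and the absence of rate limiting, are shown below in a toy "search customer account" endpoint next to a hardened version. This is an added illustration, not code from the article or from Corey Ball; the records, the admin token, the per-client token bucket and the "cost" numbers (an existing row modelled as five times more expensive than a miss, matching the ratio in the interview) are all constructed for the example.

```python
"""
Added example (constructed; not from the article or from Corey Ball's work).
A toy account-search endpoint: the vulnerable handler does the data-store
lookup before checking the caller's token, so its 401 response still leaks
whether the record exists; the hardened handler rate-limits and authenticates
first and returns a byte-identical 401 whatever the id.
"""
import hmac
import json
from dataclasses import dataclass, field

# Constructed sample data: two customer records and one admin token.
RECORDS = {
    "1001": {"zip": "94105", "phone": "555-0100"},
    "1002": {"zip": "10001", "phone": "555-0101"},
}
ADMIN_TOKEN = "example-admin-token"

# Stand-in for the database: records every call and reports a simulated cost.
# Hits are modelled as 5x the cost of misses (the ratio quoted in the interview).
STORE_CALLS = []


def lookup(record_id):
    rec = RECORDS.get(record_id)
    cost = 5 if rec is not None else 1
    STORE_CALLS.append((record_id, cost))
    return rec, cost


def is_authorized(token):
    # Constant-time comparison so the token check is not itself a timing oracle.
    return token is not None and hmac.compare_digest(token, ADMIN_TOKEN)


def vulnerable_search(record_id, token):
    """Lookup first, auth second: the status code is right, but the
    middleware-style timing header and an extra body field vary with the id."""
    rec, cost = lookup(record_id)
    headers = {"X-Processing-Time": f"{cost}ms"}
    if not is_authorized(token):
        body = {"error": "Unauthorized", "lookup": "done" if rec else "none"}
        return 401, headers, json.dumps(body)
    return 200, headers, json.dumps(rec or {})


@dataclass
class TokenBucket:
    """Per-client token-bucket rate limiter driven by an injected clock (seconds)."""
    capacity: int
    refill_per_sec: float
    state: dict = field(default_factory=dict)

    def allow(self, client, now):
        tokens, last = self.state.get(client, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        allowed = tokens >= 1
        self.state[client] = (tokens - 1 if allowed else tokens, now)
        return allowed


LIMITER = TokenBucket(capacity=5, refill_per_sec=1.0)
# Fixed, pre-built error responses: no per-request headers, no variable fields.
UNAUTHORIZED = (401, {}, json.dumps({"error": "Unauthorized"}))
RATE_LIMITED = (429, {}, json.dumps({"error": "Too Many Requests"}))


def hardened_search(record_id, token, client, now):
    """Rate-limit and authenticate before touching the store, so an
    unauthenticated probe never causes record-dependent work."""
    if not LIMITER.allow(client, now):
        return RATE_LIMITED
    if not is_authorized(token):
        return UNAUTHORIZED
    rec, _cost = lookup(record_id)
    # Authorized callers get a fixed response shape with no debug/timing headers.
    return 200, {}, json.dumps({"found": rec is not None, "record": rec})


if __name__ == "__main__":
    print("vulnerable:", vulnerable_search("1001", None), vulnerable_search("9999", None))
    print("hardened:  ", hardened_search("1001", None, "c", 0.0), hardened_search("9999", None, "c", 0.0))
```

The ordering is the point: in the hardened handler an unauthenticated request is answered from a constant before any data-dependent work happens, and the token bucket caps how many probes a single client can send per second, which removes the high-volume enumeration the interview describes. Stripping debug and timing headers at the gateway for error responses is the complementary control.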
---
The Cost of Opportunity
Despite APIs becoming a major attack vector, Ball notes that resources for learning API security testing were scarce when he began specializing in the area.
“There were no books focused on API security testing, no certifications, almost no blog posts or videos,” he says.
“I would attend conferences and ask speakers presenting new web hacking techniques how they tested APIs. Most either had no idea or had at best one person in their team responsible for API testing.”
One of the managing partners at Moss Adams encouraged Ball to become an expert in API security. Within a few months he had compiled about 150 pages of notes, realizing he had essentially written half a book.
“I saw an opportunity to share my research, equip testers with knowledge, and help prevent the next data breach through an API,” he says.
Ball later released a free online course on APIsec University, covering phases of API pentesting, lab setup, reconnaissance, endpoint analysis, and building attack chains step by step.
---
The “UnAPI” Era
Resources and standards for API security are slowly emerging. In 2019, the OWASP API Security Top 10 list of vulnerabilities was published.
However, Ball still observes widespread design mistakes in APIs.
“Authorization problems remain the most common security issue with APIs in the wild,” he says.
He frequently encounters:
Broken Object Level Authorization (BOLA)
Broken Function Level Authorization
Both appear in the OWASP Top 10.
In many cases the vulnerability works like this: an authenticated user gains access to other users’ data through the API.
“With so many authorization vulnerabilities, it seems we simultaneously trust authenticated users too much while failing to properly verify whether specific users or groups should access or modify each other's data,” Ball explains.
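Both authorization classes Ball names are easiest to see as a handler that authenticates but never asks "may this caller act on this object / call this function?". The following is an added illustration, not code from the article or from the OWASP project: a toy object-level endpoint (read an invoice by id) and a toy function-level endpoint (delete a user), each in its BOLA/BFLA form beside a hardened form. The users, roles and invoices are constructed sample data.

```python
"""
Added example (constructed; not from the article or from OWASP).
BOLA: an authenticated caller reads any invoice by id because ownership is
never checked. BFLA: an admin-only function is reachable by any authenticated
role. Each vulnerable handler is shown next to a hardened one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # "customer" or "admin"


# Constructed sample data.
INVOICES = {
    "inv-1": {"owner": "u-alice", "amount": 120},
    "inv-2": {"owner": "u-bob", "amount": 85},
}
USERS = {
    "u-alice": Principal("u-alice", "customer"),
    "u-bob": Principal("u-bob", "customer"),
    "u-root": Principal("u-root", "admin"),
}


def bola_get_invoice(principal, invoice_id):
    """Vulnerable: the caller is authenticated, but the object's owner is
    never compared with the caller, so any id in the URL is served."""
    inv = INVOICES.get(invoice_id)
    return (404, None) if inv is None else (200, inv)


def safe_get_invoice(principal, invoice_id):
    """Hardened: object-level check. Non-owners (admins excepted) get the same
    404 as a missing invoice, so the status code does not confirm that the id
    exists."""
    inv = INVOICES.get(invoice_id)
    is_owner = inv is not None and inv["owner"] == principal.user_id
    if inv is None or not (is_owner or principal.role == "admin"):
        return 404, None
    return 200, inv


def bfla_delete_user(principal, target_id, users):
    """Vulnerable: the admin-only function has no role check at all."""
    if target_id not in users:
        return 404
    del users[target_id]
    return 204


def safe_delete_user(principal, target_id, users):
    """Hardened: function-level check on the caller's role runs before any
    lookup or mutation."""
    if principal.role != "admin":
        return 403
    if target_id not in users:
        return 404
    del users[target_id]
    return 204


if __name__ == "__main__":
    bob = USERS["u-bob"]
    print("BOLA read of alice's invoice by bob:", bola_get_invoice(bob, "inv-1"))
    print("hardened read by bob:", safe_get_invoice(bob, "inv-1"))
    store = dict(USERS)
    print("BFLA delete by bob:", bfla_delete_user(bob, "u-alice", store))
    store = dict(USERS)
    print("hardened delete by bob:", safe_delete_user(bob, "u-alice", store))
```

The tests a pentester runs against such endpoints are the inverse of these checks: swap the object id for one belonging to another account (BOLA) and call the privileged function with a low-privilege token (BFLA). In review, look for every handler that reads an id from the request and passes it straight to the data layer, and for every privileged route whose only guard is "is the caller logged in".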
---
A Gateway Bug
As APIs become more widespread, the demand for API security experts continues to grow.
“I think APIs are actually an excellent entry point for anyone interested in becoming a pentester,” Ball says. “Modern hackers often try to break APIs first.”
Where to Learn API Security
Ball recommends the following resources:
API Penetration Testing course at APIsec University
Web Security Academy by PortSwigger
OWASP API Security Project
“Become very familiar with Postman and the Burp Suite toolkit,” Ball advises.
“And of course, if you want all the information in one place, check out my book Hacking APIs.”