This document discusses how to design APIs to be rugged and resilient against threats. It recommends threat modeling to understand vulnerabilities and abuse cases. It also suggests implementing authorization for every endpoint, explicit anonymous access, and pinning certificates for mobile apps. Runtime protections like rate limiting, JWT validation, and security headers are also advised. Monitoring APIs in a SIEM and leveraging cloud platform protections can help detect and block attacks.

1. 42Crunch.com
Are Your APIs Rugged?
7 April 2022
Colin Domoney
@colindomoney
colin.domoney@42crunch.com

2. 2 │ 42Crunch.com
Agenda
● Why be rugged?
● What are the threats?
● Rugged by design
● Rugged by implementation
● Rugged at runtime
● Learning more

3. 3 │ 42Crunch.com
The need for rugged software
https://ruggedsoftware.org/
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed,
and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten
our physical, economic, and national security.

4. 4 │ 42Crunch.com
Beyond secure … becoming rugged
Secure Rugged
• Using transport security
• Authenticate users via standard methods
• Authorize access to:
Functions
Objects
• Validate input data
• Use standard methods for token exchange
• Use API gateways
• Eliminate common coding vulnerabilities
• Everything included by being secure !
• Use standard libraries and components
• Use defense-in-depth
• Manage your API inventory
• Manage access and abuse cases via:
Rate limiting
Quotas
• Restrict access via risk factors:
Known bad IP addresses
Common attack methods
• Attack your own APIs
“What you do to satisfy your regulators” “What you do to delight your customers”

5. 5 │ 42Crunch.com
What are the threats?

6. 6 │ 42Crunch.com
Vulnerabilities vs. abuse/misuse
Vulnerabilities Abuse/misuse
• Attacks on APIs by exploiting vulnerability
in the API itself
• Causes misoperation of the API resulting in
a vulnerability
• Attacks by automating API traffic to impersonate
a genuine source
• Use the API in a way in which it was not
intended, or for an alternate purpose

7. 7 │ 42Crunch.com
Threat actors
● “Script kiddies”
● Curious hackers
● Malicious groups
● Criminal gangs
● Scrapers
● Bots
● Nation states
https://nostarch.com/hacking-apis

8. 8 │ 42Crunch.com
Tools of the trade
● Kiterunner
● RESTler
● Gobuster
● Fuzz-lightyear
● Wfuzz
● Burp Suite
https://github.com/arainho/awesome-api-security

9. 9 │ 42Crunch.com
Rugged by design

10. 10 │ 42Crunch.com
Threat modelling
● Establish your attack surface
● Understand the:
Use cases
Abuse cases
● Mitigations and compensating
controls
● Expose assumptions and
misunderstandings
● Put the Sec into DevOps !

11. 11 │ 42Crunch.com
Think like an attacker

12. 12 │ 42Crunch.com
Understand your data
● Privacy requirements
● What is your PII ?
● Handling privacy requests
● Data ownership
● Expose the bare minimum of data !

13. 13 │ 42Crunch.com
Understand your environments
● Secret storage
● Token exchange
● Device integrity
● Channel integrity
● Assume your environment is hostile

14. 14 │ 42Crunch.com
Rugged by implementation

15. 15 │ 42Crunch.com
Boss your JWT validation
https://42crunch.com/7-ways-to-avoid-jwt-pitfalls/
1. Use a Static Algorithm Configuration
2. Use Explicit Typing
3. Go All Out on Metadata
4. Treat your Secrets as Secrets
5. Bring Down the Testing Hammer
6. Encapsulating Security Behavior
7. Rely on Static Code Analysis

16. 16 │ 42Crunch.com
Authorize every function endpoint
A REST API endpoint restricted to users with the specific "deleteTask"
permission
1
2
3
4
5
6
7
8
9
app.delete('/tasks/:taskId', auth.hasPermission('deleteTask'), function(req, res) {
Task.remove({
_id: req.params.taskId
}, function(err, task) {
if (err)
res.send(err);
res.json({ message: 'Task successfully deleted' });
});
};
Check permissions explicitly for every
function access to prevent broken
function-level authorization
vulnerabilities

17. 17 │ 42Crunch.com
Be explicit about intended anonymous access
Explicitly declare methods with intended
anonymous access with appropriate
decorator or notation
A REST API endpoint to get a task
1
2
3
4
5
6
7
app.get('/tasks/:taskId', auth.allowPublicAccess(), function(req, res) {
Task.findById(req.params.taskId, function(err, task) {
if (err)
res.send(err);
res.json(task);
});
};

18. 18 │ 42Crunch.com
Be wary of your Object Relational Mapper
● ORMs are a massive development
convenience speeding up coding
effort
● ORMs are a leading cause of:
Excessive data exposure
Mass assignment
● Always understand what your ORM
is doing for you, and decouple
from direct API access

19. 19 │ 42Crunch.com
Explicitly enable methods, prevent unused methods
Explicitly specify the methods to be
used, and prevent unused methods in
the framework used
A Python Flask API endpoint
1
2
3
4
5
@app.route('/', methods=['POST'])
def my_first_api_endpoint():
json_data = json.loads(request.data)
...
return "", 200

20. 20 │ 42Crunch.com
Certificate pinning for mobile applications
https://approov.io/blog/man-in-the-middle-myths-and-legends
● Your mobile application is one of
your top attack vectors
● Without certificate pinning your
backend APIs can be easily reverse
engineered
● Tokens and secrets can easily be
exfiltrated via a proxy

21. 21 │ 42Crunch.com
Use standard libraries and components
● NEVER write your own cryptography
functions or methods
● Use standard libraries for common
functionality (and scan them for
vulnerabilities)
● Stand on the shoulder of giants (and
contribute fixes and improvements)

22. 22 │ 42Crunch.com
Semgrep FTW
https://semgrep.dev/
Search for:
• Hardcoded secrets
• Missing AuthN/AuthZ
decorators
• JWT validation errors
• Missing method decorators
• Transport misconfiguration

23. 23 │ 42Crunch.com
Rugged at runtime

24. 24 │ 42Crunch.com
Rate limiting
API backend
42Crunch
firewall
This protection limits how many requests API Firewall
accepts from an IP address within a given time window.

25. 25 │ 42Crunch.com
JWT token validation
API backend
42Crunch
firewall
JWT token validation performs a variety of checks on
request tokens and blocks invalid requests

26. 26 │ 42Crunch.com
Security headers
API backend
42Crunch
firewall
These protections on APIs control security headers either locally to
specific paths, operations, responses, or alternatively to all incoming
requests or outgoing responses.

27. 27 │ 42Crunch.com
API monitoring in your SIEM – Azure Sentinel

28. 28 │ 42Crunch.com
Continuous threat detection
● Excessive AuthZ errors
● Path enumeration
● Rate limiting
● Excessive requests
● Tool detection
● Fuzzing detection
● Risky IP address detection

29. 29 │ 42Crunch.com
Leveraging your Cloud platform protections
API backend
42Crunch
firewall
Azure
Sentinel
Azure
firewall

30. 30 │ 42Crunch.com
Learning more
https://42crunch.com/actively-monitor-and-defend-your-
apis-with-42crunch-and-the-azure-sentinel-platform/
https://apisecurity.io/