© 2024 Akamai
API Security Best Practices: Lessons Learned from Real-World Attacks and Breaches
Boon Wah, Tay
郑文华 鄭文華 정문하 テイブーンワ
API Security Solutions Specialist
Senior Solutions Engineer
28 Sep 2024
API - Application Programming Interface
API – Application Programming Interface
• A set of rules or programming that allows applications to interface or communicate with each other.
• Simply put, a piece of code talking to another piece of code.
• API architecture is usually explained in terms of client and server. The application sending the request is called the client, and the application sending the response is called the server.
[Diagram: Your Program (in language X) talking to Your Program (in language Y)]
● Operating system APIs
● Remote APIs
● Database APIs
● Web APIs
APIs Power the Modern World
Mission Critical Operations, Digital Transformation, and Information Availability – All Rely on APIs
API Security Incidents
- Major Data Breach
- Fraudulent Financial Transactions
https://www.bleepingcomputer.com/news/security/dell-api-abused-to-steal-49-million-customer-records-in-data-breach/
https://www.bankinfosecurity.com/google-settles-google-api-data-leak-lawsuit-for-350m-a-24296?trk=feed_main-feed-card_feed-article-content
• Google+ API that allowed outside developers to access users' private profile data.
• Up to 438 third-party apps likely had access to the API.
• Access to data including photos, relationship status, email and home addresses.
• Discovered in March 2018; the glitch dated back to 2015.
API Attacks Are the New Normal
Recent major breaches caused by API exploitation
76% of organizations have had an API-related breach in the past year*
Sensitive Health Data for 3.9M Customers
$35M hit to revenue
$34M Customer Funds Stolen
Reputation Damaged
2.8 M Customer IDs
$50M Fine Proposed
22.5M Gov Identity Records
68% of citizens at risk for identity theft
37m Customer Records
Brand Impact & Fines Likely
300K Customer Emails
Public Apology
National Registration Dept of Malaysia
500K+ Customers’ PII Exposed
Brand Impact and Fines
3200+ Apps Exposed
200 Million Records
Source Code & Customer PII
Critical IP Stolen
*API Security Disconnect, Akamai Study, 2022
API Attacks
- Business Logic Flaws
API Attacks are Different
[Diagram: Attacker -> Web Security Protection -> Web / Mobile App -> API -> Back-end Data / App (Crown Jewel); Yesterday's Attacks vs Today's Attacks]
API Attacks are Different
[Diagram: Attacker -> Web Security Protection -> Web / Mobile App -> API -> Back-end Data / App (Crown Jewel)]
• Attackers are going right around your web and mobile app, straight to the API and then the back-end, where the valuable data (the crown jewel) is stored!
• Attackers are bypassing all the traditional web and mobile app security protection.
• API breaches exploit business logic flaws, gaps in authorization, weak authentication and the like.
OWASP API Security Top 10 2019
https://owasp.org/www-project-api-security/
OWASP API Security Top 10 2023
https://owasp.org/www-project-api-security/
API1:2023 Broken Object Level Authorization
API2:2023 Broken Authentication
API3:2023 Broken Object Property Level Authorization
API4:2023 Unrestricted Resource Consumption
API5:2023 Broken Function Level Authorization
API6:2023 Unrestricted Access to Sensitive Business Flows
API7:2023 Server Side Request Forgery
API8:2023 Security Misconfiguration
API9:2023 Improper Inventory Management
API10:2023 Unsafe Consumption of APIs
OWASP Top 10 2019 to 2023

2019                                            2023                                                    Status
API1:2019  Broken Object Level Authorization    API1:2023  Broken Object Level Authorization             Unchanged
API2:2019  Broken User Authentication           API2:2023  Broken Authentication                         Renamed
API3:2019  Excessive Data Exposure              API3:2023  Broken Object Property Level Authorization    Merged
API6:2019  Mass Assignment                      API3:2023  Broken Object Property Level Authorization    Merged
API4:2019  Lack of Resources & Rate Limiting    API4:2023  Unrestricted Resource Consumption             Renamed
API5:2019  Broken Function Level Authorization  API5:2023  Broken Function Level Authorization           Unchanged
API7:2019  Security Misconfiguration            API8:2023  Security Misconfiguration                     Unchanged
API9:2019  Improper Assets Management           API9:2023  Improper Inventory Management                 Renamed
API8:2019  Injection                            -                                                        Removed
API10:2019 Insufficient Logging & Monitoring    -                                                        Removed
-                                               API6:2023  Unrestricted Access to Sensitive Business Flows  New
-                                               API7:2023  Server Side Request Forgery                   New
-                                               API10:2023 Unsafe Consumption of APIs                    New

Legend: Unchanged, Renamed, Merged, New, Removed
Broken Object Level Authorization (BOLA)
• User A can access other users' records (or data objects).
• The API endpoint has insufficient access controls: there is no authorization check on the data object.
• This violation of Zero Trust leads to major data breaches or fraudulent transactions.
[Diagram: User A -> User A Data: rightful access (1-to-1 mapping); User A -> User B Data, User C Data, ..., User N Data: data access due to no authorization check (1-to-many mapping)]
Broken Object Level Authorization
"What if I replace id1 with id2 and view someone else's data?"
Alice:    GET /accounts/id1/financial_info
Attacker: GET /accounts/id2/financial_info
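As an added example (not code from the deck), the endpoint on this slide, GET /accounts/{id}/financial_info, written once without and once with an object-level authorization check; the token shape, the account store and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data (assumption): which user owns which account record.
ACCOUNTS = {
    "id1": {"owner": "alice", "balance": 1200},
    "id2": {"owner": "bob", "balance": 8800},
}


@dataclass
class Token:
    """Stand-in for an already-validated JWT; 'sub' is the authenticated user."""
    sub: str


class Forbidden(Exception):
    pass


def financial_info_vulnerable(token: Optional[Token], account_id: str) -> dict:
    """BOLA: authenticates (a token is present) but never authorises the object.
    Any logged-in user can read any account simply by changing the id in the URI."""
    if token is None:
        raise Forbidden("unauthenticated")
    return ACCOUNTS[account_id]


def financial_info_hardened(token: Optional[Token], account_id: str) -> dict:
    """Object-level authorization: the record must belong to the token subject.
    Ownership is looked up server-side; nothing in the URI is trusted."""
    if token is None:
        raise Forbidden("unauthenticated")
    record = ACCOUNTS.get(account_id)
    # Same error for 'no such record' and 'not your record', so the response
    # does not reveal which identifiers exist.
    if record is None or record["owner"] != token.sub:
        raise Forbidden("not authorised for this object")
    return record
```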
Data Exfiltration
Legit Behavior: JWT token of Francis, API URI with the user ID of Francis; the response returns the personal data of Francis.
Anomaly (API hacking): the user ID in the URI has changed, but the same JWT token of Francis was used. Now reading other people's data, and then reading more other people's data.
Data Exfiltration: All of them are 200 OK! That's bad!
They appear normal to a WAF or API gateway.
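An added example, not from the deck, of the detection the anomaly slides describe: correlating the JWT subject with the user ID in the URI across requests, so that one token successfully reading many other users' records is flagged even though every single request looks normal to a WAF or gateway. The log format, field names and the assumption that the token subject equals the user's own account id are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed gateway access-log lines (assumption): timestamp, the JWT
# subject the gateway extracted, method, path and response status.
LOG_LINES = """
2024-09-28T10:00:01Z sub=1001 GET /accounts/1001/financial_info 200
2024-09-28T10:00:04Z sub=1001 GET /accounts/1002/financial_info 200
2024-09-28T10:00:05Z sub=1001 GET /accounts/1003/financial_info 200
2024-09-28T10:00:06Z sub=1001 GET /accounts/1004/financial_info 200
2024-09-28T10:00:09Z sub=2002 GET /accounts/2002/financial_info 200
2024-09-28T10:00:11Z sub=2002 GET /accounts/2003/financial_info 403
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(\S+) sub=(\S+) (\w+) /accounts/(\w+)/financial_info (\d{3})$"
)


def foreign_reads(lines):
    """Per token subject, the set of *other* users' account ids that were
    served with 200 OK. Each request on its own is well-formed and
    authenticated; only the subject-vs-object correlation exposes BOLA abuse."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an /accounts/.../financial_info request
        _ts, sub, _method, account_id, status = m.groups()
        if status == "200" and account_id != sub:
            hits[sub].add(account_id)
    return dict(hits)


def flag_bola_suspects(lines, threshold=2):
    """Subjects that successfully read at least `threshold` foreign objects.
    A 403 (the authorization check worked) does not count toward the total."""
    return sorted(
        sub for sub, ids in foreign_reads(lines).items() if len(ids) >= threshold
    )
```

In production the same rule would key on the token's subject claim and on whatever path parameter carries the object identifier for each endpoint, and the threshold would be tuned per endpoint.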
Optus Data Breach
● Company: Optus
● Industry: Telco
● Impact: ~600M USD
● Vulnerability:
○ Unauthenticated, publicly exposed API endpoint
○ Excessive Data Exposure
○ Incrementing Customer Identifiers
https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142
https://www.straitstimes.com/business/companies-markets/singtels-profit-risks-erosion-from-optus-data-hack-in-australia
https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142
"No authenticate needed. That is bad access control. All open to internet for any one to use."
https://mango.pdf.zone/finding-former-australian-prime-minister-tony-abbotts-passport-number-on-instagram
API and Boarding Pass
The Akamai API Security Platform
Complete API security covers the entire lifecycle of an API
Discovery: Locate and inventory all of your APIs and related risk, from both the inside-out and outside-in
Posture: Uncover vulnerabilities and misconfigurations to speed remediation and ensure compliance
Runtime: Detect and block API attacks with real-time traffic analysis powered by machine learning
Testing: Find and remediate API vulnerabilities during the development lifecycle
Applications are at the center of everything we do.
We protect the applications you build everywhere, every time, without compromising performance or customer experience.
Boon Wah, Tay
Senior Solutions Engineer
Akamai Technologies
https://www.linkedin.com/in/boonwah/
Thank You!