A security vulnerability our API hates

As you know, we’ve talked about many different and critical subjects related to application programming and knowing that it is very important to protect them, let’s talk about (probably) one of the most crucial things we need to know when transferring data.

First, let’s explain what is this API,

API – which stands for Application programming interfaces, is a set of code libraries, commands, functions and procedures, which, are already existing.

We mainly use API’s as a way of “exchanging” that information whether the data goes internally or externally.

When we feel very “social” and we want log in to our favorite “guilty-pleasure” social Network such as Facebook (sorry, “Meta”) the API’s checks and verifies the input you’ve inserted and, eventually “decides if it’s valid of not.

And why it should worry us ? – given the fact that many of this “input” or data can lead to our sensitive and valuable info, we don’t want it to get to the wrong hands, if a company as huge as Google accidentally gets her internal API’s leaked it can cause exposure of the entire organization interface and secrets which may lead to them losing thousands and even millions of dollars (and trust me, we all have secrets).

Think of it this way, you built a house, your personal space, that you trust and “have-faith” in, suddenly being breached and your personal diary gets stolen.

It’s important to understand that, since the API’s are on the internet, they share similar vulnerabilities that common WEB-Apps has.

Let’s talk about the some of the types of attacks we can expect from the our not-so-friendly hackers :

  • The Man-In-The-Middle attack – imagine yourselves gathering the courage to finally ask the girl you’ve been dreaming about for years to a date, you send a message, she replies nicely (you go bro!) and, all of a sudden, messages that you don’t even write are being sent to her without you being able to control it, now think of an even worse scenario, maybe it was your boss ? a partner from your company ? or even worse, your mom ??? .

Those type of attacks are just that, someone “pushing” himself between two sides of a conversation and interfering which can lead to horrific results.

  • Injection attacks – probably the best known type of attacks, we mainly hear about SQL and XSS injections, the attacker “injects” malicious script or code into the vulnerable application will result in a user’s input (such as password, keywords and such) will now be revealed, that means that (usually) due to a “breach” in the original code\program the attacker will be able to exploit it and by detecting the breach he will allow himself to extract data or even “buying” himself a ticket to the backstage.

Oh no! who will save us? how can we protect ourselves?

As usual, that’s where i come in, firstly, never use sites\apps that doesn’t use the secured HTTPS protocol and a very good dose of that SSL , especially if it’s a MPA ( multi-web-application) , and of course as always,

you should turn to the PROS, in Cytrix we’ll make sure your special diary with all the secrets in it are safe from vulnerabilities that can be found and related to the API you’ve worked so hard on writing and designing.

Stay safe kids, choose Cytrix.

Crossing Scripts – XSS

Injections. SQL Injections. Cross-site Scripting (hence the amazing title “Crossing Scripts – XSS”). There all sorts of Injection-Based attacks, if you want to read about

Read More »