Organizations’ websites are often the main public face of the business. From the company website, users can browse a company’s offerings and even interact with their account via web applications. Web apps are extremely valuable and useful for businesses and their customers alike; however, they also represent a major potential hole in the organization’s defenses.
One of the often overlooked aspects of web application security is web API security. Web Application Programming Interfaces (APIs) expose functionality of the website to automated tools, allowing more efficient access to backend data. This ability to automate queries to the database reduces load on the website’s front-end and increases efficiency for the script-using customers; however, the direct connection between the user and the database via the API means that poorly-secured APIs can be a prime target for hackers.
Web APIs can be attacked in many different ways, but a common first step in the process is reconnaissance. Hackers need to understand the API in order to determine how to exploit it, and one way of accomplishing this is monitoring legitimate communications between the API and a trusted client and looking for leaked sensitive information. Additionally, hackers may want to collect information leaked about legitimate users by eavesdropping on their communications with the web API. Both of these can be accomplished through a Man in the Middle (MitM) attack.
What is a Man in the Middle (MitM) Attack?
A Man in the Middle (MitM) attack involves a hacker eavesdropping on the communications between two parties. Performing a MitM attack requires the hacker to be able to control the communication channels between the two users and route all traffic through a device under their control. At a minimum, this allows the attacker to selectively forward or drop traffic, but it may also allow the hacker to read and possibly edit the traffic as well.
The main challenge with MitM attacks is the fact that most websites use HTTPS to authenticate their users and secure the connection. In order to defeat these protections, the hacker needs to either be able to convince the user that they are the owner of the web API or to use an insecure version of TLS (both of which are possible). However, if the web API is available using HTTP, none of this is necessary.
MitM and Web APIs
Web APIs using Representational State Transfer (REST) perform all API communications using HTTP requests and responses. If TLS is not used to secure these communications, an attacker has complete control over the packets being sent between the user and the web API. This allows the hacker to read any data included in the requests and to modify the data being transmitted.
This ability to read and modify data is valuable to an attacker in any phase of the web API exploitation process. If a web API is designed to only interact with a “trusted” application, some corners may have been cut when securing the API. An attacker performing a MitM attack may be able to learn important details about the functionality of the API by intercepting, observing, and possibly modifying these communications. This type of attack can be performed using a device and account completely under the attacker’s control.
If the attacker has the ability to perform a MitM attack on an unprotected or underprotected communications channel between the API and a benign user, they may be able to gain access to the user’s account or read sensitive data from it. If the API passed session information in an HTTP header or a URL, it will happily allow an attacker who has intercepted this information to connect as the legitimate user.
The potential impacts of an attacker using a MitM attack on an unprotected API make it one of the most significant threats to API security. At a minimum, web APIs should use TLS to encrypt traffic and authenticate both sides of the connection to ensure that an attacker is not intercepting and decrypting traffic. It is also wise to enable HTTP Strict Transport Security (HSTS), which forces the web client to interact via HTTPS (using TLS for security) and denies access to users via HTTP (without TLS). Enabling this significantly raises the bar for an attacker attempting to perform a Man in the Middle attack.
Securing Your Web Application
Web APIs are a huge asset for an organization and its users since they streamline access to the data and functionality provided by the organization’s website. However, they also represent a huge potential security vulnerability for the organization since the code of the web API is all that stands in the way between a hacker and a trove of valuable data. A vulnerable web API can be the cause of a major data breach, so web API security is of paramount importance.
One significant threat to an unsecured or undersecured API is the Man in the Middle attack, where a hacker can intercept, view, and possibly modify traffic between the user and the web API. This level of access gives the attacker complete control of the user’s account and the ability to steal sensitive data from the API. While the proper use of TLS can help protect a web API from MitM attacks, they can still be vulnerable to a variety of different threats. Like any code exposed to the Internet, web APIs should be protected by a web application firewall (WAF) capable of identifying and blocking attempts to exploit any vulnerabilities in the web API’s code.