Application Programing Interfaces (API) are foundational to how most of today’s modern applications work. By design, they enable two systems to communicate and transfer information. When implemented correctly, we don’t realize we’re interfacing with APIs. They are, however, found in almost everything we interact with daily – websites, mobile apps, kiosks at malls and airports, even our IoT enabled devices (i.e., internet enabled devices, cameras, etc..).
While API’s allow for more flexible, and scalable, applications, it has also expanded an organizations threat landscape exponentially. We’ve seen this over the years with the increase in attacks targeting API’s, most notably the Twitter hack in 2021 where 5.4 million Twitter user had their information stolen via an exploitable vulnerability in one of their APIs.
To help combat this challenge, the Open Web Application Security Project (OWASP) released the OWASP Top 10 API Security Risks – 2023.
Security Challenge -Broken Authentication
One o the key tenants of IAAA (Identification and Authentication, Authorization and Accountability) in security is Authentication. It also happens to be one of the toughest to implement with API’s and continues to be one of the main vectors abused by bad actors.
OWASP highlights this risk with API2:2023
API2:2023 – Broken Authentication | Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising a system’s ability to identify the client/user, compromises API security overall. |
The impact of this risk is categorized as severe because via this vector bad actors have the ability to gain complete control of the system or other users in the system, read personal data, and possibly perform sensitive actions (as demonstrated in the Twitter hack).
Coincidently, a lot of what we build across our various brands (CleanBrowsing, Trunc, NOC, Scanner, DNS Repo) leverage API’s to interface with each other making this a real problem for us and our customers.
With this in mind, we’re introducing a new feature that lets you mitigate API2:2023 via the NOC networking services.
Introducing API Security – Tackling API Authentication Challenges
Our most recent release now includes an update to our API that allow you to manage, protect and control access to API’s you own and manage. Via this update you will be able to create new ACL (access control lists) for your API’s. You’ll be able to create and manage users, while also controlling their utilization.
For example, let’s say you have a service like DNS Repo where users sign up to access and query your insights and intelligence, via this update you’d now be able to create accounts while also putting caps on their utilization to correspond to a plan (example: $20 per month for 10k queries a month, etc..).
NOC API Protection Options
To protect an API url you will need to create a rule for the specific URL, add users that will be issued unique tokens, and apply utilization settings.
This is how it works:
Step 1 – Create an API protected URL Rule
The first step is to create an API protected URL.
If your API is at /api, you would add /api as a api_protect custom rule to the system. Our API’s use basic CRUD operations and can be easily used via your favorite terminal via command tools like cURL:
$ curl -D - "https://my.noc.org/api?apikey=YOURAPIKEY&action=cdn/customrules/add&website=YOURSITE&rule_type=api_protect&url=/api&rule_name=my_apiprotected"
{"status":"success", "notice":"CDN/WAF Custom rule added for https://YOURSITE: my_apiprotected"}
This creates a new rule named my_apiprotected for your domain YOURSITE and applies it to a specific URL – /api.
With this rule created, every request to /api would fail with this error without the appropriate token (assigned to each unique user):
$ curl -s https://YOURSITE/api
{"status":"error", "reason":"API access blocked. Missing api access token."}
Which is exactly what we want to start. Let’s add users!
Step 2 – Adding users
Now we add users with permission to access the API URL. You this by leveraging the following action: cdn/customrules/api_protect/add_user
For example, lets add dcid@noc.org as a user to /api:
$ curl -s "https://my.noc.org/api?apikey=YOURAPIKEY&action=cdn/customrules/api_protect/add_user&website=YOURSITE&username=dcid@noc.org"
{"status":"success", "notice":"CDN/WAF API_protect user added for https://YOURSITE: dcid@noc.org, Access token: NEWTOKEN"}
The API will reply back with a success message, if successful, and provide the automatically created API access token for the user. The user will have to use this Token any time access to the API is required.
*You can also provide the Access token by adding a value called: access_token=VALUE to the API call. That way you can manage the keys instead of having us create them automatically..
Step 3 – Using the API Access token
To use the API Access token, the user will need to add a Header called X-API-Access to the HTTPS requests via the API.
Via the command line you might do something like this:
$ curl -s --header "X-API-Access:NEWTOKEN" -D - https://YOURSITE/api
[ api access success ]
Without this header, and a valid API Access token, the user would not be able to access the API.
Step 4 – Limiting Requests Per User
Creating users and corresponding access tokens is one thing, but as a service you might also want to control utilization to fit a predefined rule (i.e., this user gets 100 requests per hour, some utilization based on pricing tier). This also serves as a great feature to help tackle intentional, and unintended usage problems, that could lead to exhausted resources, DDOS, etc..
This highlights another important part of API management, security, and that is controlling user requests. To tackle this problem, we will add a separate user called client_enterprise_x with a restriction of 100 requests per hour:
curl -s "https://my.noc.org/api?apikey=APIKEY&action=cdn/customrules/api_protect/add_user&website=YOURSITE&username=client_enterprise_x&max_requests=100"
{"status":"success", "notice":"CDN/WAF API_protect user added for https://YOURSITE: client_enterprise_x, Access token: 48ba7332f47396e69e8a503d32b62b8eb77504"}
Once added, the user will have access to the API with the provided Access token (in this example: 48ba7332f47396e69e8a503d32b62b8eb77504). Now, he can connect to the API using:
$ curl -s --header "X-API-Access:48ba7332f47396e69e8a503d32b62b8eb77504" -D - https://YOURSITE/api |more
noc-api-access: pass
noc-api-limit-hour: 100
noc-api-usage-hour: 2
There will be 3 new headers added, the user can leverage these new headers to verify utilization. The noc-api-limit-hour provides the API limit per hour and noc-api-usage-hour shows how many requests have been used. The noc-api-access tells if the requests have been blocked or allowed. If the user goes over the limit, the following error will displayed along with the headers:
noc-api-access: deny
noc-api-limit-hour: 100
noc-api-usage-hour: 101
{"status":"error", "reason":"API access blocked. You reached your utilization limit per hour: 100"}
Step 5 – Adding Expiration to Users
Lastly, with any authentication mechanism you want to make sure there is a way to expire users. This is especially important if you’re giving a user access to a system for 1 month, 3 months, 12 months or if you’re using something like a trial system.
Whatever the interval, it never hurts to have an expiration period for a user, it forces good user management.
Via the API you can add an expiration time to a users access. Let’s say you are letting someone trial a service endpoint for a week, you can pass the “expire” value of “1 week”, to force the key to stop working when that time reaches.
This is how it would work:
$ curl -D - "https://my.noc.org/api?apikey=YOURAPIKEY&action=cdn/customrules/api_protect/add_user&website=YOURSITE&username=client_enterprise_trial_z&max_requests=100&expire=1%20week"
You can also specify a date in YYYY-MM-DD format or things like “1 month“, “1 year“, “6 months“, to let us calculate the expiration time for you.
Enhancing API Security: A Human-Centered Approach
APIs are the backbone of modern applications, making our digital interactions smooth and seamless. However, their convenience comes with the need for robust security, especially in the area of authentication.
To help tackle these challenges, we’ve rolled out a new feature designed to help manage and protect your APIs more effectively. Our tools enable you to set up access control lists, manage users, control usage, and implement token-based access, all aimed at enhancing security. Moreover, with options to set expiration dates for user access, you maintain control over who can interact with your systems and for how long.
By implementing these measures, you can safeguard your applications and users, ensuring a more secure and reliable digital experience. If you’d like to play with this, you get a 14 day Free trial, or you can reach out to us at support@noc.org.