Syllabus Point
- Design, develop and implement a safe application programming interface (API) to minimise software vulnerabilities
Interfaces can become gateways for attackers to access sensitive data or perform malicious actions. Improperly secured APIs can introduce vulnerabilities, exposing sensitive information or providing attackers with exploitation opportunities.
Lack of Authentication and Authorisation
If an API does not verify the identity of users (authentication) or restrict what each user is permitted to do (authorisation), unauthorised individuals may gain access to sensitive data.
For example, without proper authentication or authorisation, an API could accept requests from anyone, including malicious actors. This can lead to unauthorised access to sensitive data or system functions.
API keys and tokens should be used for authentication, and token expiration should be implemented.
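An added example (not from the syllabus notes) of the two checks described above: the server issues an expiring token signed with an HMAC, verifies it on every request, and then separately checks the caller's role before performing a privileged action. The secret, the user table and the delete endpoint are constructed for illustration; a real service would load the secret from a secret store and use a vetted token library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only; real services load it from a secret store.
SERVER_SECRET = b"example-secret-do-not-use"

# Constructed user store: the role decides what each caller is authorised to do.
USERS = {
    "alice": {"role": "admin"},
    "bob": {"role": "user"},
}


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the token payload, so a client cannot alter the claims."""
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(username: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a token carrying the user and an expiry timestamp (token expiration)."""
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": int(now + ttl_seconds)}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()
    ).decode()
    return f"{payload}.{_sign(payload.encode())}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None  # malformed token
    # compare_digest is constant-time, so the comparison leaks no timing information
    if not hmac.compare_digest(_sign(payload.encode()), sig):
        return None  # tampered or forged
    claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    if claims["exp"] <= now:
        return None  # expired
    return claims


def handle_delete_user(token: str, target: str, now: Optional[float] = None):
    """Endpoint needing authentication (valid token) and authorisation (admin role)."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, "unauthenticated"
    if USERS.get(claims["sub"], {}).get("role") != "admin":
        return 403, "forbidden"
    return 200, f"deleted {target}"


if __name__ == "__main__":
    admin_token = issue_token("alice", ttl_seconds=60)
    user_token = issue_token("bob", ttl_seconds=60)
    print(handle_delete_user(admin_token, "bob"))   # (200, 'deleted bob')
    print(handle_delete_user(user_token, "alice"))  # (403, 'forbidden')
    print(handle_delete_user("not-a-token", "bob")) # (401, 'unauthenticated')
```

The split between 401 and 403 matters: the first means the API could not establish who is calling, the second means it knows who is calling and that caller is not allowed to do this. Both checks run on every request, and an expired token fails the first check even though its signature is still valid.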
Data Exposure
APIs return data to clients, and there is a risk that a response reveals more information than the client needs, leaking sensitive data.
For example, an API that returns a user's profile information should avoid including sensitive data like password hashes or personal details.
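An added example (not part of the original notes) of the profile case above. The stored record is constructed and includes fields that must never leave the server; the safe handler builds the response from an explicit allow-list of fields rather than returning the stored record as-is, and returns a narrower view to callers other than the profile's owner.

```python
# Constructed user record as it might be stored; some fields must never be returned.
STORED_USER = {
    "id": 42,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "<placeholder-hash>",  # placeholder, not a real hash
    "date_of_birth": "1990-01-01",
    "is_admin": True,
}

# Allow-lists: only these keys can ever appear in a response.
PUBLIC_FIELDS = ("id", "username")
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "date_of_birth")


def leaky_profile_response(record: dict) -> dict:
    """The data-exposure mistake: the whole stored record goes to the client."""
    return dict(record)


def profile_response(record: dict, requester: str) -> dict:
    """Return only allow-listed fields; the owner sees more than other users."""
    fields = OWNER_FIELDS if requester == record["username"] else PUBLIC_FIELDS
    return {key: record[key] for key in fields}


if __name__ == "__main__":
    print(profile_response(STORED_USER, requester="alice"))
    print(profile_response(STORED_USER, requester="bob"))
```

Using an allow-list rather than deleting known-sensitive keys means a new sensitive column added to the database later is not exposed by default.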
Insecure Communication
If API traffic is not encrypted, attackers can intercept and read the data transferred between the server and the client.
To address this, HTTPS should always be used to encrypt API traffic.
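An added example (not from the original notes) of enforcing the HTTPS rule on the client side of an API call. It rejects plain http:// base URLs and builds a TLS context that verifies the server certificate and hostname and refuses TLS versions older than 1.2; the helper names are assumptions for this example, and no network connection is made.

```python
import ssl
from urllib.parse import urlparse


def require_https(api_url: str) -> str:
    """Refuse to use an API endpoint unless it is served over HTTPS."""
    parsed = urlparse(api_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"API must be accessed over HTTPS: {api_url}")
    return api_url


def make_client_context() -> ssl.SSLContext:
    """TLS context for API clients: verify the certificate chain and hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # These are the defaults; they are restated so nobody 'fixes' a cert error
    # by setting check_hostname = False or verify_mode = CERT_NONE.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Check that a context still verifies peers and does not allow old TLS."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    # Usage sketch: http.client.HTTPSConnection(host, context=make_client_context())
    print(require_https("https://api.example.com/v1/users"))
    print(context_is_strict(make_client_context()))  # True
```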
Injection Attacks
Wherever an API accepts user or system input, there is a risk that malicious code, queries or scripts are injected through the request.
To reduce this risk, an API should always properly sanitise input and use parameterised queries when interacting with the database.
Lack of Rate Limiting
Rate limiting caps how many requests a client may make in a given period, which helps prevent brute-force attacks and denial of service attacks.
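An added example (not part of the original notes) of a per-client sliding-window rate limiter in front of a login endpoint, which is the brute-force case above. The limit, the window, the client identifiers and the credential table are all constructed for the demonstration; the limiter takes the current time as an argument so its behaviour over time can be checked without waiting.

```python
import hashlib
import hmac
from collections import defaultdict, deque


class RateLimiter:
    """Allow at most max_requests per client within any window_seconds period."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client_id -> timestamps of recent requests

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits[client_id]
        # Drop timestamps that have fallen out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


# Constructed credential store: SHA-256 of the password (a real service would use a
# slow password hash such as bcrypt or Argon2; plain SHA-256 is only for the demo).
CREDENTIALS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def login(limiter: RateLimiter, client_ip: str, username: str, password: str, now: float):
    """Login endpoint: rate limit per source before any password check runs."""
    if not limiter.allow(client_ip, now):
        return 429, "too many requests"
    expected = CREDENTIALS.get(username)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if expected is not None and hmac.compare_digest(expected, supplied):
        return 200, "ok"
    return 401, "invalid credentials"


if __name__ == "__main__":
    limiter = RateLimiter(max_requests=3, window_seconds=60)
    for i, guess in enumerate(["a", "b", "c", "d"]):
        print(login(limiter, "203.0.113.5", "alice", guess, now=100.0 + i))
    # The fourth attempt inside the window is refused with 429 before the
    # password is even checked.
```

Keying the limit on the client address is the simplest choice; a production API usually also limits per account so that guesses spread across many addresses are still capped.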