In today’s blog, we will discuss the ramifications of unauthenticated APIs using the recently published ZIPNet vulnerability. ZIPNet is an online application operated by law enforcement authorities in India to share crime and criminal information in real time. This includes a registry of reported crimes, wanted criminals, and proclaimed offenders, amongst others. The application was designed to provide access to existing records through APIs so that multiple law enforcement authorities in India can share information rapidly.
In October 2019, Karan Saini, a security researcher, reported a ZIPNet API vulnerability that allowed a malicious actor to create or modify criminal records in this registry without any authentication. Even after it was reported, the vulnerable API remained exposed until May 2020, allowing anyone on the Internet to access the API without authentication.
Data Breach Root Cause
Based on the publicly available information, this security incident was a direct result of poorly implemented API authentication and access control. Authentication is the process of validating who the user is before they access the application, and access control is the process of granting access within the application based on the user’s privileges. In this case, the controls were too weak, allowing a malicious actor to use the API to delete or modify existing criminal records of known offenders, or to add criminal records for law-abiding citizens.
Rather than focus on the volume of data leaked, the remainder of this article will analyze the need for authentication and access control, along with steps that a developer should take to ensure their APIs, like more traditional applications, are coded to strict security best practices.
The Need for API Authentication and Access Control
Based on recent reports, more than 83% of traffic on the internet is driven by APIs. According to a Gartner survey, 70% of enterprises are using APIs as a core element of their digital transformation. Drivers include the rapid transition from monolithic applications to microservices, where each service communicates with other services and the outside world using APIs, growing support for mobile/IoT devices, and the move to iterative development methodologies.
Any API, but particularly one that transmits or provides access to sensitive information, should have strong authentication and access control – just as a traditional application would – to help ensure that your data is not inadvertently exposed and stolen. While there is no way to determine why this API was released without authentication, possible reasons include:
- The developer made a mistake – they happen – developers are human. It is possible the developer did not have adequate training on secure API coding practices.
- Multiple developers were working on parts of the API and they missed this error, as did the QA department.
- The functionality was deemed not important or not outlined in the specification, or a specification was not followed.
Regardless of why this error existed, API developers should understand what data the API is transmitting and, working with the API owner, should choose an authentication technique commensurate with the value of that data. Basic auth, API key-based auth, and OAuth are the alternatives defined by the Swagger/OpenAPI specification 2.0.
Controlling who has access to these APIs is as important as authenticating callers to them. Even when an API requires authentication, we still need to make sure that each user is confined to their own authorization profile. Lack of access controls can lead to:
- Application level privilege escalation where regular users can perform administrative tasks
- Application level lateral movement where an authenticated user can access another user’s information
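The two failure modes above, alongside the missing-authentication case from the ZIPNet report, are easiest to see in code. The following is an added example and not ZIPNet’s code: a record-update handler written first with no authentication or access control, then hardened with an authentication step plus an object-level check covering both role (vertical privilege escalation) and record ownership (lateral movement). The session store, roles, agencies and records are constructed sample data.

```python
"""Added example, not ZIPNet's code: a record-update API handler written first
with no authentication or access control (the failure the post describes),
then hardened. Sessions, roles and records are constructed sample data."""
import hmac

# Constructed session store: bearer token -> authenticated principal.
SESSIONS = {
    "tok-officer-a": {"user": "officer_a", "agency": "agency-1", "role": "officer"},
    "tok-clerk-a":   {"user": "clerk_a",   "agency": "agency-1", "role": "clerk"},
}

# Constructed registry: every record belongs to the agency that filed it.
RECORDS = {
    101: {"owner_agency": "agency-1", "status": "wanted"},
    202: {"owner_agency": "agency-2", "status": "proclaimed"},
}


def fresh_registry():
    """Copy of RECORDS so each call starts from the same state."""
    return {rid: dict(rec) for rid, rec in RECORDS.items()}


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status, self.message = status, message


def update_record_vulnerable(record_id, new_status, headers, registry):
    """Accepts any caller: no authentication, no ownership or role check."""
    registry[record_id]["status"] = new_status
    return {"id": record_id, "status": new_status}


def authenticate(headers):
    """Resolve 'Authorization: Bearer <token>' to a principal or raise 401."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        raise ApiError(401, "authentication required")
    presented = value[len("Bearer "):].encode()
    for token, principal in SESSIONS.items():
        # Constant-time comparison so timing does not leak token prefixes.
        if hmac.compare_digest(token.encode(), presented):
            return principal
    raise ApiError(401, "invalid token")


def authorize_record_write(principal, record_id, registry):
    """Object-level check: right role (no vertical escalation) and right
    agency (no lateral access to another agency's records)."""
    record = registry.get(record_id)
    if record is None:
        raise ApiError(404, "no such record")
    if principal["role"] != "officer":
        raise ApiError(403, "role may not modify records")
    if record["owner_agency"] != principal["agency"]:
        raise ApiError(403, "record belongs to another agency")
    return record


def update_record_secure(record_id, new_status, headers, registry):
    """Hardened handler: authenticate, then authorize, then modify."""
    principal = authenticate(headers)
    record = authorize_record_write(principal, record_id, registry)
    record["status"] = new_status
    return {"id": record_id, "status": new_status, "modified_by": principal["user"]}


def dispatch(handler, record_id, new_status, headers, registry):
    """Run a handler and map ApiError to an HTTP-style (status, body) pair."""
    try:
        return 200, handler(record_id, new_status, headers, registry)
    except ApiError as err:
        return err.status, {"error": err.message}


if __name__ == "__main__":
    anon = {}
    officer = {"Authorization": "Bearer tok-officer-a"}
    print(dispatch(update_record_vulnerable, 101, "cleared", anon, fresh_registry()))
    print(dispatch(update_record_secure, 101, "cleared", anon, fresh_registry()))
    print(dispatch(update_record_secure, 101, "cleared", officer, fresh_registry()))
    print(dispatch(update_record_secure, 202, "cleared", officer, fresh_registry()))
```

The order of checks matters: authentication runs before the record lookup so that an anonymous caller cannot use 404 versus 403 responses to enumerate which record IDs exist, and the ownership check is done per record rather than per endpoint, which is what keeps an authenticated user inside their own authorization profile.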
Avoiding Weak API Authentication Errors
The “shift left” paradigm that many organizations are embracing is designed to catch these types of security issues early in the DevOps process by implementing checks and balances in each of the development phases. The shift left approach includes implementing security at various phases, including:
- Secure coding training for API developers
- Well-defined features and functional specifications that include security
- Code reviews and security audits
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
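As an added example of what a shift-left check can look like in practice (this is not the page’s or any vendor’s code), the script below behaves like a minimal SAST rule: it parses Python source with the standard library’s ast module and reports Flask-style route handlers that carry no authentication decorator. The decorator names, the public-path allowlist and the sample source it scans are constructed assumptions; a real rule would be tuned to the framework and auth library the project actually uses.

```python
"""Added example, not the original page's code: a small shift-left check in the
spirit of a SAST rule. It parses Python source with the standard ast module
and reports Flask-style route handlers that carry no authentication decorator.
The decorator names and the sample source below are constructed assumptions."""
import ast

ROUTE_DECORATORS = {"route", "get", "post", "put", "patch", "delete"}
AUTH_DECORATORS = {"require_auth", "login_required", "jwt_required"}
# Endpoints that are intentionally public; everything else must authenticate.
PUBLIC_PATHS = {"/health"}


def _decorator_name(node):
    """Name for @x, @obj.x, @x(...) and @obj.x(...)."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def _route_path(node):
    """First positional string argument of a route decorator, if any."""
    if isinstance(node, ast.Call) and node.args:
        first = node.args[0]
        if isinstance(first, ast.Constant) and isinstance(first.value, str):
            return first.value
    return None


def find_unauthenticated_routes(source):
    """Return (line, function, path) for route handlers lacking an auth decorator."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = {_decorator_name(d) for d in node.decorator_list}
        routes = [d for d in node.decorator_list
                  if _decorator_name(d) in ROUTE_DECORATORS]
        if not routes or names & AUTH_DECORATORS:
            continue
        path = _route_path(routes[0]) or "<dynamic path>"
        if path in PUBLIC_PATHS:
            continue
        findings.append((node.lineno, node.name, path))
    return findings


# Constructed source under review: one guarded handler, one unguarded write
# handler, one intentionally public endpoint, and a plain helper function.
SAMPLE_SOURCE = '''
from flask import Flask
app = Flask(__name__)

@app.route("/records/<int:rid>", methods=["GET"])
@require_auth
def get_record(rid):
    return lookup(rid)

@app.route("/records/<int:rid>", methods=["POST"])
def update_record(rid):
    return save(rid)

@app.get("/health")
def health():
    return "ok"

def helper():
    return 1
'''

if __name__ == "__main__":
    for line, func, path in find_unauthenticated_routes(SAMPLE_SOURCE):
        print(f"line {line}: {func}() serves {path} without authentication")
```

Run as a pre-commit hook or CI step, a check like this turns "the developer forgot the auth decorator" from a production incident into a failed build; the allowlist makes any deliberately public endpoint an explicit, reviewable decision rather than an omission.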
If the Delhi developers had followed these practices, in theory the flaw should have been caught before the API was published. The reality is that bugs and security issues like weak authentication do make their way into production, where they can lead to a major breach.
API Security Begins with Visibility and Monitoring
To help prevent API-based vulnerabilities (such as weak or missing authentication and access control) from making it into production, enterprises need to implement a runtime API visibility and monitoring solution that continually tracks all APIs – shadow, non-conforming or otherwise – then analyzes them for threats and assesses their potential risk. With runtime API visibility and monitoring, enterprises can answer three basic questions that in turn can strengthen their API security posture.
- How many APIs do you have and who owns them? Answering this question will keep track of your entire API attack surface as developers continually roll out new APIs while updating the existing ones. A real-time API inventory is a critical first step towards API security.
- Have the appropriate levels of authentication and access control been enabled? All your APIs should have some level of authentication and access control to help eliminate potential forms of abuse. The strength of your controls should be appropriate for the type of functionality implemented and data being used.
- What type of data are your APIs transmitting? APIs deliver rich functionality that may include sensitive information, knowingly or unknowingly. Determining which APIs may expose sensitive data will minimize security risks and associated compliance violations.
- Are your APIs using encryption? Security best practices dictate that data transmission via an app or an API should be encrypted. Ensuring encryption is enabled will help you maintain privacy and regulatory compliance.
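The questions above map directly onto signals that can be pulled from API gateway or load-balancer logs. The following added example (not Cequence’s product or the page’s code) builds a minimal runtime inventory from such logs: it discovers endpoints, including an undocumented v2 path, and flags those observed without authentication, over plaintext HTTP, or returning fields from a sensitive-data list. The JSON log format, the sensitive-field list, the public-endpoint allowlist and the log lines themselves are constructed assumptions.

```python
"""Added example, not Cequence's product or the page's code: a minimal runtime
API inventory built from gateway access logs. It discovers endpoints (including
ones nobody documented) and flags those seen without authentication, over
plaintext HTTP, or returning sensitive fields. The JSON log format, the
sensitive-field list and the log lines are constructed assumptions."""
import json
import re
from collections import defaultdict

SENSITIVE_FIELDS = {"national_id", "dob", "passport_no", "phone", "home_address"}
PUBLIC_ENDPOINTS = {("GET", "/api/v1/health")}   # deliberately unauthenticated
_NUMERIC = re.compile(r"^\d+$")

# Constructed access-log lines, one JSON object per line as a gateway might emit.
SAMPLE_LOG = [
    '{"method":"GET","scheme":"https","path":"/api/v1/records/101","auth":"bearer","status":200,"resp_fields":["id","status"]}',
    '{"method":"POST","scheme":"https","path":"/api/v1/records/101","auth":"none","status":200,"resp_fields":["id","status"]}',
    '{"method":"POST","scheme":"https","path":"/api/v1/records/202","auth":"none","status":200,"resp_fields":["id","status"]}',
    '{"method":"GET","scheme":"http","path":"/api/v1/persons/55","auth":"apikey","status":200,"resp_fields":["name","national_id","dob"]}',
    '{"method":"GET","scheme":"https","path":"/api/v1/health","auth":"none","status":200,"resp_fields":["ok"]}',
    '{"method":"GET","scheme":"https","path":"/api/v2/records/7","auth":"bearer","status":200,"resp_fields":["id","status"]}',
]


def normalize_path(path):
    """Collapse numeric segments so /records/101 and /records/202 are one endpoint."""
    return "/".join("{id}" if _NUMERIC.match(seg) else seg for seg in path.split("/"))


def build_inventory(log_lines):
    """Group requests by (method, normalized path) and tally the risk signals."""
    inventory = defaultdict(lambda: {"calls": 0, "unauthenticated": 0,
                                     "plaintext": 0, "sensitive_fields": set()})
    for line in log_lines:
        entry = json.loads(line)
        endpoint = inventory[(entry["method"], normalize_path(entry["path"]))]
        endpoint["calls"] += 1
        if entry.get("auth", "none") == "none":
            endpoint["unauthenticated"] += 1
        if entry.get("scheme") != "https":
            endpoint["plaintext"] += 1
        endpoint["sensitive_fields"] |= set(entry.get("resp_fields", [])) & SENSITIVE_FIELDS
    return dict(inventory)


def risk_report(inventory):
    """Map each endpoint to the findings a security team should triage."""
    report = {}
    for key, ep in inventory.items():
        flags = []
        if ep["unauthenticated"] and key not in PUBLIC_ENDPOINTS:
            flags.append("UNAUTHENTICATED")
        if ep["plaintext"]:
            flags.append("PLAINTEXT")
        if ep["sensitive_fields"]:
            flags.append("SENSITIVE_DATA")
        if flags:
            report[key] = flags
    return report


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    print(f"{len(inv)} endpoints discovered")
    for (method, path), flags in sorted(risk_report(inv).items()):
        print(f"{method} {path}: {', '.join(flags)}")
```

Two points worth noting from the sample run: the POST handler is flagged even though the matching GET on the same path is authenticated, which is exactly the shape of the ZIPNet finding, and the v2 path shows up in the inventory with no finding, which is still useful because nobody had documented it. Pairing the "unauthenticated" flag with an explicit allowlist keeps a health check from drowning out real findings without silently excusing anything else.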
To learn more about how Cequence can help you identify all your APIs and tell you what form of authentication and access control is in place, please check out this brief video.