Rami Haddad,Rim El Malki,Daniel Cozma

2024-06-04

Abstract:APIs have become the prominent technology of choice for achieving inter-service communications. The growth of API deployments has driven the urgency in addressing its lack of security standards. API Security is a topic for concern given the absence of standardized authorization in the OpenAPI standard, improper authorization opens the possibility for known and unknown vulnerabilities, which in the past years have been exploited by malicious actors resulting in data loss. This paper examines the number one vulnerability in API Security: Broken Object Level Authorization(BOLA), and proposes methods and tools to reduce the prevalence of this vulnerability. BOLA affects various API frameworks, our scope is fixated on the OpenAPI Specification(OAS). The OAS is a standard for describing and implementing APIs; popular OAS Implementations are FastAPI, Connexion (Flask), and many more. These implementations carry the pros and cons that are associated with the OASs knowledge of API properties. The Open API Specifications security properties do not address object authorization and provide no standardized approach to define such object properties. This leaves object-level security at the mercy of developers, which presents an increased risk of unintentionally creating attack vectors. Our aim is to tackle this void by introducing 1) the OAS ESS (OpenAPI Specification Extended Security Scheme) which includes declarative security controls for objects in OAS (design-based approach), and 2) an authorization module that can be imported to API services (Flask/FastAPI) to enforce authorization checks at the object level (development-based approach). When building an API service, a developer can start with the API design (specification) or its code. In both cases, a set of mechanisms are introduced to help developers mitigate and reduce the prevalence of BOLA.

Cryptography and Security,Programming Languages

R.E. Bogachev,N.V. Zarikovskaya,,

DOI: https://doi.org/10.47813/dnit.2021.2.289-293

2021-01-01

Abstract:This article provides an overview of the FastAPI web framework capabilities for web systems backend development. The comparison with popular frameworks such as Django and Flask is described and the main advantages of using FastAPI framework are presented with the terminals web system development as an example.

Daniel Fett,Pedram Hosseyni,Ralf Kuesters

DOI: https://doi.org/10.48550/arXiv.1901.11520

2019-02-01

Abstract:Forced by regulations and industry demand, banks worldwide are working to open their customers' online banking accounts to third-party services via web-based APIs. By using these so-called Open Banking APIs, third-party companies, such as FinTechs, are able to read information about and initiate payments from their users' bank accounts. One of the most promising standards in this segment is the OpenID Financial-grade API (FAPI), currently under development in an open process by the OpenID Foundation and backed by large industry partners. The FAPI is a profile of OAuth 2.0 designed for high-risk scenarios and aiming to be secure against very strong attackers. To achieve this level of security, the FAPI employs a range of mechanisms that have been developed to harden OAuth 2.0. In this paper, we perform a rigorous, systematic formal analysis of the security of the FAPI, based on the Web Infrastructure Model (WIM) proposed by Fett, Kuesters, and Schmitz. To this end, we first develop a precise model of the FAPI in the WIM, including different profiles and combinations of security features. We then use our model of the FAPI to precisely define central security properties. In an attempt to prove these properties, we uncover partly severe attacks, breaking authentication, authorization, and session integrity properties. We develop mitigations against these attacks and finally are able to formally prove the security of a fixed version of the FAPI. This analysis is an important contribution to the development of the FAPI since it helps to define exact security properties and attacker models, and to avoid severe security risks. Of independent interest, we also uncover weaknesses in the aforementioned security mechanisms for hardening OAuth 2.0. We illustrate that these mechanisms do not necessarily achieve the security properties they have been designed for.

Cryptography and Security

Ayan Chatterjee,Andreas Prinz

DOI: https://doi.org/10.3390/s22051703

2022-02-22

Abstract:In this study, we implemented an integrated security solution with Spring Security and Keycloak open-access platform (SSK) to secure data collection and exchange over microservice architecture application programming interfaces (APIs). The adopted solution implemented the following security features: open authorization, multi-factor authentication, identity brokering, and user management to safeguard microservice APIs. Then, we extended the security solution with a virtual private network (VPN), Blowfish and crypt (Bcrypt) hash, encryption method, API key, network firewall, and secure socket layer (SSL) to build up a digital infrastructure. To accomplish and describe the adopted SSK solution, we utilized a web engineering security method. As a case study, we designed and developed an electronic health coaching (eCoach) prototype system and hosted the system in the expanded digital secure infrastructure to collect and exchange personal health data over microservice APIs. We further described our adopted security solution's procedural, technical, and practical considerations. We validated our SSK solution implementation by theoretical evaluation and experimental testing. We have compared the test outcomes with related studies qualitatively to determine the efficacy of the hybrid security solution in digital infrastructure. The SSK implementation and configuration in the eCoach prototype system has effectively secured its microservice APIs from an attack in all the considered scenarios with 100% accuracy. The developed digital infrastructure with SSK solution efficiently sustained a load of (≈)300 concurrent users. In addition, we have performed a qualitative comparison among the following security solutions: Spring-based security, Keycloak-based security, and their combination (our utilized hybrid security solution), where SSK showed a promising outcome.

Jianping Wu,Lifeng Chen,Siyuan Fang,Chunming Wu

DOI: https://doi.org/10.3390/app142210162

2024-01-01

Applied Sciences

Abstract:The traditional methods for identifying sensitive data in APIs mainly encompass rule-based and machine learning-based approaches. However, these methods suffer from inadequacies in terms of security and robustness, exhibit high false positive rates, and struggle to cope with evolving threat landscapes. This paper proposes a method for detecting sensitive data in APIs based on the Federated Large Language Model (FedAPILLM). This method applies the large language model Qwen2.5 and the LoRA instruction tuning technique within the framework of federated learning (FL) to the field of data security. Under the premise of protecting data privacy, a domain-specific corpus and knowledge base are constructed for pre-training and fine-tuning, resulting in a large language model specifically designed for identifying sensitive data in APIs. This paper conducts comparative experiments involving Llama3 8B, Llama3.1 8B, and Qwen2.5 14B. The results demonstrate that Qwen2.5 14B can achieve similar or better performance levels compared to the Llama3.1 8B model with fewer training iterations.

Muhammad Idris,Iwan Syarif,Idris Winarno

DOI: https://doi.org/10.24003/emitter.v10i2.705

2022-12-16

EMITTER International Journal of Engineering Technology

Abstract:The trend of API-based systems in web applications in the last few years keeps steadily growing. API allows web applications to interact with external systems to enable business-to-business or system-to-system integration which leads to multiple application innovations. However, this trend also comes with a different surface of security problems that can harm not only web applications, but also mobile and IoT applications. This research proposed a web application security education platform which is focused on the OWASP API security project. This platform provides different security risks such as excessive data exposure, lack of resources and rate-limiting, mass assignment, and improper asset management which cannot be found in monolithic security learning application like DVWA, WebGoat, and Multillidae II. The development also applies several methodologies such as Capture-The-Flag (CTF) learning model, vulnerability assessment, and container virtualization. Based on our experiment, we are successfully providing 10 API vulnerability challenges to the platform with 3 different levels of severity risk rating which can be exploited using tools like Burp Suite, SQLMap, and JWTCat. In the end, based on our performance experiment, all of the containers on the platform can be deployed in approximately 16 seconds with minimum storage resource and able to serve up to 1000 concurrent users with the average throughput of 50.58 requests per second, 96.35% successful requests, and 15.94s response time.

Irum Rauf,Elena Troubitsyna

DOI: https://doi.org/10.48550/arXiv.1805.05519

2018-05-15

Software Engineering

Abstract:The widespread adoption of cloud computing has resulted in the proliferation of open source cloud computing frameworks that give more control to enterprises over their data and networks. Though the benefits of open source software are widely recognized, there is a growing concern over their security assurance. Often open source software is a subject of frequent updates. The updates might introduce or remove a variety of features and hence violate security properties of the previous releases. Obviously, a manual inspection of security would be prohibitively slow and inefficient. In this work, we propose an automated approach that can help developers to assure the security of open source cloud framework even in the presence of frequent releases. Our methodology consists of creating a (stateful) wrapper that emulates the usage scenarios with explicit representation of security and functional requirements as contracts. We use a model-driven approach to model REST APIs of KeyStone, an identity service in OpenStack. OpenStack is an open source cloud computing framework providing IaaS. Our models define structural and behavioral properties of Keystone together with its security requirements. We detail the implementation of these models in Django Web Framework and also show how to use the behavioral interfaces to implement a service monitor for the cloud services. This mechanism facilitates verification and validation of functional behavior and security requirement in an automated manner.

Kulanda Seitbekovna Duisebekova,Roman Khabirov,Azamat Zholzhan

DOI: https://doi.org/10.52167/1609-1817-2021-116-1-275-281

2021-03-15

Вестник КазАТК

Abstract:. Today information security has become one of the most important parts of our social media life. Social and media resources are based on web-services in the cloud. It means security of web-services is the equality of people’s social, media, data and information security. In this paper the most important focus was on special secure techniques and tools inside the most popular web-framework on Python programming language - Django. Django has several really strong design patterns and techniques with special tools to store and send user’s data in very secure methods. Developer can easily install in Django-application some new extra instruments, tools and special libraries to make web-application more securable. Django has such extremely useful instruments like Django-ORM, CSRF-tokens, XSS-protection and so many else. For example, Django-ORM (Object-Relational Mapping) is a really powerful instrument to be used for protection of such attacks like SQL-injections. One more instance, CSRF-token (Cross-site request forgery - token) is really amazing internal Django's tool against cross-site request forgery attacks that Django uses in html-templates. The best practice and good examples of these tools are shown inside this paper. Moreover, in the paper were demonstrated comparison of different attack cases and their deep analysis with protection methods from these attacks by Django's tools and techniques. One more thing, we also briefly reviewed other types of vulnerabilities and methods of protection against them and hope this article has given an understanding of the Django security techniques. Finally, Django could become more securable after each next version.

C. Cheh,Binbin Chen

DOI: https://doi.org/10.1109/SecDev51306.2021.00019

2021-10-01

Abstract:Modern web and mobile applications rely on an ever increasing set of services defined by their respective API (Application Programming Interface) specifications. The complexity of today’s APIs, in terms of scale and inter-dependency, poses a challenge for security analyses as it requires much manual effort to conduct a check for design flaws. In this work, we leverage the standardized OpenAPI specification as input and propose a semi-automatic approach to infer various key information about that API specification’s security issues. Our case study based on the OpenAPI specification of the Open Bank Project (consisting of 304 API calls and 402 data fields) shows that our approach can: 1) identify sensitive and insensitive data fields, 2) identify insecure or high-risk API calls that may leak sensitive data, and 3) calculate the exposure level of each data field and API call. In particular, we identified 31 sensitive data fields, 29 insufficiently protected API calls that access a subset of those sensitive data, and 34 high-risk API calls that may result in sensitive data exposure. Furthermore, our exposure level calculation shows that transactions-related fields generally have higher exposure level, hence requiring more scrutiny.

Computer Science

Obinna Ethelbert,Faraz Fatemi Moghaddam,Philipp Wieder,Ramin Yahyapour

DOI: https://doi.org/10.48550/arXiv.1710.08281

2017-10-23

Cryptography and Security

Abstract:Cloud computing is significantly reshaping the computing industry built around core concepts such as virtualization, processing power, connectivity and elasticity to store and share IT resources via a broad network. It has emerged as the key technology that unleashes the potency of Big Data, Internet of Things, Mobile and Web Applications, and other related technologies, but it also comes with its challenges - such as governance, security, and privacy. This paper is focused on the security and privacy challenges of cloud computing with specific reference to user authentication and access management for cloud SaaS applications. The suggested model uses a framework that harnesses the stateless and secure nature of JWT for client authentication and session management. Furthermore, authorized access to protected cloud SaaS resources have been efficiently managed. Accordingly, a Policy Match Gate (PMG) component and a Policy Activity Monitor (PAM) component have been introduced. In addition, other subcomponents such as a Policy Validation Unit (PVU) and a Policy Proxy DB (PPDB) have also been established for optimized service delivery. A theoretical analysis of the proposed model portrays a system that is secure, lightweight and highly scalable for improved cloud resource security and management.

He Fang,Angie Qi,Xianbin Wang

DOI: https://doi.org/10.48550/arXiv.1907.12092

2019-07-28

Abstract:Security provisioning has become the most important design consideration for large-scale Internet of Things (IoT) systems due to their critical roles to support diverse vertical applications by connecting heterogenous devices, machines and industry processes. Conventional authentication and authorization schemes are insufficient in dealing the emerging IoT security challenges due to their reliance on both static digital mechanisms and computational complexity for improving security level. Furthermore, the isolated security designs for different layers and link segments while ignoring the overall protection lead to cascaded security risks as well as growing communication latency and overhead. In this article, we envision new artificial intelligence (AI) enabled security provisioning approaches to overcome these issues while achieving fast authentication and progressive authorization. To be more specific, a lightweight intelligent authentication approach is developed by exploring machine learning at the gateway to identify the access time slots or frequencies of resource-constraint devices. Then we propose a holistic authentication and authorization approach, where online machine learning and trust management are adopted for analyzing the complex dynamic environment and achieving adaptive access control. These new AI enabled approaches establish the connections between transceivers quickly and enhance security progressively, so that communication latency can be reduced and security risks are well-controlled in large-scale IoT. Finally, we outline several areas for AI-enabled security provisioning for future researches.

Cryptography and Security

Fatima Hussain,Rasheed Hussain,Brett Noye,Salah Sharieh

DOI: https://doi.org/10.1109/mitp.2020.2973852

2020-09-01

IT Professional

Abstract:With the advancements in enterprise-level business development, the demand for new applications and services is overwhelming. For the development and delivery of such applications and services, enterprise businesses rely on Application Programming Interfaces (APIs). APIs provide interface to enable the communication among different applications. In essence, API is a double-edged sword; on one hand, API helps in expanding the business through sharing value and utility, but on the other hand, it raises security and privacy issues. Since the applications usually use APIs to retrieve important and critical data, it is extremely important to make sure that effective access control and security mechanisms are in place so that the data do not fall into wrong hands. In this context, in this article, we discuss the current state of the enterprise API security and the role of Machine Learning (ML) in an API security. We also discuss the General Data Protection Regulation (GDPR) Compliance and its effect on the API security.

computer science, information systems,telecommunications, software engineering

Alexander Barabanov,Denis Dergunov,Denis Makrushin,Aleksey Teplov

DOI: https://doi.org/10.21681/2311-3456-2022-1-49-65

2022-01-26

Abstract:Objective. Insecure Direct Object Reference (IDOR) or Broken Object Level Authorization (BOLA) are one of the critical type of access control vulnerabilities for modern applications. As a result, an attacker can bypass authorization checks leading to information leakage, account takeover. Our main research goal was to help an application security architect to optimize security design and testing process by giving an algorithm and tool that allows to automatically analyze system API specifications and generate list of possible vulnerabilities and attack vector ready to be used as security non-functional requirements. Method. We conducted a multivocal review of research and conference papers, bug bounty program reports and other grey sources of literature to outline patterns of attacks against IDOR vulnerability. These attacks are collected in groups proceeding with further analysis common attributes between these groups and what features compose the group. Endpoint properties and attack techniques comprise a group of attacks. Mapping between group features and existing OpenAPI specifications is performed to implement a tool for automatic discovery of potentially vulnerable endpoints. Results and practical relevance. In this work, we provide systematization of IDOR/BOLA attack techniques based on literature review, real cases analysis and derive IDOR/BOLA attack groups. We proposed an approach to describe IDOR/BOLA attacks based on OpenAPI specifications properties. We develop an algorithm of potential IDOR/BOLA vulnerabilities detection based on OpenAPI specification processing. We implemented our novel algorithm using Python and evaluated it. The results show that algorithm is resilient and can be used in practice to detect potential IDOR/BOLA vulnerabilities.

Cryptography and Security

Nihala Basheer,Shareeful Islam,Mohammed K S Alwaheidi,Spyridon Papastergiou

DOI: https://doi.org/10.3390/s24154859

2024-07-26

Abstract:System-to-system communication via Application Programming Interfaces (APIs) plays a pivotal role in the seamless interaction among software applications and systems for efficient and automated service delivery. APIs facilitate the exchange of data and functionalities across diverse platforms, enhancing operational efficiency and user experience. However, this also introduces potential vulnerabilities that attackers can exploit to compromise system security, highlighting the importance of identifying and mitigating associated security risks. By examining the weaknesses inherent in these APIs using security open-intelligence catalogues like CWE and CAPEC and implementing controls from NIST SP 800-53, organizations can significantly enhance their security posture, safeguarding their data and systems against potential threats. However, this task is challenging due to evolving threats and vulnerabilities. Additionally, it is challenging to analyse threats given the large volume of traffic generated from API calls. This work contributes to tackling this challenge and makes a novel contribution to managing threats within system-to-system communication through API calls. It introduces an integrated architecture that combines deep-learning models, i.e., ANN and MLP, for effective threat detection from large API call datasets. The identified threats are analysed to determine suitable mitigations for improving overall resilience. Furthermore, this work introduces transparency obligation practices for the entire AI life cycle, from dataset preprocessing to model performance evaluation, including data and methodological transparency and SHapley Additive exPlanations (SHAP) analysis, so that AI models are understandable by all user groups. The proposed methodology was validated through an experiment using the Windows PE Malware API dataset, achieving an average detection accuracy of 88%. The outcomes from the experiments are summarized to provide a list of key features, such as FindResourceExA and NtClose, which are linked with potential weaknesses and related threats, in order to identify accurate control actions to manage the threats.

Rahul,Kulanshu Sharma

DOI: https://doi.org/10.1109/CIISCA59740.2023.00031

2023-06-22

Abstract:In the current era of increasing web and software development based on Microservices architecture, security concerns are also increasing to protect applications from malicious activities, attacks, unauthorized and unauthenticated accesses. An API Gateway resolves that problem to some extent. Various API Gateways are currently available to support various security challenges. This Paper Proposed a System named VSAG (Voteroid Secure API Gateway) which not just works on the cross cutting concerns but also provide advanced facilities like Secured Access key generation, Users subscription model, low degree of coupling, Tracking model of users, blocking/unblocking API's or users. Developers are free to invest time in designing business logics after mapped with VSAG System. At last, various API Gateways are compared on various parameters and functionalities with VSAG.

Computer Science

Gopi Krishna Suvanam

DOI: https://doi.org/10.48550/arXiv.1607.05075

2016-07-15

Distributed, Parallel, and Cluster Computing

Abstract:We describe a novel architecture that combines the simplicity of RESTful architecture with the power of functional programming for delivering web-services. Although, RESTful architecture has been quite useful in simplifying the development of scalable systems, it is not suited for all types of network applications. Our architecture improves upon the RESTful architecture to provide scalable framework for computationally intensive network applications. The proposed architecture is ideal for applications that involve data management and data analysis/calculations on data. Data analytics and financial calculations are two areas where the architecture can be applied efficiently.

ZHOU Jing-li,WANG Jian,XIA Hong-tao

DOI: https://doi.org/10.3969/j.issn.1007-130x.2006.04.001

2006-01-01

Abstract:Apache is one of the most widely used Web servers in the Internet and we can easily extend it in favor of the new features of Apache 2. This paper discusses how to implement Web application security and protection based on Apache using the Apache Filter.

Gyan Prakash Tiwary,Abhishek Srivastava

DOI: https://doi.org/10.48550/arXiv.1609.06012

2016-09-20

Abstract:The world is rapidly adopting RESTful web services for most of its tasks. The once popular SOAP-based web services are fast losing ground owing to this. RESTful web services are light weight services without strict message formats. RESTful web services, unlike SOAP, are capable of message transfer in any format be it XML, JSON, plain text. However, in spite of these positives, ensuring message level security in REST is a challenge. Security in RESTful web services is still largely dependent upon transport layer security. There has been some work recently towards message level security in such environments wherein the transfer of message level security metadata is done through utilising new HTTP headers. We feel, however, that any method that compromises the generality of the HTTP protocol should be avoided. In this paper, therefore, we propose two new ways of encryption that promise to ensure message level security in RESTful web services without the need for special HTTP headers. This approach works seamlessly on most famous content-types of RESTful web services: XML, JSON, HTML, plain-text and various ASCII printable content types. Further, the proposed approach removes the need for content negotiation in cases where the content comprises XML, JSON, HTML, plain-text, and ASCII printable content types and also removes the need for XML or JSON canonicalization.

Networking and Internet Architecture,Cryptography and Security

Zhen Chen,Wenchao Qi,Pengfei He,Linlin Liu,Limin Shen

DOI: https://doi.org/10.11999/JEIT211185

2023-01-01

Abstract:n the cloud era, cloud Application Programming Interface (API) is the best carrier for servicedelivery, capability replication and data output. However, cloud API increases the exposure and attack surfaceof cloud application while opening up services and data. Through data hijacking, traffic analysis and othertechnologies, attackers can obtain the key resources of the target cloud API, so as to identify the identity andbehavior of users, or even directly cause the paralysis of the underlying system. Currently, there are many typesof attacks against cloud APIs, and their threats and protection methods are different. However, the existingresearches lack a systematic summary for cloud API attack and protection methods. In this paper, a detailsurvey on the threats and protection methods faced by cloud API is conducted. Firstly, the evolution and theclassification of cloud API are analyzed. The vulnerability of cloud API and the importance of cloud APIsecurity research are then discussed. Furthermore, a systematical cloud API security research framework isproposed, which covers six aspects: identity authentication, cloud API Distributed Denial of Service (DDoS)attack protection, replay attack protection, Man-In-The-Middle (MITM) attack protection, injection attackprotection and sensitive data protection. In addition, the necessity of Artificial Intelligence (AI) protection forcloud API is discussed. Finally, the future challenges and development trends of cloud API protection are presented

Swarag Sharma,Jevitha Kp

DOI: https://doi.org/10.1109/i-PACT58649.2023.10434479

2023-12-08

Abstract:Many users all over the world routinely use open authentication and authorization providers based on OAuth 2.0 framework such as Google, Facebook etc. to sign in to third-party websites (relying party). The authentication (OpenID connect) and authorization (OAuth) protocol based on OAuth 2.0 framework enables the relying party application to authenticate its users and gain access to their protected resources without storing any of the sensitive user credentials such as usernames and passwords. Hence, the implementation of these protocols by the relying parties and identity providers play an important role in security of the user information and their privacy. The risk of attacks on improper implementation of these protocols can cause unauthorized access to the user accounts. In this work, we focused on testing the OAuth implementations done by the relying parties. For the secure implementation of OAuth 2.0 we found that following parameters must be present while generating OAuth request: client_id, state, response_type, redirect_uri and scope. We have analyzed our work with around 75 websites that were using Google as an identity provider to provide access to its users. Out of 75 relying parties, 30% were found vulnerable to CSRF attack due to missing state parameter, 13% used implicit flow which reveals id_token or access_token in the OAuth URL and 2% had secret parameters in OAuth URL. We developed a browser extension which successfully identify and alert its user on these issues.

Computer Science