Data Leaks in Public APIs
During a website's cybersecurity assessment, it is critical to understand the public footprint. One area for low hanging fruit is inspecting network traffic for public APIs.
With a little investigating we can pretty quickly identify if data can be leaked from a website. A common problem is unprotected public APIs with unsafe parameters. Think about the parameter num_results=5. What if we try num_results=1000 or even further, what about num_results=1000000?
Interesting right?
In a lot of cases this returns a much higher limit than expected, if not the entire amount requested.
Notwithstanding the hazard of potential data leaks, there are other serious threats from unvalidated user input into public APIs. Although automated fuzzing and source code exploration are beyond the scope of this article, it is important to mention that they can be quite lucrative when auditing a company's security posture.
The Server's Perspective
From the server's standpoint, if the API returns too many results the server can easily detect the anomalous requests based on the transfer size being larger than normal. Similarly the request alone is unusual because it is not a standard input. Now on the flip side, most endpoints are tracking the number of requests being made and in this case the number is not abnormal. Therefore the amount of stealth is dependent on the depth and breadth of the company's tracking. It is possible an Endpoint Detection and Response (EDR) or Intrusion Prevention System (IPS) might be triggered or possibly block the requests as a threat, though not likely at first.
Securing API Endpoints
The amount of effort utilized in securing endpoint depends on the business threat model and risks. How important is the data provided from the API? Are there other APIs that have similar problems? Is there location based compliance? Is the website aiming to block rogue bots and scrapers?
Once the need is determined, the methodology is relatively straightforward.
- Validate user input
- Monitor requests
At the root of the problem is that APIs need to validate input – ensuring that parameters adhere to strict input requirements. This can be simple or complex, but as with all things in security, simple is generally better. Slim solutions can be easily checked and managed.
Next up is traffic monitoring and anomaly detection. This can be done by adding monitoring for larger than normal requests, checking for patterns in the timing of requests based on unique fingerprints (IP addresses, user-agents, etc.), and of course AI detection through advanced providers.
Tags:
Cybersecurity
API Security
Looking for security help?
We offer services to assess and enhance your organization's security posture. Request a quote with us to strengthen your security today.
![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 216 17" xmlns="http://www.w3.org/2000/svg"><path d="M 162.513 10.582 L 162.513 4.187 L 163.295 4.187 C 163.725 4.187 164.122 4.235 164.178 4.295 C 164.235 4.356 164.691 4.361 165.191 4.306 C 165.693 4.252 167.019 4.203 168.138 4.199 C 169.934 4.192 170.228 4.222 170.633 4.446 C 170.983 4.639 171.141 4.832 171.3 5.258 C 171.485 5.756 171.509 6.127 171.511 8.571 C 171.514 11.496 171.454 11.97 171.011 12.553 C 170.543 13.169 170.151 13.235 167.421 13.159 C 166.047 13.12 164.839 13.047 164.736 12.996 C 164.563 12.909 164.549 13.051 164.549 14.939 L 164.549 16.977 L 162.513 16.977 Z M 169.301 11.25 C 169.453 11.095 169.478 10.739 169.478 8.613 C 169.478 6.314 169.464 6.144 169.27 6.018 C 169.042 5.869 166.417 5.836 165.272 5.968 L 164.549 6.051 L 164.549 8.617 C 164.549 10.495 164.585 11.225 164.682 11.345 C 164.88 11.587 169.052 11.501 169.301 11.25 Z M 0.168 7.938 C 0.164 5.049 0.124 2.377 0.08 2 L 0 1.315 L 2.405 1.315 L 5.194 4.872 C 6.729 6.827 8.168 8.721 8.392 9.08 L 8.802 9.733 L 8.83 5.524 L 8.858 1.315 L 11.105 1.315 L 11.105 13.191 L 10.007 13.179 L 8.908 13.166 L 6.477 10.079 C 5.412 8.734 4.361 7.379 3.324 6.014 C 2.928 5.475 2.54 5.016 2.461 4.993 C 2.345 4.958 2.318 5.712 2.318 9.071 L 2.318 13.192 L 0.176 13.192 Z M 14.215 12.898 C 13.31 12.335 13.302 12.296 13.302 8.777 C 13.302 5.921 13.319 5.653 13.517 5.244 C 13.649 4.979 13.823 4.737 14.033 4.527 C 14.319 4.265 14.483 4.25 17.192 4.21 C 20.372 4.166 20.822 4.236 21.361 4.868 C 21.82 5.406 21.951 6.197 21.909 8.167 L 21.874 9.733 L 19.677 9.725 C 18.47 9.721 16.986 9.676 16.383 9.626 L 15.285 9.535 L 15.285 10.311 C 15.285 11.441 15.38 11.497 17.264 11.482 C 18.208 11.471 19.153 11.438 20.096 11.384 L 21.425 11.298 L 21.73 11.885 C 21.897 12.209 22.022 12.56 22.006 12.668 C 21.953 13.048 20.991 13.165 17.798 13.177 C 14.772 13.19 14.674 13.182 14.215 12.897 Z M 19.892 7.132 C 19.892 5.871 19.914 5.883 17.658 5.883 C 15.313 5.883 15.285 5.898 15.285 7.13 L 15.285 7.971 L 19.892 7.971 Z M 23.003 13.098 C 23.013 12.839 23.367 12.302 24.66 10.59 C 25.426 9.574 26.053 8.698 26.053 8.642 C 26.053 8.585 25.812 8.193 25.517 7.772 C 24.742 6.671 23.962 5.573 23.175 4.48 L 22.962 4.187 L 24.24 4.195 L 25.517 4.203 L 26.482 5.717 C 27.012 6.55 27.495 7.249 27.554 7.271 C 27.612 7.291 28.115 6.606 28.671 5.747 L 29.683 4.187 L 32.222 4.187 L 32.095 4.48 C 32.026 4.642 31.301 5.633 30.484 6.683 C 29.668 7.733 29 8.633 29 8.685 C 29 8.736 29.417 9.344 29.927 10.039 C 30.436 10.732 31.022 11.534 31.23 11.821 C 31.437 12.108 31.753 12.534 31.931 12.767 L 32.256 13.192 L 29.666 13.192 L 28.669 11.69 C 28.121 10.866 27.622 10.193 27.559 10.196 C 27.497 10.199 27.01 10.86 26.477 11.664 L 25.509 13.126 L 24.254 13.163 C 23.564 13.184 23.001 13.154 23.003 13.098 Z M 35.161 13.008 C 34.729 12.773 34.375 12.284 34.248 11.745 C 34.191 11.501 34.143 10.082 34.143 8.592 L 34.143 5.883 L 32.75 5.883 L 32.75 5.034 C 32.75 4.229 32.763 4.187 33.004 4.187 C 33.91 4.187 34.067 3.991 34.261 2.62 C 34.465 1.19 34.362 1.315 35.324 1.315 L 36.179 1.315 L 36.179 4.187 L 39.607 4.187 L 39.607 5.883 L 36.179 5.883 L 36.179 11.241 L 36.454 11.367 C 36.605 11.438 37.303 11.495 38.003 11.495 L 39.277 11.495 L 39.333 11.919 C 39.476 12.998 39.481 12.981 39.019 13.082 C 38.25 13.251 35.513 13.197 35.161 13.008 Z M 45.071 7.743 C 45.071 4.746 45.041 2.074 45.004 1.805 L 44.938 1.315 L 49.065 1.315 C 52.619 1.315 53.269 1.346 53.743 1.533 C 54.843 1.965 55.36 3.152 55.36 5.248 C 55.36 7.465 55 8.419 53.913 9.08 L 53.27 9.472 L 50.296 9.455 L 47.323 9.44 L 47.323 13.191 L 45.072 13.191 Z M 52.443 7.44 C 52.994 7.206 53.11 6.842 53.11 5.356 C 53.11 4.071 53.101 4.026 52.796 3.654 L 52.483 3.273 L 47.323 3.273 L 47.323 7.579 L 49.718 7.579 C 51.149 7.579 52.247 7.523 52.443 7.44 Z M 57.395 6.596 L 57.395 0 L 58.387 0.037 L 59.377 0.076 L 59.407 2.309 L 59.437 4.542 L 59.89 4.425 C 60.138 4.361 61.379 4.276 62.646 4.236 C 64.906 4.166 64.959 4.17 65.432 4.47 C 66.299 5.016 66.337 5.223 66.377 9.505 L 66.411 13.191 L 64.371 13.191 L 64.339 9.722 C 64.308 6.447 64.296 6.243 64.096 6.065 C 63.926 5.914 63.463 5.884 61.685 5.913 L 59.484 5.948 L 59.457 9.57 L 59.428 13.191 L 57.395 13.191 Z M 69.34 13.018 C 68.455 12.602 68.063 11.833 68.064 10.52 C 68.065 9.431 68.33 8.738 68.94 8.23 L 69.329 7.906 L 72.256 7.916 L 75.183 7.927 L 75.183 7.12 C 75.183 5.79 75.294 5.83 71.817 5.916 L 68.878 5.99 L 68.774 5.252 C 68.699 4.718 68.703 4.487 68.791 4.421 C 69.053 4.222 70.107 4.17 73.059 4.209 C 75.987 4.25 76.147 4.264 76.435 4.527 C 76.601 4.678 76.833 5 76.951 5.245 C 77.149 5.654 77.168 5.966 77.201 9.44 L 77.236 13.191 L 76.474 13.191 C 75.976 13.191 75.626 13.124 75.465 12.996 C 75.248 12.822 75.095 12.822 74.103 12.993 C 72.767 13.224 69.811 13.24 69.34 13.018 Z M 75.161 10.345 L 75.192 9.262 L 72.82 9.302 C 70.475 9.341 70.447 9.345 70.244 9.65 C 69.909 10.154 70.043 11.272 70.456 11.41 C 70.551 11.441 71.641 11.458 72.879 11.448 L 75.129 11.429 Z M 79.415 13.097 C 78.973 12.964 78.947 12.83 79.212 12.047 C 79.351 11.635 79.512 11.313 79.57 11.33 C 79.627 11.346 80.971 11.4 82.555 11.448 C 85.41 11.535 85.438 11.533 85.667 11.254 C 85.974 10.88 85.984 10.032 85.684 9.669 C 85.483 9.422 85.327 9.406 83.052 9.406 C 81.625 9.406 80.441 9.347 80.159 9.261 C 79.235 8.977 78.826 7.969 78.966 6.32 C 79.034 5.512 79.281 4.923 79.717 4.527 C 80.008 4.262 80.159 4.25 83.414 4.21 C 85.702 4.182 86.942 4.217 87.215 4.314 C 87.651 4.472 87.652 4.478 87.446 5.71 L 87.399 5.993 L 84.362 5.918 L 81.325 5.844 L 81.147 6.153 C 80.907 6.571 80.923 7.132 81.183 7.449 C 81.386 7.695 81.541 7.71 83.946 7.71 C 86.379 7.71 86.518 7.723 86.967 8.003 C 87.77 8.503 87.88 8.804 87.88 10.493 C 87.88 11.794 87.855 11.996 87.641 12.361 C 87.181 13.146 86.922 13.193 83.083 13.176 C 81.183 13.168 79.533 13.132 79.415 13.097 Z M 90.501 12.898 C 89.664 12.384 89.595 12.061 89.595 8.689 C 89.595 6.047 89.613 5.776 89.816 5.295 C 89.965 4.941 90.188 4.678 90.512 4.474 C 90.98 4.179 91.04 4.175 93.935 4.213 C 96.778 4.25 96.898 4.262 97.345 4.553 C 98.095 5.041 98.234 5.581 98.197 7.868 L 98.168 9.733 L 95.917 9.722 C 94.679 9.716 93.198 9.671 92.622 9.622 L 91.578 9.532 L 91.578 10.227 C 91.578 11.474 91.474 11.433 94.596 11.403 C 96.088 11.388 97.408 11.346 97.527 11.31 C 97.7 11.257 97.815 11.384 98.083 11.924 C 98.348 12.456 98.394 12.639 98.292 12.765 C 98.035 13.084 96.959 13.191 93.996 13.191 C 91.081 13.191 90.964 13.182 90.501 12.898 Z M 96.185 7.062 C 96.185 6.297 96.153 6.132 95.977 6.018 C 95.739 5.862 92.128 5.833 91.932 5.986 C 91.733 6.139 91.578 6.758 91.578 7.392 L 91.578 7.971 L 96.185 7.971 Z M 104.221 7.864 C 104.221 4.929 104.189 2.251 104.152 1.914 L 104.084 1.303 L 108.679 1.341 L 113.276 1.38 L 113.913 1.772 C 114.442 2.097 114.595 2.273 114.823 2.812 L 115.098 3.461 L 115.098 11.045 L 114.823 11.693 C 114.597 12.228 114.439 12.412 113.92 12.734 L 113.292 13.127 L 108.756 13.164 L 104.221 13.202 Z M 112.466 11.042 C 112.942 10.741 113.008 10.285 113.008 7.253 C 113.008 5.564 112.961 4.324 112.89 4.072 C 112.674 3.317 112.473 3.274 109.316 3.274 L 106.472 3.274 L 106.472 11.233 L 109.316 11.233 C 111.609 11.233 112.221 11.196 112.466 11.042 Z M 117.936 12.898 C 117.075 12.367 117.026 12.141 117.026 8.754 C 117.027 5.306 117.092 4.998 117.937 4.475 C 118.41 4.181 118.476 4.176 121.365 4.214 C 124.116 4.249 124.341 4.27 124.741 4.524 C 125.488 5.002 125.593 5.382 125.635 7.764 L 125.672 9.841 L 122.903 9.753 C 121.379 9.705 119.881 9.628 119.571 9.583 L 119.009 9.501 L 119.009 10.236 C 119.009 11.43 119.115 11.498 120.964 11.482 C 121.916 11.471 122.868 11.439 123.819 11.385 L 125.147 11.299 L 125.506 11.948 C 125.793 12.47 125.838 12.629 125.729 12.761 C 125.464 13.085 124.398 13.191 121.428 13.191 C 118.511 13.191 118.395 13.182 117.936 12.898 Z M 123.616 7.062 C 123.616 6.297 123.584 6.132 123.408 6.018 C 123.289 5.94 122.418 5.883 121.34 5.883 C 119.086 5.883 119.092 5.88 119.029 7.107 L 118.983 7.971 L 123.616 7.971 Z M 129.298 11.071 C 128.742 9.583 128.181 8.097 127.616 6.613 C 127.309 5.822 127.011 5.028 126.724 4.231 C 126.724 4.206 127.242 4.187 127.875 4.188 L 129.028 4.19 L 129.659 6.048 C 130.695 9.098 130.982 9.963 131.176 10.615 C 131.277 10.956 131.393 11.234 131.434 11.234 C 131.476 11.234 131.661 10.75 131.846 10.158 C 132.031 9.566 132.565 7.995 133.029 6.666 L 133.876 4.252 L 135.023 4.216 C 136.081 4.181 136.165 4.196 136.112 4.41 C 136.081 4.539 136.021 4.82 135.98 5.035 C 135.938 5.251 135.535 6.337 135.083 7.45 C 134.559 8.742 134.041 10.037 133.527 11.333 L 132.793 13.192 L 130.09 13.192 Z M 138.077 12.898 C 137.272 12.403 137.225 12.17 137.227 8.754 C 137.229 5.265 137.296 4.942 138.115 4.458 C 138.588 4.18 138.697 4.172 141.531 4.211 C 144.245 4.249 144.488 4.271 144.88 4.522 C 145.683 5.034 145.738 5.23 145.777 7.675 L 145.811 9.841 L 143.045 9.753 C 141.524 9.705 140.025 9.628 139.715 9.583 L 139.154 9.501 L 139.154 10.022 C 139.154 10.929 139.333 11.344 139.77 11.445 C 140.162 11.534 144.963 11.395 145.191 11.288 C 145.382 11.199 146.03 12.549 145.893 12.751 C 145.663 13.087 144.66 13.191 141.635 13.191 C 138.655 13.191 138.54 13.182 138.077 12.898 Z M 143.761 7.062 C 143.761 6.297 143.729 6.132 143.553 6.018 C 143.315 5.862 139.704 5.833 139.508 5.986 C 139.309 6.139 139.154 6.758 139.154 7.392 L 139.154 7.971 L 143.761 7.971 Z M 147.832 7.599 C 147.832 4.522 147.801 1.645 147.764 1.204 L 147.695 0.401 L 149.868 0.401 L 149.868 13.191 L 147.832 13.191 Z M 152.657 12.898 C 151.753 12.335 151.743 12.295 151.743 8.777 C 151.743 5.218 151.786 5.016 152.653 4.48 C 153.114 4.196 153.227 4.187 156.217 4.187 C 159.522 4.187 159.763 4.226 160.221 4.855 C 160.628 5.415 160.691 5.936 160.691 8.765 C 160.691 11.577 160.641 11.98 160.228 12.517 C 159.745 13.149 159.488 13.191 156.2 13.191 C 153.227 13.191 153.114 13.182 152.656 12.898 Z M 158.417 11.291 C 158.649 11.095 158.655 11.021 158.655 8.689 C 158.655 6.358 158.649 6.283 158.417 6.086 C 158.067 5.787 154.315 5.787 153.964 6.086 C 153.734 6.283 153.726 6.359 153.726 8.631 C 153.726 11.727 153.528 11.495 156.166 11.495 C 157.815 11.495 158.222 11.458 158.417 11.291 Z M 173.335 8.712 L 173.335 4.233 L 176.466 4.213 C 179.397 4.192 179.624 4.206 180.038 4.451 C 180.459 4.7 180.502 4.702 180.952 4.497 C 181.298 4.341 181.933 4.265 183.32 4.219 C 185.106 4.158 185.242 4.17 185.698 4.439 C 186.057 4.651 186.237 4.866 186.401 5.279 C 186.608 5.8 186.622 6.066 186.622 9.513 L 186.622 13.192 L 184.586 13.192 L 184.586 9.754 C 184.586 6.567 184.572 6.299 184.387 6.095 C 184.215 5.907 183.968 5.881 182.645 5.912 L 181.103 5.948 L 181.075 9.57 L 181.046 13.191 L 179.015 13.191 L 179.015 9.798 C 179.015 5.539 179.187 5.883 177.043 5.883 C 175.735 5.883 175.491 5.914 175.435 6.09 C 175.4 6.203 175.371 7.847 175.371 9.743 L 175.371 13.191 L 173.333 13.191 Z M 189.335 12.922 C 188.52 12.429 188.502 12.349 188.463 8.911 C 188.431 6.067 188.444 5.835 188.649 5.319 C 189.064 4.273 189.145 4.252 192.622 4.252 C 195.503 4.252 195.701 4.266 196.099 4.521 C 196.902 5.034 196.957 5.23 196.997 7.675 L 197.03 9.841 L 194.248 9.754 C 192.717 9.706 191.242 9.629 190.973 9.584 L 190.48 9.501 L 190.48 10.299 C 190.48 11.56 190.464 11.555 193.651 11.444 C 195.093 11.393 196.338 11.321 196.419 11.285 C 196.511 11.242 196.689 11.484 196.911 11.957 C 197.192 12.555 197.23 12.719 197.111 12.81 C 196.727 13.1 195.707 13.191 192.858 13.191 C 189.964 13.191 189.757 13.175 189.335 12.922 Z M 194.98 7.062 C 194.98 6.297 194.948 6.132 194.772 6.018 C 194.653 5.94 193.786 5.883 192.719 5.883 C 190.489 5.883 190.48 5.888 190.48 7.143 L 190.48 7.971 L 194.98 7.971 Z M 198.945 8.689 L 198.945 4.187 L 199.646 4.187 C 200.04 4.187 200.476 4.266 200.641 4.37 C 200.861 4.509 201.048 4.523 201.411 4.43 C 201.676 4.363 202.927 4.275 204.194 4.236 C 206.455 4.166 206.508 4.17 206.981 4.47 C 207.848 5.016 207.886 5.223 207.926 9.505 L 207.96 13.191 L 205.923 13.191 L 205.889 9.722 C 205.857 6.448 205.844 6.243 205.646 6.065 C 205.474 5.914 205.012 5.884 203.233 5.913 L 201.034 5.948 L 201.006 9.57 L 200.977 13.191 L 198.945 13.191 Z M 211.535 13.017 C 210.66 12.525 210.528 11.942 210.522 8.592 L 210.516 5.883 L 209.124 5.883 L 209.124 4.187 L 209.491 4.187 C 210.342 4.187 210.475 3.972 210.733 2.197 L 210.862 1.315 L 212.553 1.315 L 212.553 4.187 L 215.982 4.187 L 215.982 5.883 L 212.553 5.883 L 212.553 8.477 C 212.553 10.728 212.576 11.095 212.729 11.25 C 212.851 11.374 213.345 11.45 214.31 11.495 L 215.713 11.56 L 215.785 12.277 C 215.825 12.671 215.835 13.022 215.808 13.054 C 215.781 13.087 214.88 13.133 213.807 13.156 C 212.311 13.188 211.781 13.156 211.534 13.017 Z" fill="rgb(255, 255, 255)" height="16.97650776733889px" id="yL1x8Ylra" width="215.98170458678632px"/></svg>)