ColdFusion Alive

128 Stopping API security hacks cold (using ColdFusion API Manager) with Mike Brunt


Mike Brunt talks about “Stopping API security hacks cold (using ColdFusion API Manager)” in this episode of the ColdFusion Alive Podcast with host Michaela Light.
"We're going to be talking about API security and ColdFusion, which you may not have considered. This is a whole other attack service surface that your apps can be hacked by."
Show notes
Why does CF API security matter?
Remote API calls: False assumption that APIs your app calls are secure - but they may not be
Local APIs - are they secure?
Are any still open but no longer used?
API use
“APIs are extremely popular these days, with an average organization leveraging 15,564 APIs in total, up 201% year-on-year.” From this article in TechRadar, from April 2022.
API use is increasing exponentially, which can expose serious security issues. 
Common API use
Legacy database
Other companies' data, e.g. UPS shipping tracking
Blockchain
ChatGPT
Amazon AWS features
And many more
What is an API?
A portal into the middle of your code functionality and data
Sends and returns XML and JSON
CF API Security attacks
Credential Stuffing: Malicious actors using stolen credentials to gain unauthorized access to API endpoints. Pay close attention to the origin, rate and frequency of authorization requests.
Cross-Site Scripting (XSS): As we can see, many of these attacks already exist in the website world. Here malicious actors try to insert subversive scripts (often JavaScript) which can be executed. In this case, validate all input using character escaping and filtering.
Distributed Denial of Service (DDoS) Attacks: Impose limits on the amount and frequency of data inputs and outputs.
Injection Attacks akin to SQL Injection: Check, sanitize and validate all the data inputs passed via API requests. In addition, ensure that data delivered via the API does not expose any possible vulnerabilities.
Man-in-the-Middle Attacks: Ensure that all transmitted data is fully encrypted.
Actions to protect your CF app APIs
Inventory All Existing API Endpoints
 - This should be a first step in determining what the attack surface could be. This audit should show the actual requirement of each API endpoint and any of the vulnerabilities listed above.
 - Cover both remote API calls and your own APIs.
 - Look at API Manager monitoring.
 - Scan code for CFHTTP calls and CFCs that expose an API.
Build API Security For New Applications/Features At The Planning Stage
 - As with the applications themselves, any security concerns should be in the very early planning stages of any new apps or features using API endpoints.
Use Strong Authentication And Authorization On All API Endpoints
 - Ideally there should be no API endpoint that is not strongly secured; any that are will be captured by the inventory audit.
Encrypt All Traffic Via TLS
 - Ideally all traffic passing inward and outward should be encrypted and preferably via TLS.
Use A Minimal Set Of Privileges
 - Ensure that users, systems, devices, processes etc. only have the minimum amount of privileges needed to operate. Again, this should become apparent during the inventory/audit.
 - Avoid using the database SA/System Administrator user in APIs.
Expose Only The Very Necessary Data
 - What data is exposed and passed should be determined at the API endpoint and not in application code. Again, allow only totally necessary information.
Validate All Input
 - Validate all data passing in and out of an API endpoint; for instance, if the endpoint only needs integers, there should be no text passing through.
Create And Enforce Rate Limiting
 - Set limits which will reject excess transactions if they are exceeded. For instance 6,000 requests per day, per account; any requests which exceed this number will be rejected. Of course,
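Three of the actions above (validate all input, enforce a per-account daily rate limit, and watch the origin and frequency of authorization requests) as a framework-agnostic per-request gate. This is an added example, not code from the episode or from Adobe's API Manager; the endpoint parameters, the 20-failure threshold and the class names are assumptions, while the 6,000 requests per day per account figure is the one quoted in the show notes.

```python
from collections import defaultdict
from datetime import date

DAILY_LIMIT_PER_ACCOUNT = 6000   # figure quoted in the show notes
AUTH_FAILURES_PER_SOURCE = 20    # assumed credential-stuffing threshold


def validate_order_params(params):
    """Allowlist the parameters (assumed: orderId, limit) and require strict
    ASCII integers where the endpoint only needs integers: '12abc', '1e3'
    and '-1' are all rejected, as is any parameter the endpoint did not ask for."""
    expected = {"orderId", "limit"}
    unexpected = set(params) - expected
    if unexpected:
        return False, "unexpected parameter(s): " + ", ".join(sorted(unexpected))
    for name, value in params.items():
        if not (isinstance(value, str) and value.isascii() and value.isdigit()):
            return False, name + " must be a non-negative integer"
    return True, "ok"


class ApiGate:
    """Per-request gate an API handler calls before any application code runs."""

    def __init__(self, daily_limit=DAILY_LIMIT_PER_ACCOUNT,
                 auth_failure_limit=AUTH_FAILURES_PER_SOURCE):
        self.daily_limit = daily_limit
        self.auth_failure_limit = auth_failure_limit
        self._usage = defaultdict(int)          # (account, day) -> requests served
        self._auth_failures = defaultdict(int)  # source address -> failed logins

    def check_request(self, account, params, day=None):
        """Return (allowed, reason). Validation runs before the quota is charged,
        so malformed requests cannot be used to burn an account's daily budget."""
        ok, reason = validate_order_params(params)
        if not ok:
            return False, reason
        key = (account, day or date.today().isoformat())
        if self._usage[key] >= self.daily_limit:
            return False, "rate limit exceeded"
        self._usage[key] += 1
        return True, "ok"

    def record_auth_result(self, source, success):
        """Credential-stuffing signal: True once one origin has failed
        authorization auth_failure_limit times; a success clears the count."""
        if success:
            self._auth_failures.pop(source, None)
            return False
        self._auth_failures[source] += 1
        return self._auth_failures[source] >= self.auth_failure_limit
```

In production the counters would live in a shared store rather than process memory, and the rejection reason would be logged for monitoring rather than returned verbatim to the caller.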
ColdFusion Alive, by Michaela Light