API vulnerabilities: current status and dependencies
https://doi.org/10.14419/ijet.v7i2.3.9957
Received date: March 8, 2018
Accepted date: March 8, 2018
Published date: March 8, 2018
Keywords
API, API Security, Vulnerability, Public APIs, API Vulnerability, Test API vulnerabilities, API IDOR, API CORS, API Problems
Abstract
APIs (Application Programming Interfaces) have recently become more popular with developers. When software is designed, developers usually need to use APIs to handle specific tasks. Developers use various kinds of APIs: some they build themselves, and some they take from public APIs. An API is a set of functions and procedures that allows another program or application to access features or data. Public APIs are exposed on public networks, and developers collect them according to their specific needs. Because developers need to interact with other software, an API lets a developer carry out a specific task without being authorized to access the entire software system. This reduces the developer's workload but at the same time introduces risks, and in the end every developer wants to ensure the security of his or her application. Commonly used public APIs are not secure enough to protect confidential data. We focused on the public APIs that are commonly used by developers. We tested a set of public APIs in our security lab and found many vulnerabilities that are highly alarming for developers who are going to use these APIs. In this paper we present the current status of vulnerable APIs. Moreover, several relationships exist between API vulnerabilities, and we also discuss the dependencies and relationships between them.
How to Cite
Bhuiyan, T., Begum, A., Rahman, S., & Hadid, I. (2018). API vulnerabilities: current status and dependencies. International Journal of Engineering and Technology, 7(2.3), 9-13. https://doi.org/10.14419/ijet.v7i2.3.9957
