Hardly the Same: Web App vs Web API Security

Securing their web presence is a priority for many organizations, so they deploy security solutions designed for web apps and consider themselves secure. However, web API security can be very different from web app security, and failing to properly secure web APIs can leave an organization open to a data breach.

Web Apps and Web APIs Are Similar

Web applications and web APIs have a lot of features in common. Their main purpose is to provide users with access to certain functionality exposed by an organization via its web presence. This access is granted by exposing pre-defined functionality on a web server. The details vary: web applications typically provide a web interface, while APIs expose specific functions directly. In both cases, though, users take advantage of the service by making requests over HTTP to the web server and processing the responses.

Typically, both web apps and web APIs require access to sensitive data to do their jobs. Whether this job is to provide users access to their bank account online or to expose functionality and data generated by an organization to their clients, the organization doesn’t want this data to be exposed. This makes it important for an organization to invest in securing their web presence, but web applications and web APIs aren’t the same thing or secured in the same way.

But They’re Not the Same

While web apps and web APIs can perform the same role and use the same underlying technology, they have some important fundamental differences.

One of the biggest differences between a web application and a web API is where the bulk of the processing is performed. In a web application, the web server is responsible for performing most of the processing, maintaining a record of the current state of the transaction, etc. By using internal links to move from page to page, the web server guides the client through the process without requiring any knowledge or processing on the client's part.

Web APIs, on the other hand, move the burden of processing and maintaining state to the client. As users increasingly take advantage of mobile devices and applications to perform actions on sites that they visit every day, the use of APIs has increased dramatically. With a mobile application, the app maintains state and requests specific actions from the web server by calling the functions exposed through its API.

The shift from a server-driven system that users interact with via web pages to a client-driven system where specific functionality is requested from the server as needed dramatically changes the types of data that flow over the network and how both benign and malicious users interact with it. As a result, web APIs require a very different security solution from web applications.

Web APIs Require Their Own Security Solution

Many of the threats faced by web applications are also applicable to web APIs. Attackers can still perform SQL injections, buffer overflows, and a variety of other attacks. However, web APIs also face their own threats. These differences have led the Open Web Application Security Project (OWASP) to create a top ten list of web API vulnerabilities in addition to its top ten list for web application vulnerabilities. This different attack surface for web APIs is driven by a number of factors.

  • Client-Based State Tracking

When using a web API, state tracking is performed by the client; however, the web server still needs to know the current state of the process. In order to keep the web server up to date, the client needs to send state information with its requests for API functions. If this information is not appropriately protected against an attack, it can be leaked to someone eavesdropping on the conversation.
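One way a server can accept client-carried state without trusting it, as an added example that is not part of the original article: the state is serialized with an expiry and an HMAC-SHA256 tag, so any modification by the client or an intermediary fails verification and stale tokens are rejected. The key, the state fields and the helper names are constructed for this illustration; the tag protects integrity only, so confidentiality against an eavesdropper still depends on the HTTPS channel discussed in the next section.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secrets store.
SERVER_KEY = b"demo-key-not-for-production"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_state(state: dict, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Serialize the client's state, attach an expiry, and tag it with HMAC-SHA256.
    The client carries the resulting opaque token on each API request."""
    now = time.time() if now is None else now
    body = {"s": state, "exp": int(now) + ttl_seconds}
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"

def verify_state(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the embedded state if the tag matches and the token is unexpired,
    otherwise None. Malformed input is rejected rather than raising."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking tag bytes via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    data = json.loads(payload)
    if data["exp"] < now:
        return None
    return data["s"]

def rewrite_state_keeping_tag(token: str, new_state: dict) -> str:
    """Test fixture: replace the state but reuse the old tag, to show that
    verify_state rejects client-side edits made without the server key."""
    _, tag_b64 = token.split(".", 1)
    body = {"s": new_state, "exp": 2**31}
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(payload)}.{tag_b64}"
```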

  • No Need for a Browser

Web applications typically work by presenting the user with web pages in the browser that they interact with. This creates additional overhead that is eliminated when a user switches to interacting directly with the backend via an API.

However, the use of a browser also provides certain protections to the user. In a browser, it is easy to determine that the user is interacting with the correct site. The website’s address is at the top of the page and a lock icon shows that the website’s certificate has been verified. With a mobile app interacting via an API, this information is not provided to the user, and there is no guarantee that the app is using encrypted HTTPS or performing verification of the server. If not, an attacker could intercept and possibly modify communications.

  • Exposed Server Functionality

Web applications and web APIs differ in how a user can interact with an organization’s backend servers. With a web application, the user is limited to requesting and interacting with web pages provided by the server, which can help to limit the rate of requests, the functionality requested by the user, and the data sent to and from the server. With a web API, the user chooses the functionality that they will interact with. This can impact web server security or usability if an attacker uses functions in an unexpected way or performs a denial of service attack by requesting more functionality than the server can support.

Securing Web APIs

Web application and web API security are similar, but hardly the same. As more organizations deploy APIs as part of their web presence, web API security solutions become increasingly important to protect against cyberattacks and data breaches.