Discovering and securing any API is one of the most difficult challenges for developers. The API security landscape is constantly evolving, with new threats and vulnerabilities emerging at a rapid pace. Since commercial API security solutions can be really expensive for organizations, it never hurts to have a look at open-source alternatives. The OSS API Firewall is the pioneer in this space, with more than 1 billion Docker pulls since its first release in October 2021. This article will discuss its new feature: blacklisting of compromised API tokens and cookies.
1. Why do API tokens leaks happen?
When an API server is not properly secured, it could be leaking its tokens to the internet. Bad guys could intercept traffic to the server and use the leaked tokens to authenticate themselves and access the API.
There are multiple ways this could happen, like:
- The API is being accessed by a third-party application, either on the same or a different server.
- The API is being accessed by another service that is directly exposed to the internet (not using TLS).
- The API is being accessed by a service that is using an unsecured internal load balancer.
2. Are blacklists of compromised credentials and API tokens the solution?
Blacklists have been used for many years to block known bad guys from accessing specific websites or IP addresses. The general idea is to blacklist known malicious IP addresses or domains that are associated with attacks, and let through everything else. However, this approach could create other problems. To start with, a lot of companies create their own blacklists and share them with their clients in an effort to keep them safe. But this also gives every company or website that uses blacklists the ability to track users. Blacklists are also prone to false positives, where an address or user is erroneously marked as malicious when they aren't. In short, blacklists are only as good as the rules that create them.
3. Using OSS API firewall to prevent using leaked tokens and cookies.
If an API leak is detected, the OSS API Firewall is able to stop the affected tokens and cookies from being used. The firewall will set a policy to block all traffic from the offending API service, ensuring that the breach is contained. The firewall keeps the detected tokens and cookies as a blacklist. This means that any request carrying a blacklisted token or cookie, in whichever form the API accepts it, will be blocked, so the compromised secret can no longer be used for authentication.
To enable this policy, users can just put the compromised tokens into the blacklist file in plain text format, one token per line. Like this:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZDk5OTk5ODIifQ.CUq8iJ_LUzQMfDTvArpz6jUyK0Qyn7jZ9WCqE0xKTCA
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZDk5OTk5ODMifQ.BinZ4AcJp_SQz-iFfgKOKPz_jWjEgiVTb9cS8PP4BI0
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZDk5OTk5ODQifQ.j5Iea7KGm7GqjMGBuEZc2akTIoByUaQc5SSX7w_qjY8
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZDk5OTk5ODUifQ.S9P-DEiWg7dlI81rLjnJWCA6h9Q4ewTizxrsxOPGmNA
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZDk5OTk5ODYifQ.HdINfOmk59NdNYBnMjrqUdD4gEikAUafKjAhBI1_Ue8
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZDk5OTk5ODcifQ.MDPMmuAquxi55sGTajKQjcFzoaNzFZJFMkDg3fIyhx0
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZDk5OTk5ODgifQ.-HfLUDIIHawNbZJkAbml_Um8vlQw7UMeiYmzdRbbwHs
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZDk5OTk5ODkifQ.zyFgVDFYCKyp10GKbC8HCUpeT0rRajqG192gb-s7L8U
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZDk5OTk5OTAifQ.6b3J4xCO6U88k0ZmLPUeDpopsg6krl6Q7UyuLbcH-l8
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZDk5OTk5OTEifQ.NdeEQYz4vE56uJrniAHCDO2NeMJmlrUH5F_a5bQJOo4
And then apply it by pointing the following ENV variable or CLI argument at the file: APIFW_BLACKLIST_TOKENS_FILE
Then it is required to set up which HTTP header or cookie name should be used to find the token value: APIFW_BLACKLIST_TOKENS_HEADER_NAME and APIFW_BLACKLIST_TOKENS_COOKIE_NAME.
If the compromised API uses JWTs sent as Bearer tokens, it is also possible to trim the "Bearer " prefix before the lookup by setting the variable APIFW_BLACKLIST_TOKENS_TRIM_BEARER_PREFIX to true or false.
Then all the requests with blacklisted tokens or cookies will be blocked by OSS API Firewall:
curl http://localhost:8080/anything -v -H "Cookie: test=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21lIjoicGF5bG9hZDk5OTk5OTEifQ.NdeEQYz4vE56uJrniAHCDO2NeMJmlrUH5F_a5bQJOo4"
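To make the three settings above concrete, here is an added example (not the firewall's own code) that models the same check in Python: load a plain-text blacklist with one token per line, pull the candidate value out of the configured header or cookie, optionally strip the "Bearer " prefix, and refuse the request on an exact match. The function names, the cookie-parsing rule and the sample tokens are assumptions for the illustration.

```python
"""Token/cookie blacklist check modelled on the OSS API Firewall settings
described above. Added example; not the firewall's own implementation."""
from typing import Dict, FrozenSet, List, Optional

# Constructed sample contents of the blacklist file: one token per line.
# Blank lines and surrounding whitespace are ignored (assumed parsing rule).
BLACKLIST_FILE_TEXT = """
tok-compromised-0001
tok-compromised-0002

tok-compromised-0003
"""

BEARER_PREFIX = "bearer "


def load_blacklist(text: str) -> FrozenSet[str]:
    """Parse the plain-text blacklist into a set so each lookup is O(1).

    Mirrors APIFW_BLACKLIST_TOKENS_FILE: the file is read once at start-up
    and every non-empty line is treated as one compromised token.
    """
    return frozenset(line.strip() for line in text.splitlines() if line.strip())


def parse_cookie_header(raw: str) -> Dict[str, str]:
    """Split a Cookie request header ("a=1; b=2") into a name->value map.

    A deliberately simple parser: JWT-style values (dots, dashes,
    underscores) contain no ';' or '=' so a plain split is enough here.
    """
    cookies: Dict[str, str] = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value.strip()
    return cookies


def extract_tokens(headers: Dict[str, str],
                   header_name: Optional[str],
                   cookie_name: Optional[str],
                   trim_bearer: bool) -> List[str]:
    """Collect candidate token values from the configured header and cookie.

    header_name  ~ APIFW_BLACKLIST_TOKENS_HEADER_NAME
    cookie_name  ~ APIFW_BLACKLIST_TOKENS_COOKIE_NAME
    trim_bearer  ~ APIFW_BLACKLIST_TOKENS_TRIM_BEARER_PREFIX
    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    found: List[str] = []
    if header_name:
        value = lowered.get(header_name.lower())
        if value is not None:
            value = value.strip()
            if trim_bearer and value[:len(BEARER_PREFIX)].lower() == BEARER_PREFIX:
                value = value[len(BEARER_PREFIX):].strip()
            found.append(value)
    if cookie_name:
        raw = lowered.get("cookie")
        if raw:
            cookie_value = parse_cookie_header(raw).get(cookie_name)
            if cookie_value is not None:
                found.append(cookie_value)
    return found


def is_blocked(headers: Dict[str, str],
               blacklist: FrozenSet[str],
               header_name: Optional[str] = "Authorization",
               cookie_name: Optional[str] = "session",
               trim_bearer: bool = True) -> bool:
    """True when any candidate token from the request is on the blacklist.

    The comparison is an exact string match, which is why the Bearer prefix
    must be trimmed when the blacklist file holds bare JWTs.
    """
    candidates = extract_tokens(headers, header_name, cookie_name, trim_bearer)
    return any(token in blacklist for token in candidates)


if __name__ == "__main__":
    blacklist = load_blacklist(BLACKLIST_FILE_TEXT)
    request = {"Cookie": "theme=dark; session=tok-compromised-0003"}
    print("blocked" if is_blocked(request, blacklist) else "allowed")
```

Two details are worth noting when reproducing this with the real firewall: the lookup is an exact match, so a blacklist of bare JWTs only catches an Authorization header if the Bearer prefix is trimmed, and the blacklist is loaded from the file path given at start-up, so newly discovered tokens need the file updated and the firewall reloaded.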
The OSS API firewall by Wallarm is a great option for API development. It offers a rich feature set, and its underlying technology is mature. The firewall’s new feature of blacklisting for compromised tokens and cookies is a great way to gain visibility into threats and prevent issues. The feature is easy to set up and offers a high degree of visibility into the security posture of APIs and services.