5

I have a website and I want to consume public APIs from third-party services such as Zoopla, weather etc.

I want to ensure I do not consume malicious code/malware from the data retrieved from the 3rd party services.

What are the security checks/best practices I should consider when using any 3rd party public API?

I am using AWS API Gateway.

Architect
  • That is highly dependent on what you *actually consume*. Let's say you consume an array of JSON data. There is basically no way for this to be malicious, other than the data being wrong. If you consume JavaScript code, which you then execute, the story is different. – Aug 02 '19 at 17:53

4 Answers

3

On top of what others have mentioned, I would suggest to follow these guidelines:

Third Party Schema Validation
If the third party has a published Swagger / OpenAPI schema and they have defined the structure of the API well (e.g. using minLength, maxLength, type etc.), make sure you validate the incoming data based on their schema.

Your Own Schema Validation
Assuming you are using a portion of the incoming dataset, only extract that data and validate that the input is aligned with your expectation (e.g. for weather in degrees, validate that it's an integer).

Use a third party malware scanning / validation tool for binaries
If you are getting binaries, you can leverage a Lambda function to scan the file, either using open-source scanning with ClamAV (something along the lines of this article) or using VirusTotal for validation (here is an example with Slack integration + Lambda + VirusTotal).

NaorP
  • Based on all the responses received, you have nicely summarised the key actions to take when assessing public APIs. Thank you. @NaorP – Architect Jan 02 '20 at 11:40
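To make the two validation steps in this answer concrete, here is an added example (my own code, not NaorP's and not any library's): a minimal validator for the schema keywords the answer names, applied to a constructed weather payload, keeping only the fields the application actually uses. The field names temp_c and summary and their bounds are assumptions.

```python
# Added example (not from the answer): a minimal validator for the schema keywords the
# answer names (type, minLength, maxLength, minimum, maximum, required, properties).
TYPES = {"string": str, "integer": int, "number": (int, float),
         "object": dict, "array": list, "boolean": bool}

def validate(value, schema, path="$"):
    """Return a list of violations; an empty list means the value conforms."""
    expected = TYPES.get(schema.get("type"))
    # bool is a subclass of int in Python: an "integer" schema must not accept True/False
    if expected is not None and (not isinstance(value, expected)
                                 or (isinstance(value, bool) and expected is not bool)):
        return [f"{path}: expected {schema['type']}, got {type(value).__name__}"]
    errors = []
    if isinstance(value, str):
        if len(value) < schema.get("minLength", 0):
            errors.append(f"{path}: shorter than minLength {schema['minLength']}")
        if len(value) > schema.get("maxLength", len(value)):
            errors.append(f"{path}: longer than maxLength {schema['maxLength']}")
    elif isinstance(value, (int, float)) and not isinstance(value, bool):
        if value < schema.get("minimum", value):
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if value > schema.get("maximum", value):
            errors.append(f"{path}: above maximum {schema['maximum']}")
    elif isinstance(value, dict):
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required property missing")
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                errors.extend(validate(value[key], sub, f"{path}.{key}"))
    return errors

# Our own schema: just the two fields we use, with tight bounds (field names are assumed).
WEATHER_SCHEMA = {
    "type": "object", "required": ["temp_c", "summary"],
    "properties": {"temp_c": {"type": "integer", "minimum": -90, "maximum": 60},
                   "summary": {"type": "string", "minLength": 1, "maxLength": 80}},
}

def extract_weather(payload):
    """Validate the third-party response and keep only the fields we need; raise on any
    violation so a malformed or oversized response never reaches the application."""
    errors = validate(payload, WEATHER_SCHEMA)
    if errors:
        raise ValueError("; ".join(errors))
    return {"temp_c": payload["temp_c"], "summary": payload["summary"]}

# Constructed sample responses (not captured from any real API).
GOOD = {"temp_c": 21, "summary": "Sunny intervals", "station": {"id": "X"}, "extra": "<script>"}
BAD = {"temp_c": "21", "summary": "x" * 500}
```

Unknown keys such as station and extra are simply never copied out, which is the "only extract that data" part of the answer.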
2

Here are a few tips:

  • Check if there have been any major security issues with the third party API you are using
  • Treat the data coming in from the API the same as you would treat any user input
  • Make sure the third party supports TLS
Conor Mancone
  • We can establish TLS and ensure data input (file type, etc.) is as expected. But malicious code can still arrive in the expected format. Is it common practice to install AV or WAF for any content coming in? Or is this an over-the-top security measure? – Architect Aug 02 '19 at 10:17
2

To expand on the above answers by @mhr and @Raimonds-Liepiņš:

Validate Data

Meticulously validate all data pulled from the public API. Any text or "unknown" data must be filtered through a Security Encoding Library.

For example, consider weather data being pulled from a public API.

  • Temperature - An acceptable temperature could be a negative or positive number and at most three digits. If three digits, the first number will always be a 1. Be specific. Anything different should error out.
  • Forecast Summary Text - Basic text using A-Za-z0-9 and standard punctuation. Define the maximum amount of text allowed and produce an error for anything exceeding that threshold. Alternatively, consider truncating the data and applying a ... suffix denoting this action. This data must be filtered through a Security Encoding Library.

Respect Rate Limits

Ensure your client will not abuse the rate limits placed on the public API. While the public API will likely have its own method of enforcement, it's best to be a good citizen and remain under the threshold.

Use TLS

TLS provides lots of protections as noted below. Require the use of a secure protocol (e.g. TLS 1.2) and strong cipher. Anything less should error out.

You get all of the benefits of an encrypted connection!

  • Assurance knowing you're connected directly to the target website via certificate validation. This protects against: Man-in-the-middle attacks, DNS hijacking, BGP hijacking, Domain spoofing (Why is HTTP not secure?).
  • The target website is more secure since all content is loaded over HTTPS. Some examples include protecting against posting from http to https and mixed-content while securing logins and cookies.
  • Some ISPs have been known to monitor connections for ad serving purposes which encryption defeats.
  • You're protected should an adjacent system become compromised.

Source: Does HSTS provide security advantages on private networks?

Check OWASP

Since your post didn't include specifics regarding the framework being used and data consumed, the above is a generalized guideline that expands on the answers already provided. For specifics, take a look at OWASP as well as their Cheat Sheet Series. The main page may require some searching to find what you're looking for but will be well worth it.

phbits
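The temperature and forecast-summary rules, the rate-limit point and the TLS requirement from this answer, as an added example (my code, not phbits' and not from any framework): html.escape stands in for the "Security Encoding Library", RateGate is a hypothetical client-side throttle, and the 120-character cap and the cipher string are assumptions.

```python
# Added example (not from the answer): field-level rules for the weather fields described
# above, a client-side throttle for the rate-limit point, and a strict TLS client context.
import html, re, ssl, time
from collections import deque

MAX_SUMMARY = 120                                   # assumed cap for forecast text
SUMMARY_ALLOWED = re.compile(r"[A-Za-z0-9 .,;:!?'()/-]*")  # basic text + standard punctuation

def parse_temperature(raw):
    """Accept an optionally signed integer of at most three digits; a three-digit value
    must start with 1 (the answer's rule). Anything else raises ValueError."""
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise ValueError(f"temperature has unexpected type {type(raw).__name__}")
    text = str(raw)
    if not re.fullmatch(r"-?[0-9]{1,3}", text):
        raise ValueError(f"temperature is not a signed 1-3 digit integer: {text!r}")
    digits = text.lstrip("-")
    if len(digits) == 3 and digits[0] != "1":
        raise ValueError(f"three-digit temperature must start with 1: {text!r}")
    return int(text)

def clean_summary(raw):
    """Reject characters outside the basic set, truncate over-long text with '...', and
    return it HTML-encoded (html.escape stands in for a Security Encoding Library)."""
    if not isinstance(raw, str) or not SUMMARY_ALLOWED.fullmatch(raw):
        raise ValueError("forecast summary contains disallowed characters")
    if len(raw) > MAX_SUMMARY:
        raw = raw[:MAX_SUMMARY] + "..."
    return html.escape(raw, quote=True)

class RateGate:
    """Allow at most `limit` calls per rolling `window` seconds, so the client stays under
    the public API's published limit instead of relying on the provider to enforce it."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock, self.calls = limit, window, clock, deque()
    def allow(self):
        now = self.clock()
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()                    # forget calls that left the window
        if len(self.calls) >= self.limit:
            return False
        self.calls.append(now)
        return True

def strict_tls_context():
    """Client context: TLS 1.2 or newer, AEAD ciphers only, CA and hostname checks kept on."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # assumed policy; adjust to your baseline
    return ctx
```

Pass the context to urllib or http.client when fetching the API; a server that only offers TLS 1.0/1.1 or a weak cipher then fails the handshake instead of silently degrading.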
1

Whether you are consuming an API or accepting user input, it is good practice not to trust the data without checking it.

Therefore you should validate that the data looks like whatever you expect it to be.

To mitigate a MITM intercepting and changing data, you should use TLS (assuming you'll ingest the data over HTTP(S)).

mhr