Just Found Out We Had 200 Shadow APIs After Getting Pwned
INTRODUCTION
Imagine waking up one morning to find out that your company’s infrastructure has been compromised, and the attackers have been exploiting a collection of undocumented APIs that nobody knew existed. This is exactly what happened to a company that recently got “pwned” and discovered over 200 shadow APIs in their production environment. In this comprehensive guide, we will delve into the world of shadow APIs, exploring what they are, how they can be detected, and most importantly, how to prevent them from becoming a security risk in your self-hosted or homelab environment.
As a DevOps engineer, it is crucial to understand the importance of infrastructure management and system administration in maintaining the security and integrity of your systems. In this article, we will discuss the concept of shadow APIs, their history, key features, pros and cons, use cases, and real-world applications. We will also provide a step-by-step guide on how to detect and prevent shadow APIs in your infrastructure.
UNDERSTANDING SHADOW APIS
What are Shadow APIs?
Shadow APIs refer to undocumented or unmanaged APIs that exist in a production environment without the knowledge or consent of the development team or system administrators. These APIs can be created by developers for testing purposes or as a shortcut to bypass standard development procedures. However, they can also be exploited by attackers to gain unauthorized access to sensitive data or systems.
History and Development of Shadow APIs
The concept of shadow APIs is not new and has been around for as long as APIs have existed. However, the term “shadow API” was first coined in 2019 by Gartner, which defined it as “an API that is not officially recognized or managed by an organization, but still has the potential to impact the organization’s security, compliance, or reputation.”
Key Features and Capabilities
Shadow APIs can have various features and capabilities, including:
- Undocumented endpoints: Shadow APIs often have undocumented endpoints that are not listed in the official API documentation.
- Unauthenticated access: Shadow APIs may allow unauthenticated access to sensitive data or systems.
- Unencrypted data transmission: Shadow APIs may transmit data in plain text, making it vulnerable to interception and exploitation.
Pros and Cons of Shadow APIs
While shadow APIs can provide a temporary solution for developers, they can also have significant drawbacks, including:
- Security risks: Shadow APIs can be exploited by attackers to gain unauthorized access to sensitive data or systems.
- Compliance issues: Shadow APIs can lead to compliance issues, as they may not meet regulatory requirements.
- Reputation damage: Shadow APIs can damage an organization’s reputation if they are discovered and exploited by attackers.
Use Cases and Scenarios
Shadow APIs can be used in various scenarios, including:
- Testing and development: Developers may create shadow APIs for testing and development purposes.
- Legacy system integration: Shadow APIs may be used to integrate with legacy systems that do not have official APIs.
Real-World Applications and Success Stories
While shadow APIs can be a security risk, they can also be used in real-world applications, such as:
- API-based integration: Shadow APIs can be used to integrate with third-party services that do not have official APIs.
- Custom applications: Shadow APIs can be used to create custom applications that require access to sensitive data or systems.
PREREQUISITES
To detect and prevent shadow APIs, you will need to meet the following prerequisites:
- System requirements: You will need a Linux-based system with a minimum of 2 GB RAM and 2 CPU cores.
- Required software: You will need to install Docker, Kubernetes, and an API gateway.
- Network and security considerations: You will need to ensure that your network and security configurations are properly set up to detect and prevent shadow APIs.
INSTALLATION & SETUP
To detect and prevent shadow APIs, you will need to follow these steps:
Step 1: Install Docker and Kubernetes
```shell
# Install Docker
sudo apt-get update
sudo apt-get install -y docker.io
# Install Kubernetes tooling. There is no "kubernetes" apt package in the
# stock Ubuntu repositories; kubectl is available as a snap, and a cluster
# (for a homelab, e.g. the microk8s snap) is needed for the steps that follow.
sudo snap install kubectl --classic
```
Step 2: Install an API Gateway
```shell
# Install an API gateway
sudo apt-get update
sudo apt-get install -y nginx
```
Step 3: Configure the API Gateway
```shell
# Configure the API gateway
sudo nano /etc/nginx/nginx.conf
```
Add the following configuration to the file:
```nginx
http {
    ...
    server {
        listen 80;
        server_name example.com;

        location / {
            proxy_pass http://localhost:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }
}
```
Step 4: Start the API Gateway
```shell
# Start the API gateway
sudo service nginx start
```
CONFIGURATION & OPTIMIZATION
To optimize the detection and prevention of shadow APIs, you will need to configure your API gateway and Kubernetes cluster. Here are some configuration options you can use:
- API gateway configuration: You can restrict the gateway to the HTTP methods your documented API actually uses, so that requests with any other method are rejected with a 405, by adding the following configuration:
```nginx
http {
    ...
    server {
        listen 80;
        server_name example.com;

        location / {
            proxy_pass http://localhost:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            # Add this configuration to detect and prevent shadow APIs:
            # reject any method that the documented API does not use
            if ($request_method !~ ^(GET|POST|PUT|DELETE)$) {
                return 405;
            }
        }
    }
}
```
- Kubernetes configuration: You can route all traffic for the host through a single Ingress, so that every endpoint is reached only via the gateway, by adding the following configuration:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
```
USAGE & OPERATIONS
To use the API gateway and Kubernetes cluster to detect and prevent shadow APIs, you will need to follow these steps:
Step 1: Create a Kubernetes Deployment
```shell
# Create a Kubernetes deployment
kubectl create deployment example-deployment --image=example-image
```
Step 2: Expose the Kubernetes Deployment
```shell
# Expose the Kubernetes deployment as the Service the Ingress routes to.
# --name is required here: without it the Service would be called
# example-deployment, and the Ingress rule for example-service would match nothing.
kubectl expose deployment example-deployment --name=example-service --type=NodePort --port=80
```
Step 3: Create a Kubernetes Ingress
```shell
# Create a Kubernetes ingress
kubectl create ingress example-ingress --rule="example.com/*=example-service:80"
```
TROUBLESHOOTING
To troubleshoot issues with the API gateway and Kubernetes cluster, you can use the following commands:
- Check the API gateway logs:
```shell
# Check the API gateway logs
sudo tail -f /var/log/nginx/access.log
```
- Check the Kubernetes logs:
```shell
# Check the Kubernetes logs (kubectl logs takes a pod name, so address the deployment explicitly)
kubectl logs -f deployment/example-deployment
```
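The gateway access log is the one place every request passes, so it can be audited against the documented API inventory: any (method, path) that reaches nginx but is not in your spec is a candidate shadow API, and any method outside the allow-list from the nginx rule above is a probe worth noticing. The following is an added example, not code from the original guide; the log lines and the documented inventory are constructed for illustration, and the numeric-ID normalisation is an assumption about how your paths are templated.

```python
import re
from collections import Counter

# Constructed sample of nginx "combined" access-log lines (not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "POST /api/v1/orders HTTP/1.1" 201 88 "-" "curl/8.0"
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /api/v1/debug/dump HTTP/1.1" 200 90210 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /internal/export?all=1 HTTP/1.1" 200 4096 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:01:11 +0000] "TRACE /api/v1/users/42 HTTP/1.1" 405 0 "-" "python-requests/2.31"
10.0.0.7 - - [12/Mar/2024:10:01:12 +0000] "GET /api/v1/users/7 HTTP/1.1" 200 500 "-" "Mozilla/5.0"
"""

# Documented inventory as (method, path template), as you would derive it from
# your OpenAPI spec (constructed here). Anything else reaching the gateway is shadow.
DOCUMENTED = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}  # mirrors the nginx method rule

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalise(path: str) -> str:
    """Drop the query string and collapse purely numeric path segments into {id}."""
    path = path.split("?", 1)[0]
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def audit(log_text: str):
    """Return Counters of shadow endpoints and disallowed methods seen in the log."""
    shadow, bad_method = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed line: nothing to classify
        method, tmpl = m["method"], normalise(m["path"])
        if method not in ALLOWED_METHODS:
            bad_method[(method, tmpl)] += 1      # gateway should already 405 these
        elif (method, tmpl) not in DOCUMENTED:
            shadow[(method, tmpl)] += 1          # reachable but undocumented
    return shadow, bad_method

if __name__ == "__main__":
    shadow, bad_method = audit(SAMPLE_LOG)
    for (method, tmpl), n in shadow.most_common():
        print(f"SHADOW  {method} {tmpl}  ({n} requests)")
    for (method, tmpl), n in bad_method.most_common():
        print(f"METHOD  {method} {tmpl}  ({n} requests)")
```

Run it against the real log with `audit(open("/var/log/nginx/access.log").read())`; an endpoint that shows up here and returns 200 is exactly the kind of undocumented API this article is about.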
CONCLUSION
In this comprehensive guide, we have discussed the concept of shadow APIs, their history, key features, pros and cons, use cases, and real-world applications. We have also provided a step-by-step guide on how to detect and prevent shadow APIs in your infrastructure using an API gateway and Kubernetes cluster.
To further learn about shadow APIs and how to detect and prevent them, you can refer to the following resources:
- OWASP API Security Project: The OWASP API Security Project provides a comprehensive guide on API security, including shadow APIs.
- API Gateway Documentation: The API gateway documentation provides detailed information on how to configure and use the API gateway to detect and prevent shadow APIs.
- Kubernetes Documentation: The Kubernetes documentation provides detailed information on how to configure and use Kubernetes to detect and prevent shadow APIs.
By following the steps outlined in this guide, you can ensure that your infrastructure is secure and protected against shadow APIs. Remember to always keep your API gateway and Kubernetes cluster up to date and configured correctly to detect and prevent shadow APIs.