Josué Alejandro Díaz-Rojas, J. O. Ocharán-Hernández, J. C. Pérez-Arriaga, X. Limón
DOI: 10.1109/CONISOFT52520.2021.00036 (https://doi.org/10.1109/CONISOFT52520.2021.00036)
Venue: 2021 9th International Conference in Software Engineering Research and Innovation (CONISOFT)
Publication date: 2021-10-01
Indexed by: Semantic Scholar (not open access; citation count 0 at time of indexing)
Web API Security Vulnerabilities and Mitigation Mechanisms: A Systematic Mapping Study
The growth of the web over the last couple of decades opened the door to an increasing number of web-based software systems. This change created the need for new software solutions to establish communication between distributed software entities. One of the adopted solutions was the web API; however, web APIs brought with them new challenges that need to be solved. Among these is the need to protect the API at the design level from attacks by malicious users, in other words, to make the API secure by design. This task is not trivial, and to perform it effectively it is necessary to know the vulnerabilities to which APIs are commonly exposed, alongside the mechanisms that exist to defend against them. The objective of this systematic mapping study is to gather the existing scientific knowledge about the security threats a web API faces, alongside design-level mechanisms for detecting, resisting, reacting to, and recovering from attacks. Our results identified 66 threats described in the literature. We observed that the most reported threats are those related to Spoofing and Tampering, both mostly concerning the network traffic the API exchanges. In contrast, the least reported threats are those related to Repudiation. We identified 21 techniques, 11 patterns and 34 methods that can be employed at the design level to detect, resist, react to or recover from these threats.
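As an added illustration of what a design-level mechanism against the two most reported threat classes (spoofing and tampering of API traffic) can look like, the following Python sketch signs each request with an HMAC-SHA256 over the method, path, body hash, timestamp and nonce, and the server verifies it, refuses replayed or stale requests, and records every decision. This is example code written for this page, not code from the paper or its authors; the client identifier, shared secret, header names, 300-second skew window and the sample request bodies are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import json
import time

# Constructed demo data: one client identity and its shared secret. In a real
# deployment the secret comes from a secrets store and is rotated, never hard-coded.
CLIENT_SECRETS = {"client-42": b"constructed-demo-secret-do-not-reuse"}
MAX_SKEW_SECONDS = 300  # assumed window; older or future-dated requests are refused


def canonical_string(method, path, body, timestamp, nonce):
    """Deterministic bytes covering every field the server must be able to trust.
    Hashing the body fixes its encoding and keeps the signed string short."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(secret, method, path, body, timestamp, nonce):
    """Client side: HMAC-SHA256 over the canonical string, hex-encoded."""
    return hmac.new(secret, canonical_string(method, path, body, timestamp, nonce),
                    hashlib.sha256).hexdigest()


class ApiServer:
    """Server-side verifier: resists spoofing and tampering, detects replay,
    and records every decision so a later investigation has evidence to work from."""

    def __init__(self, now=time.time):
        self.now = now
        self.seen_nonces = {}  # nonce -> timestamp, pruned once outside the skew window
        self.audit_log = []    # append-only list of accept/reject decisions

    def verify(self, headers, method, path, body):
        client_id = headers.get("X-Client-Id")
        nonce = headers.get("X-Nonce", "")
        try:
            timestamp = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return self._reject(client_id, "malformed timestamp")
        secret = CLIENT_SECRETS.get(client_id)
        if secret is None:
            return self._reject(client_id, "unknown client")       # spoofed identity
        if not nonce:
            return self._reject(client_id, "missing nonce")
        if abs(self.now() - timestamp) > MAX_SKEW_SECONDS:
            return self._reject(client_id, "stale timestamp")      # old capture
        self._prune_nonces()
        if nonce in self.seen_nonces:
            return self._reject(client_id, "replayed nonce")       # same request twice
        expected = sign_request(secret, method, path, body, timestamp, nonce)
        # Constant-time comparison so a forger cannot time-guess the MAC byte by byte.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return self._reject(client_id, "bad signature")        # tampered or forged
        self.seen_nonces[nonce] = timestamp
        self.audit_log.append({"client": client_id, "method": method, "path": path,
                               "ts": timestamp, "nonce": nonce, "result": "accepted"})
        return True, "accepted"

    def _prune_nonces(self):
        # Nonces older than the skew window cannot be replayed anyway, so drop them.
        cutoff = self.now() - MAX_SKEW_SECONDS
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= cutoff}

    def _reject(self, client_id, reason):
        self.audit_log.append({"client": client_id, "result": "rejected", "reason": reason})
        return False, reason


def demo(now=1_700_000_000):
    """Runs one legitimate request and four attack variants against a fixed clock."""
    server = ApiServer(now=lambda: now)
    secret = CLIENT_SECRETS["client-42"]
    path, body = "/v1/transfer", json.dumps({"amount": 10, "to": "acct-1"}).encode()

    def headers(client_id, ts, nonce, sig):
        return {"X-Client-Id": client_id, "X-Timestamp": str(ts),
                "X-Nonce": nonce, "X-Signature": sig}

    ts = now - 5
    good = headers("client-42", ts, "n1", sign_request(secret, "POST", path, body, ts, "n1"))
    results = {"valid": server.verify(good, "POST", path, body)}
    # Tampering: a correctly signed request whose body is altered in transit.
    signed = headers("client-42", ts, "n2", sign_request(secret, "POST", path, body, ts, "n2"))
    tampered_body = json.dumps({"amount": 10000, "to": "acct-1"}).encode()
    results["tampered"] = server.verify(signed, "POST", path, tampered_body)
    # Replay: the first accepted request delivered a second time.
    results["replay"] = server.verify(good, "POST", path, body)
    # Spoofing: an identity the server does not know, with an attacker-made signature.
    forged = headers("client-99", ts, "n3", sign_request(b"guess", "POST", path, body, ts, "n3"))
    results["spoofed"] = server.verify(forged, "POST", path, body)
    # Stale: a correctly signed request captured an hour ago.
    old = now - 3600
    stale = headers("client-42", old, "n4", sign_request(secret, "POST", path, body, old, "n4"))
    results["stale"] = server.verify(stale, "POST", path, body)
    return results, server.audit_log
```

Calling demo() returns the five verdicts (accepted, bad signature, replayed nonce, unknown client, stale timestamp) and an audit log with one accepted and four rejected entries. One caveat a practitioner should note: a shared-secret HMAC resists spoofing and tampering but gives no protection against repudiation, because the server holds the same key and could have produced the signature itself; addressing the repudiation threats the study found least reported would require per-client asymmetric signatures and a tamper-evident log rather than the plain list used here.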