Microsoft recently patched three vulnerabilities in its Azure API Management service, two of which enabled server-side request forgery (SSRF) attacks that could have allowed hackers to access internal Azure assets. The proof-of-concept exploits serve to highlight common errors that developers can make when they implement blacklist-based restrictions for their own APIs and services.
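To make the "blacklist-based restrictions" point concrete, here is an added example (not code from the article or from Microsoft) contrasting the error pattern with the defensive alternative: a substring blacklist that rejects a few known-bad hosts and accepts everything else, next to an allowlist check that validates scheme and host and then confirms that the host resolves only to public addresses. The host names, the public and private IPs, and the `FAKE_DNS` lookup table are all constructed so the code runs offline; a real deployment would replace `resolve()` with `socket.getaddrinfo` and check every returned address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline (assumption).
# Addresses are sample values, not real infrastructure.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],        # public
    "cdn.example.com": ["10.0.0.9"],             # allowlisted name, but points inside
    "internal.example.com": ["10.0.0.5"],        # private, never meant to be reachable
}

# --- The error pattern: deny a handful of strings, allow the rest -------------
BLACKLISTED_SUBSTRINGS = ("localhost", "127.0.0.1", "169.254.169.254")


def naive_blacklist_allows(url: str) -> bool:
    """Reject URLs containing a known-bad string; accept everything else.

    Any internal host that is simply not on the list sails through, which is
    the class of mistake the article's proof-of-concept exploits demonstrate.
    """
    lowered = url.lower()
    return not any(bad in lowered for bad in BLACKLISTED_SUBSTRINGS)


# --- The defensive pattern: allowlist, then verify the resolved address ------
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def resolve(host: str) -> list:
    """Return the IP addresses for a host (literal IPs resolve to themselves)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def is_public_address(ip) -> bool:
    """True only for addresses that are neither private, loopback, link-local,
    multicast, reserved nor unspecified."""
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def allowlist_permits(url: str) -> bool:
    """Accept a URL only if scheme and host are explicitly allowed and the host
    resolves exclusively to public addresses.

    Resolving and checking the address closes the gap where an allowlisted
    name is later pointed at an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname  # strips userinfo and port, lower-cases the name
    if host is None or host not in ALLOWED_HOSTS:
        return False
    addresses = resolve(host)
    if not addresses:
        return False
    return all(is_public_address(ip) for ip in addresses)


def compare(url: str) -> dict:
    """Evaluate one URL under both policies; used by the demo and the test."""
    return {"blacklist": naive_blacklist_allows(url), "allowlist": allowlist_permits(url)}


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/users",
        "http://127.0.0.1/admin",
        "https://internal.example.com/",
        "https://10.0.0.5/",
        "https://cdn.example.com/asset.js",
    ):
        print(f"{candidate:40} {compare(candidate)}")
```

The two rows worth noticing are `internal.example.com` and `10.0.0.5`: the blacklist accepts both because neither string appears on its short deny list, while the allowlist rejects both. The `cdn.example.com` row shows the second half of the defence, an allowlisted name is still refused once it resolves to a private address.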
Web APIs have become an integral part of modern application development, especially in the cloud. They allow services to communicate and exchange data, let non-browser clients such as mobile apps and IoT devices securely access data and perform operations on behalf of users, and let companies abstract older server backends and quickly interconnect them with modern apps and services. Because APIs are standardized and easy to interact with, developers no longer need to rely on custom and legacy protocols that were not built for the web.