OWASP API Security Top 10

Top 10 Application Programming Interface (API) Vulnerabilities

Vulnerability I - Broken Object Level Authorisation (BOLA)

Insecure Direct Object Reference (IDOR): a user can reach objects they are not authorised for by requesting them through API endpoints that never verify the caller is entitled to that particular object.

Impact

Data leakage, account takeover, financial loss, damage to organization’s reputation.

Example

An API endpoint that accepts an object identifier in the request but neither validates the request nor checks whether the caller is authorised for that object.

Solution

Implement an authorisation mechanism that validates every incoming API request, using the authorisation token in the request header to establish who is making it.

Mitigation

Implement an authorisation mechanism based on user policies and hierarchies, enforce strict access controls, and use cryptographically random values so that tokens are practically impossible to predict.

Vulnerability II - Broken User Authentication (BUA)

Incorrect implementation of authentication, or the absence of authentication mechanisms, allows an attacker to gain access to the database or to higher privileges.

Impact

Data leaks, deletion, modification, complete account takeover.

Example

A poorly implemented authentication system lets an attacker take over another user's identity.

Solution

Implement proper authentication mechanisms, such as authorisation headers carrying tokens.

Mitigation

Use complex passwords, do not expose sensitive credentials, use properly configured JSON Web Tokens (JWT), implement multi-factor authentication, account lockout or a CAPTCHA system, and ensure passwords are never stored in plain text.

Vulnerability III - Excessive Data Exposure

Applications disclose more information than intended through an API response because developers return all object properties without considering their sensitivity.

Impact

Malicious actors can intercept the response and extract confidential data.

Example

An endpoint returns every property stored for a comment without filtering out the sensitive fields.

Solution

Implement proper response filtering so that only the necessary information is exposed through API responses.

Mitigation

Use runtime detection tools or general security scanning tools to find such flaws, review API responses regularly, avoid generic serialisation methods that return whole objects, and test each API endpoint.

Vulnerability IV - Lack of Resources & Rate Limiting

APIs do not enforce restrictions on the frequency or size of clients' requests, leading to excessive resource consumption and potential DoS attacks.

Impact

Non-availability of the service, tarnished brand reputation, financial loss.

Example

An API endpoint allows unlimited requests or uploads without enforcing any limits.

Solution

Implement rate limiting mechanisms to restrict the frequency and size of clients' requests.

Mitigation

Use CAPTCHA systems, define a maximum data size for parameters and payloads, and limit the number of API calls allowed within a specified time.
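The following is an added example (not code from the original page) of the two controls the section describes: a per-client sliding-window request limit and a maximum payload size. The client key, limits and handler names are assumptions chosen for the illustration.

```python
import time
from collections import defaultdict, deque

MAX_REQUESTS = 5          # requests allowed per client per window (assumed)
WINDOW_SECONDS = 60.0     # sliding window length in seconds (assumed)
MAX_BODY_BYTES = 1024     # largest payload accepted (assumed)


class RateLimiter:
    """Sliding-window limiter keyed by client identity (API key, IP, ...)."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self._hits = defaultdict(deque)   # client -> timestamps of recent requests

    def allow(self, client, now=None):
        """Return True if the client may proceed, recording the request if so."""
        now = time.monotonic() if now is None else now
        hits = self._hits[client]
        # Discard timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False            # over the limit: do not record, just refuse
        hits.append(now)
        return True


limiter = RateLimiter()


def handle_upload(client, body, now=None):
    """Upload endpoint: every request counts against the client's quota,
    and oversized payloads are rejected before any further processing."""
    if not limiter.allow(client, now):
        return 429, "too many requests"
    if len(body) > MAX_BODY_BYTES:
        return 413, "payload too large"
    return 200, "accepted"
```

In a real deployment the size check would normally be applied to the Content-Length header before the body is read, and the limiter state kept in a shared store so it survives across server instances.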

Vulnerability V - Broken Function Level Authorisation

A low-privileged user bypasses the system's checks and reaches confidential data or administrative functions by acting as a high-privileged user; this typically stems from complex access control policies that are hard to enforce consistently.

Impact

Intruders can access unauthorized resources or administrative functions.

Example

An API endpoint returns employee information whenever the request contains isAdmin=1 together with a valid Authorization-Token, so the administrator check depends on a flag the client controls.

Solution

Implement proper access control policies with clear separation between regular and administrative functions.

Mitigation

Use strict access controls to check user authorisation on every function, review API endpoints for function-level authorisation flaws, and keep the application's business logic and group hierarchy in mind.
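The following is an added example, not code from the original page, covering both Vulnerability I (object-level checks) and Vulnerability V (function-level checks): the caller is identified only by a random bearer token, ownership of the requested object is checked on the server, and the administrator role is read from the server-side user record while any client-supplied isAdmin parameter is ignored. The users, orders and employees are constructed sample data.

```python
import secrets

# Constructed server-side stores (sample data, not from any real system).
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "carol": {"role": "admin"}}
ORDERS = {101: {"owner": "alice", "total": 42}, 102: {"owner": "bob", "total": 99}}
EMPLOYEES = {"e1": {"name": "Dana", "salary": 90000}}

# Session tokens are random and map to a user on the server; the token is the
# only thing the client sends to identify itself.
SESSIONS = {}


def login(username):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def current_user(headers):
    """Resolve the Authorization header to a username, or None if unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def get_order(headers, order_id):
    """BOLA-safe: authenticate, then check the caller owns the object."""
    user = current_user(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        # Same answer for missing and foreign objects, so IDs cannot be enumerated.
        return 404, {"error": "not found"}
    return 200, order


def list_employees(headers, params):
    """BFLA-safe: the role comes from the server-side user record.
    Anything in params (such as isAdmin=1) is deliberately never consulted."""
    user = current_user(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    if USERS[user]["role"] != "admin":
        return 403, {"error": "forbidden"}
    return 200, EMPLOYEES
```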

Vulnerability VI - Mass Assignment

Client-supplied data is automatically bound to server-side objects or class variables. Attackers exploit this by learning the application's business logic and sending crafted data to the server.

Impact

Data tampering and privilege escalation from regular user to administrator.

Example

A user's profile dashboard: a malicious actor edits a read-only attribute (e.g. the username) and submits the form. If the server does no filtering, the change is written to the database.

Solution

Ensure the necessary filtering on the server side (apirule6/user_s) and insert the default credit value of 50 even if a higher value is received from the client side.

Mitigation

Study how the framework performs backend insertions and updates before using it. Avoid functions that automatically bind client input to code variables. Allowlist the properties that may be updated from the client side.
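The following is an added example, not code from the original page, that serves both Vulnerability III and Vulnerability VI: an explicit output allowlist so a response never carries fields such as the password hash, and an input allowlist so a client cannot change its username or set its own credit, which is fixed at the server-side default of 50 as the section describes. The User fields are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    username: str          # read-only once created
    email: str
    password_hash: str     # must never leave the server
    credit: int = 50       # granted server-side, never taken from the client
    bio: str = ""


# Output allowlist: the only properties an API response may carry.
PUBLIC_FIELDS = ("id", "username", "bio")
# Input allowlist: the only properties a client may change on its own profile.
EDITABLE_FIELDS = ("email", "bio")


def to_public_dict(user):
    """Serialise explicitly; never dump the whole object (no vars()/to_json())."""
    return {name: getattr(user, name) for name in PUBLIC_FIELDS}


def create_user(next_id, payload, password_hash):
    """Build the record from named fields only, so a client-supplied 'credit'
    (or 'id', 'role', ...) in the payload has no effect."""
    return User(id=next_id, username=payload["username"],
                email=payload["email"], password_hash=password_hash)


def update_profile(user, payload):
    """Apply only allowlisted fields and return the names that were ignored,
    which is worth logging as a sign of tampering."""
    rejected = sorted(set(payload) - set(EDITABLE_FIELDS))
    for name in EDITABLE_FIELDS:
        if name in payload:
            setattr(user, name, payload[name])
    return rejected
```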

Vulnerability VII - Security Misconfiguration

Security misconfiguration occurs when security controls are implemented incorrectly or poorly configured. This can result in unauthorized access to the system.

Impact

Security misconfiguration can give intruders complete knowledge of API components and allow them to bypass security mechanisms.

Example

Bob developed an API endpoint for server health and status but forgot to implement error handling. This resulted in a complete stack trace being sent in response, revealing sensitive information.

Solution

Bob updates the endpoint to handle errors and return only the intended information to the user.

Mitigation

Limit access to administrative interfaces, disable default usernames and passwords, disable directory listing and set proper permissions, remove unnecessary code snippets and turn off debugging in production.
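The following is an added example (not Bob's code or code from the original page) of the health endpoint scenario: the misconfigured handler returns the stack trace to the client, while the hardened wrapper logs the full trace on the server under a request id and returns only a generic message. The request shape and handler names are assumptions.

```python
import logging
import traceback
import uuid

log = logging.getLogger("api")


def health_leaky(request):
    """Misconfigured: the exception text, stack trace included, becomes the body."""
    try:
        return 200, {"status": "ok", "db_ok": request["db"].ping()}
    except Exception:
        return 500, {"error": traceback.format_exc()}


def safe_endpoint(handler):
    """Wrap a handler so an unexpected exception never leaks internals."""
    def wrapper(request):
        request_id = str(uuid.uuid4())
        try:
            return 200, handler(request)
        except Exception:
            # Full detail goes to the server log, keyed by the request id...
            log.error("request %s failed\n%s", request_id, traceback.format_exc())
            # ...and the client only gets a generic message plus the id for support.
            return 500, {"error": "internal server error", "request_id": request_id}
    return wrapper


@safe_endpoint
def health(request):
    # Constructed health check: fails if the database handle is missing.
    return {"status": "ok", "db_ok": request["db"].ping()}
```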

Vulnerability VIII - Injection

Injection attacks occur when user input is not filtered and is directly processed by an API. This can result in unintended API actions without authorization.

Impact

Injection flaws may lead to information disclosure, data loss, DoS and complete account takeover; a successful attack may also give the intruder access to sensitive data or remote code execution.

Example

Bob developed a vulnerable login API endpoint that is not filtering user input. A malicious attacker can use a payload to get an authorization key for any account.

Solution

Bob updated the API endpoint and used parameterized queries and built-in filters to sanitize user input.

Mitigation

Use a well-known library for validating client-supplied input. Validate, filter and sanitise all client-provided data. Add the necessary security rules to the Web Application Firewall (WAF). Make use of the framework's built-in filters to validate and filter data.
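The following is an added example, not Bob's code or code from the original page, of the corrected login endpoint: the username is bound as a query parameter so quote characters or SQL keywords in it are treated as data, the password is verified against a salted hash rather than stored in plain text, and a random authorisation key is issued only on success. The schema and sample user are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed in-memory database with one sample account.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")


def hash_password(password, salt_hex):
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), 100_000).hex()


def add_user(username, password):
    salt_hex = secrets.token_hex(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt_hex, hash_password(password, salt_hex)))


add_user("bob", "correct horse battery staple")


def login(username, password):
    """Return an authorisation key on success, None otherwise.

    The query is parameterised: the driver sends the username as a bound
    value, so it can never change the statement's structure. Building the
    statement with string formatting (e.g. f"... WHERE username = '{username}'")
    is exactly the flaw described above."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    salt_hex, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(stored, hash_password(password, salt_hex)):
        return None
    return secrets.token_urlsafe(32)
```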

Vulnerability IX - Improper Assets Management

Improper Assets Management refers to a scenario where an older version of an API is still present on the system but lacks the updated security features. This can lead to data leakage and server takeover.

Impact

The older or unpatched API versions can allow intruders to get unauthorized access to confidential data or even complete control of the system.

Example

The company MHT developed different API versions but forgot to remove the old version from the server. Old API calls returned more information than intended.

Solution

Bob realised he must immediately deactivate old and unused assets.

Mitigation

Block access at the network level to previously developed, sensitive and deprecated API calls. Segregate the APIs developed for R&D, QA, production, etc. and host them on separate servers. Document all aspects of every API.

Vulnerability X - Insufficient Logging & Monitoring

A lack of logging and monitoring mechanisms makes it difficult to track malicious activity on your server.

Impact

Inability to identify the attacker behind an attack.

Example

Company MHT was subjected to multiple attacks and could not identify the culprit. In response, an API endpoint was created to log users' metadata and save it in the database.

Mitigation

Use a SIEM system for log management. Keep track of denied accesses, failed authentication attempts, and input validation errors.
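The following is an added example, not code from the original page, of the monitoring side of this section: structured API log lines recording the events the mitigation names (denied access, failed authentication, validation errors) are parsed and any client producing a burst of one event type inside a sliding window is flagged, the kind of rule a SIEM would run. The log format, field names and sample lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of JSON-lines API logs; not real traffic.
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:01Z", "client": "10.0.0.7", "path": "/login", "status": 401, "event": "auth_failed"}
{"ts": "2024-05-01T10:00:03Z", "client": "10.0.0.7", "path": "/login", "status": 401, "event": "auth_failed"}
{"ts": "2024-05-01T10:00:05Z", "client": "10.0.0.7", "path": "/login", "status": 401, "event": "auth_failed"}
{"ts": "2024-05-01T10:00:06Z", "client": "10.0.0.9", "path": "/orders/1", "status": 200, "event": "ok"}
{"ts": "2024-05-01T10:00:07Z", "client": "10.0.0.7", "path": "/login", "status": 401, "event": "auth_failed"}
{"ts": "2024-05-01T10:00:08Z", "client": "10.0.0.7", "path": "/login", "status": 401, "event": "auth_failed"}
{"ts": "2024-05-01T10:09:00Z", "client": "10.0.0.9", "path": "/admin", "status": 403, "event": "access_denied"}
{"ts": "2024-05-01T10:30:00Z", "client": "10.0.0.7", "path": "/login", "status": 401, "event": "auth_failed"}
"""

# Event types worth tracking, as listed in the mitigation above.
WATCHED_EVENTS = {"auth_failed", "access_denied", "validation_error"}


def parse(text):
    """Yield one dict per log line with the timestamp converted to datetime."""
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def find_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Flag (client, event) pairs with at least `threshold` watched events
    inside any sliding window; returns sorted (client, event, count) tuples."""
    per_key = defaultdict(list)
    for rec in records:
        if rec["event"] in WATCHED_EVENTS:
            per_key[(rec["client"], rec["event"])].append(rec["ts"])
    alerts = []
    for (client, event), times in per_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((client, event, end - start + 1))
                break                           # one alert per client/event
    return sorted(alerts)
```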

Conclusion

In conclusion, over half of the OWASP API Security Top 10 list concerns authorisation and authentication. Most commonly, API systems are compromised because of failures in authorisation and authentication mechanisms and through security misconfigurations. It is crucial that API developers safeguard their APIs in line with cybersecurity best practices and pay particular attention to modules such as sign-in, role-based access and user profile settings.