AppSealing – OWASP API Top 10: What You Need To Know To Secure Your API

With the ever-increasing reliance on mobile applications for communication, commerce, and collaboration, protecting the integrity of the systems that power these applications is paramount. APIs, the conduits that enable different software applications to communicate and exchange data, have become an essential component of the modern digital ecosystem. One of the primary reasons API security is critical in application design and development is the widespread adoption of RESTful APIs, which are built on stateless principles and rely on standard HTTP methods for communication. While this approach simplifies API design and enables seamless integration, it can expose APIs to a range of security vulnerabilities if not adequately protected. Some common threats include unauthorized access, data leaks, injection attacks, and denial of service (DoS) attacks.

This blog about API security throws light on what API security is, the OWASP API Top 10, and how AppSealing offers essential strategies to safeguard your digital assets and enhance the resilience of your application ecosystem.

OWASP API Top 10

The Open Web Application Security Project (OWASP) API Top 10 provides a crucial resource for organizations to enhance the security of their application programming interfaces (APIs). It serves as an industry-standard framework, offering guidance on identifying and mitigating APIs’ most pressing security risks.

To keep up-to-date with emerging threats and changes in the API landscape, developers, security professionals, and organizations need to prioritize understanding and addressing the risks associated with APIs. Confidentiality, integrity, and availability of sensitive information must be ensured to avoid potential breaches. By taking these necessary measures, organizations can safeguard critical information from unauthorized access or cyberattacks on their API systems.

Before we dig deeper into API security, let’s learn about API vulnerabilities in the news and why they are turning heads.

The Experian breach: An undergraduate student at the Rochester Institute of Technology discovered a major security flaw in an API endpoint while searching for better student loan terms. The vulnerability allowed anyone with access to basic personal information, such as a person’s name, address, and date of birth – easily obtainable information – to retrieve highly sensitive credit data, including credit scores. This exposed data presented serious risks for identity theft, financial fraud, and other cybercrimes if accessed by malicious actors. The case illustrates the importance of implementing robust security measures for APIs, as even minor oversights can lead to significant privacy breaches and compromise user data. This breach underscores the urgent need for organizations to prioritize API security by employing strong authentication mechanisms like access controls and continuous monitoring systems designed to prevent unauthorized access or potential misuse of sensitive user data.

A heartening tale emerged amid the grim news of Russia’s invasion of Ukraine. Unnamed Ukrainian heroes remotely disabled tractors worth $5 million that Russian troops had stolen from an authorized John Deere dealer in the occupied city of Melitopol. The soldiers made off with 27 pieces of farm machinery and sent them to Chechnya, over 700 miles away, only to find out they couldn’t operate due to a “kill switch.” The dealership used GPS technology embedded within each machine for tracking purposes. Despite reports suggesting that the equipment was stranded on a farm near Grozny as late as May 1st, rumors are circulating that some Russians might have successfully found experts who can help bypass digital protections bricking the machines.

Today, in a world where virtually every industry relies on software-driven technologies, API security has become an indispensable aspect of business operations. Developers who possess the necessary knowledge and skills to maintain and safeguard this crucial layer of protection are highly sought after by companies operating in diverse sectors ranging from finance to agricultural machinery. As such, developers must stay abreast of advancements in API security tools and best practices to ensure that their organization’s software systems remain secure against cyber threats.

API1:2019 – Broken Object-Level Authorization 

API1:2019 – Broken Object-Level Authorization refers to a vulnerability when an API fails to enforce appropriate access controls on sensitive resources. In this scenario, unauthorized users can access or manipulate objects they should not have permission to interact with. This security flaw often arises when an API uses predictable or easily guessable identifiers for resources and proper authorization checks are not in place.

Attackers can exploit this vulnerability by manipulating object identifiers in API requests to access unauthorized resources, potentially exposing sensitive data or unauthorized actions on behalf of other users. 

Example: An online shopping API uses numerical order IDs in URLs, such as “/orders/12345”. An attacker can change the order ID in the URL to access orders belonging to other users without proper authorization. To mitigate this vulnerability, developers should implement robust access control mechanisms, ensuring that users can only access resources they are authorized to view.

API2:2019 – Broken User Authentication 

API2:2019 – Broken User Authentication is a security vulnerability that occurs when an API’s user authentication mechanisms are improperly implemented or inadequately protected. This issue can leave the API vulnerable to attacks, allowing malicious actors to bypass authentication, impersonate legitimate users, or gain unauthorized access to sensitive data and resources.

Broken User Authentication can result from various factors, such as weak password policies, lack of multi-factor authentication, insecure token handling, or vulnerabilities in the authentication process. When an API’s authentication mechanisms are not robust, attackers can exploit these weaknesses to gain unauthorized access to the system, compromising user accounts and potentially leading to further security breaches.

Example: An API allows users to reset their passwords using security questions but does not limit the number of attempts to answer them. An attacker can launch a brute force attack against the security questions to gain unauthorized access to a user’s account. To address this vulnerability, developers should implement strong authentication mechanisms, such as multi-factor authentication and rate limiting on authentication attempts.

API3:2019 – Excessive Data Exposure 

API3:2019 – Excessive Data Exposure is a security risk when an API exposes more data than necessary, potentially allowing attackers to access sensitive information. This vulnerability often stems from developers assuming clients filter out sensitive data before displaying it to users. As a result, the API may return more information than the client application requires, increasing the risk of data leakage. Excessive data exposure can lead to unauthorized access and exploitation of sensitive data, such as personally identifiable information (PII) or confidential business information. Attackers can use this data for various malicious purposes, including identity theft, financial fraud, or corporate espionage.

Example

A social media API returns a user’s full profile data, including email, phone number, and date of birth, even though the client application only requires the user’s username and profile picture. An attacker can exploit this vulnerability to harvest sensitive user data. To prevent excessive data exposure, developers should implement data filtering at the API level, only returning the necessary data for each request.

API4:2019 – Lack of Resources and Rate Limiting 

API4:2019 – Lack of Resources and Rate Limiting refers to a security risk associated with APIs that do not implement adequate controls to limit the number of requests a client can make within a given period. Without such controls, APIs become vulnerable to various attacks, such as denial-of-service (DoS) or brute force attacks, which can consume system resources and disrupt the service. When APIs lack appropriate rate limiting and resource management, attackers can exploit this weakness to overwhelm the system with high requests. This can lead to server crashes, slow response times, or even complete system unavailability, severely impacting the user experience and potentially causing financial or reputational damage to the organization.

Example:

An API lacks rate limiting on its login endpoint, allowing an attacker to submit thousands of login requests per second to guess user credentials. To mitigate this risk, developers should implement rate limiting and other resource management controls, such as caching and request throttling.

API5:2019 – Broken Function-Level Authorization

API5:2019 – Broken Function-Level Authorization refers to a vulnerability in APIs that occurs when users can perform actions they should not be authorized to execute, typically due to inadequate permission checks. This security issue can enable attackers to escalate their privileges and perform unauthorized actions, potentially compromising sensitive data or system functionality. Broken Function-Level Authorization arises when an API’s authorization mechanisms fail to properly verify a user’s roles, permissions, or privileges before granting access to specific functions or resources. Several factors, such as the incorrect implementation of access controls, reliance on client-side enforcement, or insufficient validation of user roles, can cause this.

Example: 

An e-commerce API has an endpoint for updating product prices, which should only be accessible to administrators. However, due to insufficient permission checks, regular users can access this endpoint and modify prices. To address this issue, developers should implement robust authorization mechanisms and verify user permissions for each API request.

API6:2019 – Mass Assignment 

API6:2019 – Mass Assignment is a vulnerability that occurs when an API allows clients to update or create properties they should not have access to, often due to binding client-provided data to internal object properties without adequate filtering or validation. This can enable attackers to modify sensitive data or escalate privileges by manipulating input parameters in API requests. Mass assignment vulnerabilities can arise due to developers’ reliance on automated data-binding features web application frameworks provide. These features often bind user-supplied data to internal object properties without considering the potential security risks. Consequently, attackers can exploit this oversight to tamper with properties that should be restricted or not exposed to clients.

Example: 

An attacker modifies a user registration request to include the parameter “isAdmin=true”, causing the API to create a new user with administrative privileges. To prevent mass assignment, developers should implement input validation and filtering, ensuring that clients can only modify properties they are authorized to change.

 

API7:2019 – Security Misconfiguration

API7:2019 – Security Misconfiguration refers to a vulnerability when an API is deployed or maintained with insecure configurations, leaving it susceptible to attacks. This risk can arise from various factors, including insecure default settings, incomplete or ad hoc configurations, incorrect security headers, or unprotected cloud storage. Security misconfigurations can result from a lack of proper security hardening, such as leaving default credentials unchanged, enabling unnecessary features, or failing to restrict access to sensitive information. These misconfigurations can expose the API to attacks, including unauthorized access, data leaks, or complete system compromise.

Example:

An API server is deployed with default settings, including directory listing enabled. Attackers can exploit this misconfiguration to discover and access sensitive files or configuration data. To address this risk, developers should follow security best practices, such as disabling unnecessary features, changing default credentials, and regularly reviewing and updating configurations.

API8:2019 – Injection

API8:2019 – Injection refers to a vulnerability that arises when an API fails to properly validate or sanitize user-supplied data, leaving it susceptible to code injection attacks. These attacks can include SQL injection, command injection, or other forms of code injection, allowing attackers to execute unintended commands, access sensitive information, or compromise the system. 

Injection vulnerabilities typically result from using user-supplied data in constructing queries, commands, or other expressions without proper input validation or sanitization. Attackers can exploit these vulnerabilities by submitting malicious code or specially crafted input as part of an API request. If not properly handled, it may lead to the execution of the attacker’s code on the server side or within the context of another user’s session.

Example: 

An attacker submits malicious SQL code as a parameter in an API request. The API fails to validate and sanitize the input, resulting in the execution of the attacker’s SQL code, which may disclose sensitive data or modify the database. Developers should implement proper input validation, sanitization, and parameterization techniques to mitigate injection vulnerabilities.

API9:2019 – Improper Assets Management

API9:2019 – Improper Assets Management is a vulnerability that arises when APIs are not properly documented, versioned, or secured, making it challenging to manage and protect them from unauthorized access or exploitation. This risk can stem from a lack of proper API inventory, outdated or unpatched API versions, inconsistencies between development, testing, and production environments, or inadequate access controls. Improper Assets Management can lead to various security issues, such as unauthorized access to sensitive data, exploitation of known vulnerabilities in outdated API versions, or the exposure of critical system functionality. In some cases, attackers may also leverage poorly managed APIs to access other parts of the application or infrastructure, potentially leading to more severe security incidents.

Example: 

An organization deploys multiple versions of an API but fails to retire older, vulnerable versions. Attackers can exploit known vulnerabilities in outdated API versions to gain unauthorized access or compromise the system. To address this issue, organizations should maintain a comprehensive API inventory, ensure that all API versions are up-to-date, and implement proper access controls.

API10:2019 – Insufficient Logging and Monitoring

Lack of adequate logging and monitoring mechanisms in APIs can make it challenging to detect and respond to security incidents promptly and effectively, potentially allowing attackers to exploit vulnerabilities or compromise sensitive data without being detected. Insufficient Logging and Monitoring can result from various factors, such as inadequate log storage, a lack of log analysis, or insufficient alerting mechanisms. When an API lacks proper logging and monitoring, it becomes difficult for security teams to identify and investigate suspicious activities, track the root cause of issues, or gather evidence for incident response and forensics.

Example:

 An API suffers a data breach due to a previously unknown vulnerability. However, due to insufficient logging and monitoring, the security team remains unaware of the breach for an extended period, allowing the attacker to exfiltrate a large amount of sensitive data. Organizations should implement comprehensive logging and monitoring solutions to mitigate this risk, including real-time alerting and automated log analysis to detect and respond to security incidents promptly.

Final Thoughts

Maintaining API security is an ongoing endeavor. It not only involves taking active steps such as crafting a secure design, evaluating potential threats, fortifying defenses, and establishing safeguards, but also demands persistent observation, evaluation, remediation, and notification. However, safeguarding unidentified assets is impossible; therefore, having a comprehensive understanding of your resources and significance of the OWASP API Security top 10 is essential for prioritizing critical aspects and efficiently managing potential risks.