APIs are like doors to your system. Make sure you're not leaving the keys under the doormat!
Introduction to OWASP API Top 10
The Open Web Application Security Project (OWASP) is a non-profit, collaborative online community that maintains the OWASP Top 10 API Security Risks. The list ranks the most critical security vulnerabilities and risks affecting APIs (Application Programming Interfaces) and guides developers and organisations in understanding and addressing the potential security threats in their API implementations.
The OWASP API Security Project is in the process of updating its Top 10 API Security Risks for 2023. The previous version was last revised in 2019. The new list retains several familiar risks while introducing a few new ones and removing others. Notably, logging, monitoring, and injection have been excluded from the top 10 risks, although they still hold significance. On the other hand, server-side request forgery (SSRF) and unsafe consumption of APIs are newly identified risks that have made their way onto the list.
Updates in OWASP API top 10 2023
The 2023 list has been finalised and is now available on the OWASP GitHub site. It is the result of extensive collaboration and expert input. The OWASP API top 10 security risks, in order, are:
1. Broken object-level authorisation (Unchanged)
2. Broken authentication (Modified)
3. Broken object property level authorisation (New!)
4. Unrestricted resource consumption (Modified)
5. Broken function level authorisation (Unchanged)
6. Unrestricted access to sensitive business flows (New!)
7. Server-side request forgery (New!)
8. Security misconfiguration (Demoted)
9. Improper inventory management (Modified)
10. Unsafe consumption of APIs (New!)
Broken object-level authorization (BOLA)
Object-level authorisation is a security measure commonly implemented at the code level to validate that a user may access a specific object. When it is not adequately enforced, it can expose systems to severe vulnerabilities.
APIs often have exposed endpoints that deal with object identifiers, which can lead to a broad range of Object Level Access Control vulnerabilities. To mitigate these risks, implement object-level authorization checks in all functions interacting with a data source using user-provided IDs. By doing so, we can enhance the security of our system and protect against unauthorized access and manipulation of sensitive data.
Attackers exploit API endpoints by manipulating object IDs transmitted within requests. This issue is unfortunately prevalent in API-based applications, particularly when server-side components fail to maintain a comprehensive client state and rely heavily on object IDs. A notable incident at Uber involved exploiting this weakness by sending API requests that included user phone numbers to gain unauthorised access to tokens and manipulate systems.
Implementing effective authorisation and access controls takes time and effort. Even with proper protocols and configurations, developers occasionally overlook the need for an authorisation check before accessing a sensitive object. These oversights are not easily detected through automated testing methods.
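As an added example (not from the original post), the same lookup written twice in Python: once trusting the ID taken from the request, once scoped to the authenticated caller. The invoice store and user IDs are constructed.

```python
"""Object-level authorisation on a user-supplied ID: added example, not from
the original post. The data store and IDs are constructed; `current_user_id`
stands in for the identity the API derived from the verified session token."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample data: invoices belonging to two different users.
INVOICES = {
    101: Invoice(101, owner_id=7, amount_cents=4200),
    102: Invoice(102, owner_id=9, amount_cents=99900),
}


def get_invoice_vulnerable(current_user_id, invoice_id):
    """BOLA: looks the object up by the ID taken from the request path and never
    relates it to the caller, so any authenticated user can read any invoice."""
    invoice = INVOICES.get(invoice_id)
    return (200, invoice) if invoice is not None else (404, None)


def get_invoice(current_user_id, invoice_id):
    """Hardened: the lookup is scoped to the caller's own objects (in SQL terms,
    `WHERE id = ? AND owner_id = ?`). A foreign ID is answered exactly like a
    missing one, so the response does not confirm another user's invoice exists."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        return 404, None
    return 200, invoice


def pay_invoice(current_user_id, invoice_id, paid):
    """Every function that takes a user-supplied ID applies the same check,
    mutations included; `paid` is a constructed stand-in for the write."""
    status, invoice = get_invoice(current_user_id, invoice_id)
    if status != 200:
        return 404
    paid.add(invoice.invoice_id)
    return 200
```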
Broken authentication
Improper implementation of authentication mechanisms can expose vulnerabilities, enabling attackers to compromise authentication tokens and exploit flaws to impersonate other users temporarily or permanently. Such compromises undermine the system's ability to identify clients or users accurately and pose significant risks to the overall security of the API. It is essential to ensure robust authentication practices are in place to prevent unauthorized access and maintain the integrity of the API's security measures.
Authentication endpoints pose a particular threat because they are accessible to individuals outside the organisation. Failing to protect the complete authentication boundary, or to implement appropriate security protocols, leads to vulnerabilities.
Authentication endpoints are often susceptible to various risks, such as brute force attacks, credential stuffing, weak encryption keys, and connections to other microservices without requiring authentication.
OWASP highlights two specific issues related to endpoint authentication:
A lack of protection mechanisms: authentication endpoints are not given the additional layers of security they require.
Incorrect implementation of authentication mechanisms, or use of mechanisms that are inappropriate for the specific application.
Broken object property level authorization (New; merges API3:2019 and API6:2019)
In this category, OWASP brings together the risks highlighted in API3:2019 Excessive Data Exposure and API6:2019 Mass Assignment. The primary focus is addressing insufficient or incorrect authorization validation at the object property level. This vulnerability can result in unauthorized access to and manipulation of sensitive information. Keep reading to gain a deeper understanding of the topic.
To ensure authorised access to object properties when using an API, it becomes crucial to validate users' permissions. Failing to enforce proper authorisation at the object property level can result in unauthorised users gaining access to and modifying objects.
Threat actors exploit vulnerable API endpoints to manipulate object property values by reading, modifying, adding, or deleting them, even if those objects should be off-limits to attackers.
Developers may overlook validating whether users have the necessary permissions to access specific properties within objects, even when they have implemented access controls for functions and objects.
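An added Python example, not part of the original post, showing both halves of this category: a per-role field allow-list that defeats mass assignment on write, and a response allow-list that prevents excessive data exposure on read. The User record, roles and sample values are constructed.

```python
"""Object property level authorisation: added example, not from the original
post. The User record, roles and sample values are constructed; `caller_role`
is assumed to come from the verified session, never from the request body."""
from dataclasses import asdict, dataclass, replace


@dataclass(frozen=True)
class User:
    user_id: int
    email: str
    display_name: str
    is_admin: bool
    password_hash: str
    credit_balance: int


# Properties each role may write; anything not listed is rejected, which is
# what stops mass assignment (the former API6:2019).
WRITABLE = {
    "self": {"email", "display_name"},
    "admin": {"email", "display_name", "is_admin", "credit_balance"},
}
# Properties ever returned to a client; the rest stays server-side, which is
# what stops excessive data exposure (the former API3:2019).
READABLE = {"user_id", "email", "display_name", "is_admin"}
SAMPLE_USER = User(1, "ann@example.com", "Ann", False, "<hash placeholder>", 0)


def update_user_vulnerable(user, payload):
    """Mass assignment: every key in the JSON body becomes a field."""
    return replace(user, **payload)


def rejected_fields(payload, caller_role):
    """Fields in the payload that this role is not permitted to write."""
    return set(payload) - WRITABLE.get(caller_role, set())


def update_user(user, payload, caller_role):
    """Hardened: apply the payload only if every field is writable by the caller."""
    bad = rejected_fields(payload, caller_role)
    if bad:
        raise PermissionError(f"not writable by {caller_role}: {sorted(bad)}")
    return replace(user, **payload)


def serialize_vulnerable(user):
    return asdict(user)  # returns the whole record, password hash included


def serialize(user):
    """Hardened: explicit allow-list of properties the client may read."""
    return {k: v for k, v in asdict(user).items() if k in READABLE}
```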
Unrestricted resource consumption
API requests consume valuable resources such as network bandwidth, CPU, memory, and storage. Service providers offer additional resources like emails, SMS, phone calls, or biometrics validation through API integrations, billed per request. However, successful attacks targeting these APIs can result in Denial of Service attacks by overwhelming resources with multiple requests or a significant increase in operational costs. This behaviour can result in financial losses for those billed on a pay-per-request basis. Over the past two years, distributed denial of service (DDoS) attacks have increased by up to 60%.
Protecting against such attacks is crucial to maintain service availability and prevent financial implications. Exploiting APIs involves sending numerous simultaneous requests to APIs that lack interaction limitations.
APIs often fail to implement restrictions such as execution timeouts, maximum memory limits, limits on the number of operations in client requests, or third-party spending limits. Despite logging mechanisms, detecting malicious activities in the early stages is challenging.
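An added Python example (not from the original post) of the limits this paragraph lists, applied before a handler does any work: a body-size cap, a bounded page size, a per-client token bucket, and a per-user spending cap on a billed third-party call. The limiter, clock and thresholds are constructed.

```python
"""Per-client resource limits for an API endpoint: added example, not from the
original post. The limiter is in-memory and its clock is injectable so the
example runs deterministically; in production the counters live in a shared
store such as Redis so every API instance enforces the same budget."""
import time

MAX_PAGE_SIZE = 100            # records per request; bounds query cost
MAX_BODY_BYTES = 64 * 1024     # accepted request body; bounds memory use
MAX_SMS_PER_USER_PER_DAY = 5   # spending limit on a per-request-billed service


class TokenBucket:
    """Allows `burst` immediate requests, then `rate` requests per second."""
    def __init__(self, rate, burst, clock):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock, self.buckets, self.sms_sent = clock, {}, {}

    def check_request(self, client_id, page_size, body_len):
        """HTTP status for the request: 200 accepted; 413, 400 or 429 rejected.
        Cheap checks run first so an oversized request costs the client no token."""
        if body_len > MAX_BODY_BYTES:
            return 413
        if not 1 <= page_size <= MAX_PAGE_SIZE:
            return 400
        if client_id not in self.buckets:
            self.buckets[client_id] = TokenBucket(2.0, 5, self.clock)
        return 200 if self.buckets[client_id].allow() else 429

    def allow_sms(self, user_id):
        """Caps a billed third-party call per user; a scheduler resets it daily."""
        sent = self.sms_sent.get(user_id, 0)
        if sent >= MAX_SMS_PER_USER_PER_DAY:
            return False
        self.sms_sent[user_id] = sent + 1
        return True


class FakeClock:  # constructed clock so the demonstration needs no real waiting
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
```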
Broken function level authorization
Authorization flaws often arise from complex access control policies involving hierarchies, groups, roles, and unclear boundaries between administrative and regular functions. Exploiting these vulnerabilities allows attackers to gain unauthorized access to resources belonging to other users or even obtain administrative privileges. It is essential to establish clear and well-defined access control mechanisms that accurately differentiate between administrative and regular user privileges to ensure robust security.
Broken function-level authorisation lets users acquire privileges they were never granted, allowing them to execute critical operations through administrative endpoints.
Attackers exploit the structured and predictable way APIs expose their functions: legitimate API calls can be directed at endpoints outside the caller's designated access boundary. Sometimes it is as simple as guessing the endpoint URL by changing "users" to "admins".
Modern applications often involve numerous roles, groups, and intricate user hierarchies. Users may have different roles for various areas or objects, making monitoring access and permissions challenging.
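An added Python example, not from the original post, of a central deny-by-default policy keyed on both method and path, so that a guessed administrative URL is refused before any handler runs. The routes and roles are constructed.

```python
"""Function-level authorisation with a central deny-by-default policy: added
example, not from the original post. Routes and roles are constructed; the
caller's role is assumed to come from the verified token, never from the URL
or the request body."""
import re

# Every exposed function is listed with the roles allowed to call it, keyed by
# HTTP method as well as path, since a user may be allowed to GET a resource
# but not to DELETE it. Anything not listed is denied.
POLICY = [
    ("GET",    re.compile(r"/api/users/\d+"),        {"user", "admin"}),
    ("PATCH",  re.compile(r"/api/users/\d+"),        {"user", "admin"}),
    ("GET",    re.compile(r"/api/admin/users"),      {"admin"}),
    ("DELETE", re.compile(r"/api/admin/users/\d+"),  {"admin"}),
]


def authorize(method, path, role):
    """200 if `role` may call this function, 403 otherwise. An unlisted path,
    such as a guessed /api/admins, falls through to 403 instead of reaching a
    handler that might forget its own check. Object-level authorisation (does
    this caller own users/42?) is a separate check inside the handler.
    `path` is assumed to be the framework's already-normalised request path."""
    method = method.upper()
    path = path.split("?", 1)[0].rstrip("/") or "/"  # drop query string and trailing slash
    for allowed_method, pattern, roles in POLICY:
        if allowed_method == method and pattern.fullmatch(path):
            return 200 if role in roles else 403
    return 403
```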
Unrestricted Access to Sensitive Business Flows
Unrestricted Access to Sensitive Business Flows refers to a security vulnerability where unauthorised individuals or attackers gain unrestricted access to critical business processes or workflows that contain sensitive information. This vulnerability poses a significant risk, allowing attackers to maliciously manipulate or exploit these sensitive flows.
APIs susceptible to this risk expose critical business functionalities, such as purchasing tickets or posting comments, without implementing measures to mitigate the harm caused by excessive or automated usage. Addressing this vulnerability requires bug fixes combined with consideration of the broader impact on the business.
From an attacker's point of view, gaining unrestricted access to sensitive business flows allows them to carry out various attacks. They can manipulate or tamper with the data in these flows, leading to unauthorised modifications, data breaches, or unauthorised actions within the system, potentially resulting in financial loss, reputation damage, or compromise of sensitive information.
Monitoring and logging mechanisms can help detect and respond to unauthorised access attempts or suspicious activities. Regular security awareness training for employees can also contribute to a proactive security culture and help mitigate the risk of unrestricted access to sensitive business flows.
Server-Side Request Forgery
Server-side request forgery (SSRF) occurs when an API retrieves a remote resource without validating the URL supplied by the user. Such a vulnerability can allow attackers to use the server as a proxy to conceal malicious activity and even bypass firewalls and VPNs. Researchers recently discovered and patched four SSRF vulnerabilities in Azure API Management. Robust input validation is essential to prevent SSRF attacks and safeguard the integrity and security of the system.
Attackers identify an API endpoint that accepts a uniform resource identifier (URI) and manipulate the application into sending requests to unexpected destinations. This can bypass firewalls or VPN protections that are in place.
In application development, fetching URIs provided by the client is a common and expected pattern. However, server-side data retrieval is often not logged or adequately monitored, leaving potential security gaps.
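An added Python example (not from the original post) of validating a client-supplied URL before the server fetches it: scheme and host allow-listing, rejection of userinfo and unusual ports, and a check that the host does not resolve into a private or link-local range. The allow-list and the resolver are constructed.

```python
"""Validating a client-supplied URL before the server fetches it: added
example, not from the original post. The allow-list and resolver are
constructed; a real service would use its own host list and the system
resolver, fetch with redirects disabled, and re-run this check on any
redirect target it chooses to follow."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}  # constructed


def is_public_ip(ip):
    """False for loopback, private, link-local (cloud metadata), multicast,
    reserved and unparsable addresses."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def validate_fetch_url(url, resolve):
    """(True, "ok") if the URL may be fetched, else (False, reason). `resolve`
    maps a host name to its IP addresses; injecting it keeps the check offline
    and lets the fetch pin the same answer instead of resolving a second time."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "malformed"
    if parts.scheme != "https":
        return False, "scheme"            # no http, file, gopher, ...
    if parts.username is not None or parts.password is not None:
        return False, "userinfo"          # user@host syntax can disguise the real host
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host"              # allow-list, never a deny-list of bad hosts
    if port not in (None, 443):
        return False, "port"
    ips = resolve(host)
    if not ips or not all(is_public_ip(ip) for ip in ips):
        return False, "resolves-to-internal"  # DNS rebinding or split-horizon DNS
    return True, "ok"


# Constructed resolver standing in for DNS. "cdn.example.net" is allow-listed
# but currently resolves into a link-local range, which is still refused.
FAKE_DNS = {"images.example.com": ["93.184.216.34"],
            "cdn.example.net": ["169.254.169.254"]}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])
```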
Security misconfiguration
APIs and their underlying systems often involve intricate configurations aimed at enhancing customization. However, the complexity of these configurations can result in oversight or failure to adhere to security best practices by software and DevOps engineers. Such lapses create vulnerabilities and expose the APIs to various types of attacks. It is imperative to implement thorough configuration management processes and follow security guidelines to mitigate these risks and ensure the robustness of the API ecosystem.
Developers should prioritise strengthening the security of the API stack. However, there are often instances where permissions are incorrectly or inconsistently applied across cloud services. Outdated security patches and software further compound the issue. There have been notable cases where companies failed to adequately protect their cloud resources, such as the United States Army Intelligence and Security Command, resulting in the exposure of top-secret files.
Threat actors actively search for unpatched vulnerabilities and unprotected files or directories. Malicious actors aim to establish a comprehensive system mapping and attain unauthorised entry by focusing on widely used endpoints. Inconsistencies in the handling and processing of requests create opportunities for attackers.
Misconfigurations can occur at various levels, ranging from network to application. The presence of legacy options and unnecessary services can also introduce additional attack paths.
Improper inventory management
APIs often expose more endpoints than traditional web applications, underscoring the criticality of comprehensive and up-to-date documentation. By prioritizing thorough documentation and active inventory management, organizations can enhance the security and stability of their API infrastructure.
APIs in various applications can be intricate and interconnected. Integrating third-party services increases the exposure to potential threats, and it is common for multiple versions of APIs to be left unmanaged. Outdated or missing documentation further complicates the task of maintaining oversight.
Attackers may exploit older versions of APIs or target unpatched endpoints. They can also gain unauthorised access through vulnerabilities in third-party connections.
Insufficient inventory or asset management practices can result in various issues, including the existence of unpatched systems. API hosts may be exposed through microservices, often leading to independent applications. The absence of a structured and documented methodology for deploying, managing, and retiring APIs can lead to various security vulnerabilities.
Unsafe consumption of APIs
Developers often place a higher level of trust in data obtained from third-party APIs than in user input, which leads to the adoption of less robust security measures. In their attempts to compromise APIs, attackers often target integrated third-party services rather than the target API itself. If threat actors manage to compromise these third parties, they can exploit the APIs that connect to them, resulting in potential damage. Surprisingly, up to half of data breaches today occur due to vulnerabilities in third-party connections.
Developers need to recognize the potential vulnerabilities associated with third-party integrations and implement robust security measures to safeguard against potential exploits. By prioritizing robust security practices, developers can strengthen the overall security posture of their APIs.
This vulnerability arises when developers trust endpoints that interact with other APIs without thorough verification and robust protection measures. For instance, they may neglect to impose appropriate limits on resources, to validate redirects, or to validate and sanitise the data returned by those APIs before processing it.
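An added Python example, not from the original post, of the checks named above applied to a third-party response before it is processed: a size limit, no redirect following, and validation of content type, shape and values. The partner API and its replies are constructed.

```python
"""Treating a third-party API response as untrusted input: added example, not
from the original post. The Response objects are constructed; a real client
would obtain them from its HTTP library with redirects disabled and a timeout
set, then run the same checks before acting on anything in the body."""
import json
from dataclasses import dataclass

MAX_UPSTREAM_BYTES = 1_000_000        # resource limit on the partner's reply
EXPECTED = {"order_id": str, "status": str, "total_cents": int}
ALLOWED_STATUS = {"pending", "shipped", "delivered"}


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


def check_partner_order(resp):
    """Return "ok" if the body may be processed, else the reason it was refused."""
    if 300 <= resp.status < 400:
        return "redirect not followed"    # a partner redirect is validated, never obeyed blindly
    if resp.status != 200:
        return "unexpected status"
    ctype = resp.headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return "unexpected content type"
    if len(resp.body) > MAX_UPSTREAM_BYTES:
        return "response too large"
    try:
        data = json.loads(resp.body)
    except ValueError:
        return "malformed json"
    if not isinstance(data, dict) or set(data) != set(EXPECTED):
        return "unexpected fields"        # extra keys never reach our own logic
    for key, typ in EXPECTED.items():
        if type(data[key]) is not typ:    # `is`, so a bool is not accepted as an int
            return f"bad type for {key}"
    if data["status"] not in ALLOWED_STATUS or data["total_cents"] < 0:
        return "value out of range"
    return "ok"


# Constructed sample replies from the hypothetical partner API.
GOOD = Response(200, {"content-type": "application/json; charset=utf-8"},
                b'{"order_id": "A-1", "status": "shipped", "total_cents": 1999}')
REDIRECT = Response(302, {"location": "http://internal.example/"}, b"")
INJECTED = Response(200, {"content-type": "application/json"},
                    b'{"order_id": "A-1", "status": "shipped", "total_cents": 1999, "is_admin": true}')
```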
In conclusion, the OWASP API 2023 project highlights the critical importance of securing APIs in today's interconnected digital landscape. With the increasing reliance on APIs for seamless data exchange and integration, it becomes crucial to prioritise API security. The project sheds light on various security vulnerabilities and attack vectors that threat actors exploit, emphasising the need for developers and organisations to implement robust security measures. By adhering to the guidelines and recommendations outlined in the OWASP API 2023, developers can strengthen the security of their APIs, mitigate potential attacks, and enhance the protection of sensitive data.
It is important to note that while the OWASP API 2023 provides valuable insights and best practices, it is not an exhaustive security checklist that guarantees a completely secure application. Instead, it's a foundational framework of essential security measures that help address common vulnerabilities and mitigate common mistakes. Security weaknesses often emerge when less secure security models are applied to API integrations, particularly in transport security, input validation, data validation, authentication, and authorisation. Consequently, such exposure makes organisations susceptible to unauthorised access and malicious injections.
Implementing the recommended security practices from OWASP API 2023 acts as a fundamental baseline for securing applications. However, it is still crucial for developers to conduct comprehensive and thorough security assessments, perform ongoing vulnerability and penetration testing, and stay updated with emerging threats. Building a secure application requires a holistic approach that considers the OWASP guidelines, industry standards, specific application requirements, and continuous improvement through monitoring, patching, and adopting the latest security practices.