Understanding the OWASP API Security Top 10

By Sekhar Chintaginjala

(This blog originally appeared on CloudVector)

As organizations embrace digital transformation initiatives, they are increasingly consuming and exposing APIs that increase their risk surface. The OWASP API Security Top 10 focuses on the strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). In this blog, we will explain each of the OWASP API Security Top 10 vulnerabilities.

Broken Object Level Authorization

One function of APIs is to provide access to objects that may contain information with sensitive content. E.g. Employee or customer data with social security numbers and credit card numbers. This access is controlled by providing object identifiers in the API requests. Failure to implement object level authorization enables the manipulation of object identifiers to gain unauthorized access to sensitive data. Security should focus on identifying API calls that misuse this vulnerability.

Broken User Authentication

API authentication is a critical service that identifies and authorizes clients to access applications. A broken authentication mechanism enables attackers to use stolen authentication tokens, credential stuffing and brute force attacks to gain unauthorized access to applications. Security should focus on stale user authentication tokens and APIs that are accessed without authentication.

Excessive Data Exposure

Developers may implement generic APIs that provide more data than is needed, which an attacker can exploit by using redundant data, such as incremental ID numbers, to further extract sensitive data. For example, Amazon’s Ring Neighbors app exposed users’ precise location because of this vulnerability. Security should work with DevOps to categorize APIs and parameters that contain or transact sensitive data so they can monitor them for abuse.

Lack of Resources & Rate Limiting

It is common to find APIs that improperly implement rate limiting, or neglect to implement it entirely. This is a risk because an attacker can overwhelm the service with brute force attacks to break through its authentication. This vulnerability enabled an attacker to attempt 1 million Zoom passwords in a matter of minutes to gain access to private meetings. Security should monitor API call rates, the number of resources requested and the response to them.

Broken Function Level Authorization

API functions include adding, updating or deleting a customer record, a user role, and so forth. These functions are governed by authorization, the role and the scope of the users making these API calls. When authorization is not properly implemented, these functions may be executed by unauthorized users, which may lead to the loss of data or a full account takeover. Security should focus on behavioral modeling to detect anomalies.

Mass Assignment

API implementations that directly consume input requests and assign/write them to the business logic data stores are vulnerable to mass assignment because an attacker can include parameters and values that change critical data properties, resulting in exploits such as privilege escalation. Security should focus on behavioral modeling to detect anomalies.

Security Misconfiguration

There are many possible misconfigurations within API resources, transport protocols and application infrastructure. Any of these mistakes, such as APIs that are accessible without authentication or use insecure communication (plain text HTTP), may cause severe security risks, such as the loss of sensitive data or account takeover. Security should focus on monitoring sensitive data and behavioral modeling to detect anomalies. DevOps should be encouraged to take a shift left approach to application security.

Injection

APIs consume data within their URL and parameters, but if they do not check for invalid data then injection attacks may be used to perform database or OS operations. Unsanitized data inputs can cause data corruption, data leakage, denial of service, privilege escalation, and so forth. Typical attack vectors include SQL, NoSQL, and OS commands with API parameters. Security should focus on behavioral modeling to detect anamolies.

Improper Asset Management

Enterprise DevOps teams are accelerating the deployment of APIs into production, which may leave them vulnerable to insecure parameters published into production, old versions of APIs left operating due to backward compatibility issues, or sensitive data transacted in APIs not conforming to governance policies. These issues may lead to sensitive data loss, ecosystem compromise, and so forth. Security should categorize and monitor APIs that contain sensitive data.

Insufficient Logging & Monitoring

API threats are often missed because of insufficient logging and monitoring of attempts. The lack of such a capability enables attackers to conduct their reconnaissance and exploit attempts over an extended period of time without detection.

Sekhar Chintaginjala is an experienced information security researcher who brings 15+ years of hands-on knowledge to the CloudVector team. He has proven expertise in the area of vulnerability research, security content development and leading teams for large global companies. At CloudVector, Sekhar is a member of the Security Research team and also leads efforts for new feature development that help protect from API abuses.