Useful as they are, OWASP Top 10 lists are not renowned for being clear and readable, and certainly not for being fun. While we do have a serious post discussing the methodology, categories, and missed opportunities of the OWASP API Security Top 10 for 2023, this time we thought we'd take a more light-hearted look at the big ten for APIs. And this isn't (just) goofing around: by cutting through the precise formal language, we can hopefully get a better feel for each API risk category.
API risk #1: Ask and you shall receive
API1:2023 Broken Object-Level Authorization (aka BOLA aka IDOR)
The whole point of APIs is to provide automated access to application data and functionality. Setting up an API endpoint to serve up the details of a customer account is easy; the big challenge is to make sure that data is only accessible to authorized users and systems. If something (the "object") in your app can be freely accessed by anyone just because they know how to request the right URL and object ID (like a customer number), you get data breaches like the Optus hack. The fix is not hiding the IDs but checking, on every request, that the caller is actually allowed to touch the object that ID points to.
API risk #2: You don't need to see his identification
API2:2023 Broken Authentication
With APIs, as in life, proving your identity is the first thing you should be asked to do before doing anything important. If this authentication mechanism is weak or easy to bypass, malicious actors can get in without any questions asked, using methods ranging from brute-force and credential-stuffing attacks to tampering with a JWT so that its signature is never actually checked. And once they're in, the remaining top 9 risks are up for grabs.
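To make the JWT tampering point concrete, here is an added example (not code from the original post, nor from OWASP) of a verifier that pins the algorithm, compares the signature in constant time and enforces expiry, next to a helper that builds the classic "alg: none" forgery a lax verifier would accept. It uses only the Python standard library; the secret key, the claims and the token contents are constructed for illustration.

```python
"""Strict HS256 JWT verification with the Python standard library.
Added example, not the post's own code: SECRET, the claims and the tokens
are constructed for illustration. A real service would load the key from a
secret store and typically use a maintained JWT library, configured the
same way (algorithm pinned by the verifier, expiry enforced)."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"   # assumption: the HMAC key


class InvalidToken(Exception):
    pass


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue(claims, key=SECRET):
    """Mint a token the way the legitimate issuer would."""
    signing_input = (_b64url_encode(_compact({"alg": "HS256", "typ": "JWT"}))
                     + "." + _b64url_encode(_compact(claims)))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify(token, key=SECRET, now=None):
    """Return the claims only if the token is well-formed, uses the expected
    algorithm, carries a valid signature for `key`, and has not expired."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    # Pin the algorithm on the verifier side. Trusting the token's own "alg"
    # is what makes "alg: none" (empty signature) and key-confusion tricks work.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, ("%s.%s" % (h, p)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):        # constant-time comparison
        raise InvalidToken("bad signature")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("missing or past exp")
    return claims


def forge_alg_none(token, new_claims):
    """What an attacker sends: claims edited, header switched to alg none,
    signature left empty. `verify` must reject it."""
    h = _b64url_encode(_compact({"alg": "none", "typ": "JWT"}))
    return "%s.%s." % (h, _b64url_encode(_compact(new_claims)))


if __name__ == "__main__":
    good = issue({"sub": "alice", "role": "user", "exp": time.time() + 300})
    print(verify(good))
    forged = forge_alg_none(good, {"sub": "alice", "role": "admin", "exp": time.time() + 300})
    try:
        verify(forged)
    except InvalidToken as e:
        print("rejected:", e)
```

The important line is the algorithm check: the verifier decides what algorithm is acceptable, the token never does. Tampering with the payload while keeping the original signature, swapping the key, or dropping the signature all fail for the same reason, so the caller only ever sees claims that were signed with the expected key.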
API risk #3: Promise me you won't look inside
API3:2023 Broken Object Property-Level Authorization
With most business applications, it's fairly obvious that different users need different levels of data access. If you have a customer account in the system, some of your staff may only need basic contact information, others may also be trusted with financial information, while an admin user may have access to everything plus credential management. Implementing this for API access is especially difficult, leading to situations where an attacker who gets access to a customer account object also gets access to all the data for that account. The category also covers the write side: if the API binds whatever fields arrive in a request straight onto the object (mass assignment), a client can set properties it should at most be allowed to read.
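Risks #1 and #3 are usually fixed in the same place, so here is one added example (not the post's own code) covering both for a hypothetical /accounts/{id} endpoint: an ownership check on the object ID taken from the URL, a role-based allow-list of readable properties, and a separate allow-list of writable ones so that a PATCH cannot smuggle in fields like balance. The account records, roles and field names are constructed for illustration.

```python
"""Object-level (API1) and property-level (API3) authorization for a
hypothetical /accounts/{id} endpoint. Added example: the store, the roles
and the field names are constructed for illustration, not a real system."""
from dataclasses import dataclass

# Constructed sample data: who owns which account, and the full record.
ACCOUNTS = {
    1001: {"owner": "alice", "name": "Alice Example", "email": "alice@example.com",
           "iban": "DE00 0000 0000 0000 0000 00", "balance": 1520.75,
           "password_hash": "$argon2id$...", "mfa_enabled": True},
    1002: {"owner": "bob", "name": "Bob Example", "email": "bob@example.com",
           "iban": "DE11 1111 1111 1111 1111 11", "balance": 90.00,
           "password_hash": "$argon2id$...", "mfa_enabled": False},
}

# Properties each role may read. Anything not listed is never returned
# (deny by default), which is what closes the property-level hole.
READABLE = {
    "customer": {"name", "email", "balance", "mfa_enabled"},
    "support":  {"name", "email"},
    "finance":  {"name", "email", "iban", "balance"},
    "admin":    {"name", "email", "iban", "balance", "mfa_enabled"},
}
# Properties each role may write. The allow-list stops mass assignment:
# a customer cannot PATCH "balance" or "owner" just by including the key.
WRITABLE = {
    "customer": {"name", "email"},
    "admin":    {"name", "email", "mfa_enabled"},
}


@dataclass
class Principal:
    user: str
    role: str


class Forbidden(Exception):
    pass


def _authorize_object(p, account_id):
    """Object-level check (API1): the ID in the URL is attacker-controlled,
    so ownership is verified on every request, not just that the ID exists."""
    record = ACCOUNTS.get(account_id)
    if record is None:
        raise Forbidden("no such account")   # same error as a denial: no enumeration hint
    if p.role == "customer" and record["owner"] != p.user:
        raise Forbidden("not your account")
    return record


def get_account(p, account_id):
    """GET /accounts/{id}: ownership check, then a role-filtered projection (API3)."""
    record = _authorize_object(p, account_id)
    allowed = READABLE.get(p.role, set())
    return {k: v for k, v in record.items() if k in allowed}


def update_account(p, account_id, patch):
    """PATCH /accounts/{id}: reject, rather than silently drop, fields the
    caller may not set, so a tampered body gets a clear 403 instead of a
    partial success that hides the attempt."""
    record = _authorize_object(p, account_id)
    allowed = WRITABLE.get(p.role, set())
    illegal = set(patch) - allowed
    if illegal:
        raise Forbidden("cannot set %s" % sorted(illegal))
    record.update(patch)
    return get_account(p, account_id)


if __name__ == "__main__":
    alice = Principal("alice", "customer")
    print(get_account(alice, 1001))
    for attempt in (lambda: get_account(alice, 1002),                     # BOLA: someone else's ID
                    lambda: update_account(alice, 1001, {"balance": 1e6})):  # mass assignment
        try:
            attempt()
        except Forbidden as e:
            print("blocked:", e)
```

Note that password_hash appears in no READABLE set at all, not even for admins: a field that no API client needs should never cross the API boundary, whatever the role.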
API risk #4: I don't expect you to talk, Mr. API. I expect you to die
API4:2023 Unrestricted Resource Consumption
Data breaches tend to make more headlines, but attackers don't always need your API to talk; knocking it offline along with the whole app is often enough. Denial of service (DoS) attacks are among the crudest yet most common ways to target an API, made all the easier by APIs being specifically designed for silent and automated access. Accepting and processing every incoming request without imposing any limits (on request rate, payload size, page size, or the number of records a single call may touch) leaves an API vulnerable to resource exhaustion and its owner exposed to excessive operating costs.
API risk #5: Are they allowed to do that?
API5:2023 Broken Function-Level Authorization
API endpoints expose not only data but also operations on that data. While risk #3 was about attackers getting all-or-nothing access to data objects, the same applies to permitted operations. REST APIs, in particular, commonly expose methods including GET, PUT, and DELETE. If anyone who can read data via a regular GET request can also delete it by simply changing GET to DELETE in the request line, you're clearly asking for trouble. The same goes for unsecured access to things like admin operations: an endpoint is not protected just because it isn't linked from the UI.
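As an added example (not from the original post), here is what a central function-level check looks like: one table of (method, route) to required permission, consulted before any handler runs, with unknown routes denied rather than waved through. The routes, roles and the method-override header handling are constructed for illustration.

```python
"""Function-level authorization (API5) enforced in one place, before any
handler runs. Added example: the routes, the roles and the
X-HTTP-Method-Override handling are constructed for illustration."""
import re

# Permission required for each (method, route pattern). Deny by default:
# a (method, path) that matches nothing is rejected, not waved through.
ROUTES = [
    ("GET",    r"^/accounts/(\d+)$",          "accounts:read"),
    ("PATCH",  r"^/accounts/(\d+)$",          "accounts:write"),
    ("DELETE", r"^/accounts/(\d+)$",          "accounts:delete"),
    ("GET",    r"^/admin/users$",             "admin"),
    ("POST",   r"^/admin/users/(\d+)/lock$",  "admin"),
]
ROLE_PERMS = {
    "customer": {"accounts:read", "accounts:write"},
    "support":  {"accounts:read"},
    "admin":    {"accounts:read", "accounts:write", "accounts:delete", "admin"},
}

# Some frameworks let a POST act as DELETE via an override header. If you
# support that, resolve it *before* authorization; otherwise a client that
# may only POST gets DELETE for free.
OVERRIDE_HEADER = "X-HTTP-Method-Override"


def effective_method(method, headers):
    if method.upper() == "POST" and OVERRIDE_HEADER in headers:
        return headers[OVERRIDE_HEADER].upper()
    return method.upper()


def authorize(role, method, path, headers=None):
    """Return the permission that granted access, or raise PermissionError.
    Call this from the router for every request, including the ones the UI
    never issues."""
    method = effective_method(method, headers or {})
    for m, pattern, perm in ROUTES:
        if m == method and re.match(pattern, path):
            if perm in ROLE_PERMS.get(role, set()):
                return perm
            raise PermissionError("%s lacks %s for %s %s" % (role, perm, method, path))
    raise PermissionError("no route for %s %s" % (method, path))   # unknown = denied


if __name__ == "__main__":
    print(authorize("customer", "GET", "/accounts/1001"))
    for role, method, path, headers in (
        ("customer", "DELETE", "/accounts/1001", None),
        ("customer", "POST", "/accounts/1001", {OVERRIDE_HEADER: "DELETE"}),
        ("support", "GET", "/admin/users", None),
    ):
        try:
            authorize(role, method, path, headers)
        except PermissionError as e:
            print("blocked:", e)
```

Keeping the table in one module rather than sprinkling `if user.is_admin` checks through handlers is what makes the GET-to-DELETE case impossible to forget: adding a new verb to a route without adding a permission entry fails closed.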
API risk #6: Hey, that's cheating!
API6:2023 Unrestricted Access to Sensitive Business Flows
Abusing automated access to certain operations may have serious business consequences, even when every individual request is well-formed and properly authorized. Common examples include automated auction bidding, buying out and then reselling high-demand items like tickets, or flooding a reservation system with bookings to deny it to legitimate users. So while it may not knock the service offline like a DoS, it can certainly cause business disruption and material losses. Plus it's cheating.
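Risks #4 and #6 call for limits at two different layers, so one added example (not the post's own code) covers both: a per-client token bucket on raw request rate, a cap on page size, and a per-account sliding-window quota on a sensitive business flow, here ticket purchases, which a scalper pacing requests under the rate limit would still hit. The limits, client identifiers and the injectable clock are constructed for illustration.

```python
"""Two layers of limits: a per-client token bucket on request rate plus a
page-size cap (API4), and a per-account quota on a sensitive business flow,
ticket purchases (API6). Added example: limits, client IDs and the clock
injection are constructed for illustration, not a real configuration."""
from collections import deque
import time


class ManualClock:
    """Deterministic clock for demos and tests; use time.monotonic in production."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, up to `burst`."""
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def allow(self, cost=1):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """One bucket per client key (API key or user ID; source IP as a fallback
    for unauthenticated routes). An over-limit client gets HTTP 429, and the
    request is rejected before any database work happens."""
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}

    def allow(self, client):
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.burst, self.clock))
        return bucket.allow()


class FlowQuota:
    """Sliding-window cap on a business action per account, independent of
    request rate: at most `limit` units per `window` seconds."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = {}

    def allow(self, account, quantity=1):
        now = self.clock()
        q = self.events.setdefault(account, deque())
        while q and q[0][0] <= now - self.window:
            q.popleft()
        used = sum(n for _, n in q)
        if used + quantity > self.limit:
            return False
        q.append((now, quantity))
        return True


MAX_PAGE_SIZE = 100   # never let the client choose an unbounded page size


def clamp_page_size(requested, default=20):
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return default
    return max(1, min(n, MAX_PAGE_SIZE))


if __name__ == "__main__":
    clock = ManualClock()
    limiter = RateLimiter(rate=1.0, burst=5, clock=clock)
    print([limiter.allow("bot") for _ in range(7)])          # five allowed, then refused
    quota = FlowQuota(limit=4, window=3600, clock=clock)
    print(quota.allow("acct1", 2), quota.allow("acct1", 2), quota.allow("acct1", 1))
    print(clamp_page_size("100000"), clamp_page_size("abc"))
```

The two limiters answer different questions. The bucket asks "is this client hammering us?"; the quota asks "has this account already done as much of this action as the business allows?". A bot that buys one ticket every ten seconds never trips the first but is stopped by the second.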
API risk #7: Give them a fake address; they never check anyway
API7:2023 Server-Side Request Forgery (SSRF)
Fetching resources from an external site is a common practice in web development. When working through APIs, it's equally common to get the actual resource address (URL) from an incoming request. Without careful validation of that URL, an attacker could point your server at a resource they control, for example to have it download malicious content. Even worse, they could also request a sensitive internal resource, such as an internal admin service or a cloud provider's instance metadata endpoint, and because the request comes from your API server, they can indirectly reach internal systems via your API. Checking the URL string alone is not enough: the host has to be resolved and the resulting address checked, or an attacker's DNS name can simply point at an internal IP.
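As an added example (not code from the original post), here is a URL guard for a hypothetical "fetch this URL for me" API parameter. It allow-lists scheme and port, resolves the hostname itself, rejects any result on a loopback, private, link-local (including the 169.254.169.254 metadata address) or IPv4-mapped internal range, and returns the pinned IP so the caller connects to exactly what was checked. The resolver is injectable so the check can be exercised offline; the sample URLs are constructed.

```python
"""SSRF guard (API7) for a hypothetical "fetch this URL" parameter.
Added example: the allow-lists, the resolver injection and the sample URLs
are constructed for illustration, not the post's own code."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _is_public(ip):
    """True only for globally routable unicast addresses. This rejects
    127.0.0.0/8, 10/8, 172.16/12, 192.168/16, 169.254/16 (which includes the
    cloud metadata address 169.254.169.254), ::1, fc00::/7, fe80::/10, and
    IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def default_resolver(host):
    """All A/AAAA answers for `host`; numeric hosts resolve to themselves."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url, resolver=default_resolver):
    """Return (host, port, pinned_ip) for a safe URL, or raise ValueError.
    Connect to `pinned_ip` (sending `host` in the Host/SNI field) rather than
    resolving again, so a DNS answer cannot change between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")   # http://trusted@evil/ style tricks
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed: %d" % port)
    try:
        ips = resolver(host)
    except socket.gaierror as exc:
        raise ValueError("host does not resolve") from exc
    if not ips:
        raise ValueError("host does not resolve")
    # Every answer must be public: a name with one public and one internal
    # record must not pass on the strength of the public one.
    for ip in ips:
        if not _is_public(ip):
            raise ValueError("%s resolves to non-public address %s" % (host, ip))
    return host, port, ips[0]


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"):
        try:
            validate_fetch_url(candidate)
        except ValueError as e:
            print("rejected:", e)
```

Two things the guard deliberately does not do: it does not follow redirects (the HTTP client must be configured not to, or each hop must be re-validated), and it does not trust a deny-list of strings such as "localhost", because the same address can be written in many ways; checking the resolved address is what holds up.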
API risk #8: Amazing, that's the same code I have on my luggage!
API8:2023 Security Misconfiguration
Setting up a production API to work correctly is not easy, and making it secure is even harder. Even a single security misconfiguration anywhere in this multi-layered technology puzzle could leave attackers with a way to access API data or operations. Examples include unpatched products or software components anywhere in the tech stack, excessive permissions at any level of that stack (especially cloud storage permissions), overly permissive CORS policies, stack traces and other verbose errors leaking in API responses, and weak protection (such as gaps in encryption) at any stage of API request processing.
API risk #9: New building, same unlocked fence gate
API9:2023 Improper Inventory Management
When an API changes, it's common practice to set up the new version alongside the old one to make sure existing systems that rely on that API still work until the transition is complete. Without careful inventory management, these old APIs can easily be overlooked and forgotten while remaining accessible to attackers. And because they're old and abandoned, they're less likely to include the latest security updates and may not be monitored and protected to the same level as the current production API, giving malicious actors plenty of time and opportunity to find a way in. This is why API discovery is such a big deal.
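The cheapest form of API discovery is comparing what you think you serve against what your gateway logs say you serve. The following added example (not the post's own code) does exactly that: it takes a constructed inventory of documented routes, parses constructed gateway log lines, collapses object IDs so that /v1/accounts/1001 and /v1/accounts/1002 count as one route, and reports every route that answered successfully but is missing from the inventory. In practice the inventory would come from your OpenAPI specs and the lines from the gateway or load balancer.

```python
"""Finding forgotten API versions (API9) by diffing the documented inventory
against routes the gateway actually served. Added example: the inventory,
the log lines and the normalisation rules are constructed for illustration."""
import re
from collections import Counter

# Constructed inventory: the endpoints the team believes are live.
INVENTORY = {
    ("GET",  "/v2/accounts/{id}"),
    ("POST", "/v2/accounts"),
    ("GET",  "/v2/health"),
}

# Constructed gateway log lines in a combined-log-like format.
LOG = """\
10.0.0.7 - - [12/Mar/2024:10:01:02 +0000] "GET /v2/accounts/1001 HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:10:01:03 +0000] "GET /v2/accounts/1002 HTTP/1.1" 200 498
203.0.113.9 - - [12/Mar/2024:10:05:41 +0000] "GET /v1/accounts/1001 HTTP/1.1" 200 611
203.0.113.9 - - [12/Mar/2024:10:05:42 +0000] "GET /v1/accounts/1002/export HTTP/1.1" 200 9812
203.0.113.9 - - [12/Mar/2024:10:05:43 +0000] "GET /v1/accounts/9999 HTTP/1.1" 404 0
10.0.0.8 - - [12/Mar/2024:10:06:00 +0000] "POST /v2/accounts HTTP/1.1" 201 120
10.0.0.8 - - [12/Mar/2024:10:06:05 +0000] "GET /internal/debug/config HTTP/1.1" 200 2400
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def normalise(path):
    """Collapse numeric IDs and UUIDs so one route is counted once."""
    path = path.split("?", 1)[0]
    path = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    path = re.sub(r"/[0-9a-f]{8}-[0-9a-f-]{27}(?=/|$)", "/{id}", path)
    return path


def observed_routes(log_text):
    """Routes that answered with a 2xx status, with hit counts. A 404 is
    not evidence that a route exists, so those lines are skipped."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("status").startswith("2"):
            continue
        seen[(m.group("method"), normalise(m.group("path")))] += 1
    return seen


def shadow_routes(log_text, inventory=INVENTORY):
    """Served routes that are missing from the inventory, most-hit first."""
    seen = observed_routes(log_text)
    return sorted(((route, n) for route, n in seen.items() if route not in inventory),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for (method, path), hits in shadow_routes(LOG):
        print("undocumented: %s %s (%d hits)" % (method, path, hits))
```

Run against real logs, the interesting finds are exactly the ones the constructed data shows: an older version still answering, an export endpoint nobody remembers, and a debug route that should never have been reachable from outside. The 203.0.113.9 lines hitting /v1/ would also be the first thing to look at in an incident, since no legitimate current client should be using it.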
API risk #10: It's always a friend of a friend that causes trouble
API10:2023 Unsafe Consumption of APIs
For the most part, APIs don't interact with humans but with other APIs, and those, by design and unlike humans, should behave according to spec. This can create a sense of implicit trust, leading developers to unquestioningly accept and pass on data from a familiar third-party API, especially one operated by a well-known company. If attackers compromise that API or manage to slip malicious data into one of its data sources, blindly trusting results obtained from that API could leave your own application vulnerable or compromised. Data from an upstream API deserves the same validation as data typed in by an end user.
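What that validation looks like in practice, as an added example (not the post's own code): a consumer for a hypothetical partner "shipments" feed that caps the body size before parsing, requires exactly the expected shape, rejects extra keys instead of copying them through, and checks each field's type and range. The feed format, limits and sample bodies are constructed for illustration.

```python
"""Treating a third-party API response as untrusted input (API10).
Added example: the partner feed format, its limits and the sample bodies
are constructed for illustration. The same checks apply whether the data
comes from a household-name provider or an unknown one."""
import json
import re

MAX_BODY = 64 * 1024        # refuse oversized bodies before parsing them
MAX_ITEMS = 500
ORDER_ID = re.compile(r"^[A-Z0-9]{6,20}$")
STATUSES = {"pending", "shipped", "delivered"}


class UntrustedResponse(Exception):
    pass


def consume_shipment_feed(body):
    """Parse and validate a partner 'shipments' feed (bytes). Returns a list
    of clean records; raises on anything unexpected rather than passing it
    downstream. The HTTP client that fetched `body` should already have
    enforced TLS, a timeout and no redirect following."""
    if len(body) > MAX_BODY:
        raise UntrustedResponse("body too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise UntrustedResponse("not valid JSON") from exc
    if not isinstance(doc, dict) or set(doc) != {"shipments"}:
        raise UntrustedResponse("unexpected top-level shape")
    items = doc["shipments"]
    if not isinstance(items, list) or len(items) > MAX_ITEMS:
        raise UntrustedResponse("bad shipments list")
    clean = []
    for item in items:
        # Extra keys are rejected, not copied through: that is how injected
        # fields would otherwise travel on to your own clients or database.
        if not isinstance(item, dict) or set(item) != {"order_id", "status", "eta_days"}:
            raise UntrustedResponse("unexpected fields in item")
        oid, status, eta = item["order_id"], item["status"], item["eta_days"]
        if not isinstance(oid, str) or not ORDER_ID.match(oid):
            raise UntrustedResponse("bad order_id")
        if status not in STATUSES:
            raise UntrustedResponse("bad status")
        # bool is a subclass of int, so type() rather than isinstance() here.
        if type(eta) is not int or not 0 <= eta <= 365:
            raise UntrustedResponse("bad eta_days")
        clean.append({"order_id": oid, "status": status, "eta_days": eta})
    return clean


if __name__ == "__main__":
    print(consume_shipment_feed(b'{"shipments":[{"order_id":"AB12345","status":"shipped","eta_days":3}]}'))
    try:
        consume_shipment_feed(b'{"shipments":[{"order_id":"<script>alert(1)</script>","status":"shipped","eta_days":3}]}')
    except UntrustedResponse as e:
        print("rejected:", e)
```

The strict allow-list on keys is the part most often skipped. A feed that suddenly grows a "note" field full of HTML, or a "price" the partner was never supposed to send, should be a parse failure and an alert, not something that quietly shows up in your own API's responses.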
Closing thoughts: Are you talking to me?
When put into everyday language, many of the top 10 API-related security risks may sound simple, even mundane: mostly different ways of letting attackers access things they clearly have no business accessing. The challenge with APIs is that they act as shortcuts to the internals of your application. Unless these shortcuts are carefully planned from the earliest stages of application design and development, they can bypass access controls that may be present in the rest of the application.
It's always tempting to treat any OWASP Top 10 as a security checklist, but the goal of the API Security Top 10 is clearly stated in its introduction: "to educate those involved in API development and maintenance, for example, developers, designers, architects, managers, or organizations." You'll note that security folks aren't listed, because API security really starts well before they come in with testing and protection.
The main takeaway from the OWASP API Security Top 10 is that, in a perfect world, secure APIs should always start with secure application design. In the real world, though, APIs are rarely perfectly designed, implemented, or tracked, so tools for API discovery and API security testing are a vital part of any application security toolbox.
Learn more about Invicti API Security and check out our free (and ungated) white paper: API Vulnerability Testing in the Real World.