Though central to innovation in the app-driven digital ecosystem, APIs or Application Programming Interfaces expose more data and endpoints than traditional web apps by nature, making them lucrative targets to attackers. In a bid to promote enhanced API security, OWASP released a list of common API security risks that every business must protect against in 2019.
This article will delve into the Top 10 API security risks and ways to mitigate these risks.
Common API Security Risks: The OWASP Top 10 List and Their Mitigation
Broken Object Level Authorization (BOLA)
Object-level authorization is an access control mechanism that helps validate users and what objects they can access. When the object level authorization is broken or improperly implemented, or not enabled, there is a high probability of the APIs exposing endpoints and sensitive information to attackers, widening the attack surface significantly. It is one of the most prevalent and severe API security risks.
Mitigation:
- Implement a proper object-level authorization mechanism with clearly defined roles and hierarchies
- Use object-level authorization checks and access tokens to allow access only to authorized users
Broken User Authentication
Authentication in APIs, though critical, is often a complex and confusing mechanism. Broken user authentication risks arise when authentication mechanisms aren’t implemented correctly and/or adequate layers of security aren’t implemented for API endpoints handling authentication.
So, attackers can easily compromise authentication tokens, expose endpoints, API keys, and sensitive information, assume user identities, and cause more damage.
Mitigation:
- Implement multifactor authentication and robust authentication policies
Excessive Data Exposure
For faster implementation, developers tend to publish a suite of endpoints without proper itemized restrictions based on the sensitivity of each object, unnecessarily exposing data beyond what’s required. The onus of data filtering, thus, falls on the user, giving an almost free pass to attackers. This excessive data exposure increases the security risks of APIs massively.
Mitigation:
- Extend data access only to trusted parties and only to the extent necessary
- Encrypt all API traffic using strong TLS protocols
- Review API responses, including error messages, to ensure they contain only legitimate data
Lack of Resources & Rate Limiting
Without clearly defined and enforced restrictions on user requests – the size and number of resources that can be requested, etc., APIs are left exposed to the risks of DoS and eroded server performance. Further, this API security risk also makes the API vulnerable to authentication flaws such as brute force attacks and so on.
Mitigation:
- Enforce strict rate-limiting policies
- Implement payload restrictions
- Monitor traffic and user behavior in real-time to detect suspicious behavior
- Filter all incoming user requests and allow/ block/ flag/ challenge requests intelligently
Broken Function Level Authorization
Broken function-level authorization flaws occur owing to the complexity involved in
- developing and implementing access control policies with multiple roles, groups, and hierarchies
- getting an adequate separation between administrative and general API functions
Given this complexity, developers rarely get it right, and attackers gain access to privileged functions and critical resources by leveraging authorization flaws.
Mitigation:
- Follow the principle of least privileges while defining access control based on roles and hierarchies
- Authorization checks are a must
Mass Assignment
Mass Assignment is a web API security risk wherein threat actors can overwrite/ initialize server-side variables by sending malicious inputs. This occurs mainly because user-provided data (bound to data models) is not validated and filtered. By exploiting these vulnerabilities, attackers can
- guess object properties
- read documentation
- explore other API endpoints
- modify API functions, properties, and variables
- access sensitive information, and so on.
Mitigation:
- Input validation, sanitization, and filtering are indispensable
- Monitor and analyze user behavior to detect anomalous behavior
- Use a combination of whitelist and blacklist policies in defining privileges and access
Security Misconfiguration
Security misconfiguration, the failure to harden the attack surface with proper configurations, is yet another common API security risk. Several little details and flaws put your app/ platform at high risk. Some of these include:
- Default, insecure, incomplete, and/or ad hoc configurations
- Open cloud storage
- Misconfigured HTTP headers
- Unnecessary features enabled
- Permissive Cross-Origin Resource Sharing (CORS)
- Verbose error messages, etc.
Mitigation:
- Design and implement a repeatable hardening process
- Don’t use default configurations
- Regularly scan for misconfigurations and apply instant remedies
- Remove unnecessary features
Injection
APIs are prone to injections such as SQL, NoSQL, command injections, code injection, etc. They allow users to send data inputs as part of the query/ command to the interpreter without parsing and validating them. So, attackers leverage these injection flaws to initiate remote code execution, access data/ database/ system functionalities, erase/ modify records, etc.
Mitigation:
Input sanitization and validation are critical to mitigate this API security risk.
Improper Assets Management
Without proper documentation and asset management, it becomes difficult to proactively identify bugs and security weaknesses, protect assets and manage risks effectively.
Mitigation:
- Regularly inventory and manage your assets, endpoints, and hosts
- Maintain proper documentation right from the development stages
- Plan your API deprecation timelines and versions ahead of release to ensure old versions aren’t active anymore.
Insufficient Logging & Monitoring
This web API security risk empowers attackers to attack other systems and be persistent, go undetected for longer and keep exploiting vulnerabilities, destroy data and cause much more damage to the organization – financially and reputationally.
Mitigation:
Use intelligent security solutions to log and monitor all activities and events effectively. Use behavioral analytics to monitor user activities. Configure dashboards to provide real-time alerts and triggers on anomalous activities to ensure proactive protection.
ConclusionÂ
Leverage an intelligent, managed security solution like AppTrana’s API Protection to effectively mitigate the common API security risks and keep hardening your security posture.