Application programming interfaces (APIs) are integral to letting applications talk to each other and deliver optimized digital experiences. They can greatly benefit developers but, unfortunately, also come with many security challenges. Attackers can target APIs to access sensitive information, disrupt services, or alter data.
The good news is that the Open Web Application Security Project (OWASP) has already highlighted the top 10 API security risks. This list, created by security experts, helps developers understand what vulnerabilities to look out for.
At SecureFlag, we want to help you stay ahead of these API threats. Our post breaks down each risk and shows you how to protect against them.
1. Broken Object Level Authorization
Object-level authorization controls give users access to specific data, such as records or files. For instance, a user may view certain files but cannot edit or delete them. Vulnerabilities happen when these controls don’t work, allowing users to access and edit other data due to weak authorization checks.
These vulnerabilities often stem from insecure coding practices, such as not validating user input or checking permissions properly, which leave API resources overly accessible and unprotected.
Solution:
- Enforce strict access controls to validate user permissions at the object level.
- Test thoroughly to identify and fix object-level authorization vulnerabilities.
- Apply least privilege by granting users only the necessary permissions.
2. Broken Authentication
Broken authentication is a top OWASP API security risk, and it happens when vulnerabilities allow attackers to impersonate legitimate users. Attackers can take over user identities by compromising passwords, session tokens, or account details. The leading causes are weak session management and loose password policies or other inadequate security practices, which lead to stolen or compromised credentials.
Vulnerabilities in authentication have been exploited in several incidents, including an attack on the Marriott hotel chain. Attackers used stolen login credentials from two employees to access data from over 5.2 million guests.
Solution:
- Implement strong authentication standards like MFA, OAuth, and OpenID to prevent unauthorized access.
- Ensure secure token generation, storage, and validation.
- Regularly update authentication and session policies to stay ahead of threats.
3. Broken Object Property Level Authorization
Another API Security issue is broken property-level authorization, which lets attackers bypass access controls and modify specific properties of an object without necessary permissions—such as changing a user’s email address or phone number to gain access to account recovery features. The API doesn’t correctly enforce authorization checks at the property level, allowing unauthorized users to alter sensitive fields within an object.
For example, a vulnerability in the Twitter API (now known as X) allowed users to confirm their connection to a Twitter ID by submitting their email address or phone number. This flaw was exploited to compile datasets containing usernames, screen names, phone numbers, email addresses, and other information sold on hacker forums and marketplaces.
Solution:
- Apply fine-grained authorization at the property level to restrict access to sensitive fields.
- Review and test API responses to ensure only essential data is exposed.
- Validate and sanitize all inputs to prevent unauthorized data manipulation.
4. Unrestricted Resource Consumption
APIs need resources such as CPU, memory, bandwidth, and services like SMS or email notifications. If these resources are not limited, attackers can abuse them to initiate a Denial of Service (DoS) or drive up operational costs by making excessive, automated requests.
Consider an API that handles image uploads without size limitations. If an attacker submits thousands of oversized images in a short time, it could lead to resource exhaustion.
Solution:
- Set up rate limiting and throttling to control request volumes per client.
- Monitor and analyze API usage patterns to identify and prevent resource exhaustion attacks.
- Configure and monitor API integrations to detect and mitigate excessive usage.
5. Broken Function Level Authorization
This API vulnerability occurs when an application doesn’t properly enforce authorization checks for users trying to access certain functions or perform sensitive actions. This flaw allows attackers or unauthorized users to execute actions that should only be available to users with specific roles or higher privileges.
According to OWASP API security best practices, safeguarding each function based on user roles is vital, ensuring only authorized users can access specific functions. For instance, in a banking app, a regular user could exploit a vulnerability to modify or view another user’s account details if proper checks aren’t in place.
Solution:
- Define and document access control policies for each API function.
- Enforce robust authorization mechanisms that apply the principle of least privilege.
- Conduct regular reviews and audits of access control policies to keep them current and effective.
6. Unrestricted Access to Sensitive Business Flows
Some APIs expose critical business functions (e.g., purchasing items or posting content) without sufficient protection against misuse. For instance, a business might allow anyone to use an API endpoint for purchases without restricting the number of items that can be bought at once, which could lead to inventory or revenue losses if automated bots abuse it.
Solution:
- Identify and protect sensitive business flows exposed by APIs.
- Implement rate limiting and other mechanisms to prevent automated abuse of these flows.
- Regularly monitor and analyze API usage patterns to detect and prevent unauthorized access to sensitive business flows.
7. Server-Side Request Forgery
Server-side request forgery (SSRF) happens when an API accepts a URL or URI parameter from a user without validation and then performs the request. Attackers can exploit SSRF vulnerabilities to force servers to make requests to internal or external systems, potentially bypassing firewalls or VPN protections.
An example of an SSRF attack occurred when Capital One was breached, resulting in data leaks for about 106 million people in the U.S. and Canada. The hacker exploited a misconfiguration in the web application firewall, which allowed them to receive a response containing credentials. This gave the attacker access to the server where Capital One stored its data, enabling them to retrieve customer files.
Solution:
- Validate and sanitize all user-supplied URLs before making requests.
- Implement a safelist of approved URLs or domains that the API is allowed to access.
- Use a dedicated URL fetch service that enforces URL validation and access control.l
8. Security Misconfiguration
APIs have complex configurations, and mistakes can open doors for attackers. For instance, leaving debug settings enabled in production or allowing unauthorized access due to a configuration oversight can expose sensitive data.
A misconfigured permission in Jira exposed NASA employees’ personal data and details about upcoming projects. A system administrator mistakenly assigned ‘all users’ permissions within the app while creating a dashboard, assuming it would limit access to those within the organization. Unfortunately, it didn’t.
Solution:
- Adopt a systematic approach to managing API configurations, including regular audits and updates.
- Review and update default configurations to align with security best practices.
- Use automated tools to detect and remediate security misconfigurations efficiently.
9. Improper Inventory Management
As APIs often involve numerous endpoints across multiple versions, maintaining an accurate inventory of these endpoints is essential. Older, less secure endpoints may remain exposed without proper inventory, or debug endpoints may be left accessible in production, leading to potential security issues.
A real-world case of improper inventory management occurred during the Optus breach in September 2022. A security vulnerability in one of the company’s APIs exposed 11.2 million customer records, including personally identifiable information.
Solution:
- Keep an inventory of all deployed APIs, including versions and endpoints.
- Update API documentation regularly to reflect the current state.
- Implement processes to retire or secure deprecated API versions.
10. Unsafe Consumption of APIs
Developers often trust third-party APIs more than they should, sometimes treating their data with less caution than user-provided data. This can lead to weak security standards and indirect attacks on APIs. Attackers might target third-party services that an API integrates with, indirectly gaining access to data.
These attacks can lead to the theft of sensitive personal or corporate data, putting users and businesses at risk and making the system susceptible to various injection attacks. They can cause performance degradation and even result in denial-of-service (DoS) conditions, disrupting operations and access to critical services.
Solution:
- Perform thorough security checks and validations on all data received from third-party APIs.
- Keep a detailed inventory of third-party API integrations and regularly assess their security posture.
- Verify that third-party API providers follow best practices and have a proven security track record.
How SecureFlag Can Help Mitigate OWASP API Security Risks
It’s imperative to keep in mind the security challenges that come with APIs to help prevent potential attacks. Each risk points out the weaknesses APIs could have if the right security measures aren’t put in place.
SecureFlag offers hands-on training specifically designed to help developers learn about and mitigate API security risks in real-world scenarios. Teams can spot and fix these risks early, reducing the chance of data breaches. In a world where APIs are critical to business, SecureFlag provides the skills to keep your APIs secure.
