It’s an API talking to the API world we’re living in. As per Postman, 500 million new APIs are expected to be created by 2025. APIs are a lifesaver when it comes to automation or integration. But when it comes to the security of these APIs, things can get a little tricky. OWASP API Top 10 gives insights on top vulnerabilities exploited in APIs.
In a recent update, OWASP, a well-known security foundation built on open-source principles, has released an updated list of the top 10 API security risks. The list is known as the OWASP API Security Top 10 and identifies the most common security issues organizations face in using APIs. This list first came out in 2019, but so much has changed since then.
Not only are there more cases of API attacks now, but they have also taken on new forms. While one can use API vulnerability scanning tools like Astra Pentest to uncover API vulnerabilities, nothing beats designing APIs securely by design.
OWASP Top 10 for API Risks
When it comes to API security, you need to be aware of the highest possible risks that are likely to occur. The OWASP API Security Top 10 list is a great resource for understanding these risks and how they can impact your organization. Let’s examine each of these risks in depth.
API1:2023 – Broken Object Level Authorization
An API’s failure to provide proper authorization checks at the object level can result in broken object-level authorization vulnerabilities. Attackers may exploit these flaws to gain access and change sensitive data that they are not supposed to have authority over.
This will expose them to unauthorized viewing, modification, or deletion of resources, thereby compromising the confidentiality and integrity of the system.
To address this risk, granular access controls must be put in place, and user permissions for each requested object or resource must be verified. Consequently, developers have to ensure that the API checks whether a user can do something with any one element of information, such as read, write, or delete, among others, based on its privileges.
Example: In 2021, a vulnerability was discovered in the Peloton bike API that allowed users to access the account data of any other user due to improper object-level authorization checks. This included personal information even for users who marked their profiles private.
API2:2023 – Broken Authentication
Issues in authentication occur when authentication mechanisms used by an API are weakly constructed, misconfigured, or insecurely implemented. A malicious person can take undue advantage of these weaknesses to gain unauthorized access to user accounts, steal sensitive information, or make transactions on behalf of other users.
Some common issues include weak password policies, lack of multi-factor authentication mechanisms, and inadequate protection against brute force attacks. Secure implementation is important in mitigating unauthorized access into systems.
Strong passwords should be enforced, while secure protocols such as OAuth 2.0 and OpenID Connect should be used together with secondary layer security through the use of multi-factor authentication and proper session management involving secure session generation, expiration, and revocation by the API, respectively.
Example: In 2018, the U.S. Postal Service (USPS) exposed data from 60 million users due to a broken authentication vulnerability in their API. The API allowed any authenticated user to query the system for account details without proper authorization checks.
API3:2023 – Broken Object Property Level Authorization
When there are no access controls on specific properties or attributes within objects, an API has broken object property-level authorization. This vulnerability allows hackers who lack permission for certain properties to gain access to or change them, leaking data or making unauthorized alterations.
Developers can stop this vulnerability by putting in place fine-grained access controls at the property level. The API must check that users are allowed to view and modify each attribute of an object. Also, proper input validation and output encoding should also be used to prevent injection attacks and unauthorized data exposure.
Example: Imagine an e-commerce platform where sellers manage their online stores through an API. The API handles various store-related operations, such as updating product details and processing orders. However, due to broken object property level authorization, the API fails to restrict access to specific properties within the store objects properly.
A malicious seller discovers that they can modify sensitive properties they shouldn’t have access to, such as the payment settings of competing stores or the order history of other sellers.
API4:2023 – Unrestricted Resource Consumption
Uncontrolled resource consumption vulnerabilities happen when there are no limits or controls on the amount of server resources an API can consume. With these flaws, it is possible for attackers to fill up the system with numerous requests or use a lot of resources leading to denial-of-service (DoS) attacks for instance. It affects both availability and performance of the API including its dependent services.
Mitigating this risk involves implementing proper rate-limiting and resource-throttling mechanisms. Limits should be set on how many transactions a user can perform within a particular time period through which only limited resources should be allocated per request respectively. Systems that monitor and raise alarms against uncharacteristic spikes in consumption exist alongside such measures.
Example: A threat actor exploits a lack of the rate-limiting of an API endpoint by making numerous requests within a short time frame, which results in resource exhaustion on the server, hence an unresponsive or crashing API, thus rendering it unavailable for legitimate users.
Why Astra is the best in pentesting?
- We’re the only company that combines automated & manual pentest to create a one-of-a-kind pentest platform.
- Vetted scans ensure zero false positives.
- Our intelligent vulnerability scanner emulates hacker behavior & evolves with every pentest.
- Astra’s scanner helps you shift left by integrating with your CI/CD.
- Our platform helps you uncover, manage & fix vulnerabilities in one place.
- Trusted by the brands you trust like Agora, Spicejet, Muthoot, Dream11, etc.
API5:2023 – Broken Function Level Authorization
The inability of APIs to implement adequate access controls for individual functions or endpoints leads to broken function-level authorization vulnerabilities. It might have authentication and authorization components, but many lack granularity within the scope of individual functions. This flaw then results in attackers accessing or running functions for which they should not have any permission, leading to unauthorized actions or data exposure.
Developers must therefore put in place strict authorization checks for every API function/endpoint to mitigate this risk. The API should verify and authorize users based on their roles, groups or privileges which will ensure that a user only accesses and executes allowed functions. To prevent parameter tampering or injection attacks, proper input validation and parameter binding should be enforced as well.
Example: Suppose an API endpoint responsible for allowing users to update their own profile information failed to validate the user’s permissions properly. By changing/manipulating the user ID (or any other identifier) in the API request, an attacker can update the profile details of any other user on the platform.
API6:2023 – Unrestricted Access to Sensitive Business
Sensitive corporate information cannot be accessed freely when an API fails to secure it accordingly by restricting its access channels. Unauthorized persons can take advantage of this vulnerability to access financial statements, personal records on customers, and intellectual property, leading to data breaches that significantly impact business value.
To avoid this kind of situation from happening again, the APIs need strong access controls and mechanisms that guarantee secure data transmission over unsecured channels. On top of encrypting sensitive data at rest and in transit, it should also be protected using the least privilege approach, meaning that no one is supposed to access it unless with authority. In addition, there should be proper authentication and authorization checks for sensitive information that allow only authorized people or systems to gain entry into it. Moreover, we should build logging and monitoring mechanisms to warn against any suspicious activity, such as trespassing.
Example: An API that handles sensitive business data, such as financial records, lacks proper access controls. An attacker can exploit this vulnerability to retrieve confidential information by making unauthorized API requests.
API7:2023 – Server-Side Request Forgery (SSRF)
Whenever an attacker manipulates an API server so that it sends requests to unintended domains or even those without prior permission, we call this Server-Side Request Forgery (SSRF). Hackers normally exploit this weakness by misleading the server to make requests for internal systems, external websites, or other APIs. As a result, sensitive data might be stolen, or unauthorized actions might also be taken.
To prevent SSRF attacks, one has to ensure that all user-supplied data used in constructing server-side requests is properly validated and sanitized. The API is supposed to ascertain the allowed destinations and protocols for outbound requests.
In 2020, a security researcher discovered a critical Server-Side Request Forgery (SSRF) vulnerability in Shopify’s infrastructure. The vulnerability found in the screenshotting functionality of Shopify Exchange allowed the researcher to gain root access to containers within a specific infrastructure subset. While the affected subset did not include Shopify’s core infrastructure, it did have access to some core data and systems.
API8:2023 – Security Misconfiguration
A security misconfiguration vulnerability happens when an API is not properly configured or secured leaving it open to possible threats. It may include use of default/weak security settings, exposing confidential information/functionality without any reason or the lack of updating the API together with its dependencies with current security patches.
Secure configuration practices must be adopted throughout the API development lifecycle and deployment to mitigate security misconfigurations. As part of this practice, default accounts/passwords must be disabled, unnecessary features/endpoints removed, and necessary security settings such as encryption/authentication/authorization properly configured.
Regular audits on security issues and vulnerability scans should then help detect misconfigurations that need addressing. Additionally, keeping the API and its dependencies up to date regarding the latest security patches prevents proven vulnerabilities from being exploited.
Example: In 2017, the vehicle tracking company SVR Tracking exposed data on over 500,000 vehicle tracking devices due to a security misconfiguration in their API. The API was left open without any authentication, allowing anyone to access sensitive vehicle data.
API9:2023 – Inadequate Inventory Control
Inadequate inventory control vulnerabilities occur when an organization fails to maintain a current and correct inventory of its APIs, including their versions, endpoints, and associated assets. This lack of transparency and oversight can result in security issues such as exposing deprecated or vulnerable APIs or failing to find vulnerabilities in good time.
To manage this risk, there should be a well laid down process for managing the API inventory. This entails having an all-inclusive list of all the APIs, versions, and endpoints, along with dependencies associated documentation. To ensure that the inventory is up to date and accurate, regular reviews and updates should be done.
Example: A company faces challenges due to inadequate inventory control of its APIs. The lack of a centralized repository and inconsistent documentation makes it difficult to identify and patch vulnerabilities promptly. This leads to delayed remediation, increased exposure to attacks, and the risk of attackers exploiting outdated and vulnerable APIs to access sensitive financial data or perform fraudulent transactions.
API10:2023 – Unsafe Consumption of APIs
Unsafe consumption of APIs happens when client applications or other consumers do not correctly handle or validate API data that is being sent by them. Consequently, this may lead to security vulnerabilities like injection attacks, data leakages, or unauthorized access if the client application blindly trusts API responses without validating them properly.
Both API providers and consumers are responsible for mitigating this risk. Developers need to include input validation routines into their code, which will sanitize any malicious inputs that might be entered by users before taking further action on any input received from clients. On the other hand, all data retrieved from this system should be properly validated before processing in any way.
Example: A client application that consumes an API fails to validate and sanitize the data received from the API properly. An attacker injects malicious scripts into the API responses, which are then executed by the client application, leading to cross-site scripting (XSS) attacks and compromising user data.
Using OWASP API Top 10 to Breach Dell – A Case Study
Recently, Dell was breached, leading to 49 million customer records being leaked. The hackers used multiple OWASP Top 10 API vulnerabilities to cause this breach. Here’s how the breach happened:
- Fake partner, real access: The hackers requested for a partner account on Dell’s partner portal. With limited to no checks, they got a partner account on the portal.
- Oh, those juicy APIs: The attacker found an API endpoint that returned customer details, including address, name, etc., upon receiving a Dell service tag.
- Let’s hack at scale: Once hackers knew that the service tags were 7-character alphanumeric codes, the attacker created a script that generated and submitted these codes to the API at a rate of thousands of requests a minute.
- Rate limiting, what?: The API had no rate limiting to prevent such excessive requests. This allowed the attacker to extract a massive 49 million customer records.
The hackers claimed that they contacted Dell to disclose the vulnerability, but they had allegedly dumped the data before reporting.
OWASP API Top 10 Vulnerabilities Exploited in The Process
- API1:2023 – Broken Object Level Authorization
- API2:2023 – Broken Authentication
- API9:2023 – Improper Inventory Management
Astra’s Perspective on the OWASP API Top 10 Security
Astra Security recognizes the vital significance of OWASP API Top 10 in mitigating the most common security vulnerabilities in APIs. In line with this, Astra directs its services and products to these risk areas.
With regards to the OWASP API Top 10 risks, Astra’s API Vulnerability Scanner is a potent tool that helps companies identify and mitigate any risks involved. It conducts an all-around automated test on APIs following OWASP guidelines for various security checks. It identifies weaknesses such as broken object-level authorization, injection flaws, and broken authentication, offering insights into an API’s weak points.
In addition to automated API vulnerability scanning capabilities, Astra has a team of experienced security experts who provide enterprises with support in dealing with risks associated with the OWASP Top 10 API. They offer manual penetration testing that complements automated scans to thoroughly assess an API’s overall security posture.
At the same time, they maintain up-to-date knowledge of current threat landscapes while recommending best practices and remedial strategies.
Astra Pentest is built by the team of experts that helped secure Microsoft, Adobe, Facebook, and Buffer
To sum it up, Astra Security’s Scanner is an effective instrument for addressing potential issues accompanying OWASP API Security Top 10 by businesses. This way, organizations can identify, prioritize, and rectify vulnerabilities affecting their API Systems, making them more robust against breaches.
Automated scanning capabilities, skilled assistance, and a holistic approach by Astra make it possible for companies to discover, prioritize, and address API vulnerabilities by empowering their overall security landscape.
Additional Resources on API Security: