API Security

Created by

GiganticAngonoka72710

Cards (59)

Open Worldwide Application Security Project (OWASP) is a non-profit and collaborative online community that aims to improve application security via a set of security principles, articles, documentation etc. Back in 2019, OWASP released a list of the top 10 API vulnerabilities, which will be discussed in detail, along with its potential impact and a few effective mitigation measures.
What is an API & Why is it important?
API stands for Application Programming Interface. It is a middleware that facilitates the communication of two software components utilising a set of protocols and definitions. In the API context, the term 'application' refers to any software having specific functionality, and 'interface' refers to the service contract between two apps that make communication possible via requests and responses.
What is an API & Why is it important?
The API documentation contains all the information on how developers have structured those responses and requests. The significance of APIs to app development is in just a single sentence, i.e., API is a building block for developing complex and enterprise-level applications.
Broken Object Level Authorisation (BOLA)
How does it Happen?
Generally, API endpoints are utilised for a common practice of retrieving and manipulating data through object identifiers. BOLA refers to Insecure Direct Object Reference (IDOR) - which creates a scenario where the user uses the input functionality and gets access to the resources they are not authorised to access. In an API, such controls are usually implemented through programming in Models (Model-View-Controller Architecture) at the code level.
Broken Object Level Authorisation (BOLA)
Likely Impact
The absence of controls to prevent unauthorised object access can lead to data leakage and, in some cases, complete account takeover. User's or subscribers' data in the database plays a critical role in an organisation's brand reputation; if such data is leaked over the internet, that may result in substantial financial loss.
What is the issue with the above API call? The problem is that the endpoint is not validating any incoming API call to confirm whether the request is valid. It is not checking for any authorisation whether the person requesting the API call can ask for it or not.
The solution for this problem is pretty simple; Bob will implement an authorisation mechanism through which he can identify who can make API calls to access employee ID information.
Broken Object Level Authorisation (BOLA)
The purpose is achieved through access tokens or authorisation tokens in the header. In the above example, Bob will add an authorisation token so that only headers with valid authorisation tokens can make a call to this endpoint.
Broken Object Level Authorisation (BOLA)
Mitigation Measures
An authorisation mechanism that relies on user policies and hierarchies should be adequately implemented.
Strict access controls methods to check if the logged-in user is authorised to perform specific actions.
Promote using completely random values (strong encryption and decryption mechanism) for nearly impossible-to-predict tokens.
Broken User Authentication (BUA)
How does it happen? User authentication is the core aspect of developing any application containing sensitive data. Broken User Authentication (BUA) reflects a scenario where an API endpoint allows an attacker to access a database or acquire a higher privilege than the existing one. The primary reason behind BUA is either invalid implementation of authentication like using incorrect email/password queries etc., or the absence of security mechanisms like authorisation headers, tokens etc.
Broken User Authentication (BUA)
Likely Impact: In broken user authentication, attackers can compromise the authenticated session or the authentication mechanism and easily access sensitive data. Malicious actors can pretend to be someone authorised and can conduct an undesired activity, including a complete account takeover.
Broken User Authentication (BUA)
Practical Example
Bob understands that authentication is critical and has been tasked to develop an API endpoint apirule2/user/login_v that will authenticate based on provided email and password.
The endpoint will return a token, which will be passed as an Authorization-Token header (GET request) to apirule2/user/details to show details of the specific employee. Bob successfully developed the login endpoint; however, he only used email to validate the user from the user table and ignored the password field in the SQL query.
Broken User Authentiction (BUA)
Practical Example
To fix this, we will update the login query logic and use both email and password for validation. The endpoint /apirule2/user/login_s is a valid endpoint, as shown below, that authorises the user based on password and email both.
Broken User Authentication (BUA)
Mitigation Measures
Ensure complex passwords with higher entropy for end users.
Do not expose sensitive credentials in GET or POST requests.
Enable strong JSON Web Tokens (JWT), authorisation headers etc.
Ensure the implementation of multifactor authentication (where possible), account lockout, or a captcha system to mitigate brute force against particular users.
Ensure that passwords are not saved in plain text in the database to avoid further account takeover by the attacker.
Excessive Data Exposure
How does it happen? Excessive data exposure occurs when applications tend to disclose more than desired information to the user through an API response. The application developers tend to expose all object properties (considering the generic implementations) without considering their sensitivity level. They leave the filtration task to the front-end developer before it is displayed to the user.
Excessive Data Exposure
How does it happen? Consequently, an attacker can intercept the response through the API and quickly extract the desired confidential data. The runtime detection tools or the general security scanning tools can give an alert on this kind of vulnerability. However, it cannot differentiate between legitimate data that is supposed to be returned or sensitive data.
Excessive Data Exposure
Likely Impact A malicious actor can successfully sniff the traffic and easily access confidential data, including personal details, such as account numbers, phone numbers, access tokens and much more. Typically, APIs respond with sensitive tokens that can be later on used to make calls to other critical endpoints.
It is NOT Good Practice to Send Username in a API GET request
Excessive Data Exposure: Practical Example:
Bob was tasked to develop an endpoint for showing users' comments on the company's main website. He developed an endpoint apirule3/comment_v/{id} that fetches all information available for a comment from the database. Bob assumed that the front-end developer would filter out information while showing it on the company's main website
What is the issue here? The API is sending more data than desired. Instead of relying on a front-end engineer to filter out data, only relevant data must be sent from the database.
Excessive Data Exposure
Mitigation Measures
Never leave sensitive data filtration tasks to the front-end developer.
Ensure time-to-time review of the response from the API to guarantee it returns only legitimate data and checks if it poses any security issue.
Avoid using generic methods such as to_string() and to_json().
Use API endpoint testing through various test cases and verify through automated and manual tests if the API leaks additional data.
Lack of Resources & Rate Limiting
How does it happen? Lack of resources and rate limiting means that APIs do not enforce any restriction on the frequency of clients' requested resources or the files' size, which badly affects the API server performance and leads to the DoS (Denial of Service) or non-availability of service. Consider a scenario where an API limit is not enforced, thus allowing a user to upload several GB files simultaneously or make any number of requests per second. Such API endpoints will result in excessive resource utilisation
Lack of Resources & Rate Limiting
How does it happen? Nowadays, attackers are using such attacks to ensure the non-availability of service for an organisation, thus tarnishing the brand reputation through increased downtime. A simple example is non-compliance with the Captcha system on the login form, allowing anyone to make numerous queries to the database through a small script written in Python.
Lack of Resources & Rate Limiting
Likely Impact The attack primarily targets the Availability principles of security; however, it can tarnish the brand's reputation and cause financial loss.
Lack of Resources & Rate Limiting
Practical Example
The company MHT purchased an email marketing plan (20K emails per month) for sending marketing, password recovery emails etc. Bob realised that he had successfully developed a login API, but there must be a "Forgot Password" option that can be used to recover an account.
He started building an endpoint /apirule4/sendOTP_v that will send a 4-digit numeric code to the user's email address. An authenticated user will use that One Time Password (OTP) to recover the account.
Lack of Resources & Rate Limiting: Practical Example
What is the issue here? Bob has not enabled any rate limiting in the endpoint. A malicious actor can write a small script and brute force the endpoint, sending many emails in a few seconds and using the company's recently purchased email marketing plan (financial loss).
Finally, Bob came up with an intelligent solution (/apirule4/sendOTP_s) and enabled rate limiting such that the user has to wait 2 minutes to request an OTP token again.
Lack of Resources & Rate Limiting
Mitigation Measures
Ensure using a captcha to avoid requests from automated scripts and bots.
Ensure implementation of a limit, i.e., how often a client can call an API within a specified time and notify instantly when the limit is exceeded.
Ensure to define the maximum data size on all parameters and payloads, i.e., max string length and max number of array elements.
Broken Function Level Authorisation
How does it happen? Broken Function Level Authorisation reflects a scenario where a low privileged user (e.g., sales) bypasses system checks and gets access to confidential data by impersonating a high privileged user (Admin).
Broken Function Level Authorisation
How does it happen? Consider a scenario of complex access control policies with various hierarchies, roles, and groups and a vague separation between regular and administrative functions leading to severe authorisation flaws. By taking advantage of these issues, the intruders can easily access the unauthorised resources of another user or, most dangerously – the administrative functions.
Broken Function Level Authorisation
Reflects IDOR permission, where a user, most probably an intruder, can perform administrative-level tasks. APIs with complex user roles and permissions that can span the hierarchy are more prone to this attack.
Broken Function Level Authorisation
Likely Impact The attack primarily targets the authorisation and non-repudiation principles of security. Broken Functional Level Authorisation can lead an intruder to impersonate an authorised user and let the malicious actor get administrative rights to perform sensitive tasks.
Broken Function Level Authorization: Practical Example:
Bob has been assigned another task to develop an admin dashboard for company executives so that they can view all employee's data and perform specific tasks.
The issue can be resolved programmatically by implementing correct authorisation rules and checking the functional roles of each user in the database during the query. Bob implemented another endpoint /apirule5/users_s that validates each user's role and only shows employees' data if the role is Admin.
Broken Function Level Authorization
Mitigation Measures
Ensure proper design and testing of all authorisation systems and deny all access by default.
Ensure that the operations are only allowed to the users belonging to the authorised group.
Make sure to review API endpoints against flaws regarding functional level authorisation and keep in mind the apps and group hierarchy's business logic.
Mass Assignment
How does it happen? Mass assignment reflects a scenario where client-side data is automatically bound with server-side objects or class variables. However, hackers exploit the feature by first understanding the application's business logic and sending specially crafted data to the server, acquiring administrative access or inserting tampered data. This functionality is widely exploited in the latest frameworks like Laravel, Code Ignitor etc.
Mass Assignment
How does it happen?
Consider a user's profiles dashboard where users can update their profile like associated email, name, address etc. The username of the user is a read-only attribute and cannot be changed; however, a malicious actor can edit the username and submit the form. If necessary filtration is not enabled on the server side (model), it will simply insert/update the data in the database.
Mass Assignment
Likely Impact The attack may result in data tampering and privilege escalation from a regular user to an administrator.
Mass Assignment: Practical Example:
Bob has successfully designed the form and used the mass assignment feature in Laravel to store all the incoming data from the client side to the database (as shown below).
What is the problem here? Bob is not doing any filtering on the server side. Since using the mass assignment feature, he is also inserting credit values in the database (malicious actors can update that value).
Mass Assignment: Practical Example:
The solution to the problem is pretty simple. Bob must ensure necessary filtering on the server side (apirule6/user_s) and ensure that the default value of credit should be inserted as 50, even if more than 50 is received from the client side (as shown below).
Mass Assignment
Mitigation Measures
Before using any framework, one must study how the backend insertions and updates are carried out. In the Laravel framework, fillable and guarded arrays mitigate the above-mentioned scenarios.
Avoid using functions that bind an input from a client to code variables automatically.
Allowlist those properties only that need to get updated from the client side.
Security Misconfiguration Security misconfiguration depicts an implementation of incorrect and poorly configured security controls that put the security of the whole API at stake. Several factors can result in security misconfiguration, including improper/incomplete default configuration, publically accessible cloud storage, Cross-Origin Resource Sharing (CORS), and error messages displayed with sensitive data. Intruders can take advantage of these misconfigurations to perform detailed reconnaissance and get unauthorised access to the system.
Security Misconfiguration How does it happen?
Security misconfigurations are usually detected by vulnerability scanners or auditing tools and thus can be curtailed at the initial level. API documentation, a list of endpoints, error logs etc., must not be publically accessible to ensure safety against security misconfigurations. Typically, companies deploy security controls like web application firewalls, which are not configured to block undesired requests and attacks.
Security Misconfiguration
Likely Impact Security misconfiguration can give intruders complete knowledge of API components. Firstly, it allows intruders to bypass security mechanisms. Stack trace or other detailed errors can provide the malicious actor access to confidential data and essential system details, further aiding the intruder in profiling the system and gaining entry.