OWASP Top 10 API Flashcards
API 1: What is Broken Object Level Authorization
Attacker substitutes ID of their resource in API call with an ID of a resource belonging to another user.
How to prevent Broken Object Level Authorization
- Implement authorization checks with user policies and hierarchy
- Do not rely on IDs sent from client.
- Check authorization each time there is a client request to access the database
- Use random, non-guessable IDs (UUIDs)
API 2: What is Broken User Authentication
Poorly implemented API authentication allowing attackers to assume other users’ identities.
How to prevent Broken User Authentication
– Check all possible ways to authenticate to all APIs
– Use standard authentication, token generation, password storage, multi-factor authentication (MFA)
– Use short-lived access tokens
– Use rate-limiting for authentication, implement lockout policies and weak password checks
API 3: What is Excessive Data Exposure
API overexposes data to the client, relying on the client to do the filtering. Attacker goes directly to the API.
How to prevent Excessive Data Exposure
– Never rely on client to filter data
– Review all responses and adapt responses to what the API consumers really need
– Define schemas of all the API responses
– Don’t forget about error responses
– Identify all the sensitive or PII info and justify its use
– Enforce response checks to prevent accidental data and exception leaks
API 4: Lack of Resources & Rate Limiting
API is not protected against an excessive amount of calls or payload sizes. Attackers use that for DoS and brute force attacks.
How to prevent Lack of Resources and Rate limiting
- Rate Limiting
- Payload size limit
- Add proper server side validation
API 5: Broken Function Level Authorization
API relies on client to use user level or admin level APIs. Attacker figures out the “hidden” admin API methods and invokes them directly.
How to prevent Broken Function Level Authorization
– Deny all access by default
– Properly design and test authorization
– Role-based access control
– Do not rely on the client to enforce admin access
API 6: Mass Assignment
Mass assignment is a vulnerability where the active record pattern in a web application is exploited to modify data items the client should not be able to set.
How to prevent Mass Assignment
– Don’t automatically bind incoming data and internal objects
– Explicitly define all the parameters and payloads you are expecting
– Set readOnly to true for object schemas and all properties that can be retrieved via APIs but should never be modified
API 7: Security Misconfiguration
Poor configuration of the API servers allows attackers to exploit them.
How to prevent security misconfiguration
– Repeatable hardening and patching processes
– Automated process to locate configuration flaws
– Disable unnecessary features
– Restrict administrative access
– Define and enforce all outputs including errors
API 8: Injection
Attacker constructs API calls that include SQL-, NoSQL-, LDAP-, OS- and other commands that the API or back-end behind it blindly executes.
How to prevent injection
– Never trust your API consumers
– Strictly define all input data: schemas, types, string patterns - and enforce them at runtime
– Validate, filter, sanitize all incoming data
– Define, limit, and enforce API outputs to prevent data leaks
API 9: Improper Assets Management
Attacker finds non-production versions of the API (staging, testing, beta or earlier versions) that are not as well protected, and uses those to launch the attack.
How to prevent improper assets management
– Inventory all API hosts
– Limit access to anything that should not be public
– Limit access to production data. Segregate access to production and non-production data.
– Implement additional external controls such as API firewalls
API 10: Insufficient Logging & Monitoring
Lack of proper logging, monitoring, and alerting lets attacks go unnoticed.
How to prevent insufficient logging and monitoring
– Log failed attempts, denied access, input validation failures, any failures in security policy checks
– Ensure that logs are formatted to be consumable by other tools
– Protect logs as highly sensitive
– Include enough detail to identify attackers
– Avoid having sensitive data in logs
– Integrate with SIEMs and other dashboards, monitoring, alerting tools