OWASP Top 10 API Flashcards
API 1: What is Broken Object Level Authorization
Attacker substitutes ID of their resource in API call with an ID of a resource belonging to another user.
How to prevent Broken Object Level Authorization
- Implement authorization checks with user policies and hierarchy
- Do not rely on IDs sent from client.
- Check authorization on every client request that accesses the database
- Use random, non-guessable IDs (UUIDs)
API 2: What is Broken User Authentication
Poorly implemented API authentication allowing attackers to assume other users’ identities.
How to prevent Broken User Authentication
– Check all possible ways to authenticate to all APIs
– Use standard libraries for authentication, token generation and password storage; offer multi-factor authentication (MFA)
– Use short-lived access tokens
– Rate-limit authentication endpoints; implement lockout policies and weak-password checks
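Added example, not from the flashcards: a minimal login service that applies the API 2 advice above in one place, with salted PBKDF2 password storage, a lockout after repeated failures, and short-lived HMAC-signed access tokens. The class and constant names (AuthService, LOCKOUT_THRESHOLD, TOKEN_TTL_SECONDS) are hypothetical, and the clock is injectable so expiry can be exercised without waiting.

```python
"""Added example (not part of the OWASP flashcards): a login service that
applies the API 2 advice. Names such as AuthService are hypothetical."""
import base64
import hashlib
import hmac
import json
import secrets
import time

LOCKOUT_THRESHOLD = 5       # failed logins before the account is locked
LOCKOUT_SECONDS = 300       # how long the lock lasts
TOKEN_TTL_SECONDS = 900     # short-lived access tokens: 15 minutes
PBKDF2_ROUNDS = 100_000
SERVER_KEY = secrets.token_bytes(32)   # in production: loaded from a secret store


def hash_password(password, salt=b""):
    """Standard password storage: random salt + PBKDF2-HMAC-SHA256, never a bare hash."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthService:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock so lockout and expiry can be tested
        self.users = {}             # username -> (salt, password digest)
        self.failures = {}          # username -> (failed attempts, locked_until)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return an access token on success, None on bad credentials or lockout."""
        count, locked_until = self.failures.get(username, (0, 0.0))
        if self.now() < locked_until:
            return None                       # locked: do not even check the password
        if locked_until:
            count = 0                         # lock has expired, start counting again
        record = self.users.get(username)
        if record is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown users
            ok = False
        else:
            salt, expected = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], expected)
        if not ok:
            count += 1
            locked_until = self.now() + LOCKOUT_SECONDS if count >= LOCKOUT_THRESHOLD else 0.0
            self.failures[username] = (count, locked_until)
            return None
        self.failures.pop(username, None)
        return self.issue_token(username)

    def issue_token(self, username):
        claims = {"sub": username, "exp": int(self.now()) + TOKEN_TTL_SECONDS}
        payload = json.dumps(claims).encode()
        sig = hmac.new(SERVER_KEY, payload, "sha256").digest()
        return _b64(payload) + "." + _b64(sig)

    def verify_token(self, token):
        """Return the subject if the signature is valid and the token is unexpired, else None."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except ValueError:
            return None
        expected = hmac.new(SERVER_KEY, payload, "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(payload)
        if claims["exp"] <= self.now():
            return None
        return claims["sub"]
```

The lockout check runs before the password check so a locked account costs the attacker nothing to learn; unknown usernames still pay the hashing cost so timing does not reveal which accounts exist. A real deployment would add per-IP rate limiting in front of this and store the failure counters somewhere shared across instances.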
API 3: What is Excessive Data Exposure
The API over-exposes data to the client and relies on the client to filter it. An attacker calls the API directly and sees everything.
How to prevent Excessive Data Exposure
– Never rely on client to filter data
– Review all responses and adapt them to what the API consumers really need
– Define schemas of all the API responses
– Don’t forget about error responses
– Identify all the sensitive or PII info and justify its use
– Enforce response checks to prevent accidental data and exception leaks
API 4: Lack of Resources & Rate Limiting
The API is not protected against excessive call volumes or payload sizes. Attackers use this for DoS and brute-force attacks.
How to prevent Lack of Resources and Rate limiting
- Rate Limiting
- Payload size limit
- Add proper server-side validation of query-string and body parameters, especially any that control how many records a response returns
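Added example, not from the flashcards: the three API 4 controls above as one admission check in front of a handler. A per-client token bucket enforces the rate limit, the declared body size is rejected before the body is read, and the page-size parameter is validated on the server. TokenBucket, RateLimiter, admit_request and the limits are hypothetical names and values; the clock is passed in so the refill can be tested.

```python
"""Added example (not part of the OWASP flashcards): request admission checks
for API 4. Names such as TokenBucket and admit_request are hypothetical."""
import time

MAX_BODY_BYTES = 64 * 1024      # reject oversized payloads before parsing them
MAX_PAGE_SIZE = 100             # cap on records a single response may return


class TokenBucket:
    """Per-client token bucket: `capacity` burst, refilled at `rate` tokens per second."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client key, created on first use."""

    def __init__(self, capacity=10, rate=1.0):
        self.capacity, self.rate = capacity, rate
        self.buckets = {}

    def allow(self, client_key, now):
        bucket = self.buckets.setdefault(client_key, TokenBucket(self.capacity, self.rate))
        return bucket.allow(now)


def validate_page_size(raw):
    """Server-side validation of the parameter that controls response size."""
    try:
        size = int(raw)
    except (TypeError, ValueError):
        raise ValueError("page_size must be an integer")
    if not 1 <= size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    return size


def admit_request(limiter, client_key, content_length, page_size, now=None):
    """Return an HTTP status: 429, 413, 400, or 200 when the request may proceed.

    Key the limiter by authenticated identity where possible; a source IP is
    shared by every user behind the same NAT."""
    now = time.time() if now is None else now
    if not limiter.allow(client_key, now):
        return 429                 # too many requests: cheapest check goes first
    if content_length > MAX_BODY_BYTES:
        return 413                 # payload too large, rejected before reading the body
    try:
        validate_page_size(page_size)
    except ValueError:
        return 400
    return 200
```

The checks are ordered by cost: the rate limit is a dictionary lookup, the size check reads only the Content-Length header, and parameter validation happens before any database query is built from the parameter.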
API 5: Broken Function Level Authorization
The API relies on the client to use either the user-level or the admin-level endpoints. An attacker discovers the "hidden" admin methods and invokes them directly.
How to prevent Broken Function Level Authorization
– Deny all access by default
– Properly design and test authorization
– Role-based access control
– Do not rely on the client to enforce admin access
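Added example, not from the flashcards: one deny-by-default authorization check that covers both API 1 (object-level: does the caller own this record?) and API 5 (function-level: may this role call this operation at all?). The invoice records, roles, action names and the Forbidden/NotFound exceptions are hypothetical; the vulnerable lookup is shown beside the fixed one.

```python
"""Added example (not part of the OWASP flashcards): deny-by-default
authorization for API 1 and API 5. Data, roles and names are hypothetical."""
from dataclasses import dataclass


@dataclass
class User:
    id: str
    role: str


@dataclass
class Invoice:
    id: str
    owner_id: str
    amount: int


# Constructed sample data. In a real service use random, non-guessable IDs
# (uuid.uuid4()) as defence in depth; the ownership check below does the real work.
INVOICES = {
    "inv-1": Invoice("inv-1", "u-alice", 100),
    "inv-2": Invoice("inv-2", "u-bob", 250),
}

# Function-level policy: which roles may perform which action.
# Any action not listed here is denied for everyone.
PERMISSIONS = {
    "invoice.read": {"user", "admin"},
    "invoice.refund": {"admin"},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_invoice_vulnerable(invoice_id):
    """BOLA: trusts the client-supplied ID and returns whatever it points at."""
    return INVOICES[invoice_id]


def authorize(user, action, resource=None):
    """Deny by default. Function level: the role must be listed for the action.
    Object level: a non-admin caller must own the resource."""
    if user.role not in PERMISSIONS.get(action, set()):
        raise Forbidden(f"{user.role} may not {action}")
    if resource is not None and user.role != "admin" and resource.owner_id != user.id:
        # Answer as if the object does not exist so IDs cannot be probed.
        raise NotFound(resource.id)


def get_invoice(user, invoice_id):
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    authorize(user, "invoice.read", invoice)
    return invoice


def refund_invoice(user, invoice_id):
    """Admin-only operation; the client never decides whether it may call it."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    authorize(user, "invoice.refund", invoice)
    return invoice.amount
```

The check is called from inside every handler with the resource that was loaded from the database, never with values the client sent, and an ownership failure is reported the same way as a missing record so an attacker cannot enumerate valid IDs.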
API 6: Mass Assignment
The API binds client-supplied input directly to the properties of its internal objects (the active-record pattern in many frameworks), so an attacker can add properties they should never be able to set, such as a role, an admin flag or a balance.
How to prevent Mass Assignment
– Don’t automatically bind incoming data and internal objects
– Explicitly define all the parameters and payloads you are expecting
– Set readOnly to true in object schemas for all properties that can be retrieved via the API but should never be modified
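Added example, not from the flashcards: explicit schemas on both sides of one resource, covering API 3 (an allow-list of fields that may leave the API, including a fixed error shape) and API 6 (an allow-list of typed fields a client may set). The UserRecord fields, the schema constants and the function names are hypothetical; the mass-assignment form is shown beside the fixed one.

```python
"""Added example (not part of the OWASP flashcards): explicit response and
request schemas for API 3 and API 6. Field and function names are hypothetical."""
import logging
from dataclasses import asdict, dataclass

log = logging.getLogger("api")


@dataclass
class UserRecord:
    id: str
    display_name: str
    email: str
    password_hash: str
    is_admin: bool
    bio: str = ""


# Response schema: only these fields ever leave the API, whatever the record holds.
PUBLIC_USER_FIELDS = ("id", "display_name", "bio")

# Request schema: the only properties a client may set, with their expected types.
# Everything else on the record (is_admin, password_hash, email) is effectively readOnly.
UPDATABLE_USER_FIELDS = {"display_name": str, "bio": str}


def serialize_user(record):
    """API 3 fix: build the response from an allow-list, never by dumping the object."""
    data = asdict(record)
    return {field: data[field] for field in PUBLIC_USER_FIELDS}


def update_user_vulnerable(record, payload):
    """Mass assignment: every client-supplied key is bound straight onto the object,
    so {"is_admin": true} or {"password_hash": "..."} is silently accepted."""
    for key, value in payload.items():
        setattr(record, key, value)
    return record


def update_user(record, payload):
    """API 6 fix: bind only declared, type-checked properties and reject the rest."""
    unknown = set(payload) - set(UPDATABLE_USER_FIELDS)
    if unknown:
        raise ValueError(f"unknown or read-only fields: {sorted(unknown)}")
    for key, expected_type in UPDATABLE_USER_FIELDS.items():
        if key in payload:
            if not isinstance(payload[key], expected_type):
                raise ValueError(f"{key} must be {expected_type.__name__}")
            setattr(record, key, payload[key])
    return record


def error_response(exc):
    """Error responses are part of the schema too: log the detail server-side and
    return a fixed shape so stack traces and internal messages never reach the client."""
    log.error("request failed: %r", exc)
    if isinstance(exc, ValueError):            # our own validation messages are safe to show
        return {"error": "invalid_request", "detail": str(exc)}
    return {"error": "internal_error"}
```

Rejecting unknown fields (rather than silently dropping them) is the stricter choice: it surfaces clients that send extra properties, which is exactly the probing behaviour an attacker uses to find bindable fields.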
API 7: Security Misconfiguration
Poor configuration of the API servers allows attackers to exploit them.
How to prevent security misconfiguration
– Repeatable hardening and patching processes
– Automated process to locate configuration flaws
– Disable unnecessary features
– Restrict administrative access
– Define and enforce all outputs including errors
API 8: Injection
The attacker constructs API calls containing SQL, NoSQL, LDAP, OS and other commands that the API, or the back end behind it, blindly executes.
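Added example, not from the flashcards: the SQL variant of API 8 against an in-memory SQLite database with constructed sample rows. The vulnerable lookup concatenates the client's input into the statement; the fix binds it as a parameter. It also shows the case parameters cannot fix, an ORDER BY column chosen by the client, which must be checked against an allow-list. Table, column and function names are hypothetical.

```python
"""Added example (not part of the OWASP flashcards): SQL injection in its
vulnerable and parameterized forms. Table and function names are hypothetical."""
import sqlite3


def make_db():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Concatenates client input into SQL: the back end executes whatever arrives,
    so username = "' OR '1'='1" returns every row."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user(conn, username):
    """Parameterized query: the input is bound as data and can never become SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Identifiers (column names, ORDER BY targets) cannot be bound as parameters,
# so they must be validated against an allow-list before being interpolated.
SORTABLE_COLUMNS = {"username", "id"}


def list_users(conn, sort_by="id"):
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError("invalid sort column")
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_by}").fetchall()
```

The same rule applies to the other injection families on this card: pass OS commands as argument lists rather than shell strings, use the driver's query builders for NoSQL filters, and escape LDAP filter characters with the library's own function rather than building filters by hand.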