Fortifying APIs Against Cyber Threats: Insights from the OWASP API Top 10

October 22, 2024 · 10 min read
Table of Contents
API security serves as the backbone of modern web and mobile applications. APIs facilitate interactions between different software platforms and become prime targets for cyberattacks, making their security a crucial aspect of organizational cybersecurity strategy.
The Open Web Application Security Project (OWASP), a respected authority in development security, created a list similar to its top 10 security, which covers general development security for enhancing API security. This list provides guidance for identifying and mitigating the most pressing API security risks based on attacks seen, helping developers and organizations protect their digital assets effectively.
The OWASP API Top 10: A Closer Look
For developers, the API top 10 is an easy reference that lists APIs’ most critical security risks. Many security tools integrate this list and the OWASP top 10 in their findings. This allows developers to easily identify and address the most common risks, enhancing the security posture of their applications and building them in a way they are less likely to be exploited by bad actors.
Broken Object Level Authorization
One of the common API risks is a flaw where permissions are not adequately verified for each user and object accessed. This occurs when an API assumes that a request is authorized merely because the user is authenticated, neglecting checks against the user’s specific rights for the requested object.
To exploit this oversight, attackers trick the API into accessing unauthorized data or taking inappropriate actions. An example of this would be altering a user ID in a request so that it appears to come from a different user than themselves. For APIs with broken authorization, they will return the other person’s data, creating a privilege escalation in the application.
Broken Authentication
Other API vulnerabilities come about when security mechanisms fail to accurately verify the identification of users logging into the system. These vulnerabilities stem from flaws in the authentication process, such as ineffective password management, inadequate session handling, and improper implementation of multi-factor authentication systems.
Attackers can use these weaknesses to impersonate legitimate users and gain unauthorized access, often using stolen or compromised credentials. Once inside, they act as a normal user, gaining access to all the data that the user would. This opens up the attack to stealing sensitive data and attempting to escalate privileges to perform unauthorized actions. These breaches can rapidly escalate, allowing attackers to pivot into other connected systems on the network, granting them deeper access and creating a more widespread security breach.
Broken Object Property Level Authorization
Applications may also fail to enforce adequate permissions checks on the properties of objects that users wish to access or modify. This can occur when APIs or backend services assume that once access to an object is granted, the user implicitly has rights to all its properties. This can lead to the unauthorized viewing or alteration of sensitive data.
Attackers can manipulate API calls to access or modify properties of objects that they should not have access to, such as changing user roles, viewing personal data, or altering system configurations.
Unrestricted Resource Consumption
APIs may also be designed so there is no capacity to limit the frequency of requests. These APIs have no mechanism to associate the number of requests a user or token can make in a timeframe, setting limits restricting this. Developers often do this, not wanting to inhibit the system’s performance for users. Still, instead, they inadvertently allow the server to become overloaded, degrading performance and leading to system downtime due to abuse.
Using brute force attacks, threat actors make high volumes of requests in short periods, intending to crash the system or bypass security measures. These attacks may disrupt legitimate users’ services and, in the worst case, break other security controls, allowing attackers unauthorized access.
Broken Function Level Authorization
Even applications that have different levels of permissions, they are not always handled equally throughout the application. Applications may have hierarchies, groups, and roles but a poor separation between administrative and regular functions. This problem arises when security controls fail to properly verify a user’s permissions before allowing access to specific functions or commands. Without adequate checks, users can execute actions beyond their intended access rights.
Attackers can exploit this vulnerability by accessing unauthorized functionalities and gaining access to administrative features or sensitive user data management functions. Exploiting this vulnerability may allow them the ability to modify or access data that is not permitted for their user, which may even be used to compromise the entire application.
Unrestricted Access to Sensitive Business Flows
Applications may also fail to properly control access to business processes that should be restricted based on user roles or permissions. This lack of control can lead to scenarios where sensitive operations, such as financial transactions, administrative actions, or personal data handling, are accessible to unauthorized users or malicious actors.
Attackers exploit this oversight by accessing these unrestricted flows to carry out actions that can manipulate business outcomes to their advantage or disrupt normal business operations.
Server-Side Request Forgery (SSRF)
Misconfigurations in an API may also allow attackers to send crafted requests from the server to internal resources. This exploit occurs when an API inadequately validates user-supplied URLs before processing them, enabling attackers to manipulate the server into making requests to unintended locations. These vulnerabilities can expose internal services that are not directly accessible from the external network, leading to information leaks or more severe network breaches.
Attackers can leverage SSRF to access and interact with services within an organization’s infrastructure to isolate them from the external network. This could include accessing database management interfaces, cloud service metadata APIs, or internal application APIs, potentially allowing attackers to escalate privileges, extract sensitive data, or disrupt critical internal operations. The ability to send requests from the server’s perspective offers a powerful method for attackers to bridge the gap between the external internet and internal networks.
Security Misconfiguration
APIs may also have poorly defined, implemented, or maintained security settings across applications, databases, web servers, or platform stacks. It can arise from using default configurations, incomplete configurations, open cloud storage, unnecessary services running, or verbose error messages that provide attackers with clues about the system.
Attackers exploit these misconfigurations by scanning for known vulnerabilities or defaults in public-facing applications and services. Once a weak point is identified, they can gain unauthorized access or escalate privileges within the system. The consequences of such exploits can be severe, ranging from data breaches to complete system takeovers.
Improper Inventory Management
With so many APIs in an organization, there may be a lack of proper tracking and documenting of API versions and instances. This oversight can lead to scenarios where outdated or deprecated APIs remain in use without adequate security updates or oversight, exposing them to potential exploits.
Attackers can exploit such mismanagement by targeting these lesser-secured API endpoints to gain unauthorized access or extract sensitive data. The absence of a comprehensive API inventory means organizations may not even be aware of all entry points available to attackers, thereby significantly increasing the risk of security breaches.
Unsafe Consumption of APIs
Applications may also integrate external APIs without implementing adequate security measures to validate, sanitize, or authenticate the incoming data. These vulnerabilities result from an assumption that the data from third-party APIs is secure, which can lead to critical security breaches if malicious inputs are processed or unverified data is trusted implicitly.
Attackers exploit this vulnerability by manipulating the data sent from compromised or malicious APIs to perform actions like injection attacks, data breaches, or even cause denial of service. Since the consuming application does not properly check the integrity and authenticity of the data, it can inadvertently expose itself and its users to significant risks, undermining the entire system’s security.
Integrating OWASP Top 10 into the Development Lifecycle
Integrating the OWASP API Top 10 into the API development lifecycle is crucial for effectively securing API-driven applications. This begins with educating developers about API-specific security risks detailed in the OWASP API Top 10, emphasizing these vulnerabilities’ unique challenges and potential impacts on API integrity and functionality. This knowledge cultivates a security-first mindset, where API security is a core component of the development process from the outset.
To properly embed these security practices, developers must adopt secure coding standards tailored for API development, perform focused code reviews to identify API-specific vulnerabilities, and utilize tools that detect API security flaws. Regular security audits and timely updates should also be part of routine API maintenance to manage newly discovered threats and ensure adherence to evolving security standards. Such a proactive approach mitigates risks and integrates a culture of security throughout the development team, fostering the creation of more secure and resilient APIs.
Schedule a demo today to see how Probely can help your organization address OWASP’s top 10 vulnerabilities in its applications.