(Based on OWASP API Top-10 Recommendations)
APIs were already ubiquitous in driving modern applications. However, the pandemic has further accelerated growth in innovation and expansion of digital services, making APIs even more widespread. In today’s world, rapid innovation would not be possible without secure APIs.
Attacks on APIs are increasing exponentially. Gartner suggests API abuses have been the most significant attack vector since 2022. Hence securing APIs is more critical than ever before.
OWASP maintains a separate list of techniques used against APIs, called the OWASP API Top-10. A revision of the list is planned for 2023. Here is a developers’ checklist for building secure APIs, based on the techniques outlined in the OWASP API Top-10.
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface for object-level access control issues. Object-level authorization checks should be performed in every function that accesses a data source using input from the user. Checklist:
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or exploit implementation flaws to assume other users’ identities temporarily or permanently. Compromising a system’s ability to identify the client/user compromises API security overall.
Aiming for generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to filter the data before displaying it to the user.
APIs often do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this degrade API server performance, leading to Denial of Service (DoS), but it also leaves the door open to authentication flaws such as brute force.
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
Binding client-provided data (e.g., JSON) to data models without filtering properties against a safelist usually leads to Mass Assignment. Whether by guessing object properties, exploring other API endpoints, reading the documentation, or supplying additional object properties in request payloads, attackers can modify object properties they are not supposed to.
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages containing sensitive information.
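The object-level authorization check described earlier and the safelist binding described here usually belong in the same handler. The following is an added example (not from OWASP or the original checklist) of a PATCH /users/{id} handler that applies both; the in-memory user table, the `USER_WRITABLE` safelist and the `ApiError` type are constructed for illustration.

```python
from copy import deepcopy
from typing import Any, Dict

# Constructed in-memory user table standing in for the API's database (assumption,
# not real data). Records are keyed by the object identifier that appears in the URL.
SEED_USERS: Dict[int, Dict[str, Any]] = {
    1: {"id": 1, "email": "alice@example.com", "display_name": "Alice", "is_admin": False},
    2: {"id": 2, "email": "bob@example.com", "display_name": "Bob", "is_admin": False},
}

# Safelist of properties a client may set on its own record. Anything else in the
# request body (id, is_admin, ...) is dropped: this is the mass-assignment defence.
USER_WRITABLE = frozenset({"email", "display_name"})


def make_store() -> Dict[int, Dict[str, Any]]:
    """Fresh copy of the seed table so each request sequence starts clean."""
    return deepcopy(SEED_USERS)


class ApiError(Exception):
    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


def authorize_object_access(store: Dict[int, Dict[str, Any]], requester_id: int, target_id: int) -> None:
    """Object-level authorization: the authenticated requester may only modify its own record."""
    if target_id not in store or requester_id != target_id:
        # Same response for "does not exist" and "not yours", so the endpoint
        # does not confirm which identifiers are valid.
        raise ApiError(404, "user not found")


def bind_safelisted(payload: Dict[str, Any], allowed: frozenset) -> Dict[str, Any]:
    """Keep only safelisted properties from client-supplied JSON; ignore the rest."""
    return {key: value for key, value in payload.items() if key in allowed}


def patch_user(store: Dict[int, Dict[str, Any]], requester_id: int, target_id: int,
               payload: Dict[str, Any]) -> Dict[str, Any]:
    """Handler for PATCH /users/{target_id}: authorize the object, then bind safelisted fields."""
    authorize_object_access(store, requester_id, target_id)
    changes = bind_safelisted(payload, USER_WRITABLE)
    if not changes:
        raise ApiError(400, "no writable properties in request")
    store[target_id].update(changes)
    return dict(store[target_id])
```

A body containing `is_admin` or `id` is silently reduced to its writable fields, and a request for another user's identifier is rejected before any binding happens.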
Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
APIs tend to expose more endpoints than traditional web applications, making proper and up-to-date documentation highly important. A proper inventory of hosts and deployed API versions also plays an important role in mitigating issues such as deprecated API versions and exposed debug endpoints.
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to attack systems further, maintain persistence, and pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.