This project is intended for the ever-growing number of organizations that implement potentially sensitive APIs as part of their software solutions. APIs are used for internal tasks and for interacting with third-party services. Unfortunately, many APIs never undergo the rigorous security testing that would make them resistant to attack, which widens the threat landscape of the web applications that depend on them.
The OWASP API Security Top 10 project is designed to highlight the potential risks in unsafe APIs and propose measures to mitigate those risks.
OWASP
The OWASP project is referenced by many standards, tools and organizations, including MITRE, PCI DSS, DISA, FTC, and many others.
Methodologies
OWASP is a recognized methodology for assessing vulnerabilities in web applications worldwide. OWASP projects reflect the most significant threats to web and mobile applications and APIs, and describe test methods and methodologies.
Many people working as developers or information security consultants have come across an API as part of a project. Although some resources exist to help build and evaluate such projects (for example, the OWASP REST Security Cheat Sheet), no comprehensive security project had been developed to help developers, pentesters, and security professionals.
MODERN API
This document is in Release Candidate status; an official presentation is planned for the second quarter of 2020. The API Security Top 10 focuses on strategies and solutions for understanding and mitigating the unique vulnerabilities and security risks of application programming interfaces (APIs).
What prompted the creation of this list:
- Client devices are becoming more diverse and complex.
- Logic moves from the backend to the frontend (along with some vulnerabilities).
- Fewer layers of abstraction.
- The client and server (and database) "speak" the same JSON language.
- The server is used more as a data proxy.
- The rendering component is the client, not the server.
- Clients consume raw data.
- APIs reveal the underlying implementation of the application.
- User state is usually kept and tracked by the client.
- Each HTTP request carries additional parameters (object identifiers, filters).
A modern web application is almost impossible to imagine without using an API.
OWASP API Security Top 10
A1 Incorrect authorization at the object level
APIs often expose endpoints that handle object identifiers, which creates a broad attack surface for access-control attacks. Object-level authorization checks must be implemented in every function that accepts user input.
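The object-level check described above, shown as an added example that is not part of the original page; the in-memory invoice store, the user names and the (status, body) return shape are constructed stand-ins for a database and an HTTP framework:

```python
# Added example (not from the original page): an object-level authorization
# check on a "get invoice by id" handler. The store and the (status, body)
# return value are constructed stand-ins for a database and an HTTP framework.

# Constructed sample data: invoices belonging to different users.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.0},
    1002: {"owner": "bob", "amount": 75.5},
}


def get_invoice_vulnerable(current_user, invoice_id):
    """Vulnerable (A1): the id from the request is trusted, so any
    authenticated user can enumerate ids and read other users' invoices."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice


def is_owner(invoice, current_user):
    """The object-level check: compares the stored owner to the authenticated
    identity, never to anything the client sent in the request body."""
    return invoice["owner"] == current_user


def get_invoice_checked(current_user, invoice_id):
    """Hardened: the object is loaded first, then authorization is decided
    against that specific object before anything is returned."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    if not is_owner(invoice, current_user):
        return 403, None
    return 200, invoice
```

The same pattern applies to update and delete handlers: load the object, decide on that object, and only then act.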
A2 Invalid authentication
Authentication mechanisms are often implemented incorrectly, which allows attackers to compromise authentication tokens or exploit implementation flaws in order to impersonate another user temporarily or permanently. Compromising the system's ability to identify the client/user compromises the security of the entire API.
A3 Excessive data exposure
In the name of uniformity, developers often return every property of an object without considering how sensitive each one is, relying on the client to filter the data before showing it to the user.
A4 Lack of limits on resources and requests
Quite often, APIs impose no restrictions on the size or number of resources a user may request. This leads not only to performance degradation and even DoS, but also enables authentication attacks such as brute force.
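Both limits named above, on request size and on request count, applied to a login endpoint, as an added example that is not part of the original page; the limiter, the status codes it returns and the simulated request list are constructed assumptions, and the clock is passed in so the block runs offline:

```python
# Added example (not from the original page): size and rate limits for a
# login endpoint (A4). Storage is an in-memory dict and time is supplied by
# the caller, both constructed stand-ins for a real deployment.

MAX_BODY_BYTES = 4096      # reject oversized request bodies outright
MAX_ATTEMPTS = 5           # failed logins allowed per client per window
WINDOW_SECONDS = 300       # sliding window for counting failures


class LoginLimiter:
    def __init__(self):
        self._failures = {}    # client key -> list of failure timestamps

    def _recent(self, key, now):
        """Drops failures older than the window and returns the rest."""
        stamps = [t for t in self._failures.get(key, [])
                  if now - t < WINDOW_SECONDS]
        self._failures[key] = stamps
        return stamps

    def check(self, key, body_bytes, now):
        """Status to send before the credential store is touched: 413 for an
        oversized body, 429 when attempts are exhausted, None to proceed."""
        if body_bytes > MAX_BODY_BYTES:
            return 413
        if len(self._recent(key, now)) >= MAX_ATTEMPTS:
            return 429
        return None

    def record_failure(self, key, now):
        self._recent(key, now).append(now)


def simulate(limiter, requests):
    """requests: list of (client_key, body_bytes, now, password_ok).
    Returns the status produced for each request: 200, 401, 413 or 429."""
    results = []
    for key, size, now, ok in requests:
        status = limiter.check(key, size, now)
        if status is None:
            status = 200 if ok else 401
            if not ok:
                limiter.record_failure(key, now)
        results.append(status)
    return results
```

In a real deployment the key would combine the account name with the client address, so that one source cannot exhaust another user's allowance and a distributed attacker cannot spread attempts across accounts unnoticed.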
A5 Incorrect authorization of functions
Complex access policies with different hierarchies, groups and roles, as well as an opaque separation between administrative and normal functions, often lead to vulnerabilities in authorization. By exploiting these vulnerabilities, attackers gain access to the resources of other users, or to the administrator’s functionality.
A6 Parameter reassignment
Binding data received from the client (for example, in JSON) to data models without filtering usually leads to a reassignment of parameters. Attackers, by exploring the API, reading the documentation, or simply guessing, can add "extra" parameters to requests, changing object properties to which they should have no access.
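The unfiltered binding described under A6 and the unfiltered response described under A3, side by side with their allow-listed forms, as an added example that is not part of the original page; the user record, its field names and the placeholder hash are constructed:

```python
# Added example (not from the original page): the same user record handled two
# ways. Input binding demonstrates A6 (parameter reassignment), response
# building demonstrates A3 (returning every field of the object).

import copy

# Constructed sample record. A client must never be able to set "role" or
# "is_verified", and must never see "password_hash".
USER = {
    "id": 42,
    "email": "alice@example.com",
    "display_name": "Alice",
    "role": "user",
    "is_verified": False,
    "password_hash": "<placeholder hash>",
}

WRITABLE_FIELDS = {"email", "display_name"}      # A6: what a client may change
PUBLIC_FIELDS = {"id", "email", "display_name"}  # A3: what a client may see


def update_user_vulnerable(user, request_json):
    """Binds every key of the JSON body onto the model (A6)."""
    updated = copy.deepcopy(user)
    updated.update(request_json)
    return updated


def update_user_checked(user, request_json):
    """Copies only allow-listed keys; unexpected keys are rejected, not ignored,
    so misuse is visible in logs rather than silently dropped."""
    unknown = set(request_json) - WRITABLE_FIELDS
    if unknown:
        raise ValueError(f"fields not writable: {sorted(unknown)}")
    updated = copy.deepcopy(user)
    for key in WRITABLE_FIELDS & set(request_json):
        updated[key] = request_json[key]
    return updated


def to_response_vulnerable(user):
    """Serializes the whole object and relies on the client to hide fields (A3)."""
    return dict(user)


def to_response_checked(user):
    """Serializes only the fields meant for this consumer."""
    return {k: user[k] for k in PUBLIC_FIELDS if k in user}
```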
A7 Security Settings Errors
Security misconfiguration is most often the result of default settings, ad-hoc workarounds, misconfigured cloud storage, incorrect HTTP header configuration, unnecessary HTTP methods, overly permissive CORS settings, and verbose error output.
A8 Injection
Injection vulnerabilities such as SQL, NoSQL, and code/command injection occur when untrusted data is sent to an interpreter as part of a request or command. Data crafted by the attacker can "trick" the interpreter into executing an arbitrary command or returning data without proper authorization.
A9 Incorrect resource management
APIs often expose more functionality than traditional web applications, so it is especially important that their documentation is complete and up to date. Properly deployed and configured APIs play an important role in preventing problems such as exposed older API versions and debugging functionality.
A10 Inadequate logging and monitoring
Inadequate logging and monitoring, coupled with missing or ineffective integration with incident response processes, allows attackers to develop their attacks, gain a foothold in the network, pivot to new targets, and extract or destroy data. Most breach investigations show that the average time to detection exceeds 200 days, and that the breach is discovered by external parties rather than by internal monitoring systems.
OWASP API Security Top 10 2019
OWASP Russia chapter: OWASP Russia
OWASP Russia chat: https://t.me/OWASP_Russia
OWASP Russia channel: https://t.me/OWASP_RU