Web APIs can be an extremely powerful resource for an organization and its customers. Instead of requiring users to manually interact with a website to collect information, a web API allows automation of common tasks or access to bulk data with limited overhead. This increases the efficiency of the system for the user and reduces load on the web site for the owner.
However, the power of web APIs makes web API security a significant concern. The same accessibility that is useful for valid customers is also valuable for an attacker performing data exfiltration. In order to help web API developers to secure their software, OWASP is working on a Top Ten List for web API vulnerabilities.
The OWASP API Top Ten List
The Open Web Application Security Project (OWASP) has developed lists of the top vulnerabilities in several different environments. The most famous list is for web application vulnerabilities, but OWASP has recently released a draft version of a list specifically for web APIs. This list describes the vulnerabilities that are the most common and have the greatest impact on web API security.
#1. Broken Object Level Authorization
Web APIs are designed to provide access to objects, and many objects can be stored on the same API endpoint. This can create an access control issue if a user is authorized to have access to one object via the API but not others. APIs must explicitly check for authorization to access each object.
#2. Broken Authentication
Authentication mechanisms are designed to limit access to the API to legitimate users. However, these mechanisms are often poorly implemented or flawed, allowing an attacker to bypass or exploit them. This grants the attacker authenticated access to the API and the potentially sensitive or proprietary data that it contains.
#3. Excessive Data Exposure
APIs are often designed for the general case with the expectation that users will tailor the results to their own use. As a result, an API developer may expose more data than necessary with the expectation that users will filter results before displaying them. If filtering does not occur, this exposes excessive data.
#4. Lack of Resources and Rate Limiting
If an API does not implement rate limiting, an authenticated user can request as much data as they wish. However, if a user requests too many resources, this can degrade or destroy the usability of the service. If authentication has no rate limiting, it is exposed to brute-force password guessing attacks.
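The two budgets this item calls for, shown as an added example rather than code from the original article: a sliding-window limiter with a generous budget on data reads and a very tight one on login attempts, plus a hard cap on how many records one call may return. The endpoint names, limits, `MAX_PAGE_SIZE`, the constructed `RECORDS` and `CREDENTIALS` tables, and the `FakeClock` helper are all assumptions made for the demonstration.

```python
import hmac
import time
from collections import defaultdict, deque

MAX_PAGE_SIZE = 100          # hypothetical hard cap on records per response
RECORDS = list(range(1000))  # constructed data set served by the bulk endpoint
CREDENTIALS = {"alice": "correct horse battery staple"}  # constructed; a real store holds hashes


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.

    `clock` is injectable so behaviour can be exercised without sleeping.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FakeClock:
    """Manual clock for demonstrations and tests."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ApiGateway:
    """Front door that applies a per-client budget to data reads, a much
    tighter budget to authentication attempts, and clamps page size."""

    def __init__(self, clock=time.monotonic):
        self.data_limiter = SlidingWindowLimiter(limit=100, window=60, clock=clock)
        self.login_limiter = SlidingWindowLimiter(limit=5, window=300, clock=clock)

    def login(self, client_ip, username, password):
        # Key on both the source address and the target account: one address
        # cannot spread guesses across many accounts, and one account cannot
        # be hammered from many addresses.
        if not (self.login_limiter.allow(("ip", client_ip))
                and self.login_limiter.allow(("user", username))):
            return 429
        expected = CREDENTIALS.get(username, "")
        if expected and hmac.compare_digest(expected, password):
            return 200
        return 401

    def fetch_records(self, client_id, requested_page_size):
        if not self.data_limiter.allow(client_id):
            return 429, []
        # Clamp the caller's page size instead of trusting it.
        page_size = max(1, min(int(requested_page_size), MAX_PAGE_SIZE))
        return 200, RECORDS[:page_size]


if __name__ == "__main__":
    clock = FakeClock()
    gw = ApiGateway(clock=clock)
    print([gw.login("203.0.113.9", "alice", "wrong") for _ in range(6)])  # five 401s, then 429
    print(gw.fetch_records("alice", 5000)[0], len(gw.fetch_records("alice", 5000)[1]))
```

A 429 is returned before the password is even compared, so a locked-out client learns nothing about whether its guess was right; the read budget and the login budget are separate instances so that heavy legitimate data use never loosens the authentication limit.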
#5. Broken Function Level Authorization
APIs often have complicated authorization structures designed to ensure that no user has access to functionality that they shouldn’t. However, this added complexity creates additional chances for logical or implementation errors that would allow an attacker to bypass authorization controls.
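Items #1 and #5 describe two different checks, and the example below (added here; not code from the article or from OWASP) shows both against one constructed invoice store: an object-level check that runs for every `Invoice` fetched through a shared `/invoices/{id}` endpoint, and a function-level check that gates an entire operation on a role. The `Invoice` type, the `INVOICES` and `ROLES` tables, the "finance" role and `void_invoice` are all assumptions for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed in-memory store: one /invoices/{id} endpoint serves every customer's objects.
INVOICES = {
    101: Invoice(101, "alice", 40.0),
    102: Invoice(102, "bob", 99.5),
}
# Constructed role assignments; "finance" is a hypothetical privileged role.
ROLES = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"customer", "finance"}}
VOIDED = set()


def get_invoice_vulnerable(caller, invoice_id):
    # The caller is authenticated, but ownership is never checked: any
    # logged-in user who guesses an id reads someone else's invoice (BOLA).
    inv = INVOICES.get(invoice_id)
    return (404, None) if inv is None else (200, inv)


def can_read_invoice(caller, inv):
    # Object-level rule evaluated for every single object: owner, or finance role.
    return inv.owner == caller or "finance" in ROLES.get(caller, set())


def get_invoice(caller, invoice_id):
    inv = INVOICES.get(invoice_id)
    if inv is None or not can_read_invoice(caller, inv):
        # Same response for "does not exist" and "not yours", so the id space
        # cannot be mapped by watching which answer comes back.
        return 404, None
    return 200, inv


def require_role(role):
    """Function-level authorization: a whole operation is gated on a role,
    independently of which object it touches."""

    def decorator(fn):
        def wrapper(caller, *args, **kwargs):
            if role not in ROLES.get(caller, set()):
                return 403, None
            return fn(caller, *args, **kwargs)
        return wrapper
    return decorator


@require_role("finance")
def void_invoice(caller, invoice_id):
    if invoice_id not in INVOICES:
        return 404, None
    VOIDED.add(invoice_id)
    return 204, None


if __name__ == "__main__":
    print(get_invoice_vulnerable("bob", 101))  # leaks alice's invoice
    print(get_invoice("bob", 101))             # (404, None)
    print(void_invoice("alice", 102))          # (403, None): not finance
```

The object-level rule lives in one function, `can_read_invoice`, so that every handler touching invoices applies the same policy; the function-level rule is a decorator so that it cannot be forgotten on a new handler. Both are needed: a finance user passes the role check but still only sees invoices the object-level rule allows.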
#6. Mass Assignment
Some APIs will assign user-provided data to objects en masse without checking which properties the user should be allowed to control. If a user can guess, or read in the documentation, the names of properties that are outside their control, supplying values for those properties may let them set those values on the system.
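Items #3 and #6 are mirror images of one another, so a single added example (mine, not the article's) covers both: an explicit allow-list of fields that may leave the server in a response, and an explicit allow-list of fields a client may write. The `UserAccount` record, its field names and the sample values are constructed for the demonstration.

```python
from dataclasses import dataclass, asdict


@dataclass
class UserAccount:
    user_id: int
    username: str
    email: str
    password_hash: str
    is_admin: bool
    credit_balance: float


# Explicit contracts for each direction across the API boundary (constructed
# for this example). Anything not listed never crosses.
READABLE_FIELDS = ("user_id", "username", "email")  # what a caller may see
CLIENT_WRITABLE = ("username", "email")             # what a caller may change


def make_account():
    """Constructed sample record."""
    return UserAccount(7, "alice", "alice@example.com", "$argon2id$constructed", False, 12.5)


def serialize_vulnerable(acct):
    # Dumps the whole record and relies on the client to filter before display.
    return asdict(acct)


def serialize(acct):
    # Allow-list on output: the credential hash, admin flag and balance stay server-side.
    return {name: getattr(acct, name) for name in READABLE_FIELDS}


def update_vulnerable(acct, payload):
    # Mass assignment: every key that matches an attribute is written, so a
    # payload carrying "is_admin" or "credit_balance" changes them too.
    for key, value in payload.items():
        if hasattr(acct, key):
            setattr(acct, key, value)
    return acct


def update(acct, payload):
    # Allow-list on input. Extras are rejected rather than silently dropped,
    # so the contract is explicit and attempts to exceed it show up in logs.
    extra = set(payload) - set(CLIENT_WRITABLE)
    if extra:
        raise ValueError(f"not writable via this endpoint: {sorted(extra)}")
    for key in CLIENT_WRITABLE:
        if key in payload:
            setattr(acct, key, payload[key])
    return acct


if __name__ == "__main__":
    print(serialize_vulnerable(make_account()))  # includes password_hash, is_admin, credit_balance
    print(serialize(make_account()))             # only the three readable fields
    print(update_vulnerable(make_account(), {"is_admin": True}).is_admin)  # True
```

Keeping both lists next to the type definition makes a review question simple: does every field in the record appear in exactly the lists it should, and is each new field added deliberately rather than exposed by default.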
#7. Security Misconfiguration
Failing to properly configure security settings can leave an application open to attack. For example, overly expressive error messages can give an attacker useful information about how an application functions, which can be used to develop an attack.
#8. Injection
Injection flaws occur when an application fails to properly validate or sanitize user input. Often, user input is intermixed with commands within queries to an application. If an attacker can get their input to be interpreted as commands, they can execute commands of their choice on an application.
#9. Improper Assets Management
Web APIs tend to be connected to more endpoints within an organization’s network than traditional web applications. As the functionality of the API changes and the network evolves, it is important to ensure that only necessary endpoints are exposed via the API. Otherwise, an attacker may be able to gain access to endpoints used for debugging and testing, or to deprecated functionality.
#10. Insufficient Logging and Monitoring
Failure to properly log activity on an API and to inspect these logs can amplify the impact of an attack. In many cases, an attack is only discovered by a third party and after a long interval, allowing an attacker unrestricted access to the system for some time. Proper logging and log analysis allow the organization to detect and remediate attacks more quickly.
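A minimal version of both halves of this item, added here as an example that is not from the article: a structured one-line-per-request log record, and a detection pass over those records that flags a client collecting many denied or not-found responses in a short window (the pattern an id-enumeration or credential-guessing run leaves behind). The field names, the threshold and window values, the IP addresses (documentation ranges) and the `SAMPLE_LOG` lines are all constructed for the demonstration.

```python
import json
from collections import defaultdict, deque

DENIED_STATUSES = {401, 403, 404, 429}


def log_event(ts, client_ip, user, method, path, status, request_id):
    """One JSON line per API call; the field set is constructed for this example."""
    return json.dumps(
        {"ts": ts, "client_ip": client_ip, "user": user, "method": method,
         "path": path, "status": status, "request_id": request_id},
        sort_keys=True,
    )


# Constructed sample log: alice reads her own invoices; bob walks the id space
# and collects eight 404s in under a minute.
SAMPLE_LOG = "\n".join(
    [log_event(1000 + 10 * i, "198.51.100.7", "alice", "GET", f"/invoices/{101 + i}", 200, f"a{i}")
     for i in range(3)]
    + [log_event(1000 + 5 * i, "203.0.113.9", "bob", "GET", f"/invoices/{200 + i}", 404, f"b{i}")
       for i in range(8)]
)


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_probing(records, threshold=5, window=60):
    """Flag any (client_ip, user) that collects `threshold` denied responses
    within `window` seconds. Returns [(client_ip, user, count_in_window)]."""
    recent = defaultdict(deque)
    worst = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["status"] not in DENIED_STATUSES:
            continue
        key = (rec["client_ip"], rec["user"])
        q = recent[key]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            worst[key] = max(worst.get(key, 0), len(q))
    return [(ip, user, n) for (ip, user), n in worst.items()]


if __name__ == "__main__":
    for alert in detect_probing(parse_log(SAMPLE_LOG)):
        print("possible probing:", alert)  # ('203.0.113.9', 'bob', 8)
```

Logging the authenticated user alongside the source address matters because the two tell different stories: many denials for one user from many addresses and many denials from one address across many users are both worth a look, and neither is visible if only one of the fields is recorded. The `request_id` ties the record to the application's own error logs during an investigation.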
The first step to securing web APIs is to work through the OWASP list and compare an implementation to the vulnerabilities and flaws listed there. If any apply to a given web API, it should be modified to fix the problem.
However, in some cases it may be difficult or impossible to identify and correct all vulnerabilities in a web API. Some vulnerabilities may be difficult or impossible to detect, and others may be necessary to achieve business needs. Also, the OWASP list covers only the most common vulnerabilities that a web API can include but does not cover all potentially exploitable issues.
In these circumstances, it is a good idea to deploy additional protections for a web API. A specialized web API security solution has the ability to detect and protect against attempts to exploit common web API vulnerabilities. Since a web API exposes a great deal of sensitive information and proprietary processing to the Internet, deploying an effective web API security solution is an important step in protecting this functionality from attack.