OWASP Top Ten API Vulnerabilities
Complete Developer Podcast - A podcast by BJ Burns and Will Gant - Thursdays
The Open Web Application Security Project (OWASP) publishes a list of security vulnerabilities for web applications every few years. While the general web application security best practices also apply to application programming interfaces (APIs), in 2019 OWASP created a separate list of security vulnerabilities specific to APIs. A major portion of web traffic involves accessing an API. APIs are at the forefront of innovation in web development, providing access to almost all of the data used in web applications. A pervasive theme throughout this list is poor safeguards in the APIs. Most of the time this happens because proof-of-concept code gets pushed to production when it was only ever intended to show that something was possible.

The terms authentication and authorization get thrown around a lot in API development as well as in the top ten list. Authentication is the first step in security. It validates that users are who they say they are before moving forward. The most common way to do this is through username/password combinations. From there some kind of authentication token is created for subsequent calls to the API. Authorization, on the other hand, is the process by which the system allows access to specific resources or functions based on permissions. Authorization follows authentication, meaning that a user proves who they are before they are granted permission to access information.

APIs are access points for services and web applications, and they provide an attack surface for nefarious users. This list of the top ten vulnerabilities is just the beginning of API security. Use it as a starting point for securing the APIs you design and build. When building or securing an API you may want to consider a vulnerability scanner to help identify weaknesses in your security.
To help in securing your web applications, OWASP provides a series of "cheat sheets" with concise information about specific languages and/or protocols for web development.

Episode Breakdown

Broken Object Level Authorization

APIs contain endpoints that handle object identifiers, which creates a wide attack surface. In order to maintain some semblance of state, APIs tend to track the identity of a user within the API request. While useful for maintaining state across calls, the API should not fully trust the user identity carried in the request, as an attacker could use another user's ID to gain access to that user's private data. Object level authorization checks should be applied on every call to the API, especially those that access a data source.

Broken User Authentication

Authentication protocols and mechanisms in APIs are designed to provide access to sensitive data or protected functionality to those who have permission. Improperly implemented authentication can allow attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities. If an attacker gains access to an account on an API, they are able to use functionality that they should not be able to access, steal confidential or important data, or even set up denial-of-service (DoS) attacks against the API. In order to provide adequate protection, authentication at minimum needs to implement proper authentication token validation, strong credential encryption, and login attempt limiting. Using encrypted JSON Web Tokens (JWTs) is a way to send JSON objects securely and is considered best practice for authentication.

Excessive Data Exposure

APIs are designed to expose object properties, many times without even considering that individual properties may have different levels of confidentiality or sensitivity.
Developers design APIs to allow for bulk data transfer with as little overhead as possible on the client or server side, then rely on the clients to filter the data before exposing it to t...
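The two weaknesses described above, Broken Object Level Authorization and Excessive Data Exposure, in an added example that is not code from the podcast: an order-lookup handler in its vulnerable form beside a hardened form that checks ownership of the requested object and returns only an allow-list of documented fields. The orders, user names and field names are constructed for illustration.

```python
# Added example: object-level authorization and response shaping for an
# order-lookup endpoint. All data below is constructed, not from any real API.

# Constructed data store: each order belongs to one user and carries fields
# that should never leave the server (e.g. internal_margin).
ORDERS = {
    101: {"id": 101, "owner_id": "alice", "total": 42.0,
          "card_last4": "4242", "internal_margin": 0.31},
    102: {"id": 102, "owner_id": "bob", "total": 9.5,
          "card_last4": "1111", "internal_margin": 0.12},
}

# Allow-list of properties the API contract actually promises to clients.
PUBLIC_FIELDS = ("id", "total", "card_last4")


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_order_vulnerable(caller_id: str, order_id: int) -> dict:
    """Authenticated but not authorized: the caller's identity is ignored, so
    any logged-in user can read any order by supplying its id, and the whole
    stored record (including internal columns) is returned unchanged."""
    return dict(ORDERS[order_id])


def is_owner(caller_id: str, order_id: int) -> bool:
    """Object-level authorization check: does this order belong to the caller?"""
    order = ORDERS.get(order_id)
    return order is not None and order["owner_id"] == caller_id


def get_order_hardened(caller_id: str, order_id: int) -> dict:
    """Ownership check on every call plus explicit response shaping."""
    # Same outcome for "does not exist" and "not yours", so a caller cannot
    # tell valid ids from invalid ones by probing.
    if not is_owner(caller_id, order_id):
        raise Forbidden(f"order {order_id} is not accessible to {caller_id}")
    # Copy only documented fields; the server does the filtering, not the client.
    return {k: ORDERS[order_id][k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    print(get_order_vulnerable("bob", 101))  # bob reads alice's full record
    try:
        get_order_hardened("bob", 101)
    except Forbidden as err:
        print("blocked:", err)
    print(get_order_hardened("alice", 101))  # alice's own order, trimmed
```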