
São Paulo/SP – September 1, 2022. OWASP (Open Web Application Security Project), in 2019, created a version of their TOP 10 addressing API security, recognizing the role that APIs play in the architecture of applications today.

By Leonardo Corazza

Nowadays, APIs are fundamental to the functioning of mobile systems and applications. APIs are not secure by default, and for that reason they have become a target for attackers.

Below is the TOP 10:

API1:2019 Broken Object Level Authorization

Allows an attacker to exploit an API endpoint by manipulating an object's ID, which can lead to unauthorized access to sensitive data. This flaw is also known as IDOR (Insecure Direct Object Reference).
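The pattern above, as an added example that is not part of the original article: a minimal in-memory "orders" endpoint in its vulnerable form (trusts the ID from the URL) beside the hardened form that enforces object-level authorization against the authenticated user. The users, order IDs and field values are constructed for illustration.

```python
# Constructed sample data: two orders belonging to two different users.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00, "card_last4": "4242"},
    1002: {"owner": "bob", "total": 99.90, "card_last4": "1111"},
}


class NotFound(Exception):
    """Raised when the caller may not see the requested object (or it does not exist)."""


def get_order_vulnerable(current_user: str, order_id: int) -> dict:
    """Vulnerable (BOLA/IDOR): the id taken from the URL is looked up directly
    and ownership is never checked, so any authenticated user can read any
    order simply by changing the id."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_secure(current_user: str, order_id: int) -> dict:
    """Hardened: object-level authorization on every access. The ownership
    check compares the record against the server-side authenticated identity,
    not against anything supplied by the client."""
    order = ORDERS.get(order_id)
    # Same response for "does not exist" and "not yours", so the endpoint
    # does not reveal which ids are valid.
    if order is None or order["owner"] != current_user:
        raise NotFound(order_id)
    return order
```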

API2:2019 Broken User Authentication

The authentication mechanism is always an attack vector, and if it is not well configured, with strong cryptographic tokens and keys, it can allow an attacker to have control over other user accounts on the system.

API3:2019 Excessive Data Exposure

By design, the API returns sensitive data to the client and relies on the client to filter it before presenting it to the user. Returning more data than the client needs leads to sensitive data exposure.

API4:2019 Lack of Resources & Rate Limiting

The API must be protected against an excessive number of requests and oversized payloads. Without this protection, attackers can carry out DoS (Denial of Service) and brute-force attacks, which can make the API unavailable.

API5:2019 Broken Function Level Authorization

Some administrative functions are often exposed as APIs. With this knowledge, attackers can carry out attacks with the aim of finding these functions, which can allow access to functions without authorization.

API6:2019 Mass Assignment

By design, an API can expose the names of object properties. If the expected parameters are not explicitly defined, an attacker may guess object properties or supply additional ones in order to escalate privileges or manipulate data.
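Mass assignment on a profile-update endpoint, as an added example that is not from the original article: the vulnerable handler binds every key of the JSON body onto the user object, while the hardened one binds only an explicit allowlist of expected properties. The user record, property names and request bodies are constructed for illustration.

```python
import copy

# Constructed sample record; `is_admin` and `balance` must never be client-writable.
USER = {
    "id": 7,
    "email": "alice@example.com",
    "display_name": "Alice",
    "is_admin": False,
    "balance": 0,
}

# Explicit definition of the properties this endpoint accepts from the client.
PROFILE_WRITABLE = {"email", "display_name"}


def update_profile_vulnerable(user: dict, body: dict) -> dict:
    """Vulnerable: every property in the request body is copied onto the
    object, so a body such as {"is_admin": true} escalates privileges."""
    updated = copy.deepcopy(user)
    updated.update(body)
    return updated


def update_profile_secure(user: dict, body: dict) -> dict:
    """Hardened: only allowlisted properties are bound. Unexpected properties
    are rejected outright rather than silently dropped, so tampering attempts
    are visible in the response and in the logs."""
    unexpected = set(body) - PROFILE_WRITABLE
    if unexpected:
        raise ValueError(f"unexpected properties: {sorted(unexpected)}")
    updated = copy.deepcopy(user)
    for key in PROFILE_WRITABLE & set(body):
        updated[key] = body[key]
    return updated
```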

API7:2019 Security Misconfiguration

A misconfigured API can be exploited by attackers in order to expose and collect sensitive information.

API8:2019 Injection

Injection flaws occur when untrusted data is interpreted as part of a command or query. Attackers exploit them in order to extract sensitive data.

API9:2019 Improper Assets Management

Keeping an up-to-date inventory and documentation of APIs is critical. Old API versions or homologation (staging) environments may contain vulnerabilities and exposed data.

API10:2019 Insufficient Logging & Monitoring

Failure to properly log, monitor and alert can allow API attacks to go undetected.

There are some recommendations and best practices to avoid these vulnerabilities, such as:

  • Do not use basic authentication; use OAuth or JWT
  • Use strong secrets in tokens
  • Set an expiration time on tokens
  • Use HTTPS and strong ciphers
  • Limit the rate of requests
  • Validate user data input
  • Use the appropriate HTTP method for each operation
  • Use UUIDs as object identifiers
  • Disable debug mode
  • Disable old API versions

Additionally, it is recommended to perform penetration tests periodically in order to find weaknesses and validate that the controls are correctly applied.

Leonardo Corazza is a Cyber Security Specialist – RED TEAM at [SAFEWAY]

How can we help?

THE SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, for the certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services the Cybersecurity Health Check, whose objective is to carry out a diagnosis of the Cybersecurity, Information Security and Data Privacy implemented in your company, covering the pillars of Processes, People and Technology.

Through the Cybersecurity Health Check, risks associated with the information security and privacy of internal processes and activities are identified, and existing and new controls are evaluated according to the size of your organization, in order to increase the level of maturity and compliance in accordance with good information security practices. If you would like more information, contact one of our experts!