OWASP API Top 10 — Architecture Overview and Common Vulnerabilities

As organizations expand interoperability and coordination with each other, and as companies move to the cloud, APIs are the connective tissue that carries information between collaborating systems, both internally and externally.
According to Gartner, APIs will account for 90% of the attack surface, and exploiting APIs will be the most common attack vector for data breaches within enterprise web applications; by 2022, APIs will become the most frequent attack vector.
API Overview:
An API allows one application to communicate with another without direct interoperability mechanisms having to be built into either.
Using an API, users of application 'X' can communicate with and use data from application 'Y'. This gives a company the opportunity to leverage third-party data and technologies.
API Architecture:
Two main categories of API architectures:
1. REST: Representational State Transfer
REST architecture uses a variety of HTTP methods and exchanges data as JSON. It also uses SSL as its transport-security mechanism.
Built on the client-server principle, it is lighter and easier to use across the web.
REST APIs are stateless and are therefore also less complex. Stateless means that no session state is kept on the server between requests, so any server can handle a given API request.
When considering API security, a REST architecture must be uniform, meaning all requests must have the same form, so that the servers handling them can process them properly and none are dropped.
This supports the 'Availability' leg of the CIA triad.
2. SOAP: Simple Object Access Protocol
SOAP is not an architecture but a protocol; it builds on the REST API and applies stricter security standards to ensure Integrity and Confidentiality. SOAP also uses SSL. It is often used in sensitive environments such as banking, where changes to sensitive information must be accessible across multiple resources.
API Types:
1. Open API:
Open APIs are also known as public APIs.
Open APIs do not require authentication to access the API or its resources; they are open to the public for anyone to use.
2. Internal API:
Internal APIs require authentication and are intended for specific users. Example: a bank would use a series of internal APIs (such as SOAP services) to provide interconnectivity across its internal structure.
3. Partner API:
Partner APIs are used when an organization extends its resources to a third party (for example, a SaaS provider).
Partner APIs differ from Internal APIs in that a Partner API is used strictly between a Client and a Provider.
4. Composite API:
Composite APIs combine several different APIs so that related calls can be handled more efficiently.
Composite APIs are considered an architectural solution to the efficiency problems posed by REST APIs.
IoT, smart homes and autonomous vehicles will make APIs even more popular, and attacks on them will grow accordingly.
OWASP is a non-profit organization that works to improve the security of web applications and software.
Erez Yalon and Inon Shkedy created the OWASP API Security Project, which publishes the OWASP API Security Top Ten.
OWASP API Security Top Ten:
- A1 Broken Object Level Authorization
- A2 Broken Authentication
- A3 Excessive Data Exposure
- A4 Lack of Resources and Rate Limiting
- A5 Broken Function Level Authorization
- A6 Mass Assignment
- A7 Security Misconfiguration
- A8 Injection
- A9 Improper Assets Management
- A10 Insufficient Logging and Monitoring
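As an added illustration that is not part of the original page, the following pure-Python handler shows three of the listed issues side by side with their fixes: A1 (an object-level authorization check before touching the record), A3 (an allow-listed projection of the fields returned) and A6 (an allow-list of the fields a caller may update). The user store, session ids and field names are constructed sample data, not a real API.

```python
# Added example: a "get/update user" handler written first the vulnerable
# way (A1, A3, A6) and then the hardened way. USERS is constructed sample
# data; `session_user_id` stands in for the id of the authenticated caller.
from copy import deepcopy

USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.com",
        "password_hash": "$2b$12$constructed-sample-hash", "role": "user"},
    2: {"id": 2, "name": "bob", "email": "bob@example.com",
        "password_hash": "$2b$12$constructed-sample-hash", "role": "support"},
}

PUBLIC_FIELDS = ("id", "name", "email")   # A3: never expose hash or role
WRITABLE_FIELDS = ("name", "email")       # A6: role is not client-writable


def fresh_store():
    """Return an independent copy of the sample data for each demonstration."""
    return deepcopy(USERS)


def get_user_vulnerable(session_user_id, target_id, users):
    """A1 + A3: any authenticated caller reads any user, with every field."""
    return users.get(target_id)


def update_user_vulnerable(session_user_id, target_id, body, users):
    """A1 + A6: no ownership check, and every key in the body is written."""
    users[target_id].update(body)
    return users[target_id]


def _owned_by(session_user_id, target_id, users):
    """Object-level authorization: the record must exist and belong to the caller.
    One answer for 'missing' and 'not yours' so ids cannot be enumerated."""
    user = users.get(target_id)
    return user if user is not None and user["id"] == session_user_id else None


def get_user_secure(session_user_id, target_id, users):
    user = _owned_by(session_user_id, target_id, users)
    return None if user is None else {k: user[k] for k in PUBLIC_FIELDS}


def update_user_secure(session_user_id, target_id, body, users):
    user = _owned_by(session_user_id, target_id, users)
    if user is None:
        return None
    for key in WRITABLE_FIELDS:           # unknown/forbidden keys are ignored
        if key in body:
            user[key] = body[key]
    return {k: user[k] for k in PUBLIC_FIELDS}
```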
Testing an API is a little different from web pen testing.
There is no screen to look at, so testers must have a better understanding of the API or application to successfully discover and exploit vulnerabilities.
Recommended Tools for API Pen Testing:
- Postman: popular API development and testing tool
- Burp extensions: Autorize, JWT Attacker, Turbo Intruder, Auto Repeater
References:
https://www.gartner.com/en/documents/3956746/api-security-what-you-need-to-do-to-protect-your-apis