OWASP API Top 10 — Architecture Overview and Common Vulnerabilities

As organizations continue to expand the compatibility and coordination with each other and as companies do the switch to the cloud. APIs are the conjunctive tissue responsible for transferring information between systems in collaboration, together internally and externally.

According to Gartner, API will account for 90% of the attack surface, exploiting APIs will be the most common attack vector for data breaches within enterprise web applications. By 2022, API will become the most frequent attack vector!

API Overview:

API allows one application to communicate with another without having to have direct interoperability mechanisms built within.

Using an API, users of application ‘X’ can communicate and utilize data from application ‘Y’. This imparts opportunity for a company to leverage resources of Third-Party data and technologies.

API Architecture:

Two main categories of API architectures:

  1. REST: Representational State Transfer

REST architecture uses many different methods using HTTP & JSON. It also uses SSL as a mechanism.

Built on Client-Server Principle, it is lighter and easier to use across the web.

REST APIs are stateless and thus are also less complex. Stateless means that any server can handle the API request.

While considering API security, REST architecture must be uniform, meaning all requests must appear the same, so the servers handling the requests can properly handle them and none are dropped.

This facilitates the ‘Availability’ edge of the CIA triad.

2. SOAP: Simple Object Access Protocol

SOAP is not an architecture, it is a protocol that builds on REST API and uses more strict security standards to ensure the Integrity and Confidentiality. SOAP also uses SSL. Often used in sensitive environments such as Banking where sensitive information changes must be accessed across multiple resources.

API Types:

  1. OpenAPI:

OpenAPI also known as Public APIs.

Open APIs do not require authentication to access the API or its resources, it’s open to the public for anyone to use.

2. Internal API:

Internal APIs require authentication and are intended to be used for specific users. Eg: Banks {Banks would use the series of internal APIs like SOAP to allow interconnectivity across its internal structure }

3. Partner API:

Partner API used in the case of an organization extending its resources to third party (SaaS).

Partner APIs are not similar to Internal APIs, whereas Partner API is strictly used between a Client & Provider.

4. Composite API:

Composite APIs are a mix of different APIs that help to handle APIs more efficiently.

Composite APIs are considered to be an architectural solution to efficiency problems posted by REST APIs.

IoT, Smart Homes and autonomous vehicles will make APIs even more popular. And so will the attacks.

OWASP is a non-profit organization that works to improve the security of web applications & software.

Erez Yalon and Inon Shkedy created the OWASP API Security Project, the OWASP API Security Top Ten.

OWASP API Security Top Ten:

  • A1 Broken Object Level Authorization
  • A2 Broken Authentication
  • A3 Excessive Data Exposure
  • A4 Lack of Resources and Rate Limiting
  • A5 Broken Function Level Authorization
  • A6 Mass Assignment
  • A7 Security Misconfiguration
  • A8 Injection
  • A9 Improper Assets Management
  • A10 Insufficient Logging and Monitoring

Testing an API is little different from Web Pen Testing.

There is NO Screen to look at, testers must have a better understanding of the API or Application to successfully discover and exploit vulnerabilities.

Recommended Tools for API Pen Testing:

Postman: Popular API Development and Testing Tool

Burp Extensions (Autorize, JWT Attacker, Turbo Intruder, Auto Repeater)

References:

https://www.gartner.com/en/documents/3956746/api-security-what-you-need-to-do-to-protect-your-apis

https://owasp.org/www-project-api-security/

--

--

--

💻 Cybersecurity Enthusiast: | 🌐 OSINT | 📈 Vulnerability Assesment | 🛠️ VAPT

Recommended from Medium

EDR Avoidance — LimaCharlie

PortSwigger Web Security Academy Labs — XXE Injection, CSRF, SSRF, CORS Apprentice Level

PrivacySwap! Featuring the Single Assets!

The biggest online advertising fraud in history, and how blockchain can make ad fraud history

Videocall apps and data security in times of pandemic

How To Delete Google Account On Phone Or Computer

{UPDATE} Rolly Cube 3D! Hack Free Resources Generator

How to claim KSM token

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Pratik Dhavade

Pratik Dhavade

💻 Cybersecurity Enthusiast: | 🌐 OSINT | 📈 Vulnerability Assesment | 🛠️ VAPT

More from Medium

API Pentesting using Postman and OWASP ZAP

Getting Started with Docker

Google cloud functions with Jest-Playwright

Hack The Box — Unified