Owasp Api Security Top 10 Cheat Sheet A4
Owasp Api Security Top 10 Cheat Sheet A4
The OWASP Top 10 project has for a long time been the
standard list of top vulnerabilities to look for and mitigate in
the world of web applications. APIs represent a significantly
different set of threats, attack vectors, and security best
42Crunch’s ability to
practices for enterprises. That is why the OWASP commu-
secure both the CI/CD
nity launched a new classification of Top 10 vulnerabilities,
pipeline & the runtime
specific to API Security.
environment makes it a
42Crunch offers end-to-end protection for APIs with a compelling candidate
developer-first platform that enables continuous, automat- for any API security
ed and scalable API security. Enterprises do not have to rely project.
on security by obscurity, manually configured rules, or
hope that some anomaly detection can report an attack.
With 42Crunch, our platform automatically protects your RIK TURNER
APIs from the OWASP Top 10 API Security Vulnerabilities Principal Analyst
and many additional threats. OMDIA
ones, which they guessed: • Don’t rely on IDs sent from client. Use IDs stored in the
/api/shop2/financial_details session object instead.
• The API does not check permissions and lets the call • Check authorization each time there is a client request
through to access database
• Problem is aggravated if IDs can be enumerated: • Use random non-guessable IDs (UUIDs)
/api/123/financial_details
2. BROKEN AUTHENTICATION
Poorly implemented API authentication allowing attackers to assume other users’ identities.
HOW TO PREVENT
get authenticated and should be protected just as seriously
• Weak, not rotating API keys
USE CASES
HOW TO PREVENT
• Review all responses and adapt responses to what the
• APIs return full data objects as they are stored by the
API consumers really need
USE CASES
database
• Define schemas of all the API responses
• Client application shows only the data that user needs
• Don’t forget about error responses
to see
• Identify all the sensitive or PII info and justify its use
• Attacker calls the API directly and gets sensitive data
• Enforce response checks to prevent accidental data and
exception leaks
• Rate limiting
• Attacker overloading the API
USE CASES
HOW TO PREVENT
• Non-privileged users can access these functions if they • Don’t rely on app to enforce admin access
USE CASES
know how
• Deny all access by default
• Can be a matter of knowing the URL, using a different
• Grant access based on specific roles
verb or parameter
• Properly design and test authorization
/api/users/v1/user/myinfo
/api/admins/v1/users/all
6. MASS ASSIGNMENT
HOW TO PREVENT
and stored • Explicitly define all the parameters and payloads you are
USE CASES
NodeJS: expecting
var user = new User(req.body); • For object schemas, use the readOnly set to true for all
user.save(); properties that can be retrieved via APIs but should never be
Rails: modified
@user = User.new(params[:user])
• Precisely define at design time the schemas, types, patterns
• Attackers can guess the fields by looking at the GET you will accept in requests and enforce them at runtime
request data
7. SECURITY MISCONFIGURATION
Poor configuration of the API servers allows attackers to exploit them.
• Unpatched systems
HOW TO PREVENT
• Unprotected files and directories
• Repeatable hardening and patching processes
• Unhardened images
USE CASES
8. INJECTION
Attacker constructs API calls that include SQL-, NoSQL-, LDAP-, OS- and other commands that the API
or backend behind it blindly executes.
HOW TO PREVENT
• SQL, NoSQL • Strictly define all input data: schemas, types, string patterns
• LDAP - and enforce them at runtime
• OS commands • Validate, filter, sanitize all incoming data
. XML parsers • Define, limit, and enforce API outputs to prevent data leaks
• Object-Relational Mapping (ORM)
9. IMPROPER ASSETS MANAGEMENT
Attacker finds non-production versions of the API: such as staging, testing, beta or earlier versions - that
are not as well protected, and uses those to launch the attack.
HOW TO PREVENT
versions) • Limit access to anything that should not be public
USE CASES
• Desire to maintain backward compatibility forces to leave • Limit access to production data. Segregate access to
old APIs running production and non-production data.
• Old or non-production versions are not properly maintained • Implement additional external controls such as API firewalls
• These endpoints still have access to production data • Properly retire old versions or backport security fixes
• Once authenticated with one endpoint, attacker may • Implement strict authentication, redirects, CORS, etc.
switch to the other
HOW TO PREVENT
• Ensure that logs are formatted to be consumable by other
unnoticed
tools
USE CASES
ABOUT 42CRUNCH
APIs are the core building block of every enterprise's digital
strategy, yet they are also the number one attack surface for
hackers. The time is right for a new approach to API security.
42Crunch offers the industry's only Developer-First API We meet the most rigorous
Security platform to empower your developers with a industry security standards.
shift-left approach to design and automate security into
your APIs. The platform's shield-right runtime enforcement
capability also provides security teams with full visibility and
control of security policy enforcement throughout the API
lifecycle. We contribute to
the community work on
San Francisco - Dublin - São Paulo - Montpellier - London the OpenAPI specification.
© 42Crunch.com 2021