OWASP API notes

 Vulnerability I - Broken Object Level Authorization (BOLA) 

How does it Happen? 

BOLA refers to Insecure Direct Object Reference (IDOR) - which creates a scenario where the user uses the input functionality and gets access to the resources they are not authorized to access. In an API, such controls are usually implemented through programming in Models (Model-View-Controller Architecture) at the code level. 

 

Likely Impact 

The absence of controls to prevent unauthorized object access can lead to data leakage and, in some cases, complete account takeover. User's or subscribers' data in the database plays a critical role in an organization’s brand reputation; if such data is leaked over the internet, that may result in substantial financial loss. 

 

Mitigation Measures 

·        An authorization mechanism that relies on user policies and hierarchies should be adequately implemented.  

·        Strict access controls methods to check if the logged-in user is authorized to perform specific actions.  

·        Promote using completely random values (strong encryption and decryption mechanism) for nearly impossible-to-predict tokens. 

 

Vulnerability II - Broken User Authentication (BUA)

How does it happen? 

User authentication is the core aspect of developing any application containing sensitive data. Broken User Authentication (BUA) reflects a scenario where an API endpoint allows an attacker to access a database or acquire a higher privilege than the existing one. The primary reason behind BUA is either invalid implementation of authentication like using incorrect email/password queries etc., or the absence of security mechanisms like authorization headers, tokens etc. 

 

Consider a scenario in which an attacker acquires the capability to abuse an authentication API; it will eventually result in data leaks, deletion, modification, or even the complete account takeover by the attacker. Usually, hackers have created special scripts to profile, enumerate users on a system and identify authentication endpoints. A poorly implemented authentication system can lead any user to take on another user's identity.  

 

Likely Impact  

In broken user authentication, attackers can compromise the authentication mechanism and easily access sensitive data. Malicious actors can pretend to be someone authorized and can conduct an undesired activity, including a complete account takeover.  

 

Mitigation Measures  

Ensure complex passwords with higher entropy for end users. 

Do not expose sensitive credentials in GET or POST requests. 

Enable strong JSON Web Tokens (JWT), authorization headers etc. 

Ensure the implementation of multifactor authentication (where possible), account lockout, or a captcha system to mitigate brute force against particular users.  

Ensure that passwords are not saved in plain text in the database to avoid further account takeover by the attacker.  



Vulnerability III - Excessive Data Exposure 

How does it happen? 

Excessive data exposure occurs when applications tend to disclose more than desired information to the user through an API response. The application developers tend to expose all object properties (considering the generic implementations) without considering their sensitivity level. They leave the filtration task to the front-end developer before it is displayed to the user. Consequently, an attacker can intercept the response through the API and quickly extract the desired confidential data. The runtime detection tools or the general security scanning tools can give an alert on this kind of vulnerability. However, it cannot differentiate between legitimate data that is supposed to be returned or sensitive data.  

 

Likely Impact  

A malicious actor can successfully sniff the traffic and easily access confidential data, including personal details, such as account numbers, phone numbers, access tokens and much more. Typically, APIs respond with sensitive tokens that can be later on used to make calls to other critical endpoints. 

 
 

Mitigation Measures  

·        Never leave sensitive data filtration tasks to the front-end developer.  

·        Ensure time-to-time review of the response from the API to guarantee it returns only legitimate data and checks if it poses any security issue.  

·        Avoid using generic methods such as to_string() and to_json()

·        Use API endpoint testing through various test cases and verify through automated and manual tests if the API leaks additional data. 

 

Vulnerability IV - Lack of Resources & Rate Limiting 

 

How does it happen? 

Lack of resources and rate limiting means that APIs do not enforce any restriction on the frequency of clients' requested resources or the files' size, which badly affects the API server performance and leads to the DoS (Denial of Service) or non-availability of service. Consider a scenario where an API limit is not enforced, thus allowing a user (usually an intruder) to upload several GB files simultaneously or make any number of requests per second. Such API endpoints will result in excessive resource utilization in network, storage, compute etc. 

Nowadays, attackers are using such attacks to ensure the non-availability of service for an organization, thus tarnishing the brand reputation through increased downtime. A simple example is non-compliance with the Captcha system on the login form, allowing anyone to make numerous queries to the database through a small script written in Pytho 

 

Likely Impact  

The attack primarily targets the Availability principles of security; however, it can tarnish the brand's reputation and cause financial loss. 

 
 

Mitigation Measures  

·        Ensure using a captcha to avoid requests from automated scripts and bots. 

·        Ensure implementation of a limit, i.e., how often a client can call an API within a specified time and notify instantly when the limit is exceeded.  

·        Ensure to define the maximum data size on all parameters and payloads, i.e., max string length and max number of array elements. 

 

Vulnerability V - Broken Function Level Authorization 

How does it happen? 

Broken Function Level Authorization reflects a scenario where a low privileged user (e.g., sales) bypasses system checks and gets access to confidential data by impersonating a high privileged user (Admin). Consider a scenario of complex access control policies with various hierarchies, roles, and groups and a vague separation between regular and administrative functions leading to severe authorization flaws. By taking advantage of these issues, the intruders can easily access the unauthorized resources of another user or, most dangerously – the administrative functions.  
 

Broken Function Level Authorization reflects IDOR permission, where a user, most probably an intruder, can perform administrative-level tasks. APIs with complex user roles and permissions that can span the hierarchy are more prone to this attack.  

 
 

Likely Impact  

The attack primarily targets the authorization and non-repudiation principles of security. Broken Functional Level Authorization can lead an intruder to impersonate an authorized user and let the malicious actor get administrative rights to perform sensitive tasks.  

 
 

 

Mitigation Measures  

·        Ensure proper design and testing of all authorization systems and deny all access by default.  

·        Ensure that the operations are only allowed to the users belonging to the authorized group.  

·        Make sure to review API endpoints against flaws regarding functional level authorization and keep in mind the apps and group hierarchy's business logic.  

 

Vulnerability VI - Mass Assignment 

How does it happen? 

Mass assignment reflects a scenario where client-side data is automatically bound with server-side objects or class variables. However, hackers exploit the feature by first understanding the application's business logic and sending specially crafted data to the server, acquiring administrative access or inserting tampered data. This functionality is widely exploited in the latest frameworks like Laravel, Code Ignitor etc. 
 

Consider a user's profiles dashboard where users can update their profile like associated email, name, address etc. The username of the user is a read-only attribute and cannot be changed; however, a malicious actor can edit the username and submit the form. If necessary, filtration is not enabled on the server side (model), it will simply insert/update the data in the database.  

 
 

Likely Impact  

The attack may result in data tampering and privilege escalation from a regular user to an administrator.  

 

 

Mitigation Measures  

·        Avoid using functions that bind an input from a client to code variables automatically. 

·        Allowlist those properties only that need to get updated from the client side.  

 

Vulnerability VII - Security Misconfiguration

How does it happen? 

Security misconfiguration depicts an implementation of incorrect and poorly configured security controls that put the security of the whole API at stake. Several factors can result in security misconfiguration, including improper/incomplete default configuration, publicly accessible cloud storage, Cross-Origin Resource Sharing (CORS)and error messages displayed with sensitive data. Intruders can take advantage of these misconfigurations to perform detailed reconnaissance and get unauthorized access to the system.  

Security misconfigurations are usually detected by vulnerability scanners or auditing tools and thus can be curtailed at the initial level. API documentation, a list of endpoints, error logs etc., must not be publicly accessible to ensure safety against security misconfigurations. Typically, companies deploy security controls like web application firewalls, which are not configured to block undesired requests and attacks. 
 

 
 

Likely Impact  

Security misconfiguration can give intruders complete knowledge of API components. Firstly, it allows intruders to bypass security mechanisms. Stack trace or other detailed errors can provide the malicious actor access to confidential data and essential system details, further aiding the intruder in profiling the system and gaining entry.   

 

 

Mitigation Measures  

·        Limit access to the administrative interfaces for authorized users and disable them for other users.  

·        Disable default usernames and passwords for public-facing devices (routers, Web Application Firewall etc.). 

·        Disable directory listing and set proper permissions for every file and folder.  

·        Remove unnecessary pieces of code snippets, error logs etc. and turn off debugging while the code is in production. 



Vulnerability VIII - Injection 

How does it happen? 

Injection attacks are probably among the oldest API/web-based attacks and are still being carried out by hackers on real-world applications. Injection flaws occur when user input is not filtered and is directly processed by an API; thus, enabling the attacker to perform unintended API actions without authorization. An injection may come from Structure Query Language (SQL), operating system (OS) commands, Extensible Markup Language (XML) etc. Nowadays, frameworks offer functionality to protect against this attack through automatic sanitization of data; however, applications built in custom frameworks like core PHP are still susceptible to such attacks.  

 
 

Likely Impact  

Injection flaws may lead to information disclosure, data loss, DoS, and complete account takeover. The successful injection attacks may also cause the intruders to access the sensitive data or even create new functionality and perform remote code execution.  

 

 

Mitigation Measures 

·        Ensure to use a well-known library for client-side input validation. 

·        If a framework is not used, all client-provided data must be validated first and then filtered and sanitized.  

·        Add necessary security rules to the Web Application Firewall (WAF). Most of the time, injection flaws can be mitigated at the network level. 

·        Make use of built-in filters in frameworks like Laravel, Code Ignitor etc., to validate and filter data.  

 

Vulnerability IX - Improper Assets Management 

How does it happen? 

Inappropriate Asset Management refers to a scenario where we have two versions of an API available in our system; let's name them APIv1 and APIv2. Everything is wholly switched to APIv2, but the previous version, APIv1, has not been deleted yet. Considering this, one might easily guess that the older version of the API, i.e., APIv1, doesn't have the updated or the latest security features. Plenty of other obsolete features of APIv1 make it possible to find vulnerable scenarios, which may lead to data leakage and server takeover via a shared database amongst API versions. 

It is essentially about not properly tracking API endpoints. The potential reasons could be incomplete API documentation or absence of compliance with the Software Development Life CycleA properly maintained, up-to-date API inventory and proper documentation are more critical than hardware-based security control for an organization. 
 

 
 

Likely Impact  

The older or the unpatched API versions can allow the intruders to get unauthorized access to confidential data or even complete control of the system.  

 

 

Mitigation Measures  
 

·        Access to previously developed sensitive and deprecated API calls must be blocked at the network level. 

·        APIs developed for R&D, QA, production etc., must be segregated and hosted on separate servers. 

·        Ensure documentation of all API aspects, including authentication, redirects, errors, CORS policy, and rate limiting.  

·        Adopt open standards to generate documentation automatically. 

 

Vulnerability X - Insufficient Logging & Monitoring 

How does it happen? 

Insufficient logging & monitoring reflects a scenario when an attacker conducts malicious activity on your server; however, when you try to track the hacker, there is not enough evidence available due to the absence of logging and monitoring mechanisms. Several organizations only focus on infrastructure logging like network events or server logging but lack API logging and monitoring. Information like the visitor's IP address, endpoints accessed, input data etc., along with a timestamp, enables the identification of threat attack patterns. If logging mechanisms are not in place, it would be challenging to identify the attacker and their details. Nowadays, the latest web frameworks can automatically log requests at different levels like error, debug, info etc. These errors can be logged in a database or file or even passed to a SIEM solution for detailed analysis. 

 
 

Likely Impact  

Inability to identify attacker or hacker behind the attack.  

 

 

Mitigation Measures  

·        Ensure use of the Security Information and Event Management (SIEM) system for log management.  

·        Keep track of all denied accesses, failed authentication attempts, and input validation errors, using a format imported by SIEM and enough detail to identify the intruder. 

·        Handle logs as sensitive data and ensure their integrity at rest and transit. Moreover, implement custom alerts to detect suspicious activities as well.  

 


No comments :

Post a Comment