Now that we understand how APIs are constructed, we will turn our attention to the core topic of this book—API security. In this chapter, we will focus on the different types of vulnerabilities that can adversely impact API security, gaining an understanding of the underlying cause, the impact, and the recommended prevention or mitigation for each.

In this chapter, we’re going to cover the following main topics:

• The importance of vulnerability classification
• The Open Worldwide Application Security Project API Security Top 10 vulnerabilities
• Vulnerabilities versus abuse cases
• Business logic vulnerabilities

Security researchers have long understood the importance of classifying vulnerabilities within software and hardware systems. Classification allows researchers to group similar vulnerabilities together based on their characteristics and then apply standard patterns for mitigation and protection.

Flaws versus vulnerabilities versus exploits versus threats versus risks

The preceding terms cause confusion in the security industry, so it is worth disambiguating them as they are subtly different.

A flaw is an implementation defect or weakness in code that may be latent or exploitable.A vulnerability is a flaw that can be exploited by an attacker. An exploit is a procedure or method used by an attacker to take advantage of a flaw, that is, it is the “how” of a vulnerability. A threat is anything that has the potential to do harm to a system, and it can be intentional (a hacker) or unintentional (forgetting to patch a system...

Let us now start our exploration of the Open Worldwide Application Security Project API Security Top 10 vulnerabilities. Although the standard Open Worldwide Application Security Project listing provides the vulnerabilities in decreasing order of severity, I have chosen to group them by vulnerability type and root cause to aid understanding. Shall we begin?

Object-level vulnerabilities

There is only one object-level vulnerability, which is the now infamous broken object-level authorization, which is number one in the Open Worldwide Application Security Project API Security Top 10.

API1:2019—Broken object-level authorization

The easiest real-world analogy to understand broken object-level authorization (BOLA) is that of a coat check-in at an entertainment venue. Upon arrival, you drop your coat off with the clerk and are given a ticket with a number, let’s say #10, for example. Now...

While the discussion so far has focused on vulnerabilities (flaws in software that can be exploited by an attacker), we need to also consider the impact of API abuse on API security. API abuse is generally defined as the use of an API in an unexpected way, leading to negative consequences. Normally, an API is designed to support a mobile application or website; however, since the API is exposed, curious users or adversaries can reverse-engineer the API and use it for their own purposes.

An excellent example comes from the supermarket industry in the United Kingdom during the first Covid-19 lockdown. Supermarket delivery services rapidly became oversubscribed, and supermarkets quickly implemented limiting controls on the web frontends to avoid total overload and failure. Curious developers quickly examined the APIs and found endpoints that allowed access to the booking system and were able to reserve precious delivery slots by bypassing the frontend...

The final category of vulnerability is that of business logic vulnerabilities, which allow an attacker to elicit unexpected behaviors with negative consequences. They are closely aligned with abuse cases and can be notoriously difficult to eliminate. The key is to think like an adversary—threat modeling exercises can be useful in highlighting business logic vulnerabilities.

There are several good examples of business logic vulnerabilities affecting APIs:

• Relying on client-side controls: One of the most nefarious and persistent weaknesses (highlighted frequently in this chapter) is the reliance on client-side controls to implement security. Simply put, they do not work and can always be defeated—do not use them.
• Trusting users: Avoid trusting that the user will behave in the way you intended; typical examples include not providing required parameters or supplying the wrong format of data.
• Trusting partners and third parties...

As mentioned earlier in this chapter, the Open Worldwide Application Security Project API Security Top 10 is undergoing changes to reflect the API threat landscape in 2023. At the time of writing, this update was still in a release candidate stage, with an ongoing request for comment (RFC) in place via the Open Worldwide Application Security Project GitHub repository (https://github.com/OWASP/API-Security/tree/master/editions/2023/en).

Let us take a quick look at the currently proposed Top 10, shown in summary here:

The rest of the chapter is locked

You have been reading a chapter from

Defending APIs

Published in: Feb 2024Publisher: PacktISBN-13: 9781804617120

© 2024 Packt Publishing Limited All Rights Reserved

Author (1)

Colin Domoney

Colin Domoney (BSc. MSc. CSSLP, CEH) is an API Security Research Specialist and Developer Advocate with deep expertise in the development of secure software. As VP of AppSec, he took on the challenge of securing software on a large scale and running the global AppSec program at Deutsche Bank. At Veracode, as an evangelist, he produces countless webinars, and blog posts, and speak globally at conferences. Currently, he has embraced the challenge of securing APIs with 42Crunch where he has produced the API industry's first security maturity model and contributed to numerous webinars, talks, and blogs. Currently, he is working on the industry's first defensive API developer training course. He is also the curator of the APISecurity weekly newsletter.
Read more about Colin Domoney

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages