API Security Assessment OWASP 2019 Test Cases

June 17, 2020

An Application Programming Interface (API) is a component that enables communication between two different applications. The applications may be built on different platforms and may each use their own database server. An API exposes data and functionality so that multiple applications or services can work together, and it hides the internals of the other system from developers, who no longer need to work out how the other platform's application behaves. APIs are also used to extend the functionality of existing applications.

Importance of API Security Testing:

API security testing is essential because an API is often the easiest entry point for an attacker who wants to reach an organization's systems. The threats to the data reachable through the API need to be identified and eliminated to make the application more secure.

A security flaw inside one application affects that application's data, but a flaw in an API affects every application that relies on the API. A security issue in your API can therefore compromise your entire application as well as the external organizations that integrate with it.

Misconfigured APIs, or a lack of API security altogether, can lead to attacks such as unauthorized access to sensitive data, denial of service, or excessive data exposure. To secure an API it is necessary to understand all the flaws it may contain, and penetration testing of the API is how those flaws are found.

API Security Penetration Testing:

API security penetration testing is a simulated cyber-attack against the API, carried out to confirm that the API resists realistic threats and is free of vulnerabilities such as man-in-the-middle attacks, insecure endpoints, missing authentication, denial of service, and exposure of sensitive data such as credit card details, financial records and business information.

Because the risk carried by an insecure API matters so much to the security of the application as a whole, OWASP publishes its top 10 API vulnerabilities as a separate project dedicated purely to API security (the OWASP API Security Top 10, 2019 edition):

  1. API1:2019 Broken Object Level Authorization: API endpoints that take an object identifier from the client and use it to look up a resource are exposed to object-level access control flaws. Every endpoint that accepts an object reference must check that the requesting user is authorized for that specific object, not merely that the user is logged in.
  2. API2:2019 Broken User Authentication: Poorly implemented authentication on API endpoints, such as weak protection of access tokens, lets attackers exploit authentication flaws and assume a user's identity, which compromises every API resource belonging to that user.
  3. API3:2019 Excessive Data Exposure: Excessive data exposure is found by intercepting the traffic and analysing the API responses for sensitive data that should never have been returned to the client. Never rely on the client to filter sensitive data; the server must return only the fields the client is meant to see.
  4. API4:2019 Lack of Resources & Rate Limiting: When the API does not limit the number of requests or the size of payloads, attackers can abuse it for denial of service (DoS) and for authentication attacks such as brute force. Limit how often a user can call the API within a defined time window, and cap request sizes.
  5. API5:2019 Broken Function Level Authorization: Users with low privileges can perform sensitive actions, such as calling administrative endpoints, when the endpoint does not enforce that it belongs to administrators only. Authorization for each operation must be enforced server-side according to the user's role.
  6. API6:2019 Mass Assignment: Mass assignment occurs when user-supplied input is automatically bound to internal object properties without regard to the sensitivity or exposure of those properties. This allows an attacker to update object properties they are not authorized to change, such as a role, a price or an owner.
  7. API7:2019 Security Misconfiguration: A poorly configured API server, with misconfigured HTTP headers, unnecessary HTTP methods, missing TLS, permissive cross-origin resource sharing (CORS), improper error handling, or unprotected files and directories, can give attackers unauthorized access to or knowledge of the system. This is managed by establishing a repeatable hardening and patching process.
  8. API8:2019 Injection: When untrusted data is sent to an interpreter as part of a command or query, it can lead to injection flaws such as SQL, NoSQL, command or LDAP injection, where the API or the backend behind it blindly executes the attacker's input. All incoming data must be validated, filtered and sanitized, and queries must be parameterized.
  9. API9:2019 Improper Assets Management: Attackers find non-production or unused versions of the API, such as older API versions, and may gain access to sensitive data or even take over the server through old, unpatched versions that are still connected to the same database.
  10. API10:2019 Insufficient Logging & Monitoring: Attackers take advantage of insufficient logging and monitoring. Without visibility of ongoing malicious activity, attackers have plenty of time to fully compromise systems.
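The following added example (not code from the original post or from SecureLayer7) shows API1, API5 and API6 side by side on a tiny in-memory "orders" API: each vulnerable handler is followed by its hardened form. The users, tokens and order records are constructed for the example; `call` stands in for the router that maps handler results and errors to HTTP status codes.

```python
"""Added example: vulnerable vs hardened handlers for API1 (BOLA), API5 (BFLA)
and API6 (mass assignment). All users, tokens and records below are constructed."""
import copy

# Constructed sample data: two customers and one admin, each with a bearer token.
USERS = {
    "tok-alice": {"id": 1, "role": "customer"},
    "tok-bob":   {"id": 2, "role": "customer"},
    "tok-admin": {"id": 9, "role": "admin"},
}
ORDERS = {
    100: {"id": 100, "owner_id": 1, "item": "laptop", "status": "paid",    "discount": 0},
    101: {"id": 101, "owner_id": 2, "item": "phone",  "status": "pending", "discount": 0},
}
# API6 mitigation: the only fields a customer may change on their own order.
CLIENT_WRITABLE = {"item"}


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def authenticate(token):
    """API2: resolve the bearer token to a user or reject the call."""
    user = USERS.get(token)
    if user is None:
        raise ApiError(401, "invalid token")
    return user


def call(handler, *args):
    """Router-level wrapper: turn a handler result or ApiError into (status, payload)."""
    try:
        return 200, handler(*args)
    except ApiError as e:
        return e.status, {"error": str(e)}


# ---- vulnerable handlers -------------------------------------------------
def get_order_vulnerable(token, order_id):
    """API1: authenticates the caller but never checks who owns the order."""
    authenticate(token)
    order = ORDERS.get(order_id)
    if order is None:
        raise ApiError(404, "no such order")
    return copy.deepcopy(order)


def update_order_vulnerable(token, order_id, body):
    """API6: binds every JSON field to the record, including owner_id, status and discount."""
    authenticate(token)
    order = ORDERS.get(order_id)
    if order is None:
        raise ApiError(404, "no such order")
    order.update(body)
    return copy.deepcopy(order)


def refund_all_vulnerable(token):
    """API5: an 'admin' operation that only checks for a valid token, not the role."""
    authenticate(token)
    for order in ORDERS.values():
        order["status"] = "refunded"
    return len(ORDERS)


# ---- hardened handlers ---------------------------------------------------
def load_owned_order(user, order_id):
    """Object-level check: a customer reaches only their own orders; 404 hides existence."""
    order = ORDERS.get(order_id)
    if order is None or (user["role"] != "admin" and order["owner_id"] != user["id"]):
        raise ApiError(404, "no such order")
    return order


def get_order(token, order_id):
    user = authenticate(token)
    return copy.deepcopy(load_owned_order(user, order_id))


def update_order(token, order_id, body):
    user = authenticate(token)
    order = load_owned_order(user, order_id)
    unknown = set(body) - CLIENT_WRITABLE
    if unknown:  # reject rather than silently drop, so misbehaving clients are noticed
        raise ApiError(400, "read-only or unknown fields: " + ", ".join(sorted(unknown)))
    order.update(body)
    return copy.deepcopy(order)


def refund_all(token):
    user = authenticate(token)
    if user["role"] != "admin":  # function-level check on the administrative operation
        raise ApiError(403, "admin only")
    for order in ORDERS.values():
        order["status"] = "refunded"
    return len(ORDERS)
```

Note that the hardened `load_owned_order` answers 404 rather than 403 for another user's object, so an attacker enumerating identifiers cannot distinguish "exists but not yours" from "does not exist".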

API Security Assessment Approach:

There are various methods for finding vulnerabilities during API security penetration testing. Fuzzing API endpoints can reveal access to sensitive information that should not be reachable. SQL injection is tested by sending special characters that break the query; the resulting errors can help enumerate the backend database, and instead of valid data the tester supplies input that is treated as part of the SQL statement and is ultimately executed on the database.
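The SQL injection check described above, as an added example that is not part of the original post, run against an in-memory SQLite table of constructed product rows. The vulnerable search endpoint builds its query by string concatenation; the probe sequence shows it first breaking, then widening, then pulling a column the API never exposes, while the parameterized version treats every payload as plain data.

```python
"""Added example: SQL-injection probes against a concatenated query and its
parameterized fix. The products table and its rows are constructed sample data."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products(id INTEGER, name TEXT, price REAL, internal_cost REAL)")
conn.executemany("INSERT INTO products VALUES (?,?,?,?)", [
    (1, "laptop", 999.0, 700.0),
    (2, "phone", 599.0, 350.0),
    (3, "headset", 99.0, 40.0),
])


def search_vulnerable(term):
    """GET /products?name=<term> built by concatenation: the API8 anti-pattern."""
    sql = "SELECT id, name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(term):
    """Same query with a bound parameter; the driver never parses <term> as SQL."""
    return conn.execute(
        "SELECT id, name, price FROM products WHERE name = ?", (term,)
    ).fetchall()


def probe(endpoint, payload):
    """What a tester records per payload: the rows returned, or the DB error leaked."""
    try:
        return {"rows": endpoint(payload), "error": None}
    except sqlite3.Error as e:
        return {"rows": [], "error": str(e)}


# Typical probe sequence: a lone quote to break the query (error message reveals the
# database), a tautology to widen the WHERE clause, then a UNION to read a column
# (internal_cost) that the endpoint was never meant to return.
PAYLOADS = [
    "laptop",
    "laptop'",
    "x' OR '1'='1",
    "x' UNION SELECT id, name, internal_cost FROM products--",
]


def run_probes(endpoint):
    return {p: probe(endpoint, p) for p in PAYLOADS}
```

Against `search_vulnerable` the second payload raises a syntax error (the kind of message that fingerprints the backend), the third returns every row, and the fourth returns rows whose third column is `internal_cost`; against `search_safe` all three malicious payloads simply match no product.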

Testers can also look for client-side vulnerabilities such as cross-site scripting (XSS) by supplying JavaScript payloads in request body parameters whose values are later rendered by a web client; a successful payload can then be used to hijack session information. The API documentation gives the tester a complete picture of all the available endpoints.

From the documentation, testers work out how to interact with the APIs. Based on the collected information, they perform create, edit, view and delete operations on every endpoint and check whether any of these operations can be carried out without the proper authorization.

It is also possible to obtain excessive information from endpoints. Often the data is filtered on the client side before being shown to the user, so an attacker can simply intercept the traffic and look for sensitive data that the API returns but the client hides.
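The checks from the assessment approach above, as an added example that is not part of the original post: a small harness starts a deliberately weak local API (constructed users, tokens and records only, served from a background thread) and then does what a tester does once the documentation has listed each user's object identifiers. It replays every identifier with a different user's token (API1), scans each legitimate response for field names that should never reach the client (API3), and confirms that each endpoint still refuses an unauthenticated call (API2). The field-name pattern and the sample data are assumptions of the example.

```python
"""Added example: an assessment harness for cross-user object access and
excessive data exposure, run against a constructed local target."""
import json
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# --- constructed target ------------------------------------------------------
TOKENS = {"tok-alice": 1, "tok-bob": 2}
USERS = {
    1: {"id": 1, "email": "alice@example.com", "password_hash": "$2b$12$abc", "ssn": "123-45-6789"},
    2: {"id": 2, "email": "bob@example.com",   "password_hash": "$2b$12$def", "ssn": "987-65-4321"},
}


class WeakApi(BaseHTTPRequestHandler):
    """GET /users/<id>: checks that *a* token is valid, never whose object it is."""
    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[7:] not in TOKENS:
            return self._send(401, {"error": "unauthorized"})
        m = re.fullmatch(r"/users/(\d+)", self.path)
        user = USERS.get(int(m.group(1))) if m else None
        if user is None:
            return self._send(404, {"error": "not found"})
        self._send(200, user)  # API3: returns the whole row and trusts the client to hide it

    def _send(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the harness output quiet
        pass


def start_target():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), WeakApi)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


# --- tester side -------------------------------------------------------------
SENSITIVE = re.compile(r"password|hash|ssn|secret|token|card", re.I)  # assumed field-name pattern
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars


def get(base, path, token=None):
    req = urllib.request.Request(base + path)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with OPENER.open(req, timeout=5) as r:
            return r.status, json.loads(r.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def assess(base, sessions):
    """sessions: {user: (token, [object ids that user legitimately owns])}."""
    findings = []
    for owner, (otok, ids) in sessions.items():
        for oid in ids:
            path = "/users/%d" % oid
            status, body = get(base, path, otok)
            if status == 200:
                leaked = sorted(k for k in body if SENSITIVE.search(k))
                if leaked:
                    findings.append(("API3", path, "sensitive fields: " + ", ".join(leaked)))
            if get(base, path)[0] != 401:
                findings.append(("API2", path, "accepted without a token"))
            for other, (atok, _) in sessions.items():
                if other != owner and get(base, path, atok)[0] == 200:
                    findings.append(("API1", path, "%s can read %s's object" % (other, owner)))
    return findings


def run_assessment():
    srv, base = start_target()
    try:
        return assess(base, {"alice": ("tok-alice", [1]), "bob": ("tok-bob", [2])})
    finally:
        srv.shutdown()
        srv.server_close()
```

Against the constructed target the run yields four findings: each user's record leaks `password_hash` and `ssn`, and each user can read the other's record. In a real engagement the `sessions` map is filled from the documentation and the object identifiers each test account creates during the CRUD pass.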

Here at SecureLayer7, we apply all of these approaches to finding vulnerabilities in APIs, which gives an organization assurance that its API is safe and secure.

How To Prevent API Security Attacks:

There are various attacks possible against an API. Below are a few mitigations for the API security risks listed above:

  • Implement authorization checks based on the user's group and role, for every object and every function the user can reach.
  • Implement anti-brute-force mechanisms to mitigate credential stuffing, dictionary attacks and brute force attacks on your authentication endpoints.
  • Make sure responses from the API do not disclose any sensitive data beyond what the client legitimately needs.
  • Implement proper server-side validation of request body parameters.
  • Validate, filter and sanitize all client-provided data, as well as data coming from integrated systems.
  • Whitelist only the properties that the client should be able to update.
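An anti-brute-force control for a login endpoint, corresponding to the second mitigation above and to API4, as an added example that is not part of the original post. A sliding window counts failed logins per account and per source address; once either budget is exhausted the endpoint answers 429 without consulting the credential store at all, so the attacker's remaining guesses are not even evaluated. The limits, credentials, addresses and the salted-hash stand-in for a real password KDF are assumptions of the example; a real deployment keeps the counters in a shared store rather than in process memory so that all API instances enforce the same budget.

```python
"""Added example: per-account and per-source failure budgets on a login endpoint.
Credentials, limits and addresses are constructed for the example."""
import hashlib
import hmac
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 300
MAX_FAILS_PER_ACCOUNT = 5   # stops a dictionary attack against one user
MAX_FAILS_PER_SOURCE = 20   # stops credential stuffing spread over many users


def _hash(pw, salt="static-demo-salt"):
    """Stand-in for a real password KDF (bcrypt/argon2); salted SHA-256 keeps the example self-contained."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()


CREDENTIALS = {"alice": _hash("correct horse battery staple")}  # constructed credential store


class FailureWindow:
    """Counts failures per key within the last WINDOW_SECONDS (sliding window)."""
    def __init__(self, limit, clock=time.monotonic):
        self.limit, self.clock = limit, clock  # injectable clock makes the window testable
        self.events = defaultdict(deque)

    def _prune(self, key, now):
        q = self.events[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def blocked(self, key):
        return len(self._prune(key, self.clock())) >= self.limit

    def record(self, key):
        now = self.clock()
        self._prune(key, now).append(now)


class LoginEndpoint:
    def __init__(self, clock=time.monotonic):
        self.by_account = FailureWindow(MAX_FAILS_PER_ACCOUNT, clock)
        self.by_source = FailureWindow(MAX_FAILS_PER_SOURCE, clock)

    def login(self, username, password, source_ip):
        """Returns an HTTP status: 200, 401, or 429 when a failure budget is exhausted."""
        if self.by_account.blocked(username) or self.by_source.blocked(source_ip):
            return 429  # no credential check at all while blocked
        candidate = _hash(password)  # always computed, so unknown users cost the same time
        stored = CREDENTIALS.get(username)
        ok = stored is not None and hmac.compare_digest(stored, candidate)
        if not ok:
            self.by_account.record(username)
            self.by_source.record(source_ip)
            return 401  # same response for bad user and bad password
        return 200


def attempt_sequence(endpoint, attempts):
    """Replay (username, password, source_ip) tuples and return the status codes, as a test case would."""
    return [endpoint.login(u, p, ip) for u, p, ip in attempts]
```

With these limits five wrong guesses lock the account for the rest of the window, so even the correct password is refused with 429 until the window slides; twenty failures from one address across different usernames lock that address regardless of which accounts it tries.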

Conclusion:

API security is a critical aspect of protecting your organization's sensitive data, such as business-critical information, payment details and personal information. SecureLayer7 provides an advanced approach to API security penetration testing and recommends mitigations for the problems found in your API, which will help you avoid the consequences of a compromised API.
