SlideShare a Scribd company logo

APISecurity_OWASP_MitigationGuide

Isabelle Mauny
Isabelle Mauny

Presentation from the OWASP 20th Anniversary conference. An overview of API Security issues and associated top 10 and how to address them.

Software
1 of 31
Download to read offline
Isabelle Mauny OWASP API Security Top 10: A Beginner's Guide to Mitigation How to prevent typical API issues from design time isabelle@42crunch.com
OWASP API Sec Top 10: A Mitigation Guide API Breaches are on the rise! • 350+ breaches reported on apisecurity.io since Oct. 2018 • And those are just the public ones! • Recurring Combination of: • Lack of Input validation • Lack of Rate Limiting • Data/Exception leakage • Authorization issues • Authentication issues https://siliconangle.com/2021/09/16/ibm-report-finds-two-thirds-cloud-breaches-traced-misconfigured-apis
WHY IS THIS HAPPENING? 3
OWASP API Sec Top 10: A Mitigation Guide WE ARE HUMANS!
OWASP API Sec Top 10: A Mitigation Guide Security is considered too late!
OWASP API Sec Top 10: A Mitigation Guide MANY APIS, MANY DEPLOYMENTS APPLICATION DEVELOPMENT APPLICATION SECURITY
Applications Architecture has changed! Source: https://apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm
“The perimeter has disappeared. It’s no longer about protecting boundaries, it’s about protecting data.”
OWASP API Sec Top 10: A Mitigation Guide OWASP API Security Top 10 APIs have different vulnerabilities • API1 : Broken Object Level Access Control • API2 : Broken Authentication • API3 : Excessive Data Exposure • API4 : Lack of Resources & Rate Limiting • API5 : Missing Function Level Access Control • API6 : Mass Assignment • API7 : Security Misconfiguration • API8 : Injection • API9 : Improper Assets Management • API10 : Insufficient Logging & Monitoring DOWNLOAD Data Protection Auth / Authorization Governance/Operations
OWASP API Sec Top 10: A Mitigation Guide Parler (January 2021) • Wild combination of issues! • 70 TB of user’s data leaked • Core Issues • No Authentication • No Rate limiting • Sequential IDs • Leaked raw metadata about posts, including location • Deleted data was not deleted, just hidden in the UI https://apisecurity.io/issue-116-facebook-parler-api-vulnerabilities-clairvoyance/ API2 API3 API4 API5 API6 API10 API9 API8 API7 API1
DATA PROTECTION 11
OWASP API Sec Top 10: A Mitigation Guide Excessive Data Exposure (API 3) Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user. Mass Assignment (API 6) Binding client provided data (e.g., JSON) to data models, without proper properties filtering based on an allowlist, usually leads to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to. Injection (API 8) Injection flaws, such as SQL, NoSQL, Command Injection, etc. occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
OWASP API Sec Top 10: A Mitigation Guide Input Data Validation • No Trust (even for internal APIs and for East-West traffic) • Validation can happen client side, but it must happen server-side! • Do not blindly update data records from request payloads • Avoid using the same data structures for reads and updates • Validate Inputs • Only accept information specified in schemas (contract-based, allowList approach) and headers - Reject all others. • Can be enforced: • In the code with annotations • In API Gateways • in API Firewalls • In general , the earlier the better !
OWASP API Sec Top 10: A Mitigation Guide Another API3 vector: JWTs! Recommended best practice: Use opaque tokens for external consumption Use JWTs for internal consumption
OWASP API Sec Top 10: A Mitigation Guide Output Data Validation • Review and approve data returned by APIs • Never rely on client apps to filter data : instead, create various APIs depending on consumer, with just the data they need • Take control of your JSON schemas ! • Describe the data thoroughly and enforce the format at runtime • Never expose tokens/sensitive/exploitable data in API responses • Beware of GraphQL queries! • Validate fields accessed via query • Validate headers (yes, also on the responses…)
AUTHENTICATION 16
OWASP API Sec Top 10: A Mitigation Guide Broken Authentication (API 2) Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising system’s ability to identify the client/user, compromises API security overall.
OWASP API Sec Top 10: A Mitigation Guide Authentication Recommendations • No un-authenticated endpoints! • Define authentication based on risk. • Use short-lived access tokens and limit their scope • Use correct OAuth grant_types (most likely authorization_code with PKCE) • Use the Financial Grade security profiles as reference (https://openid.net/wg/fapi/) • Make sure you validate JWTs according to Best Practices (RFC 8725) - https://www.rfc- editor.org/rfc/rfc8725.txt • Use secure storage for credentials • Watch for tokens in code repos (for example Github Secret Scanning). • Test authentication resilience with all kind of combinations!
AUTHORIZATION 19
OWASP API Sec Top 10: A Mitigation Guide Broken Object Level Authorization: BOLA/aka IDOR (API1) APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be considered in every function that accesses a data source using an input from the user. Broken Function Level Authorization (API 5) Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
OWASP API Sec Top 10: A Mitigation Guide Avoiding BOLA • True fix : Fine-grained authorisation to resources in every controller layer • OAuth scopes are not the solution here, as they limit access to an operation and not to a resource. • At least, put in place mitigation! • Avoid guessable IDs (123, 124, 125…) • Avoid exposing internal IDs via the API • Alternative: GET https://myapis.com/phone/me • Mitigate potential data scrapping by putting rate limiting in place • Test this use case!
OWASP API Sec Top 10: A Mitigation Guide Preventing API5 Do not mix admin and non-admin operations in the same API Easy to discover via dictionary attacks Restrict access to admin APIs, for example: by Mutual TLS by IP Range Do not rely on the client apps to do that! Block unknown verbs and operations (that will block bots too…) Design properly your authorization policies and test them ! OAuth scopes can help here
LOGGING 23
OWASP API Sec Top 10: A Mitigation Guide Secure Logging • Goals: • Forensics • Non-repudiation • Need event logs for anything unusual • Rejected requests (auth issues, authorization issues, data validation, application errors). • Critical information needs to be logged at the lowest logging level (i.e. not the debug level) • Need to record: what happened, when, who was the caller, where (app/api details, machine name, pod name, etc.) • Recommendations: • Log early - Adding logs once code is written is a nightmare… • Invest in a shared framework / custom library that everyone uses and which implements those best practices - will make logging easier and coherent
OWASP API Sec Top 10: A Mitigation Guide Secure Logging • Careful with the data we log: • No PII • No tokens/API Keys • No Encryption keys • Anything sensitive for your business • Sensitive data needs to be : • Redacted (replaced with xxxxx for example) • Hashed : very useful for tokens/IPs for traceability • Encrypted • Logs file may need to be signed for non-repudiation purposes • More at : https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
OWASP API Sec Top 10: A Mitigation Guide Tokens/Keys passed as query param! • Anything in query param end logs in a log somewhere… • Then pushed to a central log manager… • Then visible in Dashboards.. • Always use headers to pass sensitive information (or body in a POST) • More at: https://www.fullcontact.com/blog/2016/04/29/never-put-secrets-urls-query- parameters/
PROACTIVE SECURITY 27
OWASP API Sec Top 10: A Mitigation Guide BAD DESIGN DECISIONS ARE HARD TO UNDO
OWASP API Sec Top 10: A Mitigation Guide IN AN API WORLD, IT MEANS Define what are we building => evaluating the risk ✓ Who will be the consumers ? Internal, external, admins ? ✓ Which data do we expose ? ✓ Do we need to sign / encrypt the data ? Interface design => what are we exposing to who ✓ Who has access and how (API2, API5) ✓ Reduce/Eliminate resources IDs exposure (API 1) ✓ Data structures for read / write operations (API3, API 6, API 8) ✓ Do we need admin operations (API 5) ? Who can access them ? How ? How will we operate it ? ✓ Logging / Monitoring (API 10) ✓ Rate Limiting (API 4) ✓ Manage versions (API 9)
OWASP API Sec Top 10: A Mitigation Guide CALL TO ACTION! Use API Top 10 as framework for design and testing Start worrying about API Security at design time ✓ A vulnerability discovered at production time costs up to 30x more to solve Hack yourselves! ✓ For each functional test, create 10 negative tests ✓ Hammer your APIs with bad data, bad tokens, bad users Automate Security ✓ Inject Security into DevOps practices and don’t rely on manual testing of APIs. ✓ Only solution to scale and have avoid human errors https://www.helpnetsecurity.com/2020/05/20/devops-software- development-teams/ “I think security, in most cases, is not a single person’s specialization. Security must be a practice of every member of the team from the frontend developer to the system administrator (also non tech roles).” 
 From: Gitlab DevSecOps report - 2021
OWASP API Sec Top 10: A Mitigation Guide ➡ For questions, please join me on the #20th- anniv-owaspstandardclassificatio slack channel! ➡ Subscribe to the apisecurity.io weekly newsletter for regular news on breaches, tools and best practices. Thanks!

Recommended

API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
Apigee | Google Cloud
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
WSO2
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 

Recommended

API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
Apigee | Google Cloud
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
WSO2
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
How Secure Are Your APIs?
How Secure Are Your APIs?How Secure Are Your APIs?
How Secure Are Your APIs?
Apigee | Google Cloud
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
AaronLieberman5
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's Perspective
RajniHatti
 
API Governance in the Enterprise
API Governance in the EnterpriseAPI Governance in the Enterprise
API Governance in the Enterprise
Apigee | Google Cloud
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
API Management in Digital Transformation
API Management in Digital TransformationAPI Management in Digital Transformation
API Management in Digital Transformation
Aditya Thatte
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
Ashok Pundit
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
SmartBear
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
IndusfacePvtLtd
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
42Crunch
 
API Management Platform Technical Evaluation Framework
API Management Platform Technical Evaluation FrameworkAPI Management Platform Technical Evaluation Framework
API Management Platform Technical Evaluation Framework
WSO2
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API Management
Apigee | Google Cloud
 

More Related Content

What's hot

API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
AaronLieberman5
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
42Crunch
 

What's hot (20)

Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
How Secure Are Your APIs?
How Secure Are Your APIs?How Secure Are Your APIs?
How Secure Are Your APIs?
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's Perspective
 
API Governance in the Enterprise
API Governance in the EnterpriseAPI Governance in the Enterprise
API Governance in the Enterprise
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
API Management in Digital Transformation
API Management in Digital TransformationAPI Management in Digital Transformation
API Management in Digital Transformation
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
 
API Management Platform Technical Evaluation Framework
API Management Platform Technical Evaluation FrameworkAPI Management Platform Technical Evaluation Framework
API Management Platform Technical Evaluation Framework
 

Similar to APISecurity_OWASP_MitigationGuide

Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API Management
Apigee | Google Cloud
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API Security
AaronLieberman5
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to Security
Theodore Kim
 

Similar to APISecurity_OWASP_MitigationGuide (20)

apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API Management
 
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
APIDays Paris Security Workshop
APIDays Paris Security WorkshopAPIDays Paris Security Workshop
APIDays Paris Security Workshop
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
 
apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...
apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...
apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...
 
Oracle API Platform Cloud Service Best Practices & Lessons Learnt
Oracle API Platform Cloud Service Best Practices & Lessons LearntOracle API Platform Cloud Service Best Practices & Lessons Learnt
Oracle API Platform Cloud Service Best Practices & Lessons Learnt
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 
London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API Security
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to Security
 
API Hijacking.pdf
API Hijacking.pdfAPI Hijacking.pdf
API Hijacking.pdf
 
API Hijacking (1).pdf
API Hijacking (1).pdfAPI Hijacking (1).pdf
API Hijacking (1).pdf
 
API Hijacking.pdf
API Hijacking.pdfAPI Hijacking.pdf
API Hijacking.pdf
 

Recently uploaded

Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 

Recently uploaded (20)

Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 

APISecurity_OWASP_MitigationGuide

  • 1. Isabelle Mauny OWASP API Security Top 10: A Beginner's Guide to Mitigation How to prevent typical API issues from design time isabelle@42crunch.com
  • 2. OWASP API Sec Top 10: A Mitigation Guide API Breaches are on the rise! • 350+ breaches reported on apisecurity.io since Oct. 2018 • And those are just the public ones! • Recurring Combination of: • Lack of Input validation • Lack of Rate Limiting • Data/Exception leakage • Authorization issues • Authentication issues https://siliconangle.com/2021/09/16/ibm-report-finds-two-thirds-cloud-breaches-traced-misconfigured-apis
  • 4. OWASP API Sec Top 10: A Mitigation Guide WE ARE HUMANS!
  • 5. OWASP API Sec Top 10: A Mitigation Guide Security is considered too late!
  • 6. OWASP API Sec Top 10: A Mitigation Guide MANY APIS, MANY DEPLOYMENTS APPLICATION DEVELOPMENT APPLICATION SECURITY
  • 7. Applications Architecture has changed! Source: https://apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm
  • 9. OWASP API Sec Top 10: A Mitigation Guide OWASP API Security Top 10 APIs have different vulnerabilities • API1 : Broken Object Level Access Control • API2 : Broken Authentication • API3 : Excessive Data Exposure • API4 : Lack of Resources & Rate Limiting • API5 : Missing Function Level Access Control • API6 : Mass Assignment • API7 : Security Misconfiguration • API8 : Injection • API9 : Improper Assets Management • API10 : Insufficient Logging & Monitoring DOWNLOAD Data Protection Auth / Authorization Governance/Operations
  • 10. OWASP API Sec Top 10: A Mitigation Guide Parler (January 2021) • Wild combination of issues! • 70 TB of user’s data leaked • Core Issues • No Authentication • No Rate limiting • Sequential IDs • Leaked raw metadata about posts, including location • Deleted data was not deleted, just hidden in the UI https://apisecurity.io/issue-116-facebook-parler-api-vulnerabilities-clairvoyance/ API2 API3 API4 API5 API6 API10 API9 API8 API7 API1
  • 12. OWASP API Sec Top 10: A Mitigation Guide Excessive Data Exposure (API 3) Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user. Mass Assignment (API 6) Binding client provided data (e.g., JSON) to data models, without proper properties filtering based on an allowlist, usually leads to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to. Injection (API 8) Injection flaws, such as SQL, NoSQL, Command Injection, etc. occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  • 13. OWASP API Sec Top 10: A Mitigation Guide Input Data Validation • No Trust (even for internal APIs and for East-West traffic) • Validation can happen client side, but it must happen server-side! • Do not blindly update data records from request payloads • Avoid using the same data structures for reads and updates • Validate Inputs • Only accept information specified in schemas (contract-based, allowList approach) and headers - Reject all others. • Can be enforced: • In the code with annotations • In API Gateways • in API Firewalls • In general , the earlier the better !
  • 14. OWASP API Sec Top 10: A Mitigation Guide Another API3 vector: JWTs! Recommended best practice: Use opaque tokens for external consumption Use JWTs for internal consumption
  • 15. OWASP API Sec Top 10: A Mitigation Guide Output Data Validation • Review and approve data returned by APIs • Never rely on client apps to filter data : instead, create various APIs depending on consumer, with just the data they need • Take control of your JSON schemas ! • Describe the data thoroughly and enforce the format at runtime • Never expose tokens/sensitive/exploitable data in API responses • Beware of GraphQL queries! • Validate fields accessed via query • Validate headers (yes, also on the responses…)
  • 17. OWASP API Sec Top 10: A Mitigation Guide Broken Authentication (API 2) Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising system’s ability to identify the client/user, compromises API security overall.
  • 18. OWASP API Sec Top 10: A Mitigation Guide Authentication Recommendations • No un-authenticated endpoints! • Define authentication based on risk. • Use short-lived access tokens and limit their scope • Use correct OAuth grant_types (most likely authorization_code with PKCE) • Use the Financial Grade security profiles as reference (https://openid.net/wg/fapi/) • Make sure you validate JWTs according to Best Practices (RFC 8725) - https://www.rfc- editor.org/rfc/rfc8725.txt • Use secure storage for credentials • Watch for tokens in code repos (for example Github Secret Scanning). • Test authentication resilience with all kind of combinations!
  • 20. OWASP API Sec Top 10: A Mitigation Guide Broken Object Level Authorization: BOLA/aka IDOR (API1) APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be considered in every function that accesses a data source using an input from the user. Broken Function Level Authorization (API 5) Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
  • 21. OWASP API Sec Top 10: A Mitigation Guide Avoiding BOLA • True fix : Fine-grained authorisation to resources in every controller layer • OAuth scopes are not the solution here, as they limit access to an operation and not to a resource. • At least, put in place mitigation! • Avoid guessable IDs (123, 124, 125…) • Avoid exposing internal IDs via the API • Alternative: GET https://myapis.com/phone/me • Mitigate potential data scrapping by putting rate limiting in place • Test this use case!
  • 22. OWASP API Sec Top 10: A Mitigation Guide Preventing API5 Do not mix admin and non-admin operations in the same API Easy to discover via dictionary attacks Restrict access to admin APIs, for example: by Mutual TLS by IP Range Do not rely on the client apps to do that! Block unknown verbs and operations (that will block bots too…) Design properly your authorization policies and test them ! OAuth scopes can help here
  • 24. OWASP API Sec Top 10: A Mitigation Guide Secure Logging • Goals: • Forensics • Non-repudiation • Need event logs for anything unusual • Rejected requests (auth issues, authorization issues, data validation, application errors). • Critical information needs to be logged at the lowest logging level (i.e. not the debug level) • Need to record: what happened, when, who was the caller, where (app/api details, machine name, pod name, etc.) • Recommendations: • Log early - Adding logs once code is written is a nightmare… • Invest in a shared framework / custom library that everyone uses and which implements those best practices - will make logging easier and coherent
  • 25. OWASP API Sec Top 10: A Mitigation Guide Secure Logging • Careful with the data we log: • No PII • No tokens/API Keys • No Encryption keys • Anything sensitive for your business • Sensitive data needs to be : • Redacted (replaced with xxxxx for example) • Hashed : very useful for tokens/IPs for traceability • Encrypted • Logs file may need to be signed for non-repudiation purposes • More at : https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
  • 26. OWASP API Sec Top 10: A Mitigation Guide Tokens/Keys passed as query param! • Anything in query param end logs in a log somewhere… • Then pushed to a central log manager… • Then visible in Dashboards.. • Always use headers to pass sensitive information (or body in a POST) • More at: https://www.fullcontact.com/blog/2016/04/29/never-put-secrets-urls-query- parameters/
  • 28. OWASP API Sec Top 10: A Mitigation Guide BAD DESIGN DECISIONS ARE HARD TO UNDO
  • 29. OWASP API Sec Top 10: A Mitigation Guide IN AN API WORLD, IT MEANS Define what are we building => evaluating the risk ✓ Who will be the consumers ? Internal, external, admins ? ✓ Which data do we expose ? ✓ Do we need to sign / encrypt the data ? Interface design => what are we exposing to who ✓ Who has access and how (API2, API5) ✓ Reduce/Eliminate resources IDs exposure (API 1) ✓ Data structures for read / write operations (API3, API 6, API 8) ✓ Do we need admin operations (API 5) ? Who can access them ? How ? How will we operate it ? ✓ Logging / Monitoring (API 10) ✓ Rate Limiting (API 4) ✓ Manage versions (API 9)
  • 30. OWASP API Sec Top 10: A Mitigation Guide CALL TO ACTION! Use API Top 10 as framework for design and testing Start worrying about API Security at design time ✓ A vulnerability discovered at production time costs up to 30x more to solve Hack yourselves! ✓ For each functional test, create 10 negative tests ✓ Hammer your APIs with bad data, bad tokens, bad users Automate Security ✓ Inject Security into DevOps practices and don’t rely on manual testing of APIs. ✓ Only solution to scale and have avoid human errors https://www.helpnetsecurity.com/2020/05/20/devops-software- development-teams/ “I think security, in most cases, is not a single person’s specialization. Security must be a practice of every member of the team from the frontend developer to the system administrator (also non tech roles).” 
 From: Gitlab DevSecOps report - 2021
  • 31. OWASP API Sec Top 10: A Mitigation Guide ➡ For questions, please join me on the #20th- anniv-owaspstandardclassificatio slack channel! ➡ Subscribe to the apisecurity.io weekly newsletter for regular news on breaches, tools and best practices. Thanks!