A new edition of the OWASP API Security Top 10 is just around the corner, so we decided to look at the work in progress at OWASP to see what has been trending since the list was first compiled in 2019. While the current work has release candidate status, we do not expect any significant changes and will of course follow up with a deep dive as soon as the official list is announced.
Evolution instead of revolution
While many of the category names look different at first glance, all the risk categories from the previous edition are still here in one form or another. In the past four years, APIs have grown from extensions of core functionality into a permanent staple of web application architecture. This has brought their security issues into sharper focus, allowing the categories to be redefined to better match the specific risks seen in real web environments.
Overall, the release candidate list consists of four categories that have not changed since 2019, five with name or scope changes, and one old acquaintance making its first appearance on this particular list.
Broken authentication still top of the stack
The whole purpose of an application programming interface (API) is to provide access to something inside or from the application, so access control has always been the primary security concern for APIs. Consequently, the #1 risk category has not changed since 2019: Broken Object Level Authorization. Especially when combined with insecure direct object references, access control flaws at the application object level can result in data exposure (as in the Optus breach), allowing malicious actors to freely extract sensitive data via the API.
Closely related is another access control risk that has not changed in name or rank since 2019, namely Broken Function Level Authorization at #5. This category covers weaknesses that expose application functionality rather than data, although in practice there is significant overlap between the two. For example, if an attacker can access the customer record export operation, they could extract sensitive information in bulk even if they cannot access each separate customer record object.
Before any authorization comes authentication, so broken authentication had to make the list once again, staying at #2 (and slightly renamed from Broken User Authentication). This category encompasses all kinds of weaknesses that could allow an attacker to act as a valid user, whether by permitting credential stuffing or brute-force access, by not verifying token signatures, or simply by allowing unauthenticated access in some circumstances.
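The two access control failures just described, object level (#1) and function level (#5), are easiest to see side by side in code. The following is an added example written for this article, not code from OWASP or from the original post: a minimal service layer with a constructed customer table, constructed roles ("customer" and "support_admin") and constructed operation names. It shows the IDOR-style lookup that never checks ownership, the per-record check that replaces it, and the bulk export operation that must be gated at function level because object-level checks alone would not stop a mass extraction.

```python
# Added example (not from the original article): object-level and
# function-level authorization checks in a minimal API service layer.
# Users, roles, records and operation names are all constructed for the demo.
from dataclasses import dataclass


class Forbidden(Exception):
    """Authenticated caller is not authorized for this object or operation."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # constructed roles: "customer" or "support_admin"


# Constructed customer records keyed by the public ID an API client would send.
CUSTOMERS = {
    "1001": {"id": "1001", "owner": "alice", "email": "alice@example.test"},
    "1002": {"id": "1002", "owner": "bob", "email": "bob@example.test"},
}

# Function-level policy: which roles may invoke which operation at all.
OPERATION_ROLES = {
    "get_customer": {"customer", "support_admin"},
    "export_customers": {"support_admin"},
}


def require_operation(principal, operation):
    """Function-level check (#5 in the list): refuse before touching any data."""
    if principal.role not in OPERATION_ROLES.get(operation, set()):
        raise Forbidden(f"role {principal.role!r} may not call {operation}")


def get_customer_vulnerable(principal, customer_id):
    """BOLA/IDOR pattern: the ID from the request is looked up directly and the
    caller's relationship to that record is never checked."""
    return CUSTOMERS[customer_id]


def get_customer(principal, customer_id):
    """Object-level check (#1 in the list): ownership is verified per record."""
    require_operation(principal, "get_customer")
    record = CUSTOMERS.get(customer_id)
    # Treat "does not exist" and "not yours" identically so that the response
    # does not reveal which IDs are valid.
    if record is None or (
        principal.role != "support_admin" and record["owner"] != principal.user_id
    ):
        raise Forbidden("record not accessible")
    return record


def export_customers(principal):
    """The bulk export operation from the article: guarded at function level,
    since per-object checks would not stop someone who may call this at all."""
    require_operation(principal, "export_customers")
    return list(CUSTOMERS.values())


def is_allowed(fn, *args):
    """Probe an authorization decision as a boolean (used by callers and tests)."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = Principal("alice", "customer")
    admin = Principal("carol", "support_admin")
    print(get_customer(alice, "1001")["email"])       # alice's own record
    print(is_allowed(get_customer, alice, "1002"))     # False: bob's record
    print(is_allowed(export_customers, alice))         # False: wrong role
    print(len(export_customers(admin)))                # 2
```

The design point is that the function-level check runs first and cheaply, while the object-level check consults the record itself; neither is a substitute for the other, which is the overlap the article describes.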
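The "not verifying token signatures" failure mode is worth showing concretely. The following is an added example written for this article, not code from the original post or from any token library: a constructed token format (base64url JSON claims, a dot, then a base64url HMAC-SHA256 over the claims) with a constructed signing key. It contrasts a parser that merely decodes the claims with a verifier that checks the MAC in constant time before parsing anything and then enforces expiry.

```python
# Added example (not from the original article): verifying a signed bearer
# token properly versus merely decoding it. The token format and the secret
# are constructed for the demo.
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumption: a server-side secret. Constructed value for the demo only.
SECRET = b"constructed-demo-signing-key"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, ttl=3600, now=None):
    """Sign {"sub", "exp"} with HMAC-SHA256; `now` is injectable for testing."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": int(now + ttl)},
                         separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def parse_token_vulnerable(token):
    """Broken-authentication pattern from the article: the claims are decoded
    and trusted, but the signature and expiry are never checked."""
    payload_b64, _ignored_sig = token.split(".", 1)
    return json.loads(_unb64(payload_b64))


def verify_token(token, now=None):
    """Return the claims only if the signature matches and the token has not
    expired; otherwise return None, which callers treat as unauthenticated."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison, and the MAC is checked before the untrusted
    # JSON is parsed at all.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def with_subject_rewritten(token, new_subject):
    """Test helper: re-encode the claims with a different subject while keeping
    the original signature. A correct verifier must reject the result."""
    payload_b64, sig_b64 = token.split(".", 1)
    claims = json.loads(_unb64(payload_b64))
    claims["sub"] = new_subject
    new_payload = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(new_payload) + "." + sig_b64


if __name__ == "__main__":
    tok = issue_token("alice", ttl=60, now=1_000_000)
    print(verify_token(tok, now=1_000_010))                       # claims for alice
    print(verify_token(tok, now=1_000_061))                       # None: expired
    rewritten = with_subject_rewritten(tok, "admin")
    print(parse_token_vulnerable(rewritten)["sub"])               # "admin"
    print(verify_token(rewritten, now=1_000_010))                 # None: bad MAC
```

Rejecting a token with the same response whether the MAC, the format or the expiry was wrong keeps the verifier from acting as an oracle; the only thing a caller learns is that the token was not accepted.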
API management as hard as ever
Other risks that remain unchanged as of this writing relate to API management and administration. Security Misconfiguration stays at #7, covering security issues at any level of the API technology stack that are not directly caused by flaws in the API or the application itself. These include unpatched systems, missing or inconsistent security headers, inappropriate permissions on cloud services, and many other security risks related to configuring complex API stacks.
Improper Inventory Management (formerly "asset management") continues to rank #9 and will likely remain on the list because of the inherent challenges of managing APIs throughout their lifecycle. As interfaces and their underlying applications undergo change (sometimes independently), any gaps in version control and documentation can expose additional attack surface in the form of outdated APIs that are still accessible or undocumented API endpoints that go undetected during testing.
APIs are all about automation, so failures to control and limit usage are another pillar of the API Security Top 10, slightly renamed to Unrestricted Resource Consumption at #4. Generally speaking, these fall into two main categories. First, unlimited API access can expose web services and applications to denial-of-service (DoS) attacks caused by resource exhaustion when a server in the API stack cannot handle any more requests. Just as important, the lack of proper rate limiting can allow attackers to mount brute-force attacks to, for example, crack passwords or enumerate data records.
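Both halves of Unrestricted Resource Consumption, exhaustion and brute force, come down to putting a number on what one caller may do. The following is an added example written for this article, not code from the original post: a per-key sliding-window limiter with an injectable clock, a page-size cap that bounds the work a single request can cause, and a constructed login endpoint that is limited both per source IP and per target account. The IPs, usernames, limits and credential table are all constructed.

```python
# Added example (not from the original article): a sliding-window rate limiter
# and a page-size cap, applied to a constructed login endpoint.
import collections
import hashlib
import hmac
import time


class RateLimiter:
    """Allow at most `limit` events per `key` within any `window` seconds.
    The clock is injectable so behaviour can be tested deterministically."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = collections.defaultdict(collections.deque)

    def allow(self, key):
        now = self.clock()
        q = self._events[key]
        while q and q[0] <= now - self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FakeClock:
    """Manual clock for tests; real code keeps the default time.monotonic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


MAX_PAGE_SIZE = 100
DEFAULT_PAGE_SIZE = 20


def clamp_page_size(requested):
    """Cap the number of records one call may return: an unbounded page size
    is the resource-exhaustion half of Unrestricted Resource Consumption."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return DEFAULT_PAGE_SIZE
    return max(1, min(n, MAX_PAGE_SIZE))


def _digest(password):
    # Constructed stand-in; production code uses a password KDF such as
    # bcrypt or argon2 rather than a single salted SHA-256.
    return hashlib.sha256(b"constructed-salt" + password.encode()).hexdigest()


# Constructed credential table.
CREDENTIALS = {"alice": _digest("correct horse battery staple")}


class LoginEndpoint:
    """Login limited per source IP and per target account, so neither one
    source nor a distributed attempt against one account gets unlimited tries."""

    def __init__(self, clock=time.monotonic):
        self.per_ip = RateLimiter(limit=10, window=60, clock=clock)
        self.per_account = RateLimiter(limit=5, window=300, clock=clock)

    def login(self, client_ip, username, password):
        if not self.per_ip.allow(client_ip) or not self.per_account.allow(username):
            return "rate_limited"        # HTTP 429 in a real handler
        stored = CREDENTIALS.get(username)
        if stored is None or not hmac.compare_digest(stored, _digest(password)):
            return "bad_credentials"     # same answer for unknown user and wrong password
        return "ok"


if __name__ == "__main__":
    clk = FakeClock()
    ep = LoginEndpoint(clock=clk)
    for _ in range(6):
        print(ep.login("198.51.100.7", "alice", "wrong"))   # 5x bad_credentials, then rate_limited
    clk.advance(301)
    print(ep.login("198.51.100.7", "alice", "correct horse battery staple"))  # ok
```

The per-account limiter is what blunts credential stuffing spread over many source addresses; the per-IP limiter is what stops one client from exhausting the server. Counting failed and successful attempts alike keeps the limiter simple and avoids leaking which outcome occurred through timing of the limit.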
Expansion of risk horizons
Three risk categories have been expanded and redefined to cover a broader range of security issues. Compared to the 2019 list, Excessive Data Exposure and Mass Assignment are now included in Broken Object Property Level Authorization at #3. This is closely related to authorization failures at the object level, but applies at a more granular level, where defining and enforcing access control is much more difficult. Even with proper access control to, say, customer data records, you still need to define who can perform what operations on which data fields, and whether they can bulk import, export, or modify data.
Renamed from Insufficient Logging and Monitoring, we now see the more descriptive Lack of Protection from Automated Threats category at #8. Malicious bots and other automated attacks make up a large part of web traffic, and APIs are specifically designed for automated access, so monitoring API usage and being able to respond when suspicious behavior is detected is essential. This category is not so much about security at a technical level as it is about identifying and blocking malicious business logic flows that could have unintended outcomes. A typical (and current) example would be a ticketing site that does not stop bots from immediately buying all the tickets to a high-profile event.
Injection flaws have been moved under the broader heading of Unsafe Consumption of APIs (at #10). In this case, "unsafe consumption" refers to using data retrieved from an API without sanitizing and validating it to the same standard as user-provided data. Especially for communication between APIs (whether internal or external), there is a risk that developers will implicitly trust the behavior of the API without checking whether it is safe. In addition to risking injection attacks via unsanitized data, this could also lead to encryption failures or exhaust application resources if the consumed API provides data at a higher rate than expected.
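Property-level authorization is where the two merged 2019 categories meet: which fields a role may write (mass assignment) and which it may read back (excessive data exposure). The following is an added example written for this article, not code from the original post: a constructed per-role field policy for a customer record, the mass-assignment update that writes every submitted key, the fail-closed update that rejects a request naming any field the role may not write, and a serializer that builds responses from a read allowlist. Roles, field names and the sample record are constructed.

```python
# Added example (not from the original article): property-level authorization
# for a customer record. Roles, fields and records are constructed for the demo.
import copy


class Forbidden(Exception):
    pass


# Constructed per-role field policy. Anything not listed is denied.
FIELD_POLICY = {
    "customer": {
        "read": {"id", "email", "balance"},
        "write": {"email"},
    },
    "support_admin": {
        "read": {"id", "email", "balance", "is_vip", "internal_notes"},
        "write": {"email", "is_vip", "internal_notes"},
    },
}

_DENY_ALL = {"read": set(), "write": set()}


def _policy(role):
    # Unknown roles get an empty policy rather than a KeyError: deny by default.
    return FIELD_POLICY.get(role, _DENY_ALL)


def update_customer_vulnerable(record, payload):
    """Mass-assignment pattern: every key in the request body is written
    straight into the stored object, including privileged ones."""
    updated = copy.deepcopy(record)
    updated.update(payload)
    return updated


def disallowed_fields(payload, role):
    """Fields in the payload that `role` is not permitted to write."""
    return sorted(set(payload) - _policy(role)["write"])


def update_customer(record, payload, role):
    """Fail closed: reject the whole request if it names any field the role may
    not write, rather than silently dropping keys (which also hides probing)."""
    rejected = disallowed_fields(payload, role)
    if rejected:
        raise Forbidden(f"fields not writable by {role}: {rejected}")
    updated = copy.deepcopy(record)
    updated.update(payload)
    return updated


def serialize_customer(record, role):
    """Excessive-data-exposure guard: build the response from an allowlist of
    readable fields instead of returning the stored object as-is."""
    readable = _policy(role)["read"]
    return {k: v for k, v in record.items() if k in readable}


if __name__ == "__main__":
    record = {"id": "1001", "email": "alice@example.test", "balance": 12.5,
              "is_vip": False, "internal_notes": "constructed note"}
    payload = {"email": "alice@new.example.test", "is_vip": True}
    print(update_customer_vulnerable(record, payload)["is_vip"])   # True: escalated
    print(disallowed_fields(payload, "customer"))                  # ['is_vip']
    print(serialize_customer(record, "customer"))                  # no internal_notes
```

Logging the rejected field names (without their values) from `disallowed_fields` is also a cheap detection signal: a client that keeps submitting `is_vip` from a customer session is probing the property-level boundary.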
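Treating an upstream API's response as untrusted means applying size, structure, type and character-set checks before the data touches anything else, and never concatenating its strings into a query. The following is an added example written for this article, not code from the original post: a constructed partner feed format (JSON with an "items" list of sku/qty pairs), constructed limits, and an in-memory SQLite store written to with parameterized SQL. It also covers the rate-and-volume side of the category by capping the response size and item count.

```python
# Added example (not from the original article): consuming an upstream API's
# data with the same rigour as user input. Feed format, limits and sample
# responses are constructed for the demo.
import json
import re
import sqlite3

MAX_RESPONSE_BYTES = 64 * 1024   # reject oversized upstream bodies before parsing
MAX_ITEMS = 500                  # cap the amount of work one response can cause
SKU_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


class UpstreamError(ValueError):
    """The upstream API returned something outside the agreed contract."""


def parse_feed(raw):
    """Validate an upstream response: size, structure, types, ranges and
    character set are all checked before anything is returned."""
    if len(raw) > MAX_RESPONSE_BYTES:
        raise UpstreamError("response exceeds size limit")
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        raise UpstreamError(f"malformed JSON: {exc}") from None
    if not isinstance(doc, dict) or not isinstance(doc.get("items"), list):
        raise UpstreamError("expected an object with an 'items' list")
    if len(doc["items"]) > MAX_ITEMS:
        raise UpstreamError("too many items")
    cleaned = []
    for item in doc["items"]:
        if not isinstance(item, dict):
            raise UpstreamError("item is not an object")
        sku, qty = item.get("sku"), item.get("qty")
        if not isinstance(sku, str) or not SKU_PATTERN.match(sku):
            raise UpstreamError(f"invalid sku {sku!r}")
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or not 0 <= qty <= 1_000_000:
            raise UpstreamError(f"invalid qty for {sku}: {qty!r}")
        cleaned.append((sku, qty))
    return cleaned


def feed_rejected(raw):
    """True if parse_feed refuses the response (used by callers and tests)."""
    try:
        parse_feed(raw)
        return False
    except UpstreamError:
        return True


def new_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stock (sku TEXT PRIMARY KEY, qty INTEGER NOT NULL)")
    return conn


def store_items(conn, items):
    """Persist validated items with parameterized SQL; the upstream's strings
    are bound as values, never spliced into the statement text."""
    conn.executemany("INSERT OR REPLACE INTO stock (sku, qty) VALUES (?, ?)", items)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM stock").fetchone()[0]


def ingest(raw, conn=None):
    """Parse then store; returns the row count after the write."""
    if conn is None:
        conn = new_store()
    return store_items(conn, parse_feed(raw))


# Constructed sample responses.
GOOD_FEED = json.dumps({"items": [{"sku": "WIDGET-1", "qty": 40},
                                  {"sku": "GADGET_2", "qty": 0}]}).encode()
BAD_SKU_FEED = json.dumps({"items": [{"sku": "WIDGET 1'", "qty": 40}]}).encode()
BAD_QTY_FEED = b'{"items": [{"sku": "A", "qty": "40"}]}'

if __name__ == "__main__":
    print(ingest(GOOD_FEED))                                   # 2
    print(feed_rejected(BAD_SKU_FEED), feed_rejected(BAD_QTY_FEED))   # True True
    print(feed_rejected(b"x" * (MAX_RESPONSE_BYTES + 1)))       # True
```

Checking the byte length before `json.loads` matters because the parser itself is the first thing a bloated response can exhaust; the item cap then bounds the database work, which is the "higher rate than expected" case the article mentions.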
New but very old: SSRF
The only new category so far, and also the only single vulnerability placed in a category of its own, is Server-Side Request Forgery, currently sitting at #6. This mirrors the choice made for the last OWASP Top 10 in 2021, where SSRF also received its own category for the first time. In the context of APIs, server-side request forgery vulnerabilities allow attackers to smuggle URLs through an API and trick a back-end server into sending a request to that URL. These kinds of vulnerabilities can be especially dangerous in modern application architectures, where containerized cloud components often communicate via APIs over predictable paths, greatly increasing the potential for SSRF.
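The defensive counterpart to the smuggled-URL scenario is to validate any URL a back-end will fetch against an allowlist and to check what the host actually resolves to. The following is an added example written for this article, not code from the original post or from any HTTP library: a constructed outbound allowlist, a constructed static resolver so the example runs offline (real code would use `socket.getaddrinfo`), and a validator that rejects non-https schemes, embedded userinfo, non-allowlisted hosts and ports, and any host resolving to a non-globally-routable address.

```python
# Added example (not from the original article): validating a URL before a
# back-end component fetches it, as an SSRF mitigation. The allowlist, host
# names and resolver results are constructed for the demo.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example"}      # constructed outbound allowlist
ALLOWED_PORTS = {None, 443}

# Constructed resolver so the example runs offline; real code would call
# socket.getaddrinfo and then connect to the address it validated.
STATIC_DNS = {
    "api.partner.example": ["93.184.216.34"],   # constructed public address
    "intranet.example": ["10.0.0.5"],           # constructed internal address
}


def static_resolver(host):
    return STATIC_DNS.get(host, [])


def validate_outbound_url(url, resolver=static_resolver):
    """Return (ok, reason, pinned_ips). Only an allowlisted https host that
    resolves exclusively to globally routable addresses is accepted."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL", []
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", []      # user@host confuses naive parsers
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not allowlisted", []
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port", []
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve", []
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for private, loopback, link-local, documentation
        # and other special-purpose ranges, which are the usual SSRF destinations.
        if not ip.is_global:
            return False, f"{host} resolves to non-global address {addr}", []
    return True, "ok", addrs


if __name__ == "__main__":
    print(validate_outbound_url("https://api.partner.example/v1/orders?id=7"))
    print(validate_outbound_url("http://api.partner.example/"))
    print(validate_outbound_url("https://intranet.example/"))
    print(validate_outbound_url("https://api.partner.example/",
                                resolver=lambda h: ["10.0.0.5"]))
```

The returned `pinned_ips` exist so the caller connects to the address that was checked rather than resolving the name a second time, which closes the gap between validation and use (DNS rebinding). The HTTP client used for the fetch should also be configured not to follow redirects automatically, since a redirect is another way the validated host can hand the request to an unvalidated one.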
Watch this space
While it may be some time before the final API Security Top 10 arrives, the current release candidate list is unlikely to change much. All the major risk areas for modern APIs are already covered, and the general trend seems to be to make the categories more generic so that they serve more as best-practice guidelines and less as a vulnerability checklist (which was the approach taken for the main OWASP Top 10 list in 2021). That being said, the details and examples provided for some categories still vary in format and depth, so work will likely continue there. We will take a detailed technical look at the final list when it arrives, just as we did for the 2019 API Security Top 10.
What’s coming in the OWASP API Security Top 10 for 2023