Help your team master API security best practices

Every few years since 2013, OWASP has released its list of the top 10 most common web application security vulnerabilities. Because APIs (Application Programming Interfaces) are now ubiquitous, in 2019 OWASP created, for the first time, a separate list dealing exclusively with API security vulnerabilities, incorporating community research and feedback.

Discover Avatao’s API security training


There are some core differences between web application security and API security. A traditional web application handles its data on the server and sends the pre-rendered resource to the browser in a completed state. In contrast, an API acts as a backend service: it performs only the data processing and leaves the rendering to the front end.

Avatao lets your developers practice with real-life API security scenarios, such as:

1. Broken object level authorization

Broken object level authorization is the cause of almost half of API-related threats. An attacker replaces their own ID with another user's ID in the API request and, without proper authorization checks, is able to access sensitive data.

2. Broken authentication

Broken authentication in an API lets an attacker use stolen credentials, authentication tokens, or brute-force attacks to assume other users' identities.

3. Excessive data exposure

When the API returns more data than the client needs, an attacker can use this "useless" data for further attacks.

4. Lack of resources and rate limiting

The API needs to be protected against a huge number of calls and against oversized payloads. Otherwise, attackers can flood the API with requests, resulting in a Denial of Service (DoS).

5. Broken function level authorization

If the API's authorization is poorly implemented, attackers can find a way to call admin-level API paths to add, update, or delete customer records or user roles.

6. Mass assignment

When the API consumes input data directly, without proper filtering, and binds it to its business objects, the API is vulnerable to mass assignment. Attackers can try to discover critical data properties, or supply additional ones, which can lead to privilege escalation.

7. Security misconfiguration

There are numerous kinds of security misconfigurations, such as incomplete, ad-hoc, or default API configurations, which weaken API security and create vulnerable surfaces in the API.

8. Injection

Injection is the best-known vulnerability among developers. The attacker crafts a malicious input that the API forwards blindly to an internal interpreter such as SQL, NoSQL, or LDAP.


9. Improper assets management

Attackers find outdated or incomplete versions of the API, such as staging, beta, and test deployments, which lack the protection of the production API. The attackers then use these versions to exploit vulnerabilities.

10. Insufficient logging and monitoring

Insufficient logging and monitoring do not make the API vulnerable directly, but they remove the opportunity to investigate possible attacks against the API, so these attacks go unnoticed.
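As an added example that is not part of Avatao's training or this page, the following Python sketch puts items 1 and 6 above side by side: an in-memory profile API with a vulnerable and a hardened handler for object lookup (broken object level authorization) and for update (mass assignment). The store, the ids and the function names are all constructed for illustration.

```python
# Added example, not Avatao's own code: an in-memory "profile API" showing
# broken object level authorization (item 1) and mass assignment (item 6),
# each vulnerable handler beside its hardened form. All names are hypothetical.
# Constructed sample store: two users, the second one an administrator.
PROFILES = {
    101: {"owner_id": 101, "email": "alice@example.com", "role": "user"},
    102: {"owner_id": 102, "email": "bob@example.com", "role": "admin"},
}
WRITABLE_FIELDS = {"email"}  # allow-list of fields a client may change

class Forbidden(Exception):
    """Raised when the requester may not access the requested object."""

def get_profile_vulnerable(requester_id, profile_id):
    # BOLA: the id from the request is trusted as-is, so any caller can read
    # any profile simply by changing the id in the URL.
    return PROFILES[profile_id]

def get_profile_hardened(requester_id, profile_id):
    # Authorization is tied to the object: the authenticated requester must
    # own it. Missing and foreign ids get the same answer, so the endpoint
    # does not reveal which ids exist.
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner_id"] != requester_id:
        raise Forbidden("access denied")
    return profile

def is_denied(requester_id, profile_id):
    try:  # helper so callers can check the outcome without try/except
        get_profile_hardened(requester_id, profile_id)
    except Forbidden:
        return True
    return False

def update_profile_vulnerable(requester_id, profile_id, payload):
    # Mass assignment: every key in the payload is bound to the object, so
    # {"role": "admin"} silently escalates the caller. Store write omitted.
    updated = dict(get_profile_hardened(requester_id, profile_id))
    updated.update(payload)
    return updated

def update_profile_hardened(requester_id, profile_id, payload):
    # Only allow-listed fields are bound; the rest are reported back so the
    # API can reject or log the attempt instead of applying it.
    updated = dict(get_profile_hardened(requester_id, profile_id))
    for key in WRITABLE_FIELDS & set(payload):
        updated[key] = payload[key]
    return updated, sorted(set(payload) - WRITABLE_FIELDS)
```

Rejected keys returned by the hardened update are exactly the signal worth logging (item 10): a client that keeps sending `role` is probing for mass assignment.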

Get started with API security training

Get in touch with us to find out how your team could use Avatao's learning platform.