What are we missing while securing APIs?
The OWASP API Security Top 10 (2023 edition) is worth reading; do check it out at https://owasp.org/API-Security/editions/2023/en/0x11-t10/. It shows the security aspects we take for granted and that attackers routinely exploit for malicious purposes.
Let’s study a brief excerpt from OWASP before we dive into the ways to handle these problems.
Broken Object Level Authorization.
Object IDs are easily identifiable in a request (path or query string, request headers, or payload) and hence can be easily manipulated to gain access to resources that do not belong to the user. This can result in data disclosure to unauthorized parties and can eventually lead to account takeover.
Object-level authorization refers to the access control mechanism, implemented at code level, that validates a user and only allows access to the resources that user has permission to access.
For example, suppose an e-commerce application provides a listing page with revenue information for its hosted shops. An attacker can identify the API endpoint that serves as the data source, say ‘/shops/{shop-name}/revenue’, and, using another API that lists the names of all shops on the platform, can easily fetch data for unrelated shops.
How to Prevent
- Implement a robust authorization mechanism with clearly defined user access policies; a group-based hierarchical RBAC may be useful.
- If possible, use random and unpredictable GUIDs as object identifiers.
- Write automated tests that detect these vulnerabilities and run them before any deployment.
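To make the three prevention points concrete, here is an added example (my own illustration, not code from the OWASP document or from any real e-commerce platform) of the shop revenue endpoint above modelled in plain Python: the vulnerable handler next to the hardened one, unpredictable shop IDs instead of guessable names, a small group-based RBAC table, and the automated regression check that would run before deployment. The users, groups, shop names and revenue figures are constructed sample data.

```python
"""Object-level authorization for a '/shops/{shop-id}/revenue' endpoint."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Shop:
    shop_id: str   # unpredictable public identifier
    owner: str     # user who owns this shop
    revenue: int


@dataclass
class Store:
    shops: dict = field(default_factory=dict)

    def create_shop(self, owner: str, revenue: int) -> str:
        # Unpredictable ID instead of a sequential integer or a guessable shop
        # name, so resources cannot be enumerated by incrementing a counter.
        shop_id = secrets.token_urlsafe(16)
        self.shops[shop_id] = Shop(shop_id, owner, revenue)
        return shop_id


# Group-based RBAC (constructed): members of 'finance' may read every shop.
GROUP_PERMISSIONS = {"finance": {"shop:revenue:read_all"}}
USER_GROUPS = {"carol": {"finance"}}


def has_permission(user: str, permission: str) -> bool:
    return any(permission in GROUP_PERMISSIONS.get(group, set())
               for group in USER_GROUPS.get(user, set()))


class NotFound(Exception):
    pass


def revenue_vulnerable(store: Store, user: str, shop_id: str) -> int:
    """BOLA: the user is authenticated, but ownership is never checked."""
    shop = store.shops.get(shop_id)
    if shop is None:
        raise NotFound(shop_id)
    return shop.revenue


def revenue_hardened(store: Store, user: str, shop_id: str) -> int:
    """Object-level check: caller must own the shop or hold a role that may read all."""
    shop = store.shops.get(shop_id)
    allowed = shop is not None and (
        shop.owner == user or has_permission(user, "shop:revenue:read_all"))
    # One response for 'missing' and 'not yours', so a probe cannot tell
    # existing objects from non-existing ones.
    if not allowed:
        raise NotFound(shop_id)
    return shop.revenue


def bola_regression_test(handler) -> bool:
    """Pre-deployment check: True if the handler refuses a cross-tenant read."""
    store = Store()
    alice_shop = store.create_shop("alice", 100_000)
    store.create_shop("mallory", 10)
    try:
        handler(store, "mallory", alice_shop)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable handler passes:", bola_regression_test(revenue_vulnerable))
    print("hardened handler passes:", bola_regression_test(revenue_hardened))
```

The point of `bola_regression_test` is that it is cheap enough to live in the normal test suite: it only needs two tenants and one cross-tenant request, and it fails the build the moment someone reintroduces a handler that trusts the ID in the URL.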
Broken Authentication.
This is one of the basics but still needs a good understanding and implementation for secure access. Failing this, attackers can gain complete control of other user accounts in the system and execute flows/requests on their behalf, and the system will not be able to distinguish the attacker’s actions from legitimate user ones.
Some basic checks to see if the API is vulnerable:
Important Security Measures to Always Follow.
Other important security measures that one should take to secure APIs are:
- Use HTTPS
HTTPS gives stronger confidence that the client is communicating with the real API provider and receiving authentic information; using TLS 1.3 enhances the confidentiality, authenticity, and integrity of the communication between clients and the application.
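On the client side, "confidence that you are talking to the real API provider" is only true if the TLS context actually verifies the certificate chain and hostname and does not negotiate down to an older protocol. As an added example (not from the original article), this is how to build such a context with Python's standard `ssl` module and check its policy; the only assumption is that the underlying OpenSSL supports TLS 1.3.

```python
"""Client-side TLS policy for calling an API over HTTPS."""
import ssl


def make_client_context(min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_3) -> ssl.SSLContext:
    # create_default_context() already turns on certificate verification
    # (CERT_REQUIRED) and hostname checking; we only raise the protocol floor
    # so that a downgrade to TLS 1.2 or older is refused.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = min_version
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context enforces TLS 1.3 and full server verification."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_3
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


def weakened_context() -> ssl.SSLContext:
    """The common anti-pattern: verification switched off to 'make it work'.
    Included only so the policy check has something to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("strict context ok:", context_is_strict(make_client_context()))
    print("weakened context ok:", context_is_strict(weakened_context()))
```

`context_is_strict` is the kind of check that belongs in a unit test for any HTTP client wrapper in the code base, so that a developer who disables verification while debugging cannot ship it unnoticed.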
- Use OAuth2
OAuth is an authorization protocol that provides a secure and efficient way to access resources; its token-based approach is more secure than sharing passwords directly with third-party apps.
A common 3-legged OAuth process has the following activities:
- Use WebAuthN
WebAuthn is a web standard published by the W3C; its authenticators are mostly hardware tokens accessed over USB/BLE/NFC. It has several advantages, such as:
  - Phishing-resistant 2FA.
  - Passwordless biometric-based authentication.
- Use API Keys (configure different permissions)
Not all endpoints should be accessible to everyone; configure API keys with different permissions. Remember the OWASP scenarios for object-level and function-level access control.
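An added example (not from the original article) of what "API keys with different permissions" looks like in code: keys are minted once, only their SHA-256 digest is stored, each key carries the scopes it was issued with, and every endpoint declares the scope it requires. The endpoint table, scope names and status codes are constructed for the illustration.

```python
"""API keys with per-key scopes (function-level access control)."""
import hashlib
import secrets

# Which scope each endpoint requires (constructed mapping).
ENDPOINT_SCOPES = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
    ("DELETE", "/users"): "admin",
}


class KeyStore:
    """Stores only SHA-256 digests of issued keys, with each key's scopes."""

    def __init__(self):
        self._keys = {}  # digest -> set of scopes

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, scopes) -> str:
        key = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._keys[self._digest(key)] = set(scopes)
        return key   # shown to the client once; the clear key is never stored

    def revoke(self, key: str) -> None:
        self._keys.pop(self._digest(key), None)

    def scopes_for(self, presented_key: str):
        # A leaked database dump yields digests only, not usable keys.
        return self._keys.get(self._digest(presented_key))


def authorize(store: KeyStore, method: str, path: str, presented_key: str):
    """Return (status, reason): 401 unknown key, 403 wrong scope, 200 allowed."""
    scopes = store.scopes_for(presented_key)
    if scopes is None:
        return 401, "unknown or revoked API key"
    required = ENDPOINT_SCOPES.get((method, path))
    if required is None:
        return 404, "no such endpoint"
    if required not in scopes:
        return 403, f"key lacks scope '{required}'"
    return 200, "ok"


if __name__ == "__main__":
    ks = KeyStore()
    reporting_key = ks.issue({"orders:read"})
    print(authorize(ks, "GET", "/orders", reporting_key))
    print(authorize(ks, "DELETE", "/users", reporting_key))
```

Separating "is this key known" (401) from "may this key do that" (403) keeps the logs useful: a burst of 403s from one key is a scope probe, while a burst of 401s is credential guessing, and the two deserve different responses.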
- Rate Limiting
To prevent an API from being overwhelmed, enforce a limit on the number of requests served for each client within a given period. This protects the stability and performance of the system and gives equal attention to all connecting clients.
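As an added example (not from the original article), here is a per-client token-bucket limiter of the kind an API gateway or middleware would apply: each client identifier (API key, user ID or source address) gets a bucket of `capacity` tokens refilled at `refill_per_second`, and a request is served only if a token is available. The clock is injected so the behaviour can be tested deterministically; the capacities and rates used are constructed.

```python
"""Per-client token-bucket rate limiter."""
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # tokens currently available
    last: float     # clock reading at the last refill


class TokenBucketLimiter:
    def __init__(self, capacity: int, refill_per_second: float, clock=time.monotonic):
        self.capacity = capacity
        self.rate = refill_per_second
        self.clock = clock
        self.buckets = {}

    def allow(self, client_id: str) -> bool:
        """Consume one token for client_id; False means 'reject with 429'."""
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = Bucket(self.capacity, now)
        # Refill in proportion to elapsed time, never beyond capacity, so a
        # client that was idle cannot bank an unbounded burst.
        bucket.tokens = min(self.capacity, bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            return True
        return False

    def retry_after(self, client_id: str) -> float:
        """Seconds until the next request would be served (for a Retry-After header)."""
        bucket = self.buckets.get(client_id)
        if bucket is None or bucket.tokens >= 1:
            return 0.0
        return (1 - bucket.tokens) / self.rate


if __name__ == "__main__":
    limiter = TokenBucketLimiter(capacity=3, refill_per_second=1.0)
    for i in range(5):
        print("request", i, "allowed:", limiter.allow("client-a"))
    print("retry after", round(limiter.retry_after("client-a"), 2), "s")
```

Keying the bucket on the authenticated identity rather than only the source IP matters: many legitimate clients sit behind one NAT address, while one abusive client can spread across many addresses.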
- API Versioning
To manage changes to an API efficiently, version it numerically and document each change that has been made.
- Use an API Gateway for Whitelisting/Blacklisting
Whitelisting and blacklisting provide the allow and block lists used to filter traffic coming into the network. If it is a closed network, whitelisting can admit traffic only from trusted sources; if it is a public server, traffic from known malicious networks can be blocked.
- Error Handling
Errors should not reveal the internal state of the system or include a stack trace that can be used to locate possible vulnerable points.
Error messages should be user-friendly, and technical errors should not bubble up to the end user.
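An added example (not from the original article) of keeping the two kinds of error apart: errors the caller is expected to fix get a short, friendly message, while anything unexpected is logged in full on the server under a reference ID and the client sees only that ID. The `ApiError` class, the `safe_call` wrapper and the sample `lookup_user` handler are constructed for this illustration.

```python
"""Sanitised error responses with a server-side correlation reference."""
import logging
import traceback
import uuid

log = logging.getLogger("api")


class ApiError(Exception):
    """Errors that are safe and useful to show to the caller."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status
        self.message = message


def safe_call(handler, *args):
    """Run handler; an internal exception never reaches the client in detail."""
    try:
        return 200, handler(*args)
    except ApiError as err:
        return err.status, {"error": err.message}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # Full traceback stays in the server log, findable by the reference id
        # that the client is asked to quote when reporting the problem.
        log.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
        return 500, {"error": "internal error", "ref": ref}


def leaky_call(handler, *args):
    """The anti-pattern: the traceback (file paths, queries, types) reaches the client."""
    try:
        return 200, handler(*args)
    except Exception:
        return 500, {"error": traceback.format_exc()}


def lookup_user(users: dict, user_id: str) -> str:
    if not user_id.isdigit():
        raise ApiError(400, "user_id must be numeric")
    return users[user_id]["name"]   # KeyError for an unknown id: an internal bug


if __name__ == "__main__":
    users = {"1": {"name": "alice"}}
    print(safe_call(lookup_user, users, "1"))
    print(safe_call(lookup_user, users, "x"))
    print(safe_call(lookup_user, users, "2"))
```

The `ref` value is what makes the generic message acceptable to support staff: they can find the full stack trace by ID without the API ever having exposed it.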
- Input Validation
SQL injection and similar vulnerabilities can be avoided if strict validation is performed on the received input; extra attributes or unsanitised data can result in a breach, which is easily avoided if the data is thoroughly checked.
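An added example (not from the original article) that puts both halves of that sentence into code: `validate_order` accepts only the declared attributes with the declared types and refuses anything extra, and `find_orders` passes user input to the database as a bound parameter so it is never interpreted as SQL; the string-formatted variant is kept alongside only to show the difference. The order schema, table and rows are a constructed in-memory SQLite sample.

```python
"""Strict input validation and parameterised queries."""
import re
import sqlite3

# Declared schema: attribute -> (type, validator). Anything else is rejected.
ORDER_SCHEMA = {
    "sku": (str, re.compile(r"[A-Z0-9-]{3,20}").fullmatch),
    "quantity": (int, lambda q: 1 <= q <= 1000),
}


class ValidationError(ValueError):
    pass


def validate_order(payload) -> dict:
    if not isinstance(payload, dict):
        raise ValidationError("payload must be an object")
    extra = set(payload) - set(ORDER_SCHEMA)
    if extra:
        # Mass-assignment defence: unknown attributes such as 'price' or
        # 'is_admin' are refused outright rather than silently passed through.
        raise ValidationError(f"unexpected attributes: {sorted(extra)}")
    clean = {}
    for name, (expected_type, check) in ORDER_SCHEMA.items():
        if name not in payload:
            raise ValidationError(f"missing attribute: {name}")
        value = payload[name]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, expected_type) or not check(value):
            raise ValidationError(f"invalid value for {name}")
        clean[name] = value
    return clean


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, sku TEXT, quantity INTEGER)")
    conn.executemany("INSERT INTO orders (sku, quantity) VALUES (?, ?)",
                     [("ABC-1", 2), ("XYZ-9", 5), ("ABC-2", 1)])
    return conn


def find_orders_vulnerable(conn, sku: str):
    # String formatting: the input becomes part of the SQL statement.
    return conn.execute(f"SELECT sku FROM orders WHERE sku = '{sku}'").fetchall()


def find_orders(conn, sku: str):
    # Bound parameter: the driver sends the value separately from the query
    # text, so it can never change the statement's structure.
    return conn.execute("SELECT sku FROM orders WHERE sku = ?", (sku,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(validate_order({"sku": "ABC-1", "quantity": 2}))
    print(find_orders(conn, "ABC-1"))
```

Validation and parameterisation are complementary, not alternatives: the schema check rejects input the application has no business accepting, and the bound parameter guarantees that whatever does get through is treated as data.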