December 5, 2017

Top 10 Security Risks on the Web (OWASP) and how to mitigate them with API Management

Nicholas Gimenes
Leader of Growth & Product Marketing
Passionate about using technology and data to leverage digital strategies

APIs and APPs Security

Critical data in the cloud, mobile access from everywhere, IoT, Open Banking, API-enabled digital platforms, and security? How does that work?

APIs are the basis for digital transformation. The expansion of Web applications and digital ecosystems driven by Web APIs has increased security concerns because of their high degree of exposure. In the study conducted by Sensedia in collaboration with IDC, security was the most important topic in API strategies (cited by 85% of large and medium-sized companies).

OWASP (Open Web Application Security Project), in order to focus efforts on application and API security, carried out a global, collaborative survey of the 10 most critical Web security risks, known as the OWASP Top 10.

The ranking is based on collected data and on consultation with the community. Risks are classified according to the OWASP Risk Rating Methodology, with a 3-level score for each of the following criteria: Attack Difficulty (Exploitability), Risk Prevalence, Risk Detection (Detectability), and Technical Impact.

In the preliminary text (RC1), the item “Unprotected APIs” was proposed for inclusion in the 2017 ranking, but it was withdrawn because Web APIs are susceptible to several of the listed risks, so a separate category makes little sense. The final text does, however, add new references to APIs and to the API Security Gateway.

The modifications in the items of the rankings were the following:

Topics removed, but not forgotten

  • 2013-A8 Cross-site Request Forgery (CSRF)
  • 2013-A10 Unvalidated Redirects and Forwards

Topics added

  • 2017-A4 XML External Entity (XXE)
  • 2017-A8 Insecure Deserialization
  • 2017-A10 Insufficient Logging & Monitoring

Classification of risks: there may be variations according to the characteristics of each organization

According to RC1, detecting vulnerabilities in APIs can be harder than in applications, because there is no user interface (UI) for testing and because more complex data structures are used. At the same time, APIs often communicate directly with critical systems, so when they have gaps they can enable unauthorized access to and manipulation of sensitive data, up to a complete takeover of the system.

A complete API Management platform also acts as an additional protection layer for the backend, with resources for detecting faults and supporting proper API design, as well as for separating environments and implementing other mechanisms for security, control, and analysis.

A10 OWASP 2017 RC1 – item included in the partial version but removed from the final version

Ranking 2017 OWASP Top 10 Security Risks on the Web

The following are the 10 risks of the new OWASP 2017 rankings and the main ways to mitigate them:

A1 – Injection

Injection flaws (such as SQL injection) occur when untrusted data is sent to an interpreter as part of a command or query, where it may be interpreted as commands or queries that trigger unintended actions.

How to prevent it?

To prevent this type of attack, validate whether the data passing through the APIs contains embedded commands (in SQL, JSON, or XML, among others) and, wherever possible, avoid the interpreter entirely by using a safe, parameterized interface. Read more: Injection Prevention Cheat Sheet – OWASP.

How to mitigate this risk with API Management

You can apply interceptors with SQL threat protection, JSON threat protection, and XML threat protection.
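The two halves of the A1 advice side by side, as an added example that is not part of the original article or of Sensedia's product: a lookup that concatenates caller input into SQL next to the parameterized form, plus a small heuristic check of the kind a gateway "SQL threat protection" interceptor runs on fields that should never carry SQL syntax. The table, data and the `SQL_THREAT_RE` pattern are constructed for the example.

```python
import re
import sqlite3


# Constructed in-memory table standing in for an API backend store (example data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The statement is assembled by string concatenation, so the SQL interpreter
    sees caller-controlled text as part of the query (the flaw A1 describes)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized interface: the driver binds `name` as a value, so it can
    never change the structure of the statement."""
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


# Defence in depth, modelled on what a gateway SQL threat protection interceptor
# does: flag SQL syntax in a field that should only ever carry a plain identifier.
# It is a heuristic (it will flag a user literally named "Or") and does not
# replace parameterization.
SQL_THREAT_RE = re.compile(
    r"(--|;|/\*|\*/|'|\")|\b(union|select|insert|update|delete|drop|or|and)\b",
    re.IGNORECASE,
)


def sql_threat_detected(value: str) -> bool:
    """True when the value contains SQL comment, quote, statement or boolean tokens."""
    return SQL_THREAT_RE.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
    print("interceptor  :", sql_threat_detected(probe))
```

The interceptor flags the request before it reaches the backend, while the parameterized query is what actually removes the class of bug: even a request the heuristic misses cannot alter the statement.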

A2 – Authentication Break

Attackers can steal or compromise authentication keys, passwords, or cookies and obtain unauthorized access.

How to prevent it?

It is important to use secure communication with two-way SSL and authentication standards (such as OAuth). Read more: Authentication Cheat Sheet – OWASP.

How to mitigate this risk with API Management

Enable two-way SSL communication and OAuth 2.0 authentication.

A3 – Exposure of Sensitive Data

Sensitive data can be exposed when it is stored without encryption, when weak keys or poor key generation and management are used, or when weak algorithms or hashing techniques are applied.

How to prevent it?

To prevent this vulnerability, use log obfuscation and data obfuscation, encrypt the communication channel, and use two-way SSL.

It is important not to store sensitive data if there is no need and to encrypt them, both when at rest and in transit.

Always disable “autocomplete” on forms and in the cache of pages that contain sensitive data. Read more: Cryptographic Storage Cheat Sheet – OWASP and Transport Layer Protection Cheat Sheet – OWASP.

How to mitigate this risk with API Management

In addition to communication with two-way SSL, enable Data Obfuscation, Log Obfuscation, and Cryptography.
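What the Data Obfuscation and Log Obfuscation mechanisms named above do in practice, as an added example written for this page rather than code from the article or from Sensedia's platform: a key-based mask for structured request and response bodies, and a pattern-based scrubber for free-text log lines that catches card numbers and e-mail addresses regardless of field name. The `SENSITIVE_KEYS` set and the sample payload are constructed.

```python
import re
from typing import Any

# Keys a data obfuscation rule would mask, with how many trailing characters
# may stay visible (0 for secrets, a few for identifiers used in support cases).
# Constructed example set.
SENSITIVE_KEYS = {"password": 0, "token": 0, "card_number": 4, "cpf": 2}


def mask_value(value: Any, keep: int = 0) -> str:
    """Replace every character except the last `keep` with '*'. A value shorter
    than or equal to `keep` is masked completely so nothing leaks."""
    s = str(value)
    visible = s[len(s) - keep:] if 0 < keep < len(s) else ""
    return "*" * (len(s) - len(visible)) + visible


def obfuscate(payload: Any) -> Any:
    """Recursively mask sensitive keys in a JSON-like structure; other values pass through."""
    if isinstance(payload, dict):
        out = {}
        for key, value in payload.items():
            keep = SENSITIVE_KEYS.get(key.lower())
            out[key] = obfuscate(value) if keep is None else mask_value(value, keep)
        return out
    if isinstance(payload, list):
        return [obfuscate(item) for item in payload]
    return payload


# Log obfuscation: scrub values that reach free-text log lines whatever their key.
# 13 to 19 digit groups (optionally separated) are treated as card numbers.
CARD_RE = re.compile(r"\b(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{1,7})\b")
EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def scrub_log_line(line: str) -> str:
    """Keep only the last card group and the first letter of the mailbox."""
    line = CARD_RE.sub(lambda m: "**** **** **** " + m.group(4), line)
    line = EMAIL_RE.sub(lambda m: m.group(1) + "***@" + m.group(2), line)
    return line


if __name__ == "__main__":
    body = {"user": "bob", "password": "hunter2!", "cpf": "12345678901",
            "cards": [{"card_number": "4111111111111111"}]}
    print(obfuscate(body))
    print(scrub_log_line("POST /pay from alice@example.com card=4111 1111 1111 1111"))
```

Masking is applied before the payload is written to any log or analytics store, so the original value never exists outside the request path; the regex scrubber is the safety net for values that arrive in fields the key list does not know about.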

A4 – XML External Entities (XXE)

Many older XML processors allow the specification of an external entity, a URI that is dereferenced and evaluated during XML processing. This flaw allows data extraction, making requests from the server, scanning internal systems, and performing DoS attacks, among others.

How to prevent it?

Patch or update the XML processors, libraries and their dependencies; verify that XML or XSL file uploads validate incoming XML; use whitelist input validation; and disable XXE and DTD processing. Consider using virtual patching, an API security gateway, or WAFs. Read more: XML External Entity (XXE) Prevention Cheat Sheet – OWASP.

How to mitigate this risk with API Management

Enable the API security gateway module, create whitelists, and apply the interceptor for XML threat protection.

A5 – Access Control with Failure

This happens when there are internal references to objects (such as a file, folder, or database record) without access control, which can be manipulated to obtain undesired access.

How to prevent it?

To mitigate this risk, create indirect references to objects per user or session, and verify access from untrusted sources on every use of a direct reference. An API rate limit can minimize potential damage. Read more: Access Control – OWASP.

How to mitigate this risk with API Management

Apply authentication with OAuth 2.0, validation of access to resources with Plans, and Rate Limit.
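Both patterns from the prevention advice, per-session indirect object references and an ownership check on direct references, together with the rate limit that caps how fast references can be tried, as an added example written for this page rather than code from the article or from Sensedia's platform. The invoice store, session ids and limits are constructed.

```python
import secrets
import time
from collections import defaultdict, deque


class ReferenceMap:
    """Per-session indirect object references: clients only ever see opaque
    handles, and a handle resolves only for the session that issued it."""

    def __init__(self) -> None:
        self._by_session = defaultdict(dict)

    def handle_for(self, session_id: str, real_id: int) -> str:
        handle = secrets.token_urlsafe(8)  # unguessable, not derived from real_id
        self._by_session[session_id][handle] = real_id
        return handle

    def resolve(self, session_id: str, handle: str):
        return self._by_session.get(session_id, {}).get(handle)


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key.
    `clock` is injectable so behaviour can be checked without sleeping."""

    def __init__(self, limit: int, window: float, clock=time.monotonic) -> None:
        self.limit, self.window, self.clock = limit, window, clock
        self._calls = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._calls[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed invoice store: invoice id -> owning user (example data).
INVOICES = {101: "alice", 102: "bob"}


def get_invoice_direct(user: str, invoice_id: int) -> dict:
    """Direct reference path: the id comes from the client, so ownership is
    verified on every use, never assumed from an earlier listing."""
    owner = INVOICES.get(invoice_id)
    if owner is None or owner != user:
        raise PermissionError("not your invoice")
    return {"id": invoice_id, "owner": owner}


def get_invoice_indirect(refs: ReferenceMap, session_id: str, handle: str) -> dict:
    """Indirect reference path: a foreign or unknown handle simply does not resolve."""
    invoice_id = refs.resolve(session_id, handle)
    if invoice_id is None:
        raise PermissionError("unknown reference")
    return {"id": invoice_id, "owner": INVOICES[invoice_id]}


if __name__ == "__main__":
    refs = ReferenceMap()
    handle = refs.handle_for("sess-alice", 101)
    print(get_invoice_indirect(refs, "sess-alice", handle))
    limiter = RateLimiter(limit=3, window=60)
    print([limiter.allow("app-key") for _ in range(4)])  # fourth call is refused
```

In a gateway the ownership check corresponds to validating access with Plans, and the limiter to the Rate Limit policy keyed by the OAuth client; neither replaces the other.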

A6 – Incorrect Security Configuration

Attackers can perform undesired actions when security settings are missing or incorrect.

How to prevent it?

Automated, periodic scanning is very useful for detecting missing updates, configuration errors, use of default accounts, etc. It is important to have a fast and efficient process to deploy properly hardened environments and keep them up to date, with an architecture that offers secure separation between components. Read more: Center for Internet Security (CIS): Configuration Guidelines and Benchmarks.

How to mitigate this risk with API Management

Creation and separation of Environments, definition of Deploy Permissions, use of OAuth 2.0, creation and revocation of tokens, centralized management, and auditing of events.

A7 – Cross-Site Scripting (XSS)

In XSS attacks, scripts are injected into data before it is sent to the browser, where they execute to hijack sessions, redirect users to malicious sites, or deface pages.

How to prevent it?

Check requests and responses to ensure that they do not contain scripts. Read more: XSS (Cross Site Scripting) Prevention Cheat Sheet – OWASP.

How to mitigate this risk with API Management

Apply the specific XSS threat protection interceptor to check for malicious patterns.

A8 – Insecure Deserialization

Distributed applications with public listeners, or applications that rely on maintaining client-side state, are likely to be exposed to tampering with serialized data.

How to prevent it?

Do not accept serialized objects from untrusted sources, or use serialization formats that only permit primitive data types. If that is not possible, implement integrity checks or encryption on the serialized objects to prevent hostile object creation or data tampering. Strict type constraints can also be enforced during deserialization, before the object is created. Another point is to isolate the deserialization code and run it in very low-privilege environments or temporary containers. It is important to log deserialization exceptions and failures. Restrict or monitor the inbound and outbound connectivity of containers or servers that deserialize, and configure alerts for cases in which a user deserializes constantly. Read more: Deserialization Cheat Sheet – OWASP.

How to mitigate this risk with API Management

Define whitelists of trusted sources, create specific logs for each stage of API processing, perform call tracing, and configure alerts.
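The first three prevention points for A8 carried out in code, as an added example for this page and not code from the article or from Sensedia's platform: a primitive-only format (JSON), an HMAC-SHA256 integrity tag checked before anything is parsed, and a strict type and depth restriction on what comes out. The signing key is a constructed placeholder; the envelope layout (`base64url(body).base64url(tag)`) is this example's own choice.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the example; in production it comes from a secret store.
EXAMPLE_KEY = b"example-signing-key-placeholder"

PRIMITIVES = (str, int, float, bool, type(None))


def _enforce_types(obj, depth: int = 0) -> None:
    """Strict type restriction: only JSON primitives, lists and string-keyed
    dicts, to a bounded depth. Anything else is rejected before use."""
    if depth > 8:
        raise ValueError("nesting too deep")
    if isinstance(obj, dict):
        for key, value in obj.items():
            if not isinstance(key, str):
                raise ValueError("non-string key")
            _enforce_types(value, depth + 1)
    elif isinstance(obj, list):
        for value in obj:
            _enforce_types(value, depth + 1)
    elif not isinstance(obj, PRIMITIVES):
        raise ValueError("unsupported type %s" % type(obj).__name__)


def serialize(obj, key: bytes = EXAMPLE_KEY) -> str:
    """Canonical JSON body plus HMAC-SHA256 tag, both base64url, joined by '.'."""
    _enforce_types(obj)
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(body).decode(),
                      base64.urlsafe_b64encode(tag).decode())


def deserialize(token: str, key: bytes = EXAMPLE_KEY):
    """Verify the tag first: a tampered or unsigned body never reaches json.loads."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed token") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed")
    obj = json.loads(body)
    _enforce_types(obj)
    return obj


if __name__ == "__main__":
    token = serialize({"user": "bob", "role": "user"})
    print(deserialize(token))
    forged = serialize({"user": "bob", "role": "admin"}).split(".")[0] + "." + token.split(".")[1]
    try:
        deserialize(forged)
    except ValueError as err:
        print("rejected:", err)
```

Every `ValueError` raised here is the event the article says to log and alert on; a client that produces many of them in a short time is exactly the "constantly deserializing" case the A8 advice flags.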

A9 – Use of Components with Known Vulnerabilities

Attackers can identify vulnerable components through scanning or manual analysis.

How to prevent it?

Use tools to prepare an inventory of component versions and dependencies (server-side and client-side). Monitor vulnerabilities in components from public sources such as NVD and use software for automatic analysis. In addition, it is important to deactivate the components that will not be used and to apply updates and patches from official sources to prevent vulnerabilities that can be exploited. Read more: National Vulnerability Database – NVD.

How to mitigate this risk with API Management

Apply the String Match Conditions interceptor to validate calls to URLs with known vulnerabilities.

A10 – Insufficient Logging and Monitoring

Improper logging of failures, and the lack of alerts and blocking, allow attackers to keep probing for vulnerabilities until one is exploitable.

How to prevent it?

Use widely adopted formats such as REST, GraphQL, and JSON, and apply security mechanisms that guarantee secure communication, a strong authentication scheme and access control, in addition to protection against all types of injection. Read more: Logging Cheat Sheet – OWASP.

How to mitigate this risk with API Management

Enable call tracing and the logging interceptor, which can be applied at each API processing stage, and configure alerts and customized dashboards.
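The alerting side of A10 over sample gateway logs, as an added example for this page (not code from the article or from Sensedia's platform): parse access-log lines and raise one alert when a single API key accumulates a burst of 401/403/404 responses, the signature of the "keep probing until something works" behaviour the risk describes. The log format and the lines themselves are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed gateway access-log lines (not real traffic); the format is an assumption.
SAMPLE_LOG = """\
2017-12-05T10:00:01Z client=10.0.0.5 key=app-1 method=GET path=/v1/accounts/1 status=200
2017-12-05T10:00:02Z client=10.0.0.9 key=app-7 method=GET path=/v1/accounts/2 status=403
2017-12-05T10:00:03Z client=10.0.0.9 key=app-7 method=GET path=/v1/accounts/3 status=403
2017-12-05T10:00:04Z client=10.0.0.9 key=app-7 method=GET path=/v1/accounts/4 status=404
2017-12-05T10:00:05Z client=10.0.0.9 key=app-7 method=GET path=/v1/accounts/5 status=403
2017-12-05T10:00:06Z client=10.0.0.9 key=app-7 method=POST path=/v1/login status=401
2017-12-05T10:02:30Z client=10.0.0.5 key=app-1 method=GET path=/v1/accounts/1 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) key=(?P<key>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

# Responses that indicate a denied or missing resource: each one is a failed probe.
DENIED = {401, 403, 404}


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["status"] = int(rec["status"])
        yield rec


def detect_probing(records, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> list:
    """Alert once per API key when it produces >= threshold denied responses
    inside a sliding window; the alert carries what an analyst needs first."""
    alerts = []
    recent = defaultdict(deque)
    alerted = set()
    for rec in records:
        if rec["status"] not in DENIED:
            continue
        q = recent[rec["key"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["key"] not in alerted:
            alerts.append({"key": rec["key"], "client": rec["client"],
                           "count": len(q), "last": rec["ts"]})
            alerted.add(rec["key"])
    return alerts


if __name__ == "__main__":
    for alert in detect_probing(parse_log(SAMPLE_LOG)):
        print("ALERT probing by %(key)s from %(client)s: %(count)d denied in window, last %(last)s" % alert)
```

The same rule is what a gateway alert on "calls with status 4xx per client over the last minute" expresses; the point of keying on the API key rather than the IP is that the key is what the Plan and Rate Limit policies can act on to block the caller.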

Sensedia API Platform – Security for your APIs and Backend

Sensedia’s Full Life Cycle API Management solution was classified as Visionary by Gartner and as a Strong Performer by Forrester. It offers a series of mechanisms for protecting and analyzing your APIs and your backend, tools for resource optimization and developer engagement, and consulting for the secure construction of digital strategies and architectures based on microservices.

Want to learn more about how to protect your APIs and your backend?


Thanks for reading!