Ten Critical API Security Vulnerabilities from an OWASP Perspective
Broken object level authorization. APIs usually expose endpoints that handle object identifiers, which creates a wide attack surface for access control violations. Object-level authorization checks should be implemented in every function that takes an identifier from the user and uses it to access data.

Broken user authentication. Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws in order to assume other users' identities, temporarily or permanently. Undermining the system's ability to identify the client or user compromises the security of the API as a whole.

Excessive data exposure. Developers tend to expose all properties of an object through the API without considering the sensitivity of each one, relying on the client to filter the data before it is displayed to the user.

Lack of resources and rate limiting. APIs often impose no limit on the size or number of resources that a client or user may request. Besides degrading the performance of the API server, this can lead to a denial of service (DoS) and leaves authentication open to attacks such as brute force.

Broken function level authorization. Complex access control policies with different hierarchies, groups and roles, together with an unclear separation between regular and administrative functions, lead to authorization flaws. By exploiting these vulnerabilities, attackers gain access to other users' resources or to administrative functions.

Mass assignment. Binding client-provided data (e.g. JSON objects) to data models without filtering it against a whitelist of permitted properties leads to mass assignment. By guessing object properties, exploring other endpoints, reading the documentation or supplying additional object properties in the request body, an attacker can modify properties of objects that they are not authorized to change.
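The first, fourth, fifth and sixth items above (object-level authorization, resource limits, function-level authorization and mass assignment) all come down to checks a handler must perform before touching a model. The following is an added example, not code from the original page, of a minimal in-memory "update profile" handler that applies those checks: the user ids, roles, field names and the page-size cap are all assumptions made for the demonstration.

```python
"""Added example (not from the original page): a minimal in-memory
"update profile" API handler that applies the object-level and
function-level authorization checks, the mass-assignment allowlist and
the page-size cap described above. Users, roles, field names and limits
are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed data store: user id -> record. Field names are assumptions.
USERS = {
    1: {"display_name": "alice", "email": "alice@example.test", "is_admin": False, "balance": 100},
    2: {"display_name": "bob", "email": "bob@example.test", "is_admin": False, "balance": 50},
}

# Mass-assignment defence: the only properties a client may set on its own record.
CLIENT_WRITABLE = frozenset({"display_name", "email"})

# Resource limiting: an upper bound on how many records one request may ask for.
MAX_PAGE_SIZE = 100


@dataclass
class Principal:
    """Authenticated caller, as established by an (assumed) authentication layer."""
    user_id: int
    roles: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    """Raised when an authorization check fails."""


def update_profile(caller: Principal, target_id: int, body: dict) -> dict:
    """PATCH /users/{target_id}: only the owner may edit, and only allowlisted fields."""
    # Object-level authorization: the identifier from the URL must belong to the caller.
    if target_id != caller.user_id:
        raise Forbidden(f"user {caller.user_id} may not modify user {target_id}")
    if target_id not in USERS:
        raise KeyError(target_id)
    # Mass-assignment filter: keep only allowlisted keys instead of binding the
    # whole JSON object onto the model; anything else is reported and dropped.
    accepted = {k: v for k, v in body.items() if k in CLIENT_WRITABLE}
    rejected = sorted(set(body) - CLIENT_WRITABLE)
    USERS[target_id].update(accepted)
    return {"updated": sorted(accepted), "ignored": rejected}


def set_admin(caller: Principal, target_id: int, value: bool) -> bool:
    """Administrative function: requires the admin role regardless of object ownership."""
    # Function-level authorization: an explicit role check on the admin-only function.
    if "admin" not in caller.roles:
        raise Forbidden("admin role required")
    USERS[target_id]["is_admin"] = value
    return USERS[target_id]["is_admin"]


def clamp_page_size(requested: Optional[int], default: int = 20) -> int:
    """Resource limiting: the client never gets to choose an unbounded page size."""
    if requested is None or requested < 1:
        return default
    return min(requested, MAX_PAGE_SIZE)


if __name__ == "__main__":
    alice = Principal(user_id=1)
    # is_admin and balance are silently dropped; only email is applied.
    print(update_profile(alice, 1, {"email": "a2@example.test", "is_admin": True, "balance": 10**9}))
    try:
        update_profile(alice, 2, {"email": "x@example.test"})
    except Forbidden as exc:
        print("blocked:", exc)
    print(clamp_page_size(10_000))  # 100
```

The allowlist is deliberately a positive list of writable fields rather than a blocklist of sensitive ones, so a new field added to the model is unwritable by default until someone decides otherwise.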
Security misconfiguration. Security misconfiguration commonly results from insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive cross-origin resource sharing (CORS) policies and verbose error messages that leak sensitive information.

Injection. Injection flaws such as SQL, NoSQL and command injection occur when untrusted data is passed to an interpreter as part of a command or query. The attacker's malicious data can trick the interpreter into executing unintended commands or accessing data without authorization.

Improper assets management. APIs tend to expose more endpoints than traditional web applications, which makes proper and up-to-date documentation all the more important. A proper inventory of hosts and deployed API versions also plays an important role in mitigating issues such as outdated API versions and exposed debug endpoints.

Insufficient logging and monitoring. Insufficient logging and monitoring, combined with a missing or ineffective incident response process, allows attackers to establish persistent access, attack further systems and extract or destroy data. Studies show that the time to detect a breach is on average more than 200 days after the intrusion, and that the breach is typically detected by third parties rather than by internal processes or monitoring.
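The injection item above is easiest to see with the two query styles side by side. The following is an added example, not code from the original page, that runs a string-built lookup and a parameterized lookup against the same SQLite table; the table, its rows and the test inputs are constructed for the demonstration.

```python
"""Added example (not from the original page): the injection flaw described
above shown on a SQLite table, with the string-built query beside the
parameterized one. The table, its rows and the inputs are constructed for
the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table of API keys per account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "key-alice-1"), ("bob", "key-bob-1"), ("carol", "key-carol-1")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input is spliced into the SQL text, so it can change the query's structure."""
    query = f"SELECT name, api_key FROM accounts WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The placeholder binds the input as a value; it can never become SQL syntax."""
    return conn.execute(
        "SELECT name, api_key FROM accounts WHERE name = ?", (name,)
    ).fetchall()


def demo(name: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, name)),
            "parameterized_rows": len(lookup_parameterized(conn, name)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed name behaves identically in both versions.
    print(demo("alice"))            # {'vulnerable_rows': 1, 'parameterized_rows': 1}
    # A value containing a quote rewrites the WHERE clause in the vulnerable
    # version and returns every row; the parameterized version matches nothing.
    print(demo("x' OR 'a'='a"))     # {'vulnerable_rows': 3, 'parameterized_rows': 0}
```

The same rule applies to the other interpreters the text names: NoSQL query objects should be built from typed values rather than client-supplied operators, and commands should be passed to the OS as an argument list rather than a shell string.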
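The logging and monitoring item above only helps if someone, or something, actually reads the logs. The following is an added example, not code from the original page, of a small detector that scans API access-log lines for a burst of failed authentications from one client and for a successful login that follows such a burst; the log format, the sample lines, the login path and the thresholds are all constructed for the demonstration.

```python
"""Added example (not from the original page): a sliding-window detector
over API access-log lines that flags a burst of 401 responses from one
client and a successful login that follows it. The log format, sample
lines, login path and thresholds are constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines: "<ISO timestamp> <client ip> <method> <path> <status>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 POST /api/v1/login 401
2024-05-01T10:00:02 203.0.113.7 POST /api/v1/login 401
2024-05-01T10:00:02 198.51.100.3 GET /api/v1/users/42 200
2024-05-01T10:00:03 203.0.113.7 POST /api/v1/login 401
2024-05-01T10:00:04 203.0.113.7 POST /api/v1/login 401
2024-05-01T10:00:05 203.0.113.7 POST /api/v1/login 401
2024-05-01T10:00:06 203.0.113.7 POST /api/v1/login 200
2024-05-01T10:05:00 198.51.100.3 POST /api/v1/login 401
2024-05-01T10:09:00 198.51.100.3 POST /api/v1/login 401
"""


def parse_line(line: str) -> dict:
    """Parse one constructed-format log line into its fields."""
    ts, ip, method, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path, "status": int(status)}


def find_auth_bursts(log_text: str, threshold: int = 5, window_s: int = 60,
                     login_path: str = "/api/v1/login") -> list:
    """Return alerts: a 'burst' when one client produces `threshold` 401s within
    `window_s` seconds, and 'success_after_burst' when that client then gets a
    200 from the login path inside the same window."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 401s (sliding window)
    last_burst = {}               # ip -> time of its most recent burst alert
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 401:
            q = recent[ip]
            q.append(ts)
            # Drop timestamps that have fallen out of the window.
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"kind": "burst", "ip": ip, "at": ts.isoformat()})
                last_burst[ip] = ts
                q.clear()         # one burst raises one alert
        elif rec["status"] == 200 and rec["path"] == login_path and ip in last_burst:
            if (ts - last_burst[ip]).total_seconds() <= window_s:
                alerts.append({"kind": "success_after_burst", "ip": ip,
                               "at": ts.isoformat()})
                del last_burst[ip]
    return alerts


if __name__ == "__main__":
    for alert in find_auth_bursts(SAMPLE_LOG):
        print(alert)
```

On the sample above, 203.0.113.7 triggers a burst at 10:00:05 and a success-after-burst at 10:00:06, while the two slow failures from 198.51.100.3 are four minutes apart and never fill the window. The second alert kind is the one worth paging on: a burst alone is noise a rate limit should absorb, a success right after it is the pattern of a guessed credential.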