Friday, December 30, 2022

OWASP Security

 API Security

  1. Broken Object Level Authorization
    1. Aka IDOR (In-secured Direct Object Reference) - Accessing unauthorized objects using same token due to lack of authorization checks
    2. Mitigation
      • implement authorization checks with user policies and hierarchy
      • dont rely on IDs sent from client. Use IDs from session
      • Check authorization each time there is client request to access database
      • Use random non guessable IDs (UUIDs)
  2. Broken Authentication
    1. Due to Lack of best practices. 
    2. Mitigation
        • Check all possible ways to authenticate to all APIs 
          • Password reset APIs and one-time links also allow users to get authenticated and should be protected just as seriously 
            • Use standard authentication, token generation, password storage, MFA 
              • Use short-lived access tokens 
                • Authenticate your apps (so you know who is talking to you) 
                  • OAuth token is not authentication (hotel key analogy)
                    • Use stricter rate-limiting for authentication, implement lockout policies and weak password checks 
                1. Excessive Data Exposure
                  1. Exposing critical data to avoid regular updates ( eg. using * for db queries)
                  2. Mitigation:
                    • Never rely on client to filter data 
                    • Review all responses, only return what the API consumers really need 
                    • Define schemas of all the API responses 
                    • Don't forget about error responses 
                    • Identify all the sensitive or Pll info and justify its use 
                    • Enforce response checks to prevent accidental data and exception leaks 
                                1. Lack of Resources & Rate Limiting
                                  1. Denial of service to overwhelm the server
                                  2. Mitigation:
                                      • Rate limiting 
                                      • Payload size limits 
                                      • Rate limits specific to API methods, clients, addresses 
                                      • Checks on compression ratios 
                                      • Limits on container resources 
                                      • Check parsers on recursion vulnerabilities 
                                  3. Missing Function Level Authorization
                                    1. Similar to broken object level authorization
                                    2. Mitigation:
                                      • Don't rely on client app to enforce admin access 
                                      • Deny all access by default 
                                      • Only allow operation to users that belong to the appropriate group or role 
                                      • Properly design and test authorization
                                  4. Mass Assignment
                                  5. Security Misconfiguration
                                  6. Injection
                                  7. Improper Assets Management
                                  8. Insufficient Logging & Monitoring


                                  at

                                  No comments:

                                  Post a Comment

                                  Subscribe to: Post Comments (Atom)

                                  Cybersecurity Essential: OpenSSL

                                  In today’s digital landscape, securing data is paramount. Whether you’re building web applications, managing servers, or developing software...