Geographic rate limiting: To further increase security in certain geographic regions, developers can set rate limits for particular regions and particular time periods. In Part 1 of this series, you learned about what OWASP is, why we need to worry about the OWASP Top 10, what an API Gateway is, and detailed analysis about the first threat defined in the OWASP Top… the OWASP API Security Project wiki page, before digging deeper into the most critical API security risks. As a result of excessive data exposure, irrelevant but sensitive data may also be uncovered. APIs play a very important role in modern applications' architecture. In this article, we look at a couple of attacks that fall into this category and also review the protection mechanisms. Some examples are: attempt to access protected resources without credentials; attempt to use invalid credentials or expired session tokens; provoke lockout of an account and validate the enforcement of locking logic/timeframe. Implement security questions and/or multi-factor authentication as required. Always use short-lived access tokens. This article will continue from there and go on to describe 3 more threats defined in the OWASP Top 10 list. If you haven't read Part 1 of this series yet, please do so. Authentication is a critical part of any application, but even seemingly solid authentication mechanisms suffer problems at the basic credential management functions, including password change, account profile update, and other related functions. Authentication vulnerabilities may exist if an application lacks proper protection mechanisms (i.e.
This type of vulnerability is difficult to mitigate via automated tools, as it is hard to distinguish between sensitive data and data that is actually needed given the nature of the API. A scenario of exploitation of this vulnerability would be when an attacker identifies the API endpoint that is used as a data source for a comments section of an application: This also returns sensitive data about the authors of the comments, such as their passwords and addresses. Sekhar Chintaginjala is an experienced information security researcher who brings 15+ years of hands-on knowledge to the CloudVector team. This would mean that the user credentials are stored in the browser's history even after the user has signed out. With OAuth 2.0, the authorization server can issue a short-lived access token and a long-lived refresh token. Since creating security awareness and innovation have different paces, it is important to focus on common API security weaknesses. This makes sure that sensitive or excess data never leave the Gateway. Another way to get rid of this vulnerability is to allow the Gateway to do certain processes where it is not feasible to change the back-end implementation. For example, let's assume that there is an application that must know whether the user is This can be mitigated by placing a Gateway in between the client and back-end (shown below in Offloading of such a process to the Gateway instead of the client would mean that there would be minimal exposure of any unnecessary data. A simple scenario would be when an attacker exploits vulnerable queries that retrieve data from the server.
API endpoints that handle authentication must be protected with extra layers of security compared to regular API endpoints) and if there is an incorrect implementation of the authentication mechanism (i.e. All It is essential to enforce the above discussed protection schemes consistently across all published API products, especially as the API landscape rapidly evolves within an organization. This scenario is explained diagrammatically below. Another example would be if an application allows attackers to perform Another important authentication vulnerability is not having proper session timeout mechanisms. Let's take a look at how this would work. As shown in the diagram above, the client will first send a POST request to the Excessive data exposure is more prevalent with modern API-based applications, since APIs return vast amounts of data back to the client for filtration. It evolved as Fielding wrote the HTTP/1.1 and URI specs and has been proven to be well-suited for developing distributed hypermedia applications. It is therefore important to treat it differently. At CloudVector, Sekhar is a member of the Security Research team and also leads efforts for new feature development that help protect from API abuses. Let us dive into the second item in the OWASP API Top 10 list: .
An Authentication API endpoint serves as the to the rest of the API. In API Security Checklist: Part 3 This is the final blog in the series outlining 15 best practices for strengthening API security with a shift-left approach. What is OWASP? REST Security Cheat Sheet - Introduction. Hello @chetans9, DESCRIPTION: I found a vulnerability in this project where I am able to brute force the add_customer function X number of times, which may result in website breakage. The exposed data included millions of records of PII data and other financial and health records as well. Figure 1: Unauthenticated API calls to Publicly Exposed Firebase DB. SoundCloud Vulnerability: Lack of rate-limiting for authentication endpoint example of authentication flaw is with online music platform SoundCloud, where authentication is enforced but the API endpoint does not implement account lockout based on failed login attempts, thus allowing brute force via an infinite number of API requests. From Checkmarx security research team, the API endpoint resource is responsible to authenticate and provide an access token for further accessing other APIs. There are several authentication schemes available to be used with APIs, but OAuth 2.0 is the popular choice for securing APIs, and OAuth 2.0 combined with OpenID Connect (OIDC) provides the required level of authentication and authorization for APIs. Should an attacker come across this client's browser history, he would be able to gain access to the application via the exposed credentials.