API Security Assessment

Mark September 7, 2021
| REF | Security Check | Example |
| --- | --- | --- |
| 1.1 | Inputs of an incorrect type must be rejected. | Inputs that are null, when a null is unacceptable, must be rejected. |
| 1.2 | Inputs of an incorrect size must be rejected. | Restrict inputs whose size could cause resource exhaustion (OWASP API4 - Lack of resources and rate limiting). |
| 1.3 | For a given input value, the API must provide the expected output. | Only the information requested is returned, and no other data is returned (OWASP API3 - Excessive data exposure). |
| 1.4 | Authorization checks only allow access to resources belonging to the service/user. | An attacker is unable to substitute the ID of their own resource with one belonging to another user (OWASP API1 - Broken object level authorization). |
| 1.5 | Complex passwords, rotation of API keys, and credentials/keys not passed in URLs. | Default passwords and credentials are changed and managed (OWASP API2 - Broken authentication). |
| 1.6 | Clear separation between administrative and regular functions. | Non-privileged users can access admin functions (OWASP API5 - Broken function level authorization). |
| 1.7 | Explicitly define all parameters and payloads; do not automatically bind incoming data to internal objects. | The API takes the data the client provides and stores it without filtering for whitelisted properties (OWASP API6 - Mass assignment). |
| 1.8 | Poor configuration of the API servers allows attackers to exploit them. | Unpatched systems, unprotected files or directories (OWASP API7 - Security misconfiguration). |
| 1.9 | Protections against attackers constructing API calls that include SQL, NoSQL, LDAP, OS, or other commands that the API or the backend behind it blindly executes. | Injection flaws, such as SQL, NoSQL and command injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization (OWASP API8 - Injection). |
| 1.10 | Attackers find non-production versions of the API (for example staging, testing, beta, or earlier versions) that are not as well protected as the production API, and use those to launch their attacks. | APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. A proper inventory of hosts and deployed API versions also plays an important role in mitigating issues such as deprecated API versions and exposed debug endpoints (OWASP API9 - Improper assets management). |
| 1.11 | The API is monitored/logged and integrated into security tools (Security Information and Event Management, SIEM). | Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate that the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring (OWASP API10 - Insufficient logging & monitoring). |
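Checks 1.4 and 1.7 are the ones most often missed in handler code, so here is an added example (not part of the original post) of a minimal PATCH-style account update: the vulnerable pattern that binds whatever the client sends, beside a hardened version that enforces the object-level ownership check, an explicit property allowlist with type checks (1.1), and a minimal response (1.3). The store, field names and sample records are all constructed for this illustration.

```python
import copy

# Constructed sample store: account id -> record. owner_id marks the resource owner.
SAMPLE_ACCOUNTS = {
    "acct-1": {"owner_id": "user-A", "display_name": "Alice", "email": "a@example.test", "role": "user"},
    "acct-2": {"owner_id": "user-B", "display_name": "Bob", "email": "b@example.test", "role": "user"},
}

# Check 1.7: explicit allowlist of client-writable properties and their types (check 1.1).
# Internal fields such as "role" and "owner_id" are deliberately absent from this list.
WRITABLE_FIELDS = {"display_name": str, "email": str}

def fresh_store():
    """Deep copy of the sample data so each call starts from the same state."""
    return copy.deepcopy(SAMPLE_ACCOUNTS)

class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

def patch_account_vulnerable(store, caller_id, account_id, payload):
    """'Before' pattern: trusts the id in the URL and binds every key the client sends."""
    store[account_id].update(payload)   # no ownership check, no property allowlist
    return store[account_id]

def patch_account_hardened(store, caller_id, account_id, payload):
    """Ownership check (1.4), explicit property binding (1.7), minimal response (1.3)."""
    record = store.get(account_id)
    # Same 404 for missing and foreign resources, so the response does not reveal which ids exist.
    if record is None or record["owner_id"] != caller_id:
        raise ApiError(404, "not found")
    if not isinstance(payload, dict):
        raise ApiError(400, "body must be a JSON object")
    unknown = set(payload) - set(WRITABLE_FIELDS)
    if unknown:
        raise ApiError(400, f"unknown fields: {sorted(unknown)}")
    for field, expected in WRITABLE_FIELDS.items():
        if field in payload and not isinstance(payload[field], expected):
            raise ApiError(400, f"{field} must be {expected.__name__}")
    record.update({k: payload[k] for k in WRITABLE_FIELDS if k in payload})
    return {k: record[k] for k in WRITABLE_FIELDS}   # only the client-visible view, no internal fields
```

With the vulnerable handler, a payload containing `role` is silently written to the record; the hardened handler returns 404 for a foreign id and 400 for any property outside the allowlist.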