How to prevent API-induced breaches:  Implement OWASP API Security Guideline #8

‍

‍

As APIs proliferate across enterprises, so does the risk of API-induced security breaches.

While APIs introduce novel risks that haven’t been fully explored and protected against, significant progress has been made in identifying and remediating common vulnerabilities.

One such risk is Security Misconfigurations, highlighted as Guideline no. 8 in the OWASP Top 10 2023 Edition. Despite being fixable with straightforward steps, attacks related to this guideline are often overlooked, constituting 23% (the second-highest) of attack attempts.

This article outlines what security misconfigurations entail, their impact, and the steps you and your team should take to keep your APIs, company reputation, and customer loyalty intact.

‍

What are Security Misconfigurations:

In simple terms, security misconfigurations occur when custom, third-party, partner applications, APIs, or cloud services are incorrectly set up.

Ironically, security systems—when improperly configured—can inadvertently facilitate attacks instead of preventing them.

They provide attackers with an entry point into the enterprise network. This entry point is discovered during the reconnaissance phase and can be easily exploited to gain unauthorized access to sensitive data, cause data loss, or even take over the entire system.

Scanners alone cannot detect these misconfigurations, which extend beyond runtime custom applications and occur at various stages, including SDLC, third-party/partner integrations, and open-source components.

Nor can they be prevented from exploitation by WAFs and other incident response tools as they don't fall under the conventional high-volume attacks.

‍

Different types of security misconfigurations:

‍

1. Unpatched systems:

Inadequate monitoring leaves infrastructure vulnerable and unaddressed. For example, an overlooked API on a subdomain not secured by the DevSec team can easily lead to a PII leak.

2. Unchanged default configuration:

Merely deploying multiple security solutions without customization won't prevent breaches and can worsen them. The 2019 Capital One breach occurred due to a poorly configured open-source WAF not tailored to the enterprise's specific needs.

3. Missing, outdated, or misconfigured TLS:

Encryption protocols like TLS should always be used to safeguard data in transit for interception. Lack of which results in not just data sniffing but also unauthorized access, PII leak, and system takeover.

4. Exposed storage:

While decreased costs and higher flexibility are a result of cloud adoption then so are risks of data leaks, privacy violations, and unauthorized changes. Without strong encryption and access controls in place, all these risks are very real for enterprises that operate entirely on the cloud.

5. Missing or overly permissive CORS Policy:

It's obvious that if you prevent a breach then you should be able to define and control who can access your systems and what they can do. When your CORS Policy is unaligned from these decisions, it leads to data leaks and unauthorized access.  

6. Incorrect / Missing / Unnecessary HTTP Headers:

HTTP headers enable secure communication between system components. Missing headers allow unauthorized requests, while unnecessary headers increase the risk of XSS attacks.

7. Exposed Stack Traces:

Stack traces aid internal debugging but expose functions that cause errors to attackers, making exploitation easier.

8. Unnecessarily enabled features:

Inactive or low-activity APIs often lack proper security measures, making them easy targets for attackers. These should be promptly identified and disabled to prevent exploitation.

9. Excessive Data exposure:

APIs returning more data than necessary, including sensitive information, expose vulnerabilities through headers, error messages, and status codes, aiding attackers.

10. Missing/Inadequate Authentication Mechanisms:

Weak authentication (AuthN) mechanisms, like poor password policies and vulnerability to stuffing attacks, leave numerous endpoints unsecured. 40% of surveyed enterprises reported AuthN issues in production APIs.

11. Missing/Inadequate Authorization Mechanisms:

Even with strong authentication, inadequate authorization (AuthZ) allows attackers to access and manipulate user records. 78% of attacks come from seemingly legitimate users with malicious intent.

12. Improper/Absent Input Sanitization:

A failure to implement input sanitization control often culminates into a successful injection attack allowing attackers to execute commands and access information they shouldn’t be able to.

‍

T-Mobile Breach:

While all of the above factors are dangerous in isolation, they are often collectively responsible for breaches. And when they are, the repercussions are intense as seen with the T-Mobile Breach last year.

Improper access controls led to unauthorized access to sensitive data and the subsequent leak of personally identifiable information (PII) of 37 million customers, including names, billing addresses, emails, phone numbers, dates of birth, and T-Mobile account numbers.

The breach, which began in late 2022, went undetected until January 2023 due to insufficient logging and monitoring. This not only damaged customer loyalty but also resulted in estimated fines of around $500 million. To prevent such incidents, it's important to follow best practices.

‍

Best Practices:

‍

1. Automate Location of Configuration Flaws:

Your developers need continuous visibility into configuration parameters throughout the SDLC to identify and fix AuthN and AuthZ misconfigurations before production. Automation is essential for monitoring the configuration status of new APIs.

2. Restrict Admin Access:

Adopt a Zero Trust Model where no entity is trusted without proper AuthN & AuthZ. This limits damage from compromised accounts and mitigates insider threats, which surprisingly account for 60% of data breaches.

‍

3. Enforce RBAC:

Provide teams with only the API-related data they need. Infrastructure teams focus on load balancer events, product teams on APIM policy issues, and development teams on code-level vulnerabilities.

‍

4. Implement Rate Limiting:

Even Though brute force attacks like DDoS, and enumeration have subsided compared to reconnaissance attacks, they still happen. Rate limiting protects APIs from brute force attacks like DDoS and enumeration. Last year, 70% of publicly acknowledged breaches involved rate-limiting abuse. Strategies include:

• Leaky Bucket: Queue-based (FIFO).
• Token Bucket: Fixed capacity.
• Fixed Window: Time-based.
• Sliding Log: Time-stamped requests.

‍

5. Locate and protect sensitive data flows:

Even Though 70% of the public breaches last year indicated a rate-limiting abuse,  a deeper analysis reveals that the core issue is that sensitive data flows are not adequately protected. And how can it be when enterprises struggle even to locate the said data flows due to API Sprawl? As a result, automation should be used to locate, protect, and test APIs carrying sensitive data flows.

‍

6. Define and Enforce all Outputs:

Tools like Postman help ensure that consistent responses are received for all requests, but they cannot ensure that the said responses do not overexpose PII, traces especially in case of error messages.

‍

So define output across these parameters:

• response formats (JSON, XML, etc.).
• document expected fields
• status codes
• error structures.

And enforce them by:

• Specify response formats (JSON, XML, etc.).
• Document expected fields, status codes, and error structures.

‍

7. Enforce Comprehensive and Continuous Monitoring & Logging:

This practice, if implemented at both network and application levels, could have mitigated the impact of incidents like the T-Mobile breach.

‍

Automate API Security with Levo:

To prevent security breaches caused by misconfigurations, it's essential to continuously identify and address any issues before deployment. Levo's automated and proactive approach accomplishes this throughout the SDLC in the following ways:

‍

1. Our documentation portal provides a comprehensive view of API endpoints with weak or missing authentication and authorization mechanisms, highlighting misconfigured endpoints that handle sensitive data and prioritizing their remediation.

2. We identify the flow of sensitive data across custom, partner, third-party, and open-source applications.
3. Even after applications go live, integrations are deployed continuously. Don't miss any updates to additional API endpoints and their configuration status with our inventory portal.
4. We conduct rigorous tests to minimize the risk of enumeration attacks like injection flaws, and other exploitable misconfigurations.

5. Detailed logging and proactive alerting system, Levo.ai helps organizations maintain optimal security configurations.
6. Identification of zombie and inactive APIs, Robust SSO, and RBAC mechanisms are available within our platform.

‍

Book a demo to see this live in action!

‍