OWASP API Top 10 - Most Common Attacks and How to Prevent Them - Part I
![](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e53da6e2cf4a67d589df_OWASP-API-Top-10.jpg)
APIs (Application Programming Interfaces) play a vital role in connecting and integrating various software systems. However, as APIs become increasingly prevalent, they also become attractive targets for malicious actors seeking to exploit vulnerabilities. The OWASP (Open Web Application Security Project) API Top 10 vulnerabilities serve as a guide to understanding and addressing the most critical security risks faced by APIs.
Dive into the Top 10 OWASP API Vulnerabilities of 2023
In this blog, we will explore the first five vulnerabilities on the OWASP API Top 10 list for 2023: Broken Object Level Authorization, Broken Authentication, Broken Object Property Level Authorization, Unrestricted Resource Consumption, and Broken Function Level Authorization. By examining these vulnerabilities, we can gain insights into the potential risks and effective preventive measures to ensure the security and integrity of our API implementations.
The following vulnerable apps were used to demonstrate vulnerabilities for each section:
OWASP – crAPI
https://github.com/OWASP/crAPI
Tools used:
![Burpsuite Tool](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e58695f21f9fb3379f3e_image-39.png)
![PostMan Tool](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e58621770bd789b93301_image-40.png)
![ffuf tool](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e58725162f4531e03fba_image-41.png)
![Hashcat tool](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e5868430d97a55e677c2_image-42.png)
Implications and Risks:
Exploiting broken object-level authorization can have severe repercussions, including:
Unauthorized Data Disclosure: Attackers can gain unauthorized access to sensitive data by manipulating object IDs. This can lead to the exposure of confidential information, undermining data privacy and compliance requirements.
Data Loss and Tampering: Unauthorized access to objects can enable attackers to modify or delete data, leading to data loss or manipulation. This can disrupt business operations, compromise data integrity, and impact the reliability of the API-driven system.
Account Compromise: In certain scenarios, broken object-level authorization can result in complete account compromise. Attackers can leverage unauthorized access to escalate privileges, gain control over user accounts, and potentially impersonate legitimate users.
Example with crAPI:
I created a user and a confirmation email was sent to localhost:8025
![Owasp api top 10](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e58670ea258fe9405737_image-1024x499.png)
I added the vehicle to my dashboard with the vehicle info:
![Vehicle Details Owasp API](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e587a0ee1fa8722f062c_image-1-1024x685.png)
![image 2](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e58a3ace19195c5654f8_image-2-1024x761.png)
Enter information into the form.
![Vehicle Details Owasp API](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e58601e9f0e575d3c347_image-3-1024x787.png)
Go to HTTP history and check the POST request.
![Vehicle Details Owasp crAPI](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e587ec4b28f600898d49_image-4-1024x544.png)
In the response, paste the report_link URL into the web browser:
![HTTP History check](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e5868baa08fd1d7f60a5_image-5-1024x559.png)
We can see information on our vehicle here:
![Report Link URL](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e586a1f5b8c05ae79cbf_image-6-1024x172.png)
Changing the id value to 5, will allow us to see another vehicle in the system that is owned by someone else.
![Information on our vehicle](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e587b927ff1854c87102_image-7-1024x134.png)
To protect API endpoints against broken object-level authorization vulnerabilities, consider implementing the following measures:
- Implement Proper Authorization Checks: Implement robust authorization mechanisms to ensure that only authorized users can access specific objects. Use strong authentication and enforce access controls based on user roles and permissions.
- Verify Object Ownership: Verify that the requesting user has appropriate ownership or access rights to the targeted object before allowing any operations.
- Employ Role-Based Access Control (RBAC): Implement RBAC to manage access control based on predefined roles, ensuring that users only have access to the objects and functionalities relevant to their assigned roles.
- Input Validation and Sanitization: Validate and sanitize all user input, especially object IDs, to prevent injection attacks or unauthorized manipulation of identifiers.
- Monitor and Detect Suspicious Activities: Implement robust logging and monitoring mechanisms to identify abnormal or unauthorized access attempts. Continuously monitor API traffic, detect patterns of unauthorized object access, and trigger alerts for suspicious activities.
- Regular Security Assessments: Conduct regular security assessments, including penetration testing and code reviews, to identify and address any weaknesses or vulnerabilities in the authorization process.
API2:2023 Broken Authentication
Authentication mechanisms that are implemented incorrectly or contain flaws create opportunities for attackers to compromise authentication tokens or exploit vulnerabilities to assume the identities of other users. The consequences of broken authentication extend beyond individual user accounts, as the overall security of the API ecosystem becomes compromised.
Attackers are attracted to authentication vulnerabilities due to the widespread exposure of these mechanisms to all users. Even attackers with limited technical skills can leverage readily available tools to exploit authentication issues, increasing the potential for successful attacks.
Exploiting broken authentication can grant attackers complete control over other users’ accounts, enabling unauthorized access to personal data and the ability to perform sensitive actions on their behalf. The challenge for systems lies in distinguishing the actions of an attacker from those of a legitimate user, making it crucial to implement robust security measures to mitigate these risks.
Also read: Enhancing Cybersecurity Defenses: An Introduction to iCAST
Attack Demonstration – hashcat:
Here is an example of a JWT token with a very weak secret that can be easily bruteforced by a wordlist. We will run the following command to crack the secret of this JWT token:
hashcat -a 0 -m 16500 eyJhbGciOiJIUzI1NiJ9.eyIzNDM2MzQyMCI6NTc2ODc1NDd9.f1nXZ3V_Hrr6ee-AFCTLaHRnrkiKmio2t3JqwL32guY /usr/share/wordlists/rockyou.txt
![vehicle in the system](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e587a481dcef9ca91378_image-8-1024x900.png)
Secure against broken authentication: Best practices:
- Secure Password Policies: Enforce strong password policies, including requirements for complexity, length, and periodic password changes. Encourage users to utilize unique and complex passwords.
- Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security beyond passwords. This can include factors such as one-time passwords (OTP), biometrics, or hardware tokens.
- Session Management: Implement secure session management techniques, including secure session tokens, token expiration, and proper logout functionality. Use secure transport protocols, such as HTTPS, to protect the transmission of session tokens.
- Regular Security Patching: Keep authentication mechanisms and related software up to date with the latest security patches to address known vulnerabilities.
- Account Lockout Mechanisms: Implement mechanisms to lock user accounts temporarily after a certain number of failed login attempts to mitigate brute-force attacks.
- User Account Monitoring: Monitor user accounts for suspicious activities, such as multiple failed login attempts or concurrent sessions from different locations. Implement automated alerts for potential unauthorized access.
- Security Testing and Code Reviews: Conduct regular security testing, including penetration testing and code reviews, to identify and address authentication vulnerabilities. This includes testing for common issues like weak password storage, predictable session IDs, and insecure authentication protocols.
API4:2023 – Unrestricted Resource Consumption
APIs are powered by various resources, including network bandwidth, CPU, memory, storage, and even services like emails, SMS, phone calls, or biometrics validation. These resources are typically provided by service providers via API integrations and are billed on a per-request basis. Unrestricted resource consumption occurs when APIs fail to impose limits on client interactions or resource utilization, leaving them vulnerable to exploitation.
Attackers can initiate simple API requests to consume resources maliciously, leading to two primary consequences:
- Denial of Service (DoS): By bombarding an API with a high volume of concurrent requests, attackers can overwhelm the system, causing it to become unresponsive or unavailable for legitimate users. This can disrupt essential services and impact user experience.
- Increased Operational Costs: Unrestricted resource consumption can result in significant operational costs for API providers. Attackers can exploit APIs to exhaust resources such as CPU, memory, storage, or other services, leading to increased expenses related to infrastructure, cloud storage needs, or usage-based service models.
Attack Demonstration – crAPI:
Click on forgot password in the login page:
![Shop Page OWASP API](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e587e6bbf6de422355cf_image-57.png)
Enter an email you created earlier:
![Attack Demonstration crAPI](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e5867fd0a0b22a1ff27b_image-58.png)
In the email server you’ll get an OTP to help you reset the password, but we don’t want to do that. We want to password brute force it.
![Email Creater](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e586bf89b9c4fad7716b_image-59-1024x719.png)
We can easily do this on burp pro by sending it to intruder and setting the payload to a 4 digit number. However, we will be using FFUF to automate a bruteforce attack on the app.
Set these parameters and send so we can get the HTTP request in burp http history:
![Email OTP](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e586607bc17ce3421494_image-60.png)
It will say invalid but that’s ok:
![Say Email OTP Owasp API](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e587b527ce80e7dfb80a_image-61.png)
Copy this request over to a .txt file:
![Proxy File](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e587b927ff1854c87108_image-62-1024x713.png)
Save as request.txt – replace the OTP parameter with FUZZ
POST /identity/api/auth/v2/check-otp HTTP/1.1
Host: localhost:8888
Content-Length: 75
sec-ch-ua: “Not:A-Brand”;v=”99″, “Chromium”;v=”112″
sec-ch-ua-platform: “Linux”
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://localhost:8888
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8888/forgot-password
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{“email”:”hacker@hacker.com”,”otp”:”FUZZ”,”password”:”Password@!1“}
Now run the following command in FFUF:
ffuf -request request.txt -request-proto http -w /usr/share/seclists/Fuzzing/4-digits-0000-9999.txt -mc 200
![protect APIs](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e586ee7a1b6b5b8feb61_image-63-1024x584.png)
To protect APIs from unrestricted resource consumption attacks, consider the following:
- Rate Limiting: Set limits on the number of requests allowed from individual clients within a specific timeframe. This helps prevent excessive resource utilization caused by malicious actors.
- Monitoring and Anomaly Detection: Employ robust monitoring solutions to track API traffic, resource utilization, and patterns of abnormal behavior. Implement anomaly detection mechanisms to identify suspicious resource consumption patterns.
- Implement API Throttling: Introduce mechanisms to control and limit the rate of API requests from clients, ensuring that the overall resource consumption remains within acceptable boundaries.
- Validate and Sanitize User Input: Implement strict input validation to prevent attackers from injecting malicious code or parameters that manipulate resource usage.
- Regular Security Assessments: Conduct regular security assessments, including vulnerability scans and penetration tests, to identify and address any potential weaknesses in API security.
Attack Demonstration – crAPI:
Create a profile or use the one from previous demo, we will click on the three dots under My Personal Video to open the file upload feature:
![Profile](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e588ec4b28f600898d83_image-64-1024x608.png)
Upload any .mp4 video to your profile:
![Edit My Profile](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e58748390c35479cf683_image-65-1024x834.png)
Go to the Burp Suite Proxy HTTP History and note the ID of the response which is 30 for our current user:
![Burp Suite Proxy HTTP History](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e586b036bebc2550b1da_image-66-1024x635.png)
Create another user and upload any video – can be the same as the previous one. Capture the request and add into Postman:
![Upload any video](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e587f27b1ebd4db210bc_image-67-1024x649.png)
Notice the ID is 32.
When we attempt to delete this we will get a response saying this is an admin function:
![Capture the request](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e587fe773d135093fff2_image-68-1024x649.png)
We can use the example above, to modify it to localhost:8888/identity/api/v2/admin/videos/32 and see if we can delete the video.
Oftentimes, using an older version of the API, in this example going from v3 to v2 and adding an “admin” endpoint can often result in finding a deprecated API that wasn’t meant to be exposed publicly.
If we try this again, we can see that the file was deleted successfully, even though the user wasn’t an admin.
![Broken Function Level Authorization vulnerabilities](https://cdn.prod.website-files.com/6739e34d53821f6427d39c56/6751e587d12708141d7589ac_image-69-1024x646.png)
To protect against Broken Function Level Authorization vulnerabilities, consider the following:
- Implement Secure Access Controls: Ensure proper access controls are in place, with well-defined roles, groups, and hierarchies. Regularly review and update these controls as the application evolves.
- Principle of Least Privilege: Apply the principle of least privilege, granting users only the permissions necessary for their specific functions or roles.
- Role-Based Access Control (RBAC): Implement RBAC to manage access to functions and resources based on predefined roles. Regularly review and update role assignments as needed.
- Robust Authorization Checks: Implement strong authorization checks at both the code and configuration levels to ensure that users are granted access only to the appropriate functions and resources.
- Regular Security Assessments: Conduct regular security assessments, including code reviews and penetration testing, to identify potential flaws in the authorization process and address them promptly.
- Security Training and Awareness: Educate developers and system administrators about the importance of proper authorization practices and the risks associated with Broken Function Level Authorization.
Conclusion
APIs play a crucial role in modern software systems, but their widespread adoption has made them attractive targets for cyber attackers seeking to exploit vulnerabilities. The OWASP API Top 10 vulnerabilities provide a comprehensive guide to understanding and mitigating the most critical security risks faced by APIs.
In this blog, we have delved into the first five vulnerabilities on the OWASP API Top 10 list for 2023, namely Broken Object Level Authorization, Broken Authentication, Broken Object Property Level Authorization, Unrestricted Resource Consumption, and Broken Function Level Authorization. By exploring these vulnerabilities, we have gained valuable insights into potential risks and effective preventive measures to safeguard the security and integrity of our API implementations.
Throughout the demonstration, we used real-world examples from vulnerable applications, emphasizing the importance of robust security practices. To protect against these vulnerabilities, best practices include implementing proper authorization checks, securing authentication mechanisms, and conducting regular security assessments and testing.
As API usage continues to rise, it is paramount for developers and organizations to prioritize API security as an integral part of their overall security posture. By following the guidelines set forth in the OWASP API Top 10 and adopting proactive security measures, we can fortify our APIs against potential attacks and ensure a safer digital landscape for all users and applications.
We will be covering another series that addresses the next 5 vulnerabilities of the OWASP API Top 10.