• In Financial Services, City of London • Software Development Background • In Application Security space since 2006 • OWASP London Chapter Leader since 2015 • OWASP London Chapter volunteer since 2008 • OWASP Global Board Member since 2024 • Follow me on Twitter @securestep9 =>
to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of community members, and by hosting local and global conferences. Open Web Application Security Project Open Source Tools, Guidelines, Standards, Frameworks, Books Community - Chapters Worldwide Global Application Security Conferences: USA, Europe, Asia Worldwid e
security practitioners • A broad consensus about the most critical security risks to web applications • The 1st step towards changing the application development culture within your organization into one that produces more secure code • A Whitepaper Not a “Standard”! (However OWASP ASVS is) OWASP® Top 10
❖ "Data is the new oil and the APIs are the data pipelines" ❖ Provide direct access to data ❖ Can be discovered even if not published ❖ Overperimssioned, provide too much information, expose backend logic flaws ❖ APIs often handle vast amounts of traffic, making it challenging to distinguish between normal activity and malicious behavior. ❖ When API breaches happen you don't lose 10 or 100 records - you lose millions of records via the ‘leaky’ APIs ❖ Lack of visibility: Shadow APIs (unmonitored or undocumented APIs) or third-party APIs can create blind spots that attackers exploit ❖ Overlooked Security in API Design and Implementation
occurs when an API does not properly enforce authorization checks, allowing users to access data or resources they should not be able to. • Attack Vector: Attackers manipulate object identifiers (like user IDs or account/resource IDs) in API requests to gain unauthorized access to another user's data. For Example: Endpoint: GET /api/user/123/profile Exploit: Changing 123 to 456 could grant an attacker access to another user's profile if proper authorization checks are missing.
an API incorrectly handles the process of verifying a user’s identity. These failures can lead to unauthorized access, data breaches, and other security issues. Example 1: Some API endpoints are missing all authentication (e.g. Bearer token) - allows anonymous attacker to access the data Example 2: API endpoint fails to validate JWT signature (alg:none/expired token). May allow User A to login as User B Example 3: API endpoint allows credentials brute-force/credential stuffing (no lockout/rate limiting)
BOPLA (previously known as “Excessive Data Exposure/Mass Assignment” happens when the API allows access to or returns all of object’s properties. This could allow an attacker to update object properties that they should not have access to. • Example 1: a dating app allows to report a user for inappropriate behavior, however once the report is submitted the API returns the reported user object with all properties exposing sensitive details such as full name/address/payment card info etc • Example 2: a loyalty app allows users to edit their profile, however the update operation in API allows to update all user object properties which includes the loyalty points/miles balance
Unrestricted Rate Limiting happens when API requests consume resources such as CPU/memory/disk space or 3rd-party paid services without any limitation causing Denial of Service or financial impact • Example 1: a /forgot_password/ API call sends an SMS message. Each SMS message costs the app owner $0.05. An attacker sends millions of API requests to the endpoint causing a $100,000+ bill for the site owner • Example 2: a social media website allows image upload which then generates thumbnails. Each such operation consumes memory/disk space and CPU. An attacker sends millions of images to the endpoint causing the system to crash
to the improper implementation of authorization checks in APIs, which allows an attacker to perform unauthorized actions or access data beyond their privileges. • Missing Authorization Checks: The API might expose endpoints that do not have any authorization checks, allowing any user to access them. • Inconsistent Authorization: The API might apply authorization inconsistently across different endpoints. For example, while one endpoint checks a user’s role, another might not, leading to unauthorized access.(/admin/deleteUser/id) • Improper HTTP Method Handling : Attackers can potentially perform sensitive actions they should not have access to by simply changing the HTTP method e.g changing GET to PUT or DELETE • Elevating Privileges: An attacker might manipulate parameters in API requests to access higher privilege functions. For example, changing a user ID in a request to another user ID to perform actions on behalf of another user or sending {is_admin:true}
APIs do not adequately protect key business processes, allowing attackers to exploit them for malicious purposes. For example, automated scripts might abuse workflows like bulk purchasing, reservation systems, or promotional programs, leading to financial loss or service disruption Example: Purchasing a product flow - an attacker can buy all the stock of a high-demand item at once and resell for a higher price (scalping)
Forgery (SSRF) vulnerabilities occur when an API fetches a remote resource using a user-supplied URL without proper validation. This flaw allows an attacker to manipulate the URL and coerce the application into sending crafted requests to unintended destinations, such as internal networks that are otherwise protected by firewalls. Example: AWS Metadata http://169.254.169.254/
any level of the API stack, from the network level to the application level. Example 1: Lack of TLS on some endpoints (stop using unencrypted HTTP!) Example 2: A CDN is in use, but the a messaging app API fails to set the appropriate Cache-Control header. GET /dm/get_message?conversation_id=1234567 Because the API response does not include the Cache-Control HTTP response header, private conversations end-up cached by the CDN, allowing malicious actors to retrieve them
to the failure to maintain a proper inventory of API endpoints and resources, including proper documentation, visibility, and control. This can lead to exposed, forgotten, unmonitored or undocumented endpoints (aka “Shadow APIs”), which attackers can exploit to get unauthorized access (e.g. via an older version of the API) Example: Instagram had an older version of an API without rate limiting applied. This allowed attackers to reset passwords of user by having unlimited amount of tries to guess the 6-digit password reset code Remember - if you don’t know what you have you cannot possibly secure it!
vulnerable if: • Interacts with other APIs over an unencrypted channel (HTTP) • Does not properly validate and sanitize data gathered from other APIs prior to processing it or passing it to downstream components • Blindly follows redirections • Does not limit the number of resources available to process third-party services responses; • Does not implement timeouts for interactions with third-party services Example: An API relies on a third-party service to enrich user provided business addresses. When an address is supplied to the API by the end user, it is sent to the third-party service and the returned data is then stored on a local SQL-enabled database: GET https://api.company-information.service.gov.uk/company/SC656788
effort to establish a framework of security requirements and controls that focus on defining the functional and non-functional security controls required when designing, developing and testing modern web applications and web services.
will perform an injection attack (SQL, LDAP, XPath, or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages, and ORM queries) against input fields of the User or API interfaces As an attacker, I have access to hundreds of millions of valid username and password combinations to perform credential stuffing. As an attacker, I have default administrative account lists, automated brute force, and dictionary attack tools I use against login areas of the application and support systems. As an attacker, I manipulate session tokens using expired and fake tokens to gain access. As an attacker, I steal keys that were exposed in the application to get unauthorized access to the application or system. As an attacker, I leverage metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation. aka “Attacker Stories”
crAPI is an intentionally vulnerable API-driven, microservice-based web application that is a platform for vehicle owners. • crAPI is filled with API vulnerabilities for the purpose of teaching, learning, and practicing API security. • https://github.com/OWASP/crAPI
samstepanyanowasp
soudai
ammeep
destraynor
andyhume
michaelherold
kneath
sachag
bluesmoon
sstephenson
carmenintech
reverentgeek
malarkey
