Mitigating OWASP API Security Risk: Excessive Data Exposure using F5 BIG-IP

This article continues the OWASP Top 10 API Security series. It explains Excessive Data Exposure and shows how to mitigate it using F5 BIG-IP Advanced WAF.

 

Introduction to Excessive Data Exposure:

APIs are the building blocks of modern digital communication. They are widely used for building applications and integrating with other applications to send and receive data regularly, meeting customer needs. However, APIs often return the full backend object and rely on the client to filter what is displayed; without server-side restrictions on which fields a response may contain, they can expose sensitive data such as Social Security Numbers (SSN), Credit Card Numbers (CCN), Personally Identifiable Information (PII) etc. These weaknesses give attackers access to sensitive user data, which can then be sold or used in other attacks, such as credential stuffing.

APIs expose sensitive data when the application lacks controls over what a response may contain. Developers often overlook response filtering, leading to the unintended exposure of sensitive information.

 

Demo Attack and Mitigation steps using BIG-IP Advanced WAF:

F5 BIG-IP Advanced WAF can inspect API responses, identify sensitive data such as SSNs and CCNs, and mask it before it reaches the client. It can also scan response text for other types of sensitive information that we specify, such as email addresses and phone numbers. Using the Data Guard configuration in Advanced WAF, we can define custom patterns as PCRE regular expressions to protect other forms of sensitive information, and exception patterns for matches that should not be treated as sensitive.

The steps below briefly describe how to update an existing security policy to enable Data Guard protection in Advanced WAF.

We reproduce the Excessive Data Exposure vulnerability with a custom application developed for this demonstration using Flask, and then use F5 BIG-IP to block or mask the sensitive data it returns.

Let us now walk through a quick demo of Excessive Data Exposure and its mitigation using BIG-IP Advanced WAF.

Note: The following configs and validations are done on F5 BIG-IP VE with version: BIG-IP 16.1.6 Build 0.0.3  

First, let’s perform the attack without BIG-IP in the path, and then repeat it with the vulnerable application protected by BIG-IP.

Accessing the vulnerable application without BIG-IP returns the sensitive information.

From the above screenshot, you can see the vulnerable application responding with sensitive information, including SSN and CCN.

Let us now protect this vulnerable application from Excessive Data Exposure using F5 BIG-IP.

 

Step 1: Enabling Data Guard configs in Security Policy

  • On the Main tab, click Security > Application Security > Security Policies > Policies List.
  • Select the name of the policy that you want to use.
  • On the policy page, expand Advanced Protection and select Data Guard.
  • Toggle the switch to on to reveal the Data Guard configuration settings.
  • By default, Mask Sensitive Data is enabled, and Credit Card Numbers and U.S. Social Security Numbers are set to be detected with the last 4 digits exposed. Modify these as your requirements dictate.
  • Click Save, then click Apply Policy to save the Data Guard configuration.

 

Step 2: Attack Mitigation

Note: If a web server response contains a credit card number, a U.S. Social Security number, or any data matching a custom pattern you provided, the system responds according to the enforcement mode settings.

In blocking mode, the default is to block a response containing sensitive data, even when masking is enabled; with this configuration BIG-IP returns its blocking page to the client instead of the response.

To deliver the masked response instead of blocking when the violation is triggered, update the policy as follows. Clearing Block does not disable detection: the violation is still logged, but the response reaches the client with the sensitive values masked.

  • On the Main tab, click Security > Application Security > Policy Building > Learning and Blocking Settings.
  • Verify the policy name to make sure we are modifying the correct one.
  • Expand Data Guard, and for the Data Guard: Information leakage detected violation, clear the Block check box.
  • Click on Save and then click on Apply Policy.

Let’s retry accessing the vulnerable application protected by Advanced WAF and observe the behavior.

From the above screenshot, we can see that the system masks the sensitive data, such as the CCN and SSN, by replacing all but the exposed digits with asterisks, and returns the masked response to the client. We can also configure custom patterns using PCRE regular expressions to protect other forms of sensitive information.

Let’s now mask other sensitive data, such as phone numbers, in the above response using a PCRE regular expression. For more details on PCRE regular expressions, refer to the link.

To do that, navigate back to the Data Guard configuration of the security policy as described in Step 1.

  • Select the Custom Patterns check box.
  • In the Add Pattern field, type a PCRE regular expression matching the phone number format the application returns, then click Add.
  • Click Save, then click Apply Policy.

Phone numbers are now masked with asterisks as shown above. Keep custom patterns as specific as possible: an over-broad pattern will mask legitimate numeric data in responses, or block those responses entirely while Block is set for the Data Guard violation.
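To make the behaviour from Steps 1 and 2 and the custom-pattern step concrete before touching a policy, here is an added Python example. It is not part of the original article and not F5’s Data Guard implementation: it models the vulnerable Flask response from the demo, built-in CCN/SSN detection with the last 4 digits exposed, the Block-versus-mask choice, a phone-number custom pattern, and an exception pattern. The JSON record, the three regular expressions, the exception pattern, the blocking-page text and the Luhn check are assumptions for illustration; the phone regex is the kind of PCRE expression you would paste into the Add Pattern field.

```python
import json
import re

# Constructed sample of what the vulnerable Flask endpoint in the demo might
# return: every field of the user record, including SSN, card and phone.
VULNERABLE_RESPONSE = json.dumps({
    "id": 1001,
    "name": "Alice Example",
    "email": "alice@example.com",
    "ssn": "123-45-6789",
    "credit_card": "4111 1111 1111 1111",
    "phone": "(555) 123-4567",
    "support_phone": "(555) 000-0000",
})

# Built-in Data Guard types (CCN, U.S. SSN) plus one custom pattern.  The
# phone regex is the kind of PCRE expression entered under Custom Patterns;
# all three regexes are assumptions, not F5's own patterns.  Order matters:
# the card pattern runs first so a 16-digit card is never partially matched
# by the 10-digit phone pattern.
PATTERNS = {
    "ccn": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
}

# Exception patterns: matches that must not be treated as sensitive, here a
# published support number (assumed for the example).
EXCEPTIONS = [re.compile(r"\(555\) 000-0000")]

EXPOSE_LAST = 4  # the "last 4 digits exposed" default from Step 1

# Assumed blocking-page text, in the style of the BIG-IP default.
BLOCKING_PAGE = "The requested URL was rejected. Please consult with your administrator."


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to keep random 13-16 digit strings (order numbers,
    tracking IDs) from being masked as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_match(value: str) -> str:
    """Replace every digit except the last EXPOSE_LAST with '*', keeping separators."""
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    to_mask = set(digit_positions[:-EXPOSE_LAST]) if EXPOSE_LAST else set(digit_positions)
    return "".join("*" if i in to_mask else ch for i, ch in enumerate(value))


def scan_response(body: str):
    """Return (masked_body, violations); violations is a list of (type, original)."""
    violations = []

    def replacer(kind):
        def _sub(m):
            text = m.group(0)
            if any(e.fullmatch(text) for e in EXCEPTIONS):
                return text  # exception pattern: leave untouched, no violation
            if kind == "ccn" and not luhn_ok(re.sub(r"\D", "", text)):
                return text  # card-shaped but not a valid card number
            violations.append((kind, text))
            return mask_match(text)
        return _sub

    masked = body
    for kind, pattern in PATTERNS.items():
        masked = pattern.sub(replacer(kind), masked)
    return masked, violations


def enforce(body: str, block: bool) -> str:
    """Model the Step 2 choice: with Block set on the Data Guard violation the
    whole response is replaced by the blocking page; with Block cleared the
    masked response is delivered (the violation would still be logged)."""
    masked, violations = scan_response(body)
    if violations and block:
        return BLOCKING_PAGE
    return masked


if __name__ == "__main__":
    print("Block set:    ", enforce(VULNERABLE_RESPONSE, block=True))
    print("Block cleared:", enforce(VULNERABLE_RESPONSE, block=False))
```

Running the script prints the blocked variant and the masked variant, in which the card becomes `**** **** **** 1111`, the SSN `***-**-6789` and the phone `(***) ***-4567`, while the excepted support number is left as-is. Before enabling a custom pattern on a live policy, run it over a representative set of real responses in the same way to catch false positives, since in blocking mode each one costs the client the whole response.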

 

Conclusion: 

In this demonstration, we have seen how sensitive data exposure can result in serious consequences for an organization. PII, SSNs, CCNs and other valuable data should be prevented from reaching the client. BIG-IP Advanced WAF masks the sensitive data in responses, thereby protecting the application from excessive data exposure. Masking at the WAF is a compensating control at the edge; the API itself should still be fixed to return only the properties the client needs, so that protection does not depend on a pattern matching every format the backend emits.

 

References: 

For more detailed guidance on OWASP and on configuring an Advanced WAF security policy on F5 BIG-IP, refer to the official documentation below.

 

Published Jul 07, 2025
Version 1.0

1 Comment

  • Nice writeup showing the importance of PII info and how to prevent it.