Mitigating OWASP API Security Risks: Improper Inventory Management using BIG-IP

As web applications continue to evolve, APIs have become the essential backbone for system communication. With this growing reliance, however, comes the critical responsibility of properly managing and securing these APIs. One of the most prominent risks to API security is improper inventory management, a vulnerability emphasized by the Open Web Application Security Project (OWASP). When organizations lack a comprehensive and up-to-date inventory of active API endpoints, versions, and associated hosts, they expose themselves to numerous security threats, including outdated APIs, misconfigured endpoints, and unaddressed vulnerabilities.

This article examines the issue of improper API inventory management, highlights the associated risks, and provides practical advice on how to establish an effective API inventory system to mitigate these security challenges and strengthen overall protection using BIG-IP Advanced WAF.

 

What Is Improper Inventory Management?

Improper Inventory Management involves the failure to properly document, monitor, and manage API endpoints. This includes issues such as exposed debug endpoints, unpublished APIs, inconsistent security policies, and a lack of comprehensive API documentation, among others.

This can result in:

• Forgotten or Shadow APIs: Endpoints that are no longer in use but remain accessible.
• Unsecured Development or Testing Endpoints: APIs meant for internal purposes that are exposed in production environments.
• API Versioning Problems: Outdated API versions that remain active without proper deprecation or security patches.

Potential Consequences:

• Unauthorized Access: Attackers may take advantage of unprotected or hidden endpoints.
• Data Exposure: Sensitive information could be leaked due to neglected or forgotten APIs.
• Service Interruptions: API manipulation can result in service outages or disruptions.
• Regulatory Non-Compliance: Failure to secure endpoints can lead to violations of legal and regulatory standards.

Topology Diagram:

Demonstration:

In this use case, we are using vAPI   as our demo application. You can refer to the document for more details and deployment of  vAPI. Also, we need to add the vAPI application as a pool member to the BIG-IP virtual server. Please go through adding-pool-info document if you need any assistance.

Let’s begin by logging into vAPI v2 demo application with the provided credentials.

As you can see in the above screenshot, rate limiting is enabled, which helps prevent brute-force attacks by restricting the number of failed login attempts. This effectively reduces the risk of unauthorized access.

 

Examining API v1: A Forgotten Security Risk:

Let’s modify the API endpoint by replacing "v2" with "v1", checking whether an older version is still accessible.

In the above screenshot, you can observe that rate limiting is disabled in v1, making it an easy target for attackers.

 

Exploiting the Vulnerability:

With no rate-limiting in place, an attacker can execute a brute-force attack on v1 to systematically guess credentials. Once they obtain valid login details, such as a PIN code, they could use them to bypass the protections in v2, gaining unauthorized access.

 

Mitigation using BIG-IP WAF Security URLs:

1. Log in to the BIG-IP console, go to Security > Application Security > URLs > Allowed URLs > Allowed HTTP URLs. Create a new allowed URL with the below options.
   1. URL Example: Wildcard
   2. Protocol: HTTP
   3. Expression: /vapi/api9/v2/*

       

2. Also, go to Security > Application Security > URLs > Disallowed URLs > Disallowed HTTP URLs. Create a new disallowed URL with the below options.
   1. URL Example: Wildcard
   2. Protocol: HTTP
   3. Expression: /vapi/api9/v1/* 
      
3. As the v2 endpoint has been added to the allowed URLs, let’s attempt to log in to the v2 endpoint using the provided credentials.
   
4. Now, try to log into vAPI using v1 with the given credentials.
   

   Next, try to attempt the brute-force attack on v1 to guess the credentials.

   

   The screenshot above provided gives the detailed information of how BIG-IP Advanced WAF detects and blocks attacks, based on the security policy configuration in place under URL’s section.

 

Conclusion:

In conclusion, as demonstrated, the BIG-IP Advanced WAF successfully detected and mitigated vulnerabilities on the API endpoints by leveraging robust API protection rules. This ensures that potential security risks are identified and blocked, providing enhanced protection for APIs and safeguarding sensitive data from unauthorized access or exploitation.

 

Reference Links:

Introduction to OWASP API Security Top 10

Improper Inventory Management 2023

OWASP API Security