Janibasha
F5 Employee

Introduction to APIs: 

An application programming interface (API) is a set of protocols, functions and data formats that one program uses to obtain details about another program's resources, services and features. APIs are fast, lightweight and reliable, but they also expose sensitive data, which has made them a target for attackers. 


Overview of OWASP API Security:  

The simplicity of APIs has given attackers many ways to infiltrate them and steal personal and sensitive details. The growing demand for API security created the need for a project that tracks the latest API vulnerabilities and defensive practices: the OWASP API Security Top 10.  

As per that project, the top ten API security issues as of 2019 are listed below with a short overview of each.  

  1. API1:2019 Broken Object Level Authorization
    APIs expose endpoints that manage objects using unique identifiers, giving attackers a chance to bypass access controls. To prevent this, every request that uses a user-supplied identifier must check that the authenticated caller (identified by credentials or an API token) is authorized to access that specific object.  
  2. API2:2019 Broken User Authentication 
    Authentication mechanisms are sometimes implemented incorrectly or with weak settings, allowing attackers to compromise authentication tokens and take over other users’ identities. 
  3. API3:2019 Excessive Data Exposure 
    In many recent attacks, developers were found to be exposing unnecessary and sensitive object properties in API responses, giving unauthorized users data they can exploit. 
  4. API4:2019 Lack of Resources & Rate Limiting
    APIs that place no restrictions on the size or number of resources a client can request are exposed to poor API server performance, Denial of Service (DoS) and brute-force attacks. 
  5. API5:2019 Broken Function Level Authorization
    Most applications are composed of different groups, users and roles. If access controls are not configured to restrict functions by role, authorization flaws result and give users access to other users’ resources.
  6. API6:2019 Mass Assignment 
    Client-supplied data should always be validated and filtered before it is bound to objects. Binding it without filtering lets attackers guess object properties (by exploring other API endpoints, documentation, etc.) and modify properties they should not be able to set.
  7. API7:2019 Security Misconfiguration
    This issue is mostly caused by misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages or logs containing sensitive information such as usernames, PINs and IP addresses.
  8. API8:2019 Injection
    Injection flaws (SQL, OS command, etc.) occur when user-supplied data, such as filter query parameters, is not validated against a restricted schema. A malicious request can then bypass validation and execute unintended commands, exposing sensitive information.
  9. API9:2019 Improper Assets Management
    A modern web application typically serves thousands of requests, so keeping the documentation (Swagger/OpenAPI) of all changes and newly implemented APIs up to date is essential. If it is not kept current, attackers can discover deprecated APIs, which may expose debug endpoints.
  10. API10:2019 Insufficient Logging & Monitoring
    Any gap in logging and monitoring gives attackers more ways to attack systems without being noticed. It is always advised to configure good monitoring, keep track of all logs and configure email alerts. It is also good practice to store logs in a separate location so that a malicious user cannot erase their own trail.
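To make two of the items above concrete, here is an added example (not code from the article or from F5): a minimal in-memory order and profile API in plain Python, with no web framework, showing API1 (Broken Object Level Authorization) and API6 (Mass Assignment), each as the vulnerable handler beside its hardened form. The `User` class, the `ORDERS` store, the profile dictionaries and the allow-listed fields are all constructed for the example; handlers return an `(http_status, body)` tuple in place of a real HTTP response.

```python
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    is_admin: bool = False


# Constructed sample store: two users, one order each.
ORDERS = {
    "1001": {"owner": "alice", "total": 42.0},
    "1002": {"owner": "bob", "total": 99.5},
}


def get_order_vulnerable(caller: User, order_id: str):
    """API1: the record is fetched by the client-supplied id alone, so any
    authenticated caller can read any order."""
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, {"error": "not found"})


def get_order(caller: User, order_id: str):
    """Hardened: the lookup is tied to the caller. Missing and foreign orders
    get the same 404 so the response does not confirm which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != caller.user_id and not caller.is_admin):
        return (404, {"error": "not found"})
    return (200, order)


WRITABLE_FIELDS = {"email", "display_name"}  # allow-list of client-settable fields


def update_profile_vulnerable(profiles: dict, caller: User, body: dict):
    """API6: the request JSON is bound straight onto the stored object, so a
    client can set properties such as is_admin."""
    profiles[caller.user_id].update(body)
    return (200, profiles[caller.user_id])


def update_profile(profiles: dict, caller: User, body: dict):
    """Hardened: only allow-listed properties are bound; anything else is
    rejected with an explicit 400 (which can be logged) rather than silently
    dropped, and the stored object is left untouched."""
    unexpected = sorted(set(body) - WRITABLE_FIELDS)
    if unexpected:
        return (400, {"error": "unknown or read-only fields", "fields": unexpected})
    profiles[caller.user_id].update(body)
    return (200, profiles[caller.user_id])
```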

Overview of F5 Distributed Cloud WAAP: 

Web Application and API Protection (WAAP) is a SaaS offering from F5 Distributed Cloud Services that protects applications and published APIs using a Web Application Firewall (WAF), bot protection, API security and DDoS mitigation. Once a WAAP policy is applied on the load balancer, the service engines protect web applications and API endpoints with the latest automatically updated WAF, bot and DoS attack signatures. 

One of the key sections of Distributed Cloud WAAP is API security, which focuses on securing APIs through configurations such as OpenAPI ingestion, automatic API discovery, service policies, rate limiting, allowed/denied URLs, etc. 

The diagram below shows how Distributed Cloud WAAP protects APIs: 

  1. Whenever a request originates from an end user, Distributed Cloud WAAP analyses the request metadata (URL, filter parameters, headers, etc.) to determine whether it is a legitimate request.
  2. Only once the request has been screened, validated and approved is it forwarded to the back-end servers, which then return the requested details to the end user.
  3. If for any reason Distributed Cloud WAAP finds that the request has discrepancies or is not valid, the request is blocked and a security event is generated in the dashboard.
  4. Users or administrators can analyze the captured request details and, if needed, modify the existing Distributed Cloud WAAP configuration to meet their business goals. 
    [Figure: diagram of Distributed Cloud WAAP screening API requests]


Note: This is the introductory article in this series. Stay tuned for upcoming articles on each of the OWASP API Security Top 10 items and how to prevent them using F5 Distributed Cloud Web Application and API Protection (WAAP). 


Version history: last update 11-Sep-2022 20:57