Mitigation of OWASP API Security Risk: Unsafe Consumption of API using F5 XC Platform

Introduction:

The Introductory article covered a brief overview of OWASP Top 10 API Security risk/vulnerability. This article is a continuation of the series and shows mitigating API Vulnerability Unsafe Consumption of API using F5 Distributed Cloud (F5 XC) WAAP.

See F5 Distributed Cloud API Security in action.

Problem Description:

The Digital transformation and modernization of Apps is accelerating to meet the market demands, which results in proliferation of architecture in data center, private/public cloud and across multi cloud which results in organizations to scramble and to gain the competitive edge. As Apps modernization involves API-based systems, those endpoints are now distributed across multiple environments, including third-party services. These third-party APIs are exposing new security risks due to interaction with them. These endpoints are trusted and not verified due to. Developers tend to adopt weaker security standards for authentication/authorization, input validation and sanitization, thereby making these APIs attractive to attackers.

Solution from F5 XC:

F5 XC delivers a broad approach to API security with a combination of management, monitoring/visibility, and enforcement functionalities. This allows organizations to discover third-party API endpoints, their request/response schemas, sensitive data, authentication state easily and effectively. F5 XC helps in monitoring and securing these API endpoints by performing continuous learning and inspection to provide protection against malicious users.

Fig: validating and blocking the data received from third-party company upon internal app in company A made a request to it.

This article aims to demonstrate validation and sanitization of data received from the third-party integrated API before processing further.

Preventing unsafe consumption of API vulnerabilities using F5 XC SaaS console configs:

Below are the steps that are being followed to access valid API data from the third-party Integrated API,

1. Upload the modified swagger file
2. Configure API Protection for Endpoints

Step 1: Uploading the modified swagger file

We are updating the swagger file to define API groups and set rules to control access to APIs, enabling granular API access control ability. This ensures traffic from a third-party API complies with the specified schema. If the traffic does not conform to the API schema of third-party services, you can enable action to block the traffic, ensuring the security and integrity of your API.

Note: In this case, Endpoints and expected data associated to it in the Swagger file is validated properly by the developers before uploading in F5 XC console.

• Login to F5 XC console and click on Multi-cloud App Connect. Select the HTTP Load Balancer by selecting “…” > Manage configuration for your load balancer to which API Protection to be enabled.

• Select Edit Configuration on the manage configuration screen.
• Go to API Protection section, From the API definition menu, select Enable to use an API definition.
  • From the API Definition menu, select the API definition. Click “Add Item” to create a new definition.

• Enter name in metadata section. In Swagger Specs section, click on the drop-down menu and select “Upload Swagger file”.

• Enter the name in Metadata section of Swagger File. Click on Upload File button in Swagger Upload section to upload the swagger file.

A sample swagger file shown below validates the email address returned by the third-party server.

• Once the file is uploaded, click on Continue.

• Select the swagger file created above from the Swagger Specs drop-down and click on Continue and page will be redirected to LB configuration page.

Step 2: Configuring API Protection for Endpoints

• From Validation drop-down, select “All Endpoints” to enable validation for all the endpoints specified in the swagger file.

• In the “All endpoints” validation section, From the OpenAPI Validation Response Processing Mode menu, select validate.
• From the Response Validation Enforcement Type menu, select the type of enforcement as Block.
• From the Response Validation Properties menu, select HTTP Headers, Content-type, HTTP Body, and Response Code.
• Enable Show Advanced Fields button on the top right corner of the section and select Property Validation Settings to Custom and select “Disallow” for Allow/Disallow additional query parameters in Request. Click on Apply.

• Click on Save and Exit.

In this scenario, below is the data sent by the third-party API to store the details in the database server

If the third-party service returns data, which includes malicious SQL injection/payload that causes harm to the database servers during the process of transport security, authentication/authorization.

In this attack scenario, a third-party API returns data consisting of 'Admin' OR 1=1--' which tries to compromise the system. This is instantly identified, cautioned, and mitigated by F5 XC.

Json data logs for respective security analytics.

Conclusion:

With F5 XC things become easier to manage, monitor and enforce security to API services. F5 XC provides the feasibility of continuous discovery of APIs and inspecting data received from the third-party services when configured appropriately in the Load Balancer. This helps in secure and manage APIs with the modern App and API deployment with necessary management and protection against threats.

Related Links:

1. https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/
2. https://docs.cloud.f5.com/docs/how-to/app-security/apiep-discovery-control
3. https://docs.cloud.f5.com/docs/how-to/app-networking/http-load-balancer
4. Introduction to OWASP API Security Top 10 2023