This article is a continuation of the series of articles on OWASP API Security vulnerabilities and demonstrates a scenario for mitigating API Security Misconfiguration using F5 Distributed Cloud Platform.
Introduction to OWASP API Security Misconfiguration:
APIs are the backbone of the modern application development model and because of their heavy usage they often become victim of attacks. Sometimes these vulnerabilities arise if security best practices are missed and are not followed properly in application development life cycle.
Below are a few scenarios which fall under API Security Misconfiguration category:
Latest security patches are not applied.
Unnecessary HTTP verbs are enabled exposing APIs to get accessed by them.
Improper implementation of CORS policy.
Missing repeatable security hardening process.
Exposing detailed stack trace error messages or sensitive information.
There are many ways an attacker can take advantage of security misconfigurations by utilizing readily available automation tools.
In the demonstration below we will cover a scenario where the application is vulnerable for exposing stack trace information and will see how F5 Distributed Cloud WAAP can help in identifying and mitigating such threats.
What is Stack Trace?
Stack Trace is a system defined error message which occurs when program under execution gets abnormally terminated. This information is normally used for debugging purposes.
Application throwing stack trace information gives the attacker a picture of active subroutines at that point during its execution and may help him to find flaws in the system which eventually may lead to some harmful implications.
For the demonstration, we have already deployed a Load Balancer (LB) in the Distributed Cloud Console and attached the origin server to the LB. For configuration steps please follow the documentation
As you can see from the above screenshot, a specific API Endpoint in our application is throwing Internal server error message along with stack trace information.
F5 Distributed Cloud WAF engine can help in detecting such threats. For that you need to create a WAF policy with default configuration, enable WAF and attach the WAF policy to the LB. Configuration steps are covered in the documentation
In the above screenshot you can see thatDistributed Cloud WAF engine has successfully identified securitymisconfigurationin the API Endpoint.
From the suite of security solutions offered by F5 Distributed Cloud WAAP, here we have chosen to create an ‘API Protection Rule’ to restrict the access of API Endpoint throwing stack trace information.
Step1: Select Load Balancer service tile from Distributed Cloud console homepage.
Step2:On the right side of your LB click on three dots (ellipsis) and select ‘Manage Configuration’ as an action, click on ‘Edit Configuration’.
Step3: Scroll down, in ‘API Protection’, click ‘Configure’ API Protection Rules.
Step4: In ‘API Endpoints’, click ‘Add item’, Enter a name and configure a rule to deny access to the API Endpoint ‘/test’, Click ‘Apply’ then ‘Save and Exit’.
Step5:Re-visit the same API Endpoint, throwing stack trace information.
In the above screenshot you can see access to the vulnerable API Endpoint is restricted successfully.
As demonstrated, the F5 Distributed Cloud WAF engine can successfully detect security misconfiguration event and optionally applying API Protection Rule on top of it can add a layer of security, safeguarding application against potential threats.