Issue 225 : API security needs a reset, vAPI walkthrough, five stages to attain API security


This week, we have views from Matias Madou (CTO of Secure Code Warrior) on why API security needs a reset to focus on people and not tools, another excellent walkthrough of the vAPI vulnerable API, an article covering the five stages necessary to attain API security, and a quick guide on exploiting GraphQL endpoints.

Article: API security needs a reset

We have previously featured views on API security from Matias Madou (CTO of Secure Code Warrior) in this newsletter, and this week we feature a longer thought leadership piece courtesy of Techbeacon. In this article, Matias describes how many organizations struggle to scale their API security initiatives due to a surplus of security testing tools (the industry average is currently 76 tools). His underlying viewpoint is that the focus is predominantly on the tools rather than addressing the root causes of insecure APIs, namely, the developers building the APIs. He reiterates my own view that most data breaches are caused by human error.

Matias makes a case for a reset in our approach, moving away from a focus on tools and embracing broader best practices such as:

  • Assigning API ownership: APIs tend to be over-permissioned and overshare information (consider how prevalent API3:2019 — Excessive Data Exposure is in this newsletter). This tendency to over-communicate arises because APIs seldom have dedicated owners; the API evolves in an ad-hoc manner and tends to become overly verbose. Keep the focus on what the API should do for the business; do only that and no more.
  • Treating APIs like humans: Just as we do with people in sensitive roles, we should apply the principles of least privilege, role-based authorization, and zero-trust to APIs.
  • Incorporating a test-first mentality: Testing is frequently left too late, and this is particularly the case with APIs. Ensure your developers are testing as they code and embed those test fixtures into the entire SDLC.
  • Including scenario simulations: Conducting simulations of various API situations can help development teams anticipate how their APIs may be abused or misbehave in a real-world situation.
  • Changing performance-review metrics: All too frequently, developers are incentivized on the speed of delivery at the expense of almost everything else. Consider changing how you assess your developers, give them time to absorb security learning, and adjust their performance review metrics to reflect this focus.

This is a great read and addresses issues we see in many of our real-world breaches. Thanks to Matias for the contribution!

Guide: vAPI walkthrough

Walkthroughs and guides are always popular with our readers, and this week, we have another great contribution from Edward Lichtner (@EdwardLichtner), this time taking us through a very comprehensive tour of the vAPI vulnerable API application. We have previously featured Edward’s walkthroughs and also a walkthrough of the vAPI application.

This walkthrough is ideal for anyone starting out with API hacking since it assumes very little prior knowledge, covers the installation of the tools and environments, works through each of the OWASP API Security Top 10, and includes some bonus items. The attention to detail makes it very easy to follow the individual steps, each accompanied by a screenshot.

Thanks again for this excellent contribution to the community, Edward; keep up the great work!

Article: Five stages to attain API security

The next article features views from Rakshith Rao on the five stages required to attain API security. The author highlights that APIs are becoming the top attack vector in 2023 (costing US companies between $12 and $23 billion in 2023 alone). He highlights some of the well-established reasons why existing security approaches are insufficient to achieve API security. In particular, outdated authorization methods and basic IP whitelisting afford scant protection. Many monitoring tools cannot monitor API activity and fail to provide any actionable information to security teams.

According to the author, the following five stages are key to attaining success with API security:

  1. Discover: Make sure you have an up-to-date view of your API inventory. Avoid using manual methods of discovery and classification; rather, rely on being able to monitor traffic.
  2. Observe: Analyze what you find and assess whether it should be present — for instance, take steps to identify and classify shadow and zombie APIs.
  3. Model: Build views of the system’s normal behavior by understanding data models and usual patterns of use. Be able to identify anomalies based on the usual patterns.
  4. Act: Perform regular activities to improve API security, such as API audits, tracking and tracing API calls, responses, and errors.
  5. Insights: Monitor the overall status and behavior of your API ecosystem and develop a culture of continuous improvement.

These are certainly great recommendations for a journey toward improved API security, but the devil is in the detail as ever.
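The Discover and Observe stages above come down to comparing what traffic actually shows against what the API team believes exists. The following is an added illustration written for this issue, not code from Rakshith Rao's article or any product: it reads constructed access-log lines, collapses numeric path segments into a route template, and classifies each observed route as documented, shadow (live but undocumented), zombie (retired but still answering) or documented-but-unused. The log lines, the documented inventory and the deprecation list are all made up for the example.

```python
"""
Constructed example (not from the article): classify API endpoints seen in
traffic against a declared inventory, the way the "Discover" and "Observe"
stages describe. All log lines, the inventory and the deprecation list are
made up for this example.
"""
import re
from collections import Counter

# Constructed sample of access-log lines in a combined-log-like format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2023:10:00:01 +0000] "GET /api/v2/users/123 HTTP/1.1" 200 512
10.0.0.6 - - [01/Aug/2023:10:00:02 +0000] "POST /api/v2/orders HTTP/1.1" 201 98
10.0.0.7 - - [01/Aug/2023:10:00:03 +0000] "GET /api/v1/users/123 HTTP/1.1" 200 640
10.0.0.8 - - [01/Aug/2023:10:00:04 +0000] "GET /api/internal/debug/config HTTP/1.1" 200 2048
10.0.0.5 - - [01/Aug/2023:10:00:05 +0000] "DELETE /api/v2/users/124 HTTP/1.1" 204 0
10.0.0.9 - - [01/Aug/2023:10:00:06 +0000] "GET /api/v2/users/125 HTTP/1.1" 200 512
"""

# Constructed "documented" inventory: what the API team says exists.
DOCUMENTED = {
    ("GET", "/api/v2/users/{id}"),
    ("DELETE", "/api/v2/users/{id}"),
    ("POST", "/api/v2/orders"),
}
# Constructed list of endpoints that were retired but may still answer.
DEPRECATED = {("GET", "/api/v1/users/{id}")}

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize(path):
    """Drop the query string and collapse numeric path segments into {id},
    so every instance of a resource groups into one route template."""
    path = path.split("?", 1)[0]
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def observe(log_text):
    """Return a Counter of (method, route) pairs actually seen in traffic."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed line: skip rather than abort the inventory run
        seen[(m["method"], normalize(m["path"]))] += 1
    return seen


def classify(seen, documented, deprecated):
    """Split routes into known, shadow (undocumented), zombie (retired but
    still live) and unused (documented but never observed)."""
    observed = set(seen)
    return {
        "known": sorted(observed & documented),
        "shadow": sorted(observed - documented - deprecated),
        "zombie": sorted(observed & deprecated),
        "unused": sorted(documented - observed),
    }


if __name__ == "__main__":
    report = classify(observe(SAMPLE_LOG), DOCUMENTED, DEPRECATED)
    for label, routes in report.items():
        print(label, routes)
```

On the sample above the internal debug endpoint surfaces as a shadow route and the v1 user lookup as a zombie, which is exactly the list the Observe stage asks you to triage. In a real deployment the log source would be the gateway or proxy in front of every API, and the documented set would be generated from the OpenAPI contracts rather than typed by hand.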

Guide: Exploiting GraphQL endpoints

Finally, this week, we have another guide focusing on the basics of exploiting GraphQL endpoints using introspection, queries, mutations, and tools. The article briefly introduces attacking GraphQL endpoints and assumes little prior knowledge.

Firstly, the article describes how to find common GraphQL endpoints using wordlists of common endpoints and then how to use introspection to gain further detail on the endpoints. Typically, introspection allows a user to discover the full schema of an endpoint, including the query, mutations, objects, fields, etc. In the event that introspection is disabled (it should be if you are serious about security!), then it is possible to use fuzzing techniques to build a map of the API. The author then looks at several different flaw types, such as query flaws (showing an example of BOLA) and mutation flaws (showing an example of mass assignment).
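To make the introspection point concrete, here is an added example written for this issue; it is not code from the guide or from any of the tools it lists. It shows the standard introspection query a client sends, then two checks a defender would run against the JSON that comes back: whether introspection is enabled at all (the response carries a `__schema` object rather than only an `errors` array), and, if it is, a summary of exactly which query fields, mutations and object fields a caller learns. Both sample responses are constructed; the "disabled" error message follows the wording graphql-js uses, but any response without `data.__schema` is treated the same way.

```python
"""
Constructed example (not from the guide or any tool it names): summarise what
a caller learns from a GraphQL introspection response, and detect the
response shape you get when introspection is disabled. Both sample bodies
below are made up for this example.
"""
import json

# The standard introspection query a client would POST as {"query": ...}.
INTROSPECTION_QUERY = """
{ __schema { queryType { name } mutationType { name }
  types { kind name fields { name type { kind name ofType { kind name } } } } } }
"""

# Constructed response from an endpoint with introspection enabled.
SAMPLE_OPEN = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            {"name": "users", "type": {"kind": "LIST", "name": None,
                                        "ofType": {"kind": "OBJECT", "name": "User"}}}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "updateUser", "type": {"kind": "OBJECT", "name": "User", "ofType": None}}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "type": {"kind": "SCALAR", "name": "ID", "ofType": None}},
            {"name": "email", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "isAdmin", "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None}}]},
        {"kind": "SCALAR", "name": "String", "fields": None},
        {"kind": "OBJECT", "name": "__Schema", "fields": []},
    ]}}})

# Constructed response from an endpoint that has introspection switched off.
SAMPLE_CLOSED = json.dumps({"errors": [
    {"message": "GraphQL introspection is not allowed, but the query contained __schema or __type"}]})


def type_name(t):
    """Unwrap LIST / NON_NULL wrappers down to the named type, e.g. [User]! -> User."""
    while t and t.get("name") is None and t.get("ofType"):
        t = t["ofType"]
    return t.get("name") if t else None


def introspection_enabled(response_text):
    """True if the body carries a __schema object; False if it only carries errors."""
    body = json.loads(response_text)
    data = body.get("data") or {}
    return bool(data.get("__schema"))


def summarize_schema(response_text):
    """Map each user-defined object type to its fields as {name: type}, skipping
    GraphQL built-ins (names starting with '__') and scalar types."""
    schema = json.loads(response_text)["data"]["__schema"]
    summary = {
        "query": schema["queryType"]["name"],
        "mutation": (schema.get("mutationType") or {}).get("name"),
        "types": {},
    }
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        summary["types"][t["name"]] = {f["name"]: type_name(f["type"]) for f in t["fields"] or []}
    return summary


if __name__ == "__main__":
    for label, body in (("open", SAMPLE_OPEN), ("closed", SAMPLE_CLOSED)):
        print(label, "endpoint, introspection enabled:", introspection_enabled(body))
    print(json.dumps(summarize_schema(SAMPLE_OPEN), indent=2))
```

Run against a real endpoint, `introspection_enabled` is the one-line production check worth wiring into a pipeline: it should return False everywhere except development. The summary is what an attacker gets for free when it returns True; in the constructed schema that includes the `isAdmin` field on `User` and the `updateUser` mutation, which is precisely the pairing the guide's mass-assignment example turns on.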

Finally, the author recommends some resources for further learning, namely:

  • GraphQL Voyager
  • InQL (Burp Suite)
  • “Damn Vulnerable GraphQL Application” vulnerable API application
  • “PoC graphql” vulnerable API application

Webinar: Something Old, Something New – OWASP API Security Top 10 in 2023

The OWASP API Security project has recently updated its Top 10 list of vulnerabilities that are commonly found in APIs. This list includes both well-known issues and new ones that are currently affecting APIs in the real world. It is crucial for those involved in the API industry to stay informed about these top threats and the OWASP Top 10 list is an excellent resource for doing so. By staying up-to-date with the latest security challenges, API professionals can better protect their systems and ensure the safety of their users’ data.

Join Colin Domoney (Chief Technology Evangelist) from 42Crunch at 9am PDT | 5pm BST on 1 August, 2023 as he takes a closer look at the 2023 Top 10, including:

  • an overview of his research into API vulnerabilities of the last 12 months.
  • the items dropping off the list and whether they are still a concern.
  • the items remaining unchanged, and why they are more of a concern than ever.
  • the three new items and why they warrant attention in 2023.
  • how 42Crunch can help you address these new items.

Join us to get the inside track on the new Top 10 concerns for API developers.
