I’d like to propose an item in the top 10 relating to defensive programming across API boundaries, and the idea that the architecture of an API affects the risk level of applications that consume it.
This is something that would feel out of place in the broader web appsec top 10, but really becomes a concern when talking about APIs. It’s especially important for those that are consumed by a large amount of external applications, as opposed to just an SPA and/or mobile app. The main motivation for this is the content of the talk I gave at defcon and blackhat this year:
https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Maddux
I also noticed that it’s becoming a theme for trainings in API security. I don’t know what the training content entails, but it would be interesting to get the trainer’s thoughts on this, since there’s a section here to “Create APIs that are easy to use securely and hard to use insecurely” which is exactly what I’m talking about: https://www.blackhat.com/eu-19/training/schedule/index.html#attacking-and-securing-apis-15133
For the issue I pointed out in Apple Pay Web, the core idea is that the API requires merchants to implement an endpoint that is the textbook SSRF case, unless merchants’ developers are aware of SSRF and do careful validation, which has some tricky edge cases. It’s hopefully changing now that this has had some exposure at conferences. In the meantime it’s done a lot of damage, caused Apple some embarrassment, and earned me some bounties in sites that support Apple Pay.
A couple more examples:
Webhooks - This is one of the most broadly applicable cases, since there are a lot of unauthenticated webhook receivers out there. The majority of webhook senders simply provide an HMAC and hope that the consumer of the webhook will check it, but in practice this is overly optimistic. A more defensive approach adopted by some webhooks such as Plaid, is to just provide a cryptographically unique ID and expect the receiver to make a separate HTTP request to fetch the event with that ID. Another alternative is to still send the HMAC, but perform a couple of testing requests during registration to verify that the receiver does in fact verify the HMAC.
SOQL - Salesforce has a REST API that takes in a sql-like string as a parameter, and it’s fairly popular. Unfortunately, there’s no parametrization built into the API, so you get a lot of injection attacks in applications that consume this API. Obviously it would be difficult for Salesforce to walk back this decision, but if they had audited and designed the API with the idea I'm proposing in mind, they could have included, and perhaps enforced parameterized queries from the start. Importantly, this does not fall under A8/Injection against Salesforce’s API, since the injection doesn’t happen within Salesforce’s code. It manifests as passing the SOQL escaping burden to applications that consume the API: https://trailhead.salesforce.com/en/content/learn/modules/secdev_injection_vulnerabilities/secdev_inject_prevent_soql_injection
For some older precedent, a lot of past SAML stuff might fit under this category, since it’s similar in nature - there’s a single design detail that tends to manifest as a vulnerability across multiple implementations.
Some potential objections to including this in the top 10:
“The API security top 10 draft is already pretty good.” I agree! I think if anything, a couple of items might be consolidated, since it’s already a great list. One possibility might be to roll together Object+Function level access control (A1/A5), while keeping it at the top of the list since it’s really important. Or maybe one of the other items could be combined with A7.
“There’s not enough precedent.” This might be fair, and I’m not super familiar with the process for coming up with the top 10 lists. In the meantime this category is becoming my bug hunting MO, so there’s definitely going to be more precedent as time goes on.
If there is some interest in this, I would be happy to write a draft for the appropriate section in the Top 10 PDF, as well as cheat sheet content and relevant code for crAPI.
--
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/5417798e-546a-4cdc-9aaf-840661ee21be%40owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/CAN%3DxGgOOR4D%2BHYmPdgDqnDcQxmSavbHRwuzwEoVfRPGwsiT2Cw%40mail.gmail.com.
Hello Mordecai,
That sounds very interesting. I am looking forward to seeing your slides.
Best,
Erez Yalon
OWASP API Security Project Co-Leader
OWASP Go-SCP Project Co-Leader
(Coming Soon) OWASP Software Composition Security Project Leader
Email: erez....@owasp.org
Mobile: +972505977720
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/CADCsEAzV66rir2FoVxzYySToKe00BUTr1kr4TYHpw-6nZ3C39g%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/001201d56ef2%24a6b57af0%24f42070d0%24%40owasp.org.
Dmitry Sotnikov
VP, Cloud Platform
42 Crunch
Cell: +1.949.303.9653, Skype: DSotnikov, Twitter, LinkedIn
Hi Dmitry,
It makes a lot of sense that projects like JuiceShop, Pixi, and others, will cover API Security issues since API is the heart of every modern app.
While supporting and urging everyone who can to contribute to the above awesome projects, I believe there is an added value of having a specific project focused around API Security. This is not really re-inventing the wheel. Just making more wheels 😃
Best,
Erez Yalon
OWASP API Security Project Co-Leader
OWASP Go-SCP Project Co-Leader
(Coming Soon) OWASP Software Composition Security Project Leader
Email: erez....@owasp.org
Mobile: +972505977720