chapter four

4 Top API authentication and authorization vulnerabilities


This chapter covers

  • Mitigating API authentication and authorization vulnerabilities
  • Finding common flaws in role-based access controls
  • Preventing unintended updates to our data
  • Mitigating sensitive data leaks
  • Preventing abuse of our business logic

APIs expose access to sensitive data and operations in our systems, and it’s clear that we must protect them. But what are we protecting them from? What do API vulnerabilities look like, and how are they exploited? How do we defend our APIs against those vulnerabilities? How and when do we know we’ve done enough to mitigate risks to our APIs? If these questions are bugging you, you’ve come to the right place. In this chapter, we examine the Open Worldwide Application Security Project’s (OWASP’s) list of API security threats and learn to mitigate them.

OWASP is a not-for-profit organization created by Mark Curphey in 2001 to support a host of community-driven projects in cybersecurity. In 2003, OWASP launched its signature top 10 list of web-application security risks, which has since been updated regularly. OWASP is your first stop for understanding what kinds of threats your applications face and how to deal with them.

4.1 Running the code examples

4.2 Broken object-level authorization

4.3 A practical example of BOLA

4.4 Broken authentication

4.5 A practical example of broken authentication

4.6 Broken object property level authorization

4.6.1 Mass assignment

4.6.2 Excessive data exposure

4.6.3 Practical example of excessive data exposure

4.7 Broken function-level authorization

4.8 A practical example of preventing BFLA

4.9 Unrestricted access to sensitive business flows

4.10 A practical example of mitigating abuse of vulnerable business flows

Summary