4 Top API authentication and authorization vulnerabilities

This chapter covers

  • Mitigating API authentication and authorization vulnerabilities
  • Common flaws in role-based access controls
  • Preventing unintended updates to our data
  • Mitigating sensitive data leakage
  • Preventing abuse of our business logic

APIs expose access to sensitive data and operations in our systems, and it’s clear that we must protect them. But what are we protecting them against? What do API vulnerabilities look like, and how are they exploited? How do we defend our APIs against those vulnerabilities? How and when do we know that we’ve done enough to mitigate the risks to our APIs? If these questions are bugging you, you’ve come to the right place. In this chapter, we examine the OWASP Top 10 API Security threats and learn how to mitigate them.

OWASP is a nonprofit organization created by Mark Curphey in 2001 to support a host of community-driven projects in cybersecurity. In 2003, OWASP launched its signature Top 10 Web Application Security Risks, which has since been regularly updated, with the latest list published in 2023 (https://owasp.org/www-project-top-ten/). As a developer, you should make OWASP your first stop for understanding what kinds of threats your applications face and how to deal with them.

4.1 Running the code examples

4.2 Broken object-level authorization

4.2.1 Practical example of BOLA

4.3 Broken authentication

4.3.1 Practical example of broken authentication

4.4 Broken object property level authorization

4.4.1 Mass assignment

4.4.2 Excessive data exposure

4.5 Broken Function Level Authorization (BFLA)

4.5.1 Practical example of preventing BFLA

4.6 Unrestricted access to sensitive business flows

4.6.1 Practical example of mitigating abuse of vulnerable business flows

4.7 Summary