5 Top API configuration and management vulnerabilities


This chapter covers

  • Restricting resource consumption
  • Mitigating Server-Side Request Forgery (SSRF)
  • Configuring our APIs safely
  • Managing our API attack surface securely
  • Consuming APIs safely

We continue our exploration of the most common API security risks by looking at the API configuration and management-related categories from the OWASP API Top 10. While the vulnerabilities in the previous chapter involved access controls to our system, resources, and business logic flows, the vulnerabilities in this chapter involve abuse of misconfigurations that allow threat actors to trigger arbitrary requests from our system, obtain sensitive system information, and more. You’ll also learn about the importance of managing your API attack surface and how threat actors look for old API versions or internal endpoints that are less protected.

5.1 Unrestricted resource consumption

5.1.1 Addressing unrestricted resource consumption with code

5.2 Server-Side Request Forgery (SSRF)

5.2.1 Practical example of mitigating SSRF

5.3 Security Misconfiguration

5.3.1 Practical example of mitigating security misconfiguration

5.4 Improper Inventory Management

5.5 Unsafe Consumption of APIs

5.5.1 Addressing unsafe consumption of APIs in practice

5.6 Summary