chapter five

5 Top API configuration and management vulnerabilities


This chapter covers

  • Restricting resource consumption
  • Mitigating server-side request forgery
  • Configuring APIs safely
  • Managing the API attack surface
  • Consuming APIs safely

We continue our exploration of the most common API security risks by looking at the configuration- and management-related categories from the Open Worldwide Application Security Project (OWASP) API Security Top 10. Whereas the vulnerabilities in chapter 4 relate to weak access controls over our system, resources, and business logic flows, the vulnerabilities in this chapter involve abuse of misconfigurations that allows threat actors to trigger arbitrary requests from our system, obtain sensitive system information, and more. You'll learn about the importance of managing your API attack surface and see how threat actors look for old API versions or internal endpoints that are less protected.

5.1 Unrestricted resource consumption

5.1.1 Fending off a DoS attack

5.1.2 Addressing unrestricted resource consumption with code

5.2 Server-side request forgery

5.3 A practical example of mitigating SSRF

5.4 Security misconfiguration

5.5 A practical example of mitigating security misconfiguration

5.6 Improper inventory management

5.7 Unsafe consumption of APIs

5.8 Addressing unsafe consumption of APIs in practice

Summary