
API10:2019 Insufficient Logging & Monitoring - OWASP API Security Top 10

Learn about the weakness in which an API produces too little logging and monitoring for an attack to be noticed while it is under way. Covers how to prevent it and two real-world attack scenarios.

Overview

Insufficient logging and monitoring lets attackers abuse an API without being detected. Without adequate logs and monitoring, suspicious activity cannot be tracked or responded to in a timely manner, which gives an attacker ample time to go from a first foothold to a full compromise.


Description

API10:2019 Insufficient Logging & Monitoring is the security weakness in which an API does not record enough about what is happening for an attack to be detected and investigated. It occurs when the API produces no logs, when the logging level is set too low, or when log messages lack the detail needed to identify who did what (such as the source address, the authenticated principal and the requested resource). It also occurs when log integrity is not guaranteed, so an attacker who gains access can alter or delete the evidence, or when the API infrastructure is not continuously monitored, so logs are written but nobody looks at them until after the damage is done. Without this visibility into ongoing malicious activity, attackers can fully compromise systems before anyone notices.


How to Prevent?

To prevent insufficient logging and monitoring in APIs, take the following steps:

  • Log all failed authentication attempts, denied access decisions and input validation errors, since these are the events an attacker generates while probing the API.

  • Write logs in a structured format suitable for consumption by a log management solution, and include enough detail (timestamp, source address, user or key identifier, endpoint, outcome) to identify malicious actors. Do not log passwords, full API keys or other secrets.

  • Handle logs as sensitive data and ensure their integrity at rest and in transit, for example by shipping them to a write-once store and signing or hash-chaining records so that tampering is detectable.

  • Configure a monitoring system to continuously monitor the infrastructure, the network and the functioning of the API itself.

  • Use a Security Information and Event Management (SIEM) system to aggregate and manage logs from all components of the API stack and hosts.

  • Configure custom dashboards and alerts so that suspicious activity is detected and responded to early, rather than discovered during a post-incident log review.


Example Attack Scenarios:

  • Scenario #1: Access keys of an administrative API were leaked on a public repository. Although the repository owner was notified about the potential leak, they took more than 48 hours to respond. Because logging was insufficient, the company is unable to assess what data was accessed by malicious actors during that window.

  • Scenario #2: A video-sharing platform suffered a 'large-scale' credential stuffing attack. Although failed logins were being logged, no alerts were configured on them, so none were triggered while the attack was under way. The attack was only detected later, when the API logs were analyzed. The company had to publicly announce the incident and ask users to reset their passwords.
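The following is an added example, not code from OWASP, from Cloud Defense or from either company in the scenarios above. It puts the prevention steps into practice and shows the alert that was missing in Scenario #2: a structured, one-JSON-object-per-line audit log whose records are HMAC-chained so that editing or deleting a record is detectable, and a detection rule that replays those lines and raises an alert when one source address fails logins against many distinct accounts inside a sliding window. The field names, event names, thresholds, the `LOG_HMAC_KEY` placeholder and the sample traffic are all assumptions constructed for the example.

```python
"""Added example (not code from OWASP or Cloud Defense): a structured, tamper-evident
audit log for API authentication events and a detector that replays it to raise a
credential-stuffing alert. Field names and thresholds are assumptions."""
import hashlib
import hmac
import json
import time
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: in production this key comes from a secrets manager, not source code.
LOG_HMAC_KEY = b"replace-with-key-from-secrets-manager"
GENESIS = "0" * 64


def _canonical(record):
    """Stable byte encoding so writer and verifier MAC exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """One JSON object per line. Each record carries an HMAC over its own fields plus
    the previous record's tag, so an edit, insertion or deletion breaks the chain."""

    def __init__(self, key):
        self.key = key
        self.prev_tag = GENESIS
        self.lines = []

    def write(self, event, ts=None, **fields):
        # Callers pass who/where/what (user, src_ip, path, reason); never raw
        # passwords or full API keys, which would turn the log into a secret store.
        when = datetime.fromtimestamp(ts if ts is not None else time.time(), tz=timezone.utc)
        record = {"ts": when.isoformat(timespec="seconds"), "event": event,
                  **fields, "prev": self.prev_tag}
        record["tag"] = hmac.new(self.key, _canonical(record), hashlib.sha256).hexdigest()
        self.prev_tag = record["tag"]
        self.lines.append(json.dumps(record, sort_keys=True))
        return record


def verify_chain(lines, key):
    """Return (ok, records_checked); ok is False at the first broken link."""
    prev = GENESIS
    for n, line in enumerate(lines, 1):
        rec = json.loads(line)
        tag = rec.pop("tag", "")
        if rec.get("prev") != prev:          # a record was removed or reordered
            return False, n
        expected = hmac.new(key, _canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):  # a field was altered
            return False, n
        prev = tag
    return True, len(lines)


def detect_credential_stuffing(lines, window_s=60, min_failures=5, min_accounts=5):
    """Alert when one source IP fails logins against many distinct accounts inside
    a sliding window; a single user mistyping a password does not trip it."""
    recent = defaultdict(list)  # src_ip -> [(epoch_seconds, user)]
    alerts, alerted = [], set()
    for line in lines:
        rec = json.loads(line)
        if rec["event"] != "auth_failure":
            continue
        t = datetime.fromisoformat(rec["ts"]).timestamp()
        ip = rec["src_ip"]
        bucket = recent[ip]
        bucket.append((t, rec["user"]))
        bucket[:] = [(bt, u) for bt, u in bucket if t - bt <= window_s]
        accounts = {u for _, u in bucket}
        if ip not in alerted and len(bucket) >= min_failures and len(accounts) >= min_accounts:
            alerted.add(ip)
            alerts.append({"rule": "credential_stuffing", "src_ip": ip,
                           "failures": len(bucket), "accounts": len(accounts),
                           "last_seen": rec["ts"]})
    return alerts


def build_sample_log():
    """Constructed traffic (not real data): normal use, one user fat-fingering a
    password, a denied admin call, a bad input, then a burst from one address."""
    log = AuditLog(LOG_HMAC_KEY)
    base = 1_700_000_000.0
    log.write("auth_success", ts=base, user="alice", src_ip="198.51.100.5", path="/api/v1/login")
    log.write("auth_failure", ts=base + 5, user="bob", src_ip="198.51.100.9", path="/api/v1/login", reason="bad_password")
    log.write("auth_failure", ts=base + 9, user="bob", src_ip="198.51.100.9", path="/api/v1/login", reason="bad_password")
    log.write("access_denied", ts=base + 15, user="bob", src_ip="198.51.100.9", path="/api/v1/admin/users")
    log.write("input_validation_error", ts=base + 18, user="alice", src_ip="198.51.100.5", path="/api/v1/videos", reason="id must be an integer")
    for i in range(8):
        log.write("auth_failure", ts=base + 20 + 3 * i, user=f"user{i:02d}", src_ip="203.0.113.7", path="/api/v1/login", reason="bad_password")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", verify_chain(log.lines, LOG_HMAC_KEY))
    for alert in detect_credential_stuffing(log.lines):
        print("ALERT", json.dumps(alert))
```

Two design points matter here. The chain is keyed with an HMAC rather than a plain hash so that an attacker who can rewrite the log file cannot simply recompute the chain; the key must therefore live somewhere the API host cannot read back after writing (a separate log collector or HSM), otherwise the integrity guarantee is only as strong as the host. The rule keys on distinct accounts per source, not just failure count, which is what separates credential stuffing from a legitimate user retrying a password; in a real deployment it would run in the SIEM over the shipped logs, with the thresholds tuned to the platform's normal failure rate.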
