Security misconfiguration can happen at any level of the API stack, leading to unauthorized access and server compromise. Learn how to prevent misconfigurations.
Security misconfiguration can happen at any level of the API stack, from the network level to the application level. Attackers often exploit misconfigurations to gain unauthorized access to sensitive user data or compromise the server.
API7:2019 Security Misconfiguration is a security risk identified in the OWASP API Security Top 10. It covers misconfigurations anywhere in the API stack, including network-level misconfigurations, application-level misconfigurations, and improperly configured permissions on cloud services. These misconfigurations can allow attackers to gain unauthorized access to user data or to compromise the server. The risk can be prevented through proper security hardening, regular review and update of configurations, secure communication channels, and the implementation of security measures such as CORS policies and proper handling of API response payloads.
To prevent API security misconfigurations, the API life cycle should include a repeatable hardening process for deployment, regular review and update of configurations, secure communication channels, and continuous assessment of configuration effectiveness. It is also important to define and enforce API response payload schemas to prevent valuable information from being sent to attackers, disable unnecessary HTTP verbs, and implement proper Cross-Origin Resource Sharing (CORS) policies.
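As an added example (not code from OWASP or any framework), the following Python implements three of the controls listed above in a form that can be run as part of a deployment check: a response-schema allowlist that strips fields the schema does not declare, a per-route HTTP verb allowlist, and an audit over a constructed deployment config that flags plaintext HTTP, a wildcard CORS origin combined with credentials, and a datastore with authentication disabled. All names (USER_RESPONSE_SCHEMA, ROUTE_METHODS, SAMPLE_CONFIG, the config keys) are assumptions invented for the example.

```python
from __future__ import annotations
from typing import Any

# Allowlist schema for a user object: only these fields may leave the server.
USER_RESPONSE_SCHEMA = {"id": int, "username": str, "display_name": str}

# Verbs each route actually needs; any other verb should be answered with 405.
ROUTE_METHODS = {"/users/{id}": {"GET", "PATCH"}}

# Constructed deployment config (hypothetical keys) carrying three misconfigurations.
SAMPLE_CONFIG = {
    "server": {"tls_required": False},
    "cors": {"allowed_origins": ["*"], "allow_credentials": True},
    "datastore": {"auth_enabled": False},
}


def enforce_response_schema(record: dict, schema: dict) -> dict:
    """Keep only fields the schema declares, with the declared type, so internal
    columns (password hashes, tokens, role flags) are never serialized by accident."""
    return {k: v for k, v in record.items() if k in schema and isinstance(v, schema[k])}


def method_allowed(route: str, method: str) -> bool:
    """True only for verbs explicitly enabled on the route (unknown routes allow nothing)."""
    return method.upper() in ROUTE_METHODS.get(route, set())


def audit_config(cfg: dict[str, Any]) -> list[str]:
    """Return one finding per hardening check that the configuration fails."""
    findings: list[str] = []
    server = cfg.get("server", {})
    cors = cfg.get("cors", {})
    store = cfg.get("datastore", {})
    if not server.get("tls_required"):
        findings.append("transport: plaintext HTTP permitted; require TLS")
    origins = cors.get("allowed_origins", [])
    if not origins:
        findings.append("cors: no origin allowlist defined")
    elif "*" in origins and cors.get("allow_credentials"):
        findings.append("cors: wildcard origin combined with credentials")
    if not store.get("auth_enabled"):
        findings.append("datastore: authentication disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FAIL", finding)
```

Running the module against SAMPLE_CONFIG prints three findings; a config with TLS required, an explicit origin allowlist and datastore authentication enabled produces none.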
Scenario #1: An attacker finds the .bash_history file and gains access to API endpoints used by the DevOps team, allowing unauthorized access to sensitive data.
Scenario #2: An attacker discovers a misconfigured database management system, with authentication disabled by default, and gains access to millions of records containing PII and authentication data.
Scenario #3: An attacker identifies HTTP traffic performed without TLS, specifically for downloading profile images, and exploits this vulnerability to track user preferences and gather sensitive information.