The Open Web Application Security Project (OWASP for short) is a not-for-profit entity devoted to improving the security of software. Founded in 2001, OWASP is a global organization that supports thousands of volunteers globally to produce freely available articles, documentation, tutorials, and tooling.
OWASP is best known for its "Top 10" lists, which represent a broad consensus about the most critical security risks to web applications. These lists, updated every few years, serve as a vital benchmark for web application security, used by developers and security teams worldwide to ensure that their applications do not suffer from the most egregious, common, and dangerous vulnerabilities.
OWASP also publishes an API Security Top 10, focusing primarily on the top security risks to APIs. APIs are mission critical and they’re increasing under attack, with a forecasted 996% surge in attacks by 2030.
In this post, we’ll talk about the 2023 OWASP API Security Top 10 and recommendations from Kong to mitigate the risks around each.
2023 OWASP Top 10 API security risks
The 2023 OWASP API Security Top 10 focuses on the most common and most dangerous threats to modern APIs. APIs are fundamental in today’s app-driven world. They're critical to modern mobile, SaaS, and web applications and are foundational to innovation across industries. But because APIs expose sensitive application logic and data, they have therefore (surprising to no one) become an attractive target for attackers.
Ensuring API security allows for rapid innovation and helps safeguard organizations against potential threats — and security is an essential part of becoming an API-first company.
An API management platform can help improve API security, specifically addressing the high-priority threats described in the OWASP API Top 10 with things like access and authorization control down to the object level, granular rate-limiting and bot control, policy-based routing, and request and response validation and sanitation.
Next, we'll give an overview of each item on the 2023 OWASP Top 10 and discuss how Kong can help drive improved API security around each risk.
API1:2023 Broken Object Level Authorization
APIs often have endpoints that deal with object identifiers, leading to a broad attack surface for Object Level Access Control concerns. OWASP says it's crucial to incorporate object level authorization checks in every function that interacts with a data source using a user-provided ID.
Example attack scenarios include API endpoints being exposed that allow for accessing sensitive data through a simple script manipulating URLs to vulnerabilities that allow users to delete other users’ documents without proper permission checks.
Kong's recommendation
Kong recommends the use of authentication/authorization plugins using protocols and auth flows that prevent clients from accessing resources they’re not permissioned for.
Kong offers a number of authentication/authorization plugins that provide the required level of access control and can integrate with third-party identity providers to allow organizations to implement security best practices without having to write client or server side logic to communicate with the IDP.
Authentication metadata from the IDP is passed along to the upstream service which is then responsible for ensuring the authenticated user has privileges to access the object requested.
Resources:
- [Documentation] Kong Authentication Plugins
- [Hands-on Workshop] Kong Authentication and Authorization using OpenID Connect
API2:2023 Broken Authentication
Due to incorrect implementation of authentication mechanisms, attackers can exploit flaws to compromise authentication tokens or assume the identities of other users, either temporarily or permanently. When the system’s ability to identify the client or user is compromised, it undermines the overall security of the API.
An example attack scenario would include using an API that doesn't require identity verification via password to update the email associated with an account — potentially allowing bad actors to steal the auth token and take over an account with a password reset.
Kong's recommendation
Kong allows organizations to delegate authentication logic, configuration, and governance to the API gateway layer which significantly limits the scope of authentication logic that could be misconfigured or poorly implemented.
Centralizing authentication in Kong reduces the burden on backend and frontend developers writing secure and bug-free authentication code. This also allows security analysts and compliance officers to easily validate and audit authentication logic.
Resources:
- [Documentation] Kong Authentication Plugins
- [Documentation] Kong Authentication Reference Guide
- [Hands-on Workshop] Kong Authentication and Authorization using OpenID Connect
API3:2023 Broken Object Property Level Authorization
This category combines two previous entries on the list, API3:2019 Excessive Data Exposure and API6:2019 – Mass Assignment. But the new addition focuses on the source of the problem: an improper level of authorization validation at the object property level.
Example attack scenarios include accelerating brute-force logging into an account with GraphQL query batching to get around request rate limiting.
Kong's recommendation
While the determination of what content to include in an API response is primarily the responsibility of the backend service, Kong can perform response transformation to obfuscate and remove data that doesn’t need to be sent back to the client. Kong’s independence from the API service implementation allows administrators to apply this transformation logic at the gateway layer without relying on the service implementation team.
Kong can also prevent inadvertent acceptance of unpublished parameters and fields of backend data models by enforcing API requests to adhere to a schema using the Request Validator plugin.
This plugin provides the ability to:
- enforce a JSON request body schema using the JSON Schema spec
- enforce a parameter schema based on the OpenAPI specification
- and/or enforce specific allowed content types
Resources:
- [Documentation] Kong Response Transformation Plugin
- [Documentation] Kong XML Threat Detection Plugin
- [Documentation] Kong Request Validator Plugin
API4:2023 Unrestricted Resource Consumption
API request processing takes a lot of resources, including network bandwidth, CPU, memory, and storage. And resources like email and SMS or biometric validation are made thanks to APIs and are paid on a per-request basis. Attacks can lead to Denial of Service or increased costs.
An example attack scenario could include an organization getting hit by an unexpected massive bill due to a lack of consumption cost alerts or max cost allowances on cloud storage and a cache service mixup that has all clients pull a new version of a large file.
Kong's recommendation
Kong provides a number of mechanisms for preventing clients from inadvertently or maliciously requesting too many resources.
Kong offers a Rate Limiting plugin with numerous options for controlling the rate of requests made to backend services. Rate limiting can be applied at a global, service, route, or consumer level. Rate limiting counters can be tracked by consumer, IP address, credential, service, and header, regardless of what object level the plugin is configured at.
The rate limiting plugin is highly performant, offering integration with Redis to efficiently store and track counters. These options are essential in allowing the system to distinguish excessive rates of use from specific sources vs an overall spike in traffic.
Kong also offers a Request Size Limiting plugin to prevent unexpectedly large request payloads from overwhelming Kong and backend services. It offers options for specifying the payload size limit and requiring a Content-Length header.
Kong Resources:
- [Documentation] Kong Rate Limiting plugin
- [Documentation] Kong Request Size Limiting plugin
- [Hands-on Workshop] Getting Started with Rate Limiting
API5:2023 Broken Function Level Authorization
The complexity of access control policies can lead to authorization issues that may be used to gain unauthorized access.
An example attack would include an attacker with knowledge of an API's structure making an educated guess and accessing an endpoint intended only for admin use that returns user details and doesn't use function level authorization checks.
Kong's recommendation
Kong can enforce endpoint/route level authentication and authorization so in addition to validating a client is accessing the API with a known identity, authorization rules can also be added to prevent any consumer without the proper role from accessing a route. This is implemented with the Kong authentication/authorization Plugins.
In the case of an organization offering user vs admin APIs, a route can be defined specifically for the user APIs that allow authenticated users with user API permissions to access those resources. A separate route or set of routes can be defined for admin APIs that allow authenticated users with admin API permissions to access those routes.
Kong Resources:
- [Documentation] Kong ACL Plugin
- [Blog] Access Control Lists with Kong
- [Hands-on Workshop] Kong Authentication and Authorization using OpenID Connect
API6:2023 Unrestricted Access to Sensitive Business Flows
Business flows can expose a risk without accounting for how a function could be abused via automation to hurt the business.
An example of this could include an airline offering purchases with no cancellation fees. A bad actor could book a majority of seats on a flight and then cancel them, pushing the airline to discount tickets.
Kong's recommendation
Kong can use advanced rate-limiting features to provide granular control over how many HTTP requests can be made in a given time frame. Kong also provides bot detection, preventing automated entities from flooding the API and protecting performance and responsiveness for live users.
Kong Resources:
- [Documentation] Kong Rate Limiting plugin
- [Documentation] Kong Bot Detection plugin
- [Hands-on Workshop] Getting Started with Rate Limiting
API7:2023 Server Side Request Forgery
Server-Side Request Forgery (SSRF) forgery may happen when an API retrieves a remote resource but doesn't validate the URI. A bad actor can then use the application to send requests to unintended destinations.
An example of an attack using SSRF could be an application that allows for user-uploaded profile pictures. With the option to upload an image via a URL, an attacker can send a malicious URL and initiate port scanning to see if the port is open or not.
Kong's recommendation
Kong provides the Request Validator plugin, which allows API administrators to utilize Kong's schema validator, or provide their own JSON Schema Draft 4 compliant validator to define validation schema. In the case of SSRF attacks, this can be used to confirm that requests containing user-supplied URIs conform to expected input values, or to default to non-acceptance of requests containing pre-defined values (like localhost).
The Kong Request and Response Transformer plugins can also be used to capture request values, like URIs, and sanitize them before being passed to the upstream API endpoints.
Kong Resources:
- [Documentation] Kong Request Validator Plugin
- [Documentation] Kong Request Transformer Plugin
- [Documentation] Kong Response Transformer Plugin
API8:2023 Security Misconfiguration
The complicated configurations of APIs and their support systems allow for customization. But missed configurations or poor security practices can create vulnerabilities ripe for attack.
An example attack could be with an application that allows for direct messages. If new messages are retrieved via an API request missing the Cache-Control HTTP response header, the messages can get cached by the browser and then retrieved by a bad actor via the browser cache files in the filesystem.
Kong's recommendation
Kong provides a number of mechanisms to secure backend APIs that may be more exposed than necessary. The Kong Route object is the primary mechanism to narrow the scope of API endpoints, methods, and protocols that can be exposed for a backend service.
Kong offers a CORS Plugin with numerous options to granularly define CORS access.
Kong also offers Response Transformer and Exit Transformer plugins to modify or obfuscate response bodies and status codes to prevent leakage of sensitive information.
Kong Resources:
- [Hands-on Workshop] Getting Started with Services, Routes, and Plugins
- [Documentation] Kong Proxy Guide: Routes and Matching Capabilities
- [Documentation] Kong CORS plugin
- [Documentation] Kong Exit Transformer Plugin
- [Documentation] Kong Response Transformer Plugin
API9:2023 Improper Inventory Management
Proper, detailed, and up-to-date documentation and inventory are essential as APIs generally expose so many endpoints.
An example attack could include a malicious actor finding a beta API host missing a rate-limiting mechanism and brute force guessing a six-digit token.
Kong's recommendation
Kong’s Route object provides an abstraction layer to reduce the scope of exposure to backend services as described above in section API8:2023 Security Misconfiguration.
The Route abstraction also makes it easy to create additional endpoints to represent different API versions and transparently migrate backend API service implementations without impacting uptime for API clients.
Kong's Developer Portal allows organizations to document and publicize only the APIs that they want to provide exposure to. The Developer Portal can be integrated with third-party IdPs to securely manage developer access to the portal.
Kong Resources:
API10:2023 Unsafe Consumption of APIs
Developers may be lax on security standards when it comes to trusting data from third-party APIs. Knowing this, malicious actors may go after integrated services rather than the API.
An example attack would include a bad actor compromising a third-party API used to store sensitive data and making it respond with a permanent redirect to the attacker's server.
Kong's recommendation
There are several Kong plugins that can be used to limit the impact compromised third-party services and APIs can have on the primary API. Kong offers several methods through which users can implement "zero-trust" security in their APIs.
The Mutual TLS Authentication plugin adds TLS authentication based on client-supplied or server-supplied certificates and on the configured trusted CA list. TLS encryption ensures that sensitive data cannot be sniffed, even if a third-party intermediate service is compromised for a Man-in-the-Middle (MiTM) attack.
The Kong Request Validator Plugin, as well as the Request and Response Transformer plugins can be used to enforce request schemas, as well as sanitize requests that may contain non-conforming or malicious strings. Users can enable these plugins and apply policies against requests that come from potentially compromised third parties.
Kong Resources:
- [Documentation] Kong Mutual TLS Authentication
- [Documentation] Kong Request Validator Plugin
- [Documentation] Kong Request Transformer Plugin
- [Documentation] Kong Response Transformer Plugin
Conclusion
In the constantly shifting landscape of web application security, it's critical to stay informed about potential vulnerabilities and the best practices to mitigate them. The OWASP Top 10 helps by outlining the most critical security risks to web applications and APIs.
Kong’s cloud native API platform offers a variety of capabilities that can help mitigate or prevent the threats present in the OWASP API Top 10. From robust authentication mechanisms and rate limiting to secure data transmission and comprehensive logging and monitoring, Kong provides a holistic approach to safeguarding APIs against potential threats.
However, tools are only part of the story in maintaining an effective security posture. Ongoing security testing and monitoring are vital for keeping up with the evolving threat landscape. Furthermore, staying updated with the latest security trends and adapting your measures to counter new threats is an ongoing process.
As software systems continue to become more complex and more powerful, the role of API management in maintaining security becomes even more significant.
Developer agility meets compliance and security. Discover how Kong can help you become an API-first company.
