[OWASP Top 10]: API Security Basics ~Series 2~ Risks and Countermeasures
Overview
5 min readJan 28, 2022
--
We will cover the OWASP top 10 API security basics
1:Broken Object Level Authorization (Insecure direct object reference)
what is it?
For example,
Let’s pretend that when I type this URL, I can see my credentials. But if I type
https://takahiro-oda.medium.com/messages/12344and credentials of another person show up?
This is Broken Object Level Authentication.
Why happens?
- Lack of authorization (No code to validate )
- Human error ( API mixing sensitive and non-sensitive data)
Automated Attack
Burp Suite
For example
https://takahiro-oda.medium.com/messages/<ID>Countermeasures
- Use unpredictable IDs ( random, hard to guess, not sequential)
- Validate user input
- Confirm authorized access
- Use automated testing to check
2:Broken User Authentication
What is broken user authentication?
It shows up when an API should have an authentication system but does not in practice, or when the authentication system is established but fails in specific instances, allowing attackers to impersonate a legitimate user.
Why this happens?
- When the public-facing instance authentication systems are too complex to be handled properly which opens vulnerabilities.
Common root cause and countermeasures
2.1:Insecure password storage
- should be hidden on client entry
- encrypted in transit & at rest
- avoid plaintext > hashing
![[AWS API Gateway, EKS] Access an Amazon EKS Cluster with an API Gateway!!](https://miro.medium.com/v2/resize:fit:1358/1*-w1mGhE3QuJemCBkS_B3Fw.png)
![[Splunk]How to capture log using Splunk Universal Forwarder](https://miro.medium.com/v2/resize:fit:1358/0*X-QInxolW5ienu77.png)
![[DevOps] Create your first CI/CD pipeline!!](https://miro.medium.com/v2/resize:fit:1358/1*XXbcbVCijb2DqX6SFHOlEA.png)
![[AWS security]How to query and analyze VPC flow logs in AWS](https://miro.medium.com/v2/resize:fit:1358/1*76gVKV1YukSaPF9pHfVGag.png)
