DEV Community

Cover image for OWASP API10:2023 Unsafe Consumption of APIs
Panchanan Panigrahi
Panchanan Panigrahi

Posted on

OWASP API10:2023 Unsafe Consumption of APIs

Imagine you've built an amazing app, but a hacker finds a sneaky way to steal your user data. It all happens because of something called "unsafe API consumption."

unsafe API consumption

When you integrate with third-party APIs, you're essentially trusting them with your app's data. If those APIs aren't secure, your data is at risk. In this post, we'll break down the dangers of unsafe API consumption and show you how to keep your app and user data safe.


How to spot Unsafe Consumption of APIs Vulnerabilities? πŸ•΅οΈβ€β™‚οΈ

  1. Interacts with other APIs over an unencrypted channel;πŸš«πŸ”
  2. Does not properly validate and sanitize data gathered from other APIs prior to processing it or passing it to downstream components;πŸ›‘πŸ§Ή
  3. Blindly follows redirections;πŸ”„πŸ‘€
  4. Does not limit the number of resources available to process third-party service responses;πŸš€πŸ”
  5. Does not implement timeouts for interactions with third-party services;βŒ›πŸ”„

Example Attack Scenarios πŸŒβš”οΈ

Scenario 1: Man-in-the-Middle Attacks and Code Injection

An API integrates with a third-party service provider to safely store sensitive user medical information. Data is sent over a secure connection using an HTTP request like the one below:



POST /user/store_phr_record
{
  "genome": "ACTAGTAG__TTGADDAAIICCTT…"
}


Enter fullscreen mode Exit fullscreen mode

Bad actors found a way to compromise the third-party API and it starts responding with a 308 Permanent Redirect to requests like the previous one.



HTTP/1.1 308 Permanent Redirect
Location: https://attacker.com/


Enter fullscreen mode Exit fullscreen mode

Since the API blindly follows the third-party redirects, it will repeat the exact same request including the user's sensitive data, but this time to the attacker's server.


Scenario 2: Exploiting Untrusted Input and SQL Injection

An attacker can prepare a git repository named '; drop db;--.

Now, when an integration from an attacked application is done with the malicious repository, SQL injection payload is used on an application that builds an SQL query believing the repository's name is safe input.


How To Prevent Unsafe Consumption of APIs: 🚧

  1. When evaluating service providers, assess their API security posture. πŸ€”πŸ›‘οΈ
  2. Ensure all API interactions happen over a secure communication channel (TLS).πŸ”’πŸ”—
  3. Always validate and properly sanitize data received from integrated APIs before using it.🧹🩹
  4. Maintain an allowlist of well-known locations integrated APIs may redirect yours to: do not blindly follow redirects.πŸš«πŸ”„

Final Thoughts πŸ’‘

Unsafe API consumption can pose a significant risk to the security of your application and its users' data. This post has outlined the key vulnerabilities associated with this practice and provided valuable insights into identifying them and implementing appropriate mitigation strategies.

Key Takeaways:

  • Continuous Vigilance: Security is an ongoing journey, not a destination. Regularly assess API integrations and adapt your security posture to address evolving threats.πŸš¨πŸ‘€
  • Prioritize Encryption: Utilize secure communication protocols like TLS to safeguard data transmissions during API interactions.πŸ”πŸ”’
  • Validation and Sanitization are Crucial: Treat all incoming data with suspicion, regardless of its source. Implement robust validation and sanitization practices to neutralize potential threats.πŸšΏπŸ›‘
  • Stay Informed and Adapt: Continuously update your knowledge of emerging API vulnerabilities and mitigation techniques to stay ahead of security risks.πŸ“šπŸ”„

By diligently adhering to these recommendations, you can effectively mitigate the risks associated with unsafe API consumption and ensure the secure integration of external services within your application. This, in turn, fosters trust and protection for your user's data, a cornerstone of a robust and reliable application ecosystem.πŸŒπŸ›‘οΈ

Top comments (0)