
API7:2019 Security Misconfiguration: The What, Sample Exploits, and Prevention Methods

Posted Date: May 29, 2023
Read Time: 5 min

Security misconfigurations are very common security risks, not just in web applications but also in APIs. They have been consistently part of the OWASP Top 10 Web Application Vulnerabilities. They were part of the original OWASP Top 10 API Security Risks published in 2019 and have now made it to the updated 2023 list.

Security misconfiguration maintains its 7th rank in OWASP Top 10 API 2023 owing to its widespread prevalence, easy exploitability, and easy detectability.

What exactly are security misconfigurations? What causes them, and how to mitigate them? Keep reading to find out.

What is Security Misconfiguration?

Security misconfigurations are the errors and oversights made during an API’s configuration, implementation, or maintenance that can lead to security vulnerabilities. They happen when developers/IT teams have not followed security best practices in implementing and configuring APIs.

Security misconfigurations can occur when developers and IT security teams fail to adequately harden the attack surface with proper configurations.

It simply means that essential API security settings were either not implemented or implemented incorrectly, leaving dangerous gaps and weaknesses in the API. Threat actors can exploit these gaps to orchestrate massive attacks and data breaches.

These misconfigurations may occur at different levels of the API stack, including the API server, API gateway, client application, the infrastructure supporting the API, network level, system level, application level, and so on. Almost no difference exists in how these misconfigurations affect web apps and APIs.


// Insecure API endpoint (the vulnerable "before" example; Express with a
// Mongoose-style User model, whose require path is assumed here)
const express = require('express');
const User = require('./models/User'); // assumed model path
const app = express();

app.get('/api/user/:id', (req, res) => {
  const userId = req.params.id;
  // Fetch user data from the database without authentication or authorization
  User.findById(userId, (err, user) => {
    if (err) {
      return res.status(500).json({ error: 'Internal Server Error' });
    }
    if (!user) {
      return res.status(404).json({ error: 'User not found' });
    }
    // Return the raw user document, unfiltered, to whoever asked
    res.json(user);
  });
});

In this example, the API endpoint /api/user/:id is designed to retrieve user data based on the provided id. However, there are no authentication or authorization checks in place.

The code directly fetches the user from the database without verifying the user’s identity or ensuring they have the necessary permissions.

An attacker exploiting this misconfiguration could simply send a GET request to /api/user/:id with any id parameter and retrieve user data without authentication or proper authorization. This exposes sensitive user information to unauthorized individuals.

System misconfiguration is an exploitable vulnerability wherever it occurs, whether in APIs, web applications, networks, containers, or development platforms. If you leave APIs improperly, inadequately, or insecurely configured, you leave them open to a wide range of security risks.

What Causes OWASP API7:2019 Security Misconfigurations?

Security misconfiguration vulnerabilities come in all shapes and sizes, with varying levels of risk. Here are some examples of what could lead to these misconfigurations.

  • Improper patching practices and policies
  • Unpatched systems, vulnerabilities, and flaws
  • Unpatched legacy features/components in APIs
  • Improper implementation of CORS (Cross-Origin Resource Sharing) policies
  • CORS doesn’t follow least privilege policies
  • Leaving APIs/components with default configuration settings
  • Incomplete, ad-hoc, or missing configurations
  • Unnecessary or misconfigured HTTP headers
  • Verbose error messages that reveal sensitive information and enable attackers to orchestrate attacks
  • Excessive exposure of debug logs
  • Unnecessary features/options enabled, such as HTTP verbs (GET, POST, PUT, DELETE, etc.)
  • Missing TLS protocols
  • Lack of hardening of security policies
  • Poor maintenance of APIs
  • Open cloud storage

Check out the complete list of API misconfigurations from our API pen-testing checklist.

Here are five examples of API misconfiguration attack scenarios and their potential implications:

Real-Life Instance

The Capital One breach of 2019 is a real-life example of attackers exploiting security misconfigurations. In the case of Capital One, attackers found an open-source WAF being used to secure the company’s apps and APIs. This WAF was not properly configured or adequately tuned to the needs and context of the company’s AWS environment. As a result, it did not follow the zero-trust and least privilege principles.

Because the WAF was overly permissive, attackers could easily bypass it. They crafted an injection script to target the backend AWS cloud metadata service. The WAF could neither inspect nor filter the message’s contents and allowed the injection request to be processed by the backend. The attacker could then harvest metadata they should never have been able to access.

Using this metadata, they could compromise other systems within the IT environment through a server-side request forgery (SSRF) attack. Here is a closer look at API hacks and historical instances that fall under OWASP Top 10.

Why is Security Misconfiguration an OWASP Top 10 API Vulnerability?

Disastrous Consequences

One of the major impacts of security misconfigurations is that they expose sensitive information and system details. Exposure of system details and configurations can lead to full server compromise, which can be devastating to the organization.

Security misconfiguration is an OWASP API Top 10 vulnerability also because it enables attackers to orchestrate a wide range of attacks such as remote attacks, directory traversal attacks, SSRF attacks, authentication and authorization attacks, cloud-based attacks, and so on.

The other reason security misconfigurations are an OWASP API Top 10 vulnerability is that improperly configured APIs create a false sense of security for developers and the organization. So, developers think they are secure from threats since configurations are in place.

However, as we have seen, improper and inadequate configurations are worse than not having any configurations in place. They make it easy for attackers to do their bidding.

High Prevalence and Easy Exploitability

Security misconfigurations have a prevalence score of 3 and an exploitability score of 3. This means they are very common API vulnerabilities that are also easily exploitable. With the availability of automated tools, attackers can seamlessly find these misconfigurations and exploit them.

One of the main reasons for the high prevalence of these vulnerabilities is today’s fast-paced development cycles. Given the impossible deadlines, developers do not have enough time to adequately test and check for security misconfiguration before pushing an API functionality into production.

Further, the increasing complexity of IT infrastructures has also created a lack of visibility into the complete API environment. So, it is common for API features, endpoints, and dependencies to be forgotten.

How to Protect Yourself Against OWASP API7:2019 Security Misconfigurations?

Continuous Security Hardening Process

API security is an ongoing process. Continuously monitor, assess, and enhance security measures based on the evolving threat landscape, industry best practices, and lessons learned from security incidents. Regularly update your security guidelines and documentation to reflect changes or new insights.

This method allows you to identify and address vulnerabilities, validate configurations, and enforce best practices across your API infrastructure. This proactive approach helps in minimizing the risk of potential security breaches, unauthorized access, and data leaks.

Moreover, it ensures that security controls are properly configured and maintained, reducing the likelihood of misconfigurations that could expose sensitive information or compromise the integrity of the API ecosystem.

Review and Update Configurations

You must regularly review and update configurations across the API stack (API endpoints, networks, client apps, cloud storage, etc.). Look for default configurations, unnecessary features, and similar weaknesses, and take immediate steps to fix them.

Proper Vulnerability Management Mechanisms

This should include regular scanning and testing of APIs and the entire IT infrastructure for gaps and vulnerabilities. You should leverage intelligent tools and augment them with regular manual pen testing by trusted experts. This will help detect weaknesses, flaws, and gaps.

Closing security holes promptly after their discovery is the next objective. However, developers’ overloaded task lists, shifting priorities, and constant updates to application code frequently contribute to an average delay of 200 days in vulnerability remediation.

Virtual patching offers a compelling alternative. By implementing virtual patching, you can effectively enhance security measures and bridge the gap between vulnerability discovery and remediation.

Other Measures

  • Use a secure channel for the API to interact with static assets such as images
  • Review and update the CORS policies
  • Disable all unnecessary HTTP verbs and test regularly to ensure they are disabled
  • Review the outputs, including error messages, for various inputs
  • Implement zero-trust policies and restrict admin access
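The following audit, added here as an example and not part of the original post, checks a single API response against several items from the causes list and the measures above: CORS that does not follow least privilege, unnecessary or disclosing HTTP headers, missing TLS enforcement (HSTS), unnecessary HTTP verbs advertised in Allow, and verbose error messages. The finding codes, the assumed set of verbs the API needs, and the two sample responses are constructed for this example.

```javascript
// Verbs this API is assumed to need; anything else it advertises is flagged.
const NEEDED_VERBS = new Set(['GET', 'POST', 'OPTIONS']);
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}
// Audit one HTTP response and return a list of constructed finding codes.
function auditResponse(resp) {
  const h = lowerKeys(resp.headers);
  const findings = [];
  // CORS that does not follow least privilege: wildcard origin, worse with credentials.
  const origin = h['access-control-allow-origin'];
  if (origin === '*') findings.push('CORS_WILDCARD_ORIGIN');
  if (origin === '*' && h['access-control-allow-credentials'] === 'true') {
    findings.push('CORS_WILDCARD_WITH_CREDENTIALS');
  }
  // Unnecessary headers that disclose the server stack.
  for (const name of ['server', 'x-powered-by']) {
    if (h[name]) findings.push(`INFO_LEAK_HEADER:${name}`);
  }
  // Missing TLS enforcement (no HSTS header).
  if (!h['strict-transport-security']) findings.push('MISSING_HSTS');
  // Unnecessary HTTP verbs advertised in Allow (e.g. in the reply to OPTIONS).
  if (h['allow']) {
    const extra = h['allow'].split(',').map(v => v.trim().toUpperCase())
      .filter(v => !NEEDED_VERBS.has(v));
    if (extra.length) findings.push(`UNNEEDED_VERBS:${extra.join('|')}`);
  }
  // Verbose error messages: stack traces or server paths in an error body.
  const body = typeof resp.body === 'string' ? resp.body : JSON.stringify(resp.body || {});
  if (resp.status >= 400 && /(\n\s+at |"stack"|Traceback|\/var\/www\/)/.test(body)) {
    findings.push('VERBOSE_ERROR');
  }
  return findings;
}
// Constructed samples: a misconfigured error response beside a hardened one.
const WEAK = {
  status: 500,
  headers: { 'Server': 'Express', 'X-Powered-By': 'Express', 'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true', 'Allow': 'GET, POST, PUT, DELETE, TRACE, OPTIONS' },
  body: 'TypeError: Cannot read properties of undefined\n    at /var/www/api/routes/user.js:17:9',
};
const HARDENED = {
  status: 500,
  headers: { 'Access-Control-Allow-Origin': 'https://app.example.com', 'Vary': 'Origin',
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains', 'Allow': 'GET, POST, OPTIONS' },
  body: { error: 'Internal Server Error', requestId: 'c0ffee' },
};
```

Running `auditResponse(WEAK)` yields one finding per item on the list, while `auditResponse(HARDENED)` yields none, which makes the function usable as a regression check in the "test regularly" step above.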

Conclusion

Security misconfigurations are dangerous API vulnerabilities, enabling attackers to bypass security mechanisms while providing organizations with a false sense of security. Organizations need to proactively identify and correct these misconfigurations to ensure robust API security.

Leverage API-focused security solutions like AppTrana WAAP to protect your APIs against security misconfigurations and other security risks.

Indusface