LAST UPDATED September 21, 2023
No. 8 on the 2023 OWASP API Top 10 vulnerabilities list is security misconfiguration. Vulnerability 8 is a catch-all for the configuration and design flaws in an API that could leave it exposed.
OWASP says of this flaw, “Attackers will often attempt to find unpatched flaws, common endpoints, services running with insecure default configurations, or unprotected files and directories to gain unauthorized access or knowledge of the system. Most of this is public knowledge and exploits may be available.”
How Do Security Misconfiguration-Related Exploits Work?
OWASP gives this example:
A social network website offers a “Direct Message” feature that allows users to keep private conversations. To retrieve new messages for a specific conversation, the website issues the following API request (user interaction is not required):
GET /dm/user_updates.json?conversation_id=1234567&cursor=GRlFp7LCUAAAA
Because the API response does not include the Cache-Control HTTP response header, private conversations end up cached by the web browser, allowing malicious actors to retrieve them from the browser cache files in the filesystem.
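The following is an added illustration of the OWASP scenario above; it is not code from the OWASP page or from ThreatX. It builds the direct-message response in two forms, the misconfigured one (no Cache-Control header, so the browser may write the JSON to its on-disk cache) and a hardened one, and includes an audit function of the kind a defender would run over captured responses to flag cacheable private data. The endpoint name is taken from the request above; the message content, function names, and the exact directive set are assumptions made for the example.

```python
import json
from http import HTTPStatus

# Constructed sample data standing in for a private conversation.
SAMPLE_MESSAGES = {1234567: [{"from": "alice", "text": "see you at 7"}]}


def dm_updates_response(conversation_id: int, cursor: str, hardened: bool):
    """Build (status, headers, body) for GET /dm/user_updates.json.

    hardened=False reproduces the misconfiguration from the OWASP example:
    no Cache-Control header at all, so a browser is free to store the
    response. hardened=True adds the directives that forbid storing it.
    (Hypothetical handler written for this example.)
    """
    body = json.dumps({
        "conversation_id": conversation_id,
        "cursor": cursor,
        "messages": SAMPLE_MESSAGES.get(conversation_id, []),
    })
    headers = {"Content-Type": "application/json; charset=utf-8"}
    if hardened:
        # no-store: never write the response to any cache.
        # private: even if no-store were stripped upstream, shared caches
        # must not keep it. Pragma/Expires cover legacy HTTP/1.0 caches.
        headers["Cache-Control"] = "no-store, private, max-age=0"
        headers["Pragma"] = "no-cache"
        headers["Expires"] = "0"
    return HTTPStatus.OK, headers, body


def audit_cacheability(headers: dict) -> list:
    """Return a list of findings for a response known to carry private data.

    An empty list means the headers forbid caching. Header names are
    matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cache_control = lowered.get("cache-control")
    if cache_control is None:
        return ["Cache-Control missing: browser may write the body to its on-disk cache"]

    # Keep only the directive names, dropping values such as max-age=0.
    directives = {d.strip().split("=")[0].lower() for d in cache_control.split(",")}
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control present but lacks no-store")
    if "public" in directives:
        findings.append("Cache-Control public: shared caches may store a private response")
    return findings


if __name__ == "__main__":
    for hardened in (False, True):
        _, hdrs, _ = dm_updates_response(1234567, "GRlFp7LCUAAAA", hardened=hardened)
        print("hardened" if hardened else "misconfigured", audit_cacheability(hdrs))
```

Running the module prints one finding for the misconfigured response and none for the hardened one. In practice the audit function would be fed responses captured from a staging proxy for every endpoint that returns user-specific data, so that a dropped header is caught before it reaches production.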
An attacker could also find new endpoints on the API that are used only by the DevOps team and are not documented.
Another example is administrative web interfaces that are supposed to be locked down, but are sometimes left exposed. phpMyAdmin is notorious on this front.
How to Prevent Security Misconfiguration
Having a strong security mindset at the outset of development can help to identify the possible security misconfiguration vectors upfront and to develop monitoring/alerting scripts to ensure those misconfigurations never occur in production. This assumes your development team has strong security chops or is working closely and effectively with a security group.
However, the fact is that many enterprises are running APIs they didn’t even develop in the first place. Even if they did develop the APIs, the original developers might be long gone, and the tribal knowledge of security misconfiguration vectors is nowhere to be found. In this case, look to rigorous pen testing and aggressive restraints that limit the interface to only the known-good interaction paths.
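As an added example of the monitoring script the prevention section calls for (this is not ThreatX code and not part of the original post), the block below compares what an API actually serves, as seen in its access log, against a documented inventory of known-good routes. It reports three things from the sections above: undocumented endpoints that are being served (the DevOps-only endpoints case), admin interfaces such as phpMyAdmin answering on the API host, and requests to unknown paths that were refused, which is the trial-and-error probing a defender would want to alert on. The route inventory, the admin-path prefixes, and the log lines are all constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed inventory of documented (known-good) routes, written with the
# {param} templates used by OpenAPI. Anything outside this set is drift.
DOCUMENTED_ROUTES = {
    ("GET", "/dm/user_updates.json"),
    ("GET", "/dm/{conversation_id}"),
    ("POST", "/dm/{conversation_id}/messages"),
}

# Constructed list of admin-interface prefixes that should never answer on a
# public API host (phpMyAdmin is the page's own example).
ADMIN_PATH_PREFIXES = ("/phpmyadmin", "/admin", "/actuator", "/debug")

# Combined Log Format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access log. Two documented requests, then one
# undocumented-but-served internal endpoint, an exposed phpMyAdmin, and two
# refused probes for paths that do not exist in the inventory.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Sep/2023:10:00:01 +0000] "GET /dm/user_updates.json?conversation_id=1234567&cursor=GRlFp7LCUAAAA HTTP/1.1" 200 512
203.0.113.5 - - [21/Sep/2023:10:00:02 +0000] "GET /dm/1234567 HTTP/1.1" 200 4096
198.51.100.7 - - [21/Sep/2023:10:00:05 +0000] "GET /internal/deploy/status HTTP/1.1" 200 310
198.51.100.7 - - [21/Sep/2023:10:00:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 2048
198.51.100.7 - - [21/Sep/2023:10:00:07 +0000] "GET /internal/devops/metrics HTTP/1.1" 404 153
198.51.100.7 - - [21/Sep/2023:10:00:08 +0000] "GET /admin/ HTTP/1.1" 401 153
""".splitlines()


def _template_to_regex(template: str) -> re.Pattern:
    """Turn /dm/{conversation_id}/messages into ^/dm/[^/]+/messages$."""
    parts = re.split(r"(\{[^}]+\})", template)
    pattern = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile(f"^{pattern}$")


_COMPILED_ROUTES = [(m, _template_to_regex(t)) for m, t in DOCUMENTED_ROUTES]


def is_documented(method: str, path: str) -> bool:
    """True if method+path matches a route in the known-good inventory."""
    return any(m == method and rx.match(path) for m, rx in _COMPILED_ROUTES)


def audit_access_log(lines):
    """Return (served, probes, admin_exposed): Counters keyed 'METHOD path'.

    served        - undocumented routes that returned 2xx (drift to fix)
    probes        - undocumented routes that were refused (reconnaissance)
    admin_exposed - subset of served that hit an admin-interface prefix
    """
    served, probes, admin_exposed = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real job would count these too
        method = m["method"]
        path = urlsplit(m["target"]).path  # drop the query string
        status = int(m["status"])
        if is_documented(method, path):
            continue
        key = f"{method} {path}"
        if 200 <= status < 300:
            served[key] += 1
            if path.lower().startswith(ADMIN_PATH_PREFIXES):
                admin_exposed[key] += 1
        else:
            probes[key] += 1
    return served, probes, admin_exposed


if __name__ == "__main__":
    served, probes, admin_exposed = audit_access_log(SAMPLE_LOG)
    print("undocumented but served:", dict(served))
    print("admin interfaces exposed:", dict(admin_exposed))
    print("refused probes:", dict(probes))
```

The inventory is the part that has to come from the team that owns the API (or from a pen test when that team is gone); once it exists, anything in the served set is a configuration to close, anything in admin_exposed is urgent, and a growing probes set from one source is the anomalous-then-malicious progression the next section describes.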
How ThreatX Can Help
Ultimately, identifying security misconfigurations in an API is going to take a lot of trial and error on the attacker’s part. ThreatX would identify that behavior as anomalous, and flag and start watching that user. Once the behavior moves from anomalous to malicious, we would immediately block them. In addition, if there is continued anomalous behavior at a large enough quantity, we would also block the user.
How Our Approach Is Unique
Real-Time Blocking
Some API security solutions simply highlight potential API vulnerabilities, leaving security teams to investigate and recommend code changes. Other API solutions can identify an attacking IP, but require security teams to try to model the complex behavior in a third-party WAF (or try to block one IP at a time after the fact). ThreatX doesn’t just tell you about your API vulnerabilities or attempted attacks; we also block API attacks in real time. ThreatX proxies and scans all inbound API traffic – in real time – identifying and blocking attacks.
ThreatX recognizes attacker behavior indicative of an attempt to exploit security misconfigurations, then flags and watches that user. This real-time monitoring enables ThreatX to execute advanced threat engagement techniques, such as IP interrogation, fingerprinting, and tarpitting. When a series of user interactions cross our default (or your customized) risk threshold, we block the attack.
Get a 1:1 demo of the ThreatX platform to see our real-time blocking first-hand: https://www.threatx.com/request-a-demo/
Step One of N…
In many cases, attackers aren’t just going to attack by attempting to exploit a security misconfiguration; they’re going to string together a series of attacks over time, often using federated and sophisticated botnets. Countering this approach requires the ability to correlate attack traffic across multiple IPs, the use of advanced bot protection, and the ability to detect identifiers and techniques to associate the traffic to a unique attacker. Rather than requiring a single, significantly risky event or identifying a known signature, ThreatX analyzes behaviors from multiple vantage points. This lets the ThreatX Platform identify and block more threats, more accurately than competing API security tools.
Fewer False Positives
As risk rises, ThreatX immediately blocks an attack – stopping the threat in its tracks. ThreatX’s blocking modes are designed to block malicious requests and deter suspicious entities from attacking your APIs, while allowing benign traffic and real users through. Legacy WAFs struggle with false positives because they only make blocking decisions based on rules, but attackers and legitimate users don’t always follow the rules. Sometimes a legitimate user who forgot their password looks like an attacker, and sometimes an attacker cycling through usernames and passwords looks like a legitimate user. ThreatX can tell the difference.
Learn more about other OWASP Top 10 API vulnerabilities, and the 2023 list:
2023 list: https://www.threatx.com/blog/owasp-api-security-top-10-2023-release-candidate-published/
Broken Function Level Authorization: https://www.threatx.com/blog/broken-function-level-authorization-what-it-is-how-we-can-help/
Broken User Authentication: https://www.threatx.com/blog/broken-user-authentication-what-it-is-how-we-can-help/
BOLA: https://www.threatx.com/blog/broken-object-level-authorization-bola-what-it-is-how-threatx-can-help/