Unsafe Consumption of APIs has replaced Insufficient Logging and Monitoring as number 10 in the OWASP API Security Top 10 and it contains a mix of two common API issues:
Although not exclusive to this category, API-based supply-chain attacks serve as a good example of this category's danger.
The unsafe consumption of APIs can lead to security breaches, exposing sensitive data, user credentials, or proprietary information, as attackers may exploit vulnerabilities in API usage to gain unauthorized access, execute arbitrary code, or perform unauthorized actions within the system.
Additionally, tampered API requests can lead to unauthorized modifications of data or sensitive information leaks, as well as inefficient data processing, overutilization of API resources and performance degradation.
The Log4Shell vulnerability caused shockwaves around the world in December 2021. This critical flaw allowed users to run arbitrary code on almost every web service using the very popular Apache Log4j logging library, potentially leading to full control of the system.
The vulnerability behind the attack was caused by the unsafe consumption of APIs in Log4j, specifically the ability to deserialize user-supplied data without proper validation. Attackers could exploit this vulnerability by sending requests containing malicious code that could then be executed on the server.
Thanks to the widespread use of the affected logging library, this high-profile attack highlighted the importance of properly consuming APIs in software development and the need to validate and sanitize user input, especially when deserializing data.
API gateways and WAFs can provide some protection against common web application vulnerabilities and known attack patterns. However, they lack the granular understanding of the application logic and business context specific to each API. As a result, they cannot detect or prevent all instances of unsafe API consumption, which involve more complex interactions and custom data flows.
These traditional security controls don’t have detailed visibility into how consumers are actually using APIs. Since the unsafe consumption of APIs often involves API misuse, improper validation, or the exploitation of authentication and authorization mechanisms, these attacks will go undetected by these security solutions.
The dynamic nature of API consumption, with various protocols, formats, and custom logic, makes it difficult for rule-based tools to create rules that address all possible unsafe consumption scenarios. As a result, they can’t provide adequate coverage for the wide range of potential unsafe consumption issues.
To protect against the unsafe consumption of APIs, a security solution must be able to continuously analyse API traffic and create a baseline of typical behavior over time. Only by gathering the full context behind each API and its business logic, is it possible to understand the dynamic nature of API consumption, with its numerous protocols, formats, and unique logic, thus spotting any anomalies in API consumption patterns and blocking attackers’ attempts to exploit them.
Improper Inventory Management is the ninth security threat listed in the OWASP API Security Top 10. By exploiting this vulnerability, attackers can gain unauthorized access to sensitive data, or even gain full server access through old, unpatched or vulnerable versions of APIs.
There are certainly cases where security misconfiguration can be the result of something basic like a missing patch, but some misconfigurations are far stealthier and can be obscured by complex architectures.