API10:2023 Unsafe Consumption of APIs
Unsafe Consumption of APIs has replaced Insufficient Logging and Monitoring as number 10 in the OWASP API Security Top 10 and it contains a mix of two common API issues:
- The consumption of API data itself, which was largely addressed in the Injection category of the 2019 list section. However, the Unsafe Consumption of APIs category goes further than the previous Injection threat to include attacks that are not explicitly injection-related, such as de-serialization issues, some types of desync attacks, and others. What all these attacks have in common is the fact that the back-end service is too permissive when accepting user-controlled input carried over APIs and sometimes even blindly uses them without applying any proper validations.
- Integrations, which could include any third-party service or functionality embedded into the API implementation or in their supporting back-end services. While it is closely related to the data consumption issue, this issue deals with another type of attack that abuses integration - a weak link in almost every modern system design. Integrations are usually written by a third party and often contain a large amount of codebase that can be very complex to understand. They can, however, be applied to your own service in just a few clicks or with a few lines of code. When a web service contains large amounts of unverified, third-party code, attackers can try to leverage this vulnerability to access sensitive information.
Although not exclusive to this category, API-based supply-chain attacks serve as a good example of this category's danger.
Learn top API security misconceptions that might be putting your critical data and services at risk.
Download NowPotential Impact of Unsafe Consumption of APIs
The unsafe consumption of APIs can lead to security breaches, exposing sensitive data, user credentials, or proprietary information, as attackers may exploit vulnerabilities in API usage to gain unauthorized access, execute arbitrary code, or perform unauthorized actions within the system.
Additionally, tampered API requests can lead to unauthorized modifications of data or sensitive information leaks, as well as inefficient data processing, overutilization of API resources and performance degradation.
Real-world Example: The Log4Shell Vulnerability
The Log4Shell vulnerability caused shockwaves around the world in December 2021. This critical flaw allowed users to run arbitrary code on almost every web service using the very popular Apache Log4j logging library, potentially leading to full control of the system.
The vulnerability behind the attack was caused by the unsafe consumption of APIs in Log4j, specifically the ability to deserialize user-supplied data without proper validation. Attackers could exploit this vulnerability by sending requests containing malicious code that could then be executed on the server.
Thanks to the widespread use of the affected logging library, this high-profile attack highlighted the importance of properly consuming APIs in software development and the need to validate and sanitize user input, especially when deserializing data.
Why Existing Tools Can’t Protect Against the Unsafe Consumption of APIs
API gateways and WAFs can provide some protection against common web application vulnerabilities and known attack patterns. However, they lack the granular understanding of the application logic and business context specific to each API. As a result, they cannot detect or prevent all instances of unsafe API consumption, which involve more complex interactions and custom data flows.
These traditional security controls don’t have detailed visibility into how consumers are actually using APIs. Since the unsafe consumption of APIs often involves API misuse, improper validation, or the exploitation of authentication and authorization mechanisms, these attacks will go undetected by these security solutions.
The dynamic nature of API consumption, with various protocols, formats, and custom logic, makes it difficult for rule-based tools to create rules that address all possible unsafe consumption scenarios. As a result, they can’t provide adequate coverage for the wide range of potential unsafe consumption issues.
How to Protect APIs Against Unsafe Consumption
To protect against the unsafe consumption of APIs, a security solution must be able to continuously analyse API traffic and create a baseline of typical behavior over time. Only by gathering the full context behind each API and its business logic, is it possible to understand the dynamic nature of API consumption, with its numerous protocols, formats, and unique logic, thus spotting any anomalies in API consumption patterns and blocking attackers’ attempts to exploit them.
To learn more about how Salt can help defend your organization from API risks, you can connect with a rep or schedule a personalized demo.
