API10:2023 Unsafe Consumption of APIs

Stephanie Best
Jun 6, 2023

Unsafe Consumption of APIs has replaced Insufficient Logging and Monitoring as number 10 in the OWASP API Security Top 10. It contains a mix of two common API issues:

  • The consumption of API data itself, which was largely addressed by the Injection category of the 2019 list. However, the Unsafe Consumption of APIs category goes further than the previous Injection threat to include attacks that are not explicitly injection-related, such as deserialization issues, some types of desync attacks, and others. What all these attacks have in common is that the back-end service is too permissive when accepting user-controlled input carried over APIs, and sometimes even uses it blindly without applying any proper validation.
  • Integrations, which could include any third-party service or functionality embedded into the API implementation or its supporting back-end services. While closely related to the data consumption issue, this issue deals with another type of attack, one that abuses integrations, a weak link in almost every modern system design. Integrations are usually written by a third party and often have a large codebase that can be very complex to understand. They can, however, be added to your own service in just a few clicks or with a few lines of code. When a web service contains large amounts of unverified third-party code, attackers can try to leverage this vulnerability to access sensitive information.

Although not exclusive to this category, API-based supply-chain attacks serve as a good example of this category's danger.

Potential Impact of Unsafe Consumption of APIs

The unsafe consumption of APIs can lead to security breaches, exposing sensitive data, user credentials, or proprietary information, as attackers may exploit vulnerabilities in API usage to gain unauthorized access, execute arbitrary code, or perform unauthorized actions within the system.

Additionally, tampered API requests can lead to unauthorized modifications of data or sensitive information leaks, as well as inefficient data processing, overutilization of API resources and performance degradation.

Real-world Example: The Log4Shell Vulnerability

The Log4Shell vulnerability caused shockwaves around the world in December 2021. This critical flaw allowed users to run arbitrary code on almost every web service using the very popular Apache Log4j logging library, potentially leading to full control of the system.

The vulnerability behind the attack was caused by the unsafe consumption of APIs in Log4j, specifically the ability to deserialize user-supplied data without proper validation. Attackers could exploit this vulnerability by sending requests containing malicious code that could then be executed on the server.

Thanks to the widespread use of the affected logging library, this high-profile attack highlighted the importance of properly consuming APIs in software development and the need to validate and sanitize user input, especially when deserializing data.
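
The validation this post calls for, both in the data-consumption bullet at the top and in the Log4Shell discussion of deserializing input, can be sketched as a permissive consumer beside a strict one. This is an added example, not code from the original post or from Salt; the partner address API, its field names and the size limits are assumptions made for illustration.

```python
import json

MAX_BODY_BYTES = 4096  # assumed cap for this integration's responses
# Allow-list schema for a hypothetical partner address API: field -> max length
SCHEMA = {"street": 100, "city": 60, "postal_code": 12}

class UnsafeResponse(ValueError):
    """A third-party response that failed validation."""

def consume_unsafely(body: bytes) -> dict:
    # Permissive consumer: returns whatever the integration sent, unchecked.
    return json.loads(body)

def consume_safely(body: bytes, content_type: str) -> dict:
    # Accept only the expected data-only format, never a native object serializer.
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise UnsafeResponse("unexpected content type")
    if len(body) > MAX_BODY_BYTES:
        raise UnsafeResponse("response too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError, RecursionError) as exc:
        raise UnsafeResponse("malformed JSON") from exc
    if not isinstance(doc, dict):
        raise UnsafeResponse("top-level value must be an object")
    unknown = sorted(set(doc) - set(SCHEMA))
    if unknown:
        raise UnsafeResponse(f"unexpected fields: {unknown}")
    clean = {}
    for field, max_len in SCHEMA.items():
        value = doc.get(field)
        if not isinstance(value, str) or not 0 < len(value) <= max_len:
            raise UnsafeResponse(f"bad value for {field}")
        if any(ord(ch) < 0x20 for ch in value):
            raise UnsafeResponse(f"control characters in {field}")
        clean[field] = value
    return clean

def check(body: bytes, content_type: str = "application/json") -> str:
    """Return 'accepted' or 'rejected: <reason>' for one response."""
    try:
        consume_safely(body, content_type)
        return "accepted"
    except UnsafeResponse as exc:
        return f"rejected: {exc}"

# Constructed sample responses (not real traffic)
GOOD = b'{"street": "1 Main St", "city": "Springfield", "postal_code": "12345"}'
EXTRA = GOOD[:-1] + b', "is_admin": true}'
BAD_TYPE = b'{"street": ["1 Main St"], "city": "Springfield", "postal_code": "12345"}'
```

The permissive consumer hands `EXTRA`'s unexpected `is_admin` field straight to the caller, while the strict one rejects it along with `BAD_TYPE`, oversized bodies and any non-JSON content type.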

Why Existing Tools Can’t Protect Against the Unsafe Consumption of APIs

API gateways and WAFs can provide some protection against common web application vulnerabilities and known attack patterns. However, they lack the granular understanding of the application logic and business context specific to each API. As a result, they cannot detect or prevent all instances of unsafe API consumption, which involve more complex interactions and custom data flows.

These traditional security controls don’t have detailed visibility into how consumers are actually using APIs. Since the unsafe consumption of APIs often involves API misuse, improper validation, or the exploitation of authentication and authorization mechanisms, these attacks will go undetected by these security solutions.

The dynamic nature of API consumption, with various protocols, formats, and custom logic, makes it difficult for rule-based tools to create rules that address all possible unsafe consumption scenarios. As a result, they can’t provide adequate coverage for the wide range of potential unsafe consumption issues.

How to Protect APIs Against Unsafe Consumption

To protect against the unsafe consumption of APIs, a security solution must be able to continuously analyze API traffic and create a baseline of typical behavior over time. Only by gathering the full context behind each API and its business logic is it possible to understand the dynamic nature of API consumption, with its numerous protocols, formats, and unique logic, and so spot any anomalies in API consumption patterns and block attackers’ attempts to exploit them.

To learn more about how Salt can help defend your organization from API risks, you can connect with a rep or schedule a personalized demo.
