Hunting the OWASP API Security Top 10
In early 2019 we, at Char49, were challenged to research the most common API security issues. At that time API security was not exactly in the news, but APIs were becoming a fast-paced, critical piece of modern application architecture. We had followed this technological change since its early days, both through our penetration testing services and through responsible disclosure programs. That gave us a solid understanding of and experience with the API security scene, but we dug deeper into publicly available data on API-related security incidents. Our contribution was released later that year as part of the OWASP API Security Top 10 2019.
In this article, we won't go deeper into the ten most critical API security risks. You'll find a pretty neat summary here or, if you prefer a more hands-on approach, you can always watch our "API (in)Security TOP 10: Guided tour to the Wild Wild World" DefCon 28 AppSec Village talk with some of our already disclosed API security findings. Instead, we want to introduce you to another open-source contribution of ours to the API security scene and the AppSec community in general: MindAPI.
Assessing APIs' security is not the same as for traditional web applications. Security practitioners not only had to educate themselves on API-specific issues and exploitation techniques but also to build a new arsenal of tools. MindAPI was created to help everyone, from security enthusiasts to security practitioners, in this task. It is distributed under the CC0-1.0 license and it is open to contributions on GitHub.
You can always play with the latest MindAPI version online. If you do so, you'll notice we're essentially talking about a mindmap: the popular format to visually organize information. Playing with zoom (scroll up/down) and moving the mindmap around (dragging), you'll find two main branches: reconnaissance and testing.
Reconnaissance
Reconnaissance is essential for API security assessment. Although some API architectures are more predictable than others (e.g. REST vs GraphQL), it is very important to know as much as possible about the target. Following the MindAPI reconnaissance branch, you'll find insights and relevant tools on several topics such as architecture, automatic documentation, traffic analysis, or endpoints/methods enumeration.
Testing
After acquiring enough knowledge about your target, it is time to do the real security assessment.
The testing branch is organized according to the ten most critical security risks for APIs according to the OWASP API Security Top 10 2019 edition. Only Insufficient Logging and Monitoring is missing because it is difficult, if not impossible, to assess from a black-box perspective.
Again, following each branch you'll get plenty of insights on how to assess that specific risk, how to test for common issues, and which tools can help you with such a task.
After our foundational contribution to the OWASP API Security Project, sharing our knowledge and experience in the API security field sounded like a logical next step. As said before, MindAPI is open to contributions. If you're not ready yet to contribute API security insights, methodology, or tools, you can always "buy us a coffee": donations will be forwarded to the Portuguese League Against Cancer.
If you would like to know more about MindAPI, don't miss the chance to hear about it from our COO, David Sopas, at RSAC 2021 AppSec Village.