Unsafe Consumption of APIs

Introduction

API10:2023 Unsafe Consumption of APIs is the only item on the top ten list that focuses less on the risks of being an API provider and more on the API consumer. Unsafe consumption is really a trust issue. When an application is consuming the data of third-party APIs it should treat those with a similar trust to user input. By that, I mean, there should be little to no trust. So, data consumed from third-party APIs should be treated with similar security standards as end-user-supplied input. If a third-party API provider is compromised then that insecure API connection back to the consumer becomes a new vector for the attacker to leverage. In the case of an insecure API connection, that could mean the complete compromise of organizations insecurely consuming data from that provider.

OWASP Attack Vector Description

Exploiting this issue requires attackers to identify and potentially compromise other APIs/services the target API integrated with. Usually, this information is not publicly available or the integrated API/service is not easily exploitable.

OWASP Security Weakness Description

Developers tend to trust and not verify the endpoints that interact with external or third-party APIs, relying on weaker security requirements such as those regarding transport security, authentication/authorization, and input validation and sanitization. Attackers need to identify services the target API integrates with (data sources) and, eventually, compromise them.

OWASP Impacts Description

The impact varies according to what the target API does with pulled data. Successful exploitation may lead to sensitive information exposure to unauthorized actors, many kinds of injections, or denial of service.

Summary

Most of the 2023 OWASP API Security Top 10 is about APIs and the API provider. An API can often serve as the path of least resistance for an attacker. So, if an attacker compromises a third-party API provider, then that third party's connections to other businesses can become an additional attack vector. If that API is over an unencrypted connection then an attacker would be able to capture sensitive data in clear text. If that third-party API isn't held to similar security standards as an Internet-facing API then it could also be vulnerable to injection, authorization, and other compromising attacks.

OWASP Preventative Measures

• When evaluating service providers, assess their API security posture.

• Ensure all API interactions happen over a secure communication channel (TLS).

• Always validate and properly sanitize data received from integrated APIs before using it.

• Maintain an allowlist of well-known locations integrated APIs may redirect yours to: do not blindly follow redirects.

Additional Resources

• Web Service Security Cheat Sheet

• Injection Flaws

• Input Validation Cheat Sheet

• Injection Prevention Cheat Sheet

• Transport Layer Protection Cheat Sheet

• Unvalidated Redirects and Forwards Cheat Sheet

• CWE-20: Improper Input Validation

• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

• CWE-319: Cleartext Transmission of Sensitive Information