Owasp Api Top 10 Cheat Sheet

This week, API vulnerabilities were reported in Rittal cooling systems. In other news, there is an API vulnerability cheat sheet that you can print and put on your wall, an overview of common JWT attacks, and a GlobalData report on the trends in API management and API security.

Vulnerability: Rittal industrial cooling

Applied Risk has found two critical vulnerabilities in Rittal industrial cooling equipment. If attackers know the URLs to invoke, they can bypass authentication and turn cooling on or off or set the temperature.

From the description, it is hard to figure out whether this is API2:2019 — Broken authentication or API5:2019 — Broken function level authorization.

The second vulnerability is not any better: the system also has hard-coded credentials.

IoT remains a big source of API vulnerability news. Vendors in that space are often used to caring more about the physical side of the product and not paying enough attention to the security of the software and services components.

OWASP API Security Top 10 cheat sheet

We have covered the OWASP API Security Top 10 project in the past. This is a community effort (currently in the Release Candidate phase) to document the most frequent vulnerabilities in web APIs.

To make it easier for you to keep these in mind, we have created a cheat sheet that you can print and put on your wall.

The graphics and short descriptions make navigating the categories easier, and there’s also advice on how to mitigate the risks.

Download the OWASP API Security Top 10 cheat sheet here.

Hacking JSON Web Tokens (JWT)

JSON Web Tokens (JWT) are one of the most frequently used methods to pass caller information with REST API calls.

Unfortunately, it is also frequently misused and misunderstood. Hackers can take advantage of that to launch successful attacks on your APIs.

Vickie Li has just published a good quick overview of JWT and the most frequent vulnerabilities in its use.

The most common JWT attacks are:

  • Algorithm manipulation
    • Setting the algorithm to none so that the signature is never checked
    • Key confusion: switching an RS256 token to HS256 so that the server’s RSA public key is used as the HMAC secret
  • Lack of signature validation
  • Brute-forcing weak secret keys
  • Secret keys leaking through another attack (such as directory traversal, XXE or SSRF)
  • Key ID (kid) header manipulation
    • Directory traversal
    • SQL injection
    • Command injection
  • JKU/JWK/x5u/x5c headers used to supply attacker-controlled keys
  • Information leaks in JWT claims when developers forget that base64 encoding is not encryption
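
As an added example (not part of the original newsletter or of Vickie Li’s article), the verifier below, written for this page in Python with only the standard library, closes each attack path in the list above: the algorithm is pinned server-side rather than read from the token, jku/jwk/x5u/x5c headers are refused outright, the kid is validated as an opaque identifier before it reaches any lookup, and the HMAC is compared in constant time. The key store, the kid value and every token are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed server-side key store, indexed by key id (kid). The secret is
# illustrative; a real service loads it from a secret store, never from the token.
KEYS = {"2024-main": b"a-long-random-hmac-secret-that-nobody-can-brute-force"}
EXPECTED_ALG = "HS256"                           # pinned by the server, not chosen by the token
KID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")    # opaque ids only: no '/', '.', quotes or spaces
REMOTE_KEY_HEADERS = {"jku", "jwk", "x5u", "x5c"}  # a token must never bring its own key


class JWTError(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint(header: dict, claims: dict, key: Optional[bytes]) -> str:
    """Assemble a compact JWT signed with HMAC-SHA256, or unsigned when key is None.
    Used by the legitimate issuer and, in the demo, by the attacker."""
    signing_input = encode_json(header) + "." + encode_json(claims)
    if key is None:
        return signing_input + "."
    return signing_input + "." + b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def decode_claims_unverified(token: str) -> dict:
    """base64url is encoding, not encryption: anyone holding the token reads the claims."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # 1. Algorithm is pinned. This one check rejects alg=none and HS256/RS256 confusion.
    if header.get("alg") != EXPECTED_ALG:
        raise JWTError(f"unexpected alg {header.get('alg')!r}")
    # 2. Keys come only from our store; embedded or remote key headers are refused.
    if set(header) & REMOTE_KEY_HEADERS:
        raise JWTError("token attempts to supply its own key material")
    # 3. kid is an opaque lookup key, validated before it could reach a path, query or shell.
    kid = header.get("kid", "")
    if not isinstance(kid, str) or not KID_RE.match(kid) or kid not in KEYS:
        raise JWTError(f"unknown or malformed kid {kid!r}")
    # 4. The signature is always checked, with a constant-time comparison.
    expected = hmac.new(KEYS[kid], (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise JWTError("bad signature")
    return json.loads(b64url_decode(parts[1]))


def verdict(token: str) -> str:
    """'accepted' or 'rejected: <reason>'; convenient for logging and for tests."""
    try:
        verify_jwt(token)
        return "accepted"
    except JWTError as exc:
        return f"rejected: {exc}"


def demo_tokens() -> dict:
    """Constructed tokens: one legitimate, the rest built by an attacker."""
    user = {"sub": "alice", "role": "user"}
    admin = {"sub": "alice", "role": "admin"}
    good = mint({"alg": "HS256", "typ": "JWT", "kid": "2024-main"}, user, KEYS["2024-main"])
    head, _, sig = good.split(".")
    return {
        "good": good,
        "none": mint({"alg": "none", "typ": "JWT", "kid": "2024-main"}, admin, None),
        "tampered": head + "." + encode_json(admin) + "." + sig,          # payload swapped, old signature kept
        "kid_traversal": mint({"alg": "HS256", "kid": "../../../../dev/null"}, admin, b""),  # hopes for an empty key
        "rogue_jwk": mint({"alg": "HS256", "kid": "2024-main", "jwk": {"kty": "oct", "k": "YXR0YWNrZXI"}}, admin, b"attacker"),
    }


if __name__ == "__main__":
    tokens = demo_tokens()
    for name, token in tokens.items():
        print(f"{name:14} {verdict(token)}")
    print("claims readable without any key:", decode_claims_unverified(tokens["tampered"]))
```

The order of checks matters: the algorithm is compared before any key lookup, so a token cannot steer the server into a code path that consults the kid or an embedded key with an attacker-chosen algorithm.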

Analysts: GlobalData

Charlotte Dunlap from GlobalData has published a new report “API Security tops API Management”. The highlights from the report include:

  • A new API lifecycle management approach is founded on emerging security innovations (AI, DevSecOps, API Security by design).
  • Pure-play API security providers threaten to outshine API management leaders through the best-of-breed security.

OWASP Top 10 Cheat Sheet

Ref: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

The sheet below is the OWASP Top 10 (2010) cheat sheet for web applications, reproduced from the reference above; it is a different list from the API Security Top 10 discussed earlier. For each category it gives the controls for the presentation, controller and model tiers, followed by the matching tests from the OWASP Testing Guide v3.

A1 Injection

Presentation:
  • Render:
    • Set a correct content type.
    • Set safe character set (UTF-8).
    • Set correct locale.
  • On submit:
    • Enforce input field type and lengths.
    • Validate fields and provide feedback.
    • Ensure option selects and radio contain only sent values.

Controller:
  • Canonicalize using correct character set.
  • Positive input validation using correct character set.
  • (NR) Negative input validation.
  • (LR) Sanitize input.
  • Tip: updating a negative list (such as looking for “script”, “sCrIpT”, “ßCrîpt”, etc.) will require expensive and constant deployments and will always fail as attackers work out your list of “bad” words. Positive validation is simpler, faster and usually more secure and needs updating far less than any other validation mechanism.

Model:
  • Parameterized queries.
  • Object relational model (Hibernate).
  • Active Record design pattern.
  • Stored procedures.
  • Escape mechanisms such as ESAPI’s Encoder: EncodeForLDAP(), Encoder.EncodeforOS().
  • Tip: All SQL Injection is due to dynamic SQL queries. Strongly consider prohibiting dynamic SQL queries within your organization.

Testing (OWASP Testing Guide v3):
  • 4.8.5 SQL Injection (OWASP-DV-005)
  • 4.8.6 LDAP Injection (OWASP-DV-006)
  • 4.8.7 ORM Injection (OWASP-DV-007)
  • 4.8.8 XML Injection (OWASP-DV-008)
  • 4.8.9 SSI Injection (OWASP-DV-009)
  • 4.8.10 XPath Injection (OWASP-DV-010)
  • 4.8.11 IMAP/SMTP Injection (OWASP-DV-011)
  • 4.8.12 Code Injection (OWASP-DV-012)
  • 4.8.13 OS Commanding (OWASP-DV-013)
  • 4.8.14 Buffer overflow (OWASP-DV-014)
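
Added example, not from the cheat sheet, of the A1 advice above: a login query assembled from user input beside the parameterized form, run against a constructed in-memory SQLite table, with the controller-tier positive validation in front of it. Table layout, users and the username policy are assumptions made for the demo.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")  # assumed policy: positive validation, controller tier


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table. Plaintext passwords are used
    only to keep the injection demo short; password storage is the subject of A7."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_dynamic_sql(conn, username, password):
    """VULNERABLE: the query text is built from input, so input can change its structure.
    A username of  alice' --  comments out the password check entirely."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """FIXED: placeholders; the values travel separately from the SQL text and can
    never be parsed as SQL, whatever they contain."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def validate_username(username) -> bool:
    return bool(USERNAME_RE.match(username))


def login(conn, username, password):
    """Controller tier: positive validation first, then the parameterized model call."""
    if not validate_username(username):
        return None
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "correct horse"), ("alice' --", "wrong"), ("' OR '1'='1", "' OR '1'='1")]:
        print(f"{user!r:18} dynamic={login_dynamic_sql(db, user, pw)}  parameterized={login(db, user, pw)}")
```

Note that the parameterized query alone already defeats both payloads; the validation step is defence in depth and, as the tip says, needs far less upkeep than a list of forbidden strings.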

A2 Cross-Site Scripting (XSS)

Presentation:
  • Render:
    • Set correct content type.
    • Set safe character set (UTF-8).
    • Set correct locale.
    • Output encode all user data as per output context.
    • Set input constraints.
  • On submit:
    • Enforce input field type and lengths.
    • Validate fields and provide feedback.
    • Ensure option selects and radio contain only sent values.

Controller:
  • Canonicalize using correct character set.
  • Positive input validation using correct character set.
  • (NR) Negative input validation.
  • (LR) Sanitize input.
  • Tip: Only process data that is 100% trustworthy. Everything else is hostile and should be rejected.

Model:
  • Tip: Do not store data HTML encoded in the database. This prevents new uses for the data, such as web services, RSS feeds, FTP batches, data warehousing, cloud computing, and so on.
  • Tip: Use OWASP Scrubbr to clean tainted or hostile data from legacy data.

Testing (OWASP Testing Guide v3):
  • 4.8.1 Testing for Reflected Cross Site Scripting (OWASP-DV-001)
  • 4.8.2 Testing for Stored Cross Site Scripting (OWASP-DV-002)
  • 4.8.3 Testing for DOM based Cross Site Scripting (OWASP-DV-003)
  • 4.8.4 Testing for Cross Site Flashing (OWASP-DV-004)

A3 Broken Authentication and Session Management

Presentation:
  • Render:
    • Validate user is authenticated.
    • Validate role is sufficient for this view.
    • Set “secure” and “HttpOnly” flags for session cookies.
    • Send CSRF token with forms.

Controller:
  • Design:
    • Only use inbuilt session management.
    • Store secondary SSO / framework / custom session identifiers in the native session object; do not send them as additional headers or cookies.
  • Validate user is authenticated.
  • Validate role is sufficient to perform this action.
  • Validate CSRF token.

Model:
  • Validate role is sufficient to create, read, update, or delete data.
  • Tip: Consider the use of a “governor” to regulate the maximum number of requests per second / minute / hour that this user may perform. For example, a typical banking user should not perform more than ten transactions a minute, and one hundred per second is dangerous and should be blocked.

Testing (OWASP Testing Guide v3):
  • 4.4.2 Testing for user enumeration (OWASP-AT-002)
  • 4.4.3 Testing for Guessable (Dictionary) User Account (OWASP-AT-003)
  • 4.4.4 Brute Force Testing (OWASP-AT-004)
  • 4.4.5 Testing for bypassing authentication schema (OWASP-AT-005)
  • 4.4.6 Testing for vulnerable remember password and pwd reset (OWASP-AT-006)
  • 4.4.7 Testing for Logout and Browser Cache Management (OWASP-AT-007)
  • 4.4.8 Testing for CAPTCHA (OWASP-AT-008)
  • 4.4.9 Testing Multiple Factors Authentication (OWASP-AT-009)
  • 4.4.10 Testing for Race Conditions (OWASP-AT-010)
  • 4.5.1 Testing for Session Management Schema (OWASP-SM-001)
  • 4.5.2 Testing for Cookies attributes (OWASP-SM-002)
  • 4.5.3 Testing for Session Fixation (OWASP-SM-003)
  • 4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)
  • 4.5.5 Testing for CSRF (OWASP-SM-005)
  • 4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)
  • 4.6.3 Testing for Privilege Escalation (OWASP-AZ-003)

A4 Insecure Direct Object Reference

Presentation:
  • If data is from internal trusted sources, no data is sent.
  • Or, Render: send the indirect random access reference map value.

Controller:
  • Obtain data from internal, trusted sources.
  • Or, obtain the direct value from the random access reference map.

Model:
  • Validate role is sufficient to create, read, update, or delete data.

Testing (OWASP Testing Guide v3):
  • 4.6.1 Testing for Path Traversal (OWASP-AZ-001)

A5 Cross-Site Request Forgery (CSRF)

Presentation:
  • Pre-render:
    • Validate user is authenticated.
    • Validate role is sufficient for this view.
  • Render:
    • Send CSRF token.
    • Set “secure” and “HttpOnly” flags for session cookies.

Controller:
  • Validate CSRF token.
  • Validate role is sufficient to perform this action.
  • Tip: CSRF is always possible if there is XSS, so make sure XSS is eliminated within your application.

Model:
  • Validate role is sufficient to create, read, update, or delete data.

Testing (OWASP Testing Guide v3):
  • 4.5.5 Testing for CSRF (OWASP-SM-005)
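
Added example, not from the cheat sheet, covering the A3 and A5 controls together: a session store that keeps the CSRF token inside the native session object, a Set-Cookie value with Secure and HttpOnly (SameSite=Strict is a later addition that is not on the sheet), the synchronizer token embedded in the form and compared in constant time on submit, a role check, and the “governor” from the A3 tip using the sheet’s own figure of ten transactions per minute. The session layout, role ranks and the /transfer endpoint are assumptions made for the demo.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

ROLE_RANK = {"guest": 0, "user": 1, "admin": 2}   # assumed role ordering
SESSIONS = {}   # stand-in for the framework's inbuilt session store: sid -> session dict


def create_session(user: str, role: str) -> str:
    """Login: random session id; the CSRF token lives inside the native session object,
    never in a separate header or cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "role": role, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie(sid: str) -> str:
    """Set-Cookie value. Secure and HttpOnly are what the sheet asks for; SameSite=Strict
    additionally stops most cross-site submissions before the token is even checked."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def render_transfer_form(sid: str) -> str:
    """Render tier: the synchronizer token is embedded in every state-changing form."""
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{SESSIONS[sid]["csrf"]}">'
            '<input name="amount"><button>Send</button></form>')


class Governor:
    """Sliding-window limiter: at most `limit` actions per `window` seconds per user."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)

    def allow(self, user: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now   # injectable clock for testing
        q = self._events[user]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


TRANSFER_GOVERNOR = Governor(limit=10, window=60)   # the sheet's banking example


def handle_transfer(sid: str, submitted_csrf: str, now: float = None):
    """Controller tier for POST /transfer: authenticate, check the CSRF token, check the
    role, then apply the governor. Returns (http_status, message)."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not authenticated"
    if not hmac.compare_digest(session["csrf"].encode(), (submitted_csrf or "").encode()):
        return 403, "bad CSRF token"
    if ROLE_RANK.get(session["role"], 0) < ROLE_RANK["user"]:
        return 403, "role insufficient"
    if not TRANSFER_GOVERNOR.allow(session["user"], now):
        return 429, "rate limit exceeded"
    return 200, "ok"


if __name__ == "__main__":
    sid = create_session("alice", "user")
    print(session_cookie(sid))
    token = SESSIONS[sid]["csrf"]
    print("cross-site POST without token:", handle_transfer(sid, None, now=0.0))
    print("legitimate POSTs:", [handle_transfer(sid, token, now=float(i))[0] for i in range(11)])
```

Failed CSRF or role checks are answered before the governor sees the request, so a forged submission cannot burn the victim’s own quota; the governor only counts actions that were otherwise authorised.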

A6 Security Misconfiguration

Presentation:
  • Ensure web servers and application servers are hardened.
  • PHP: Ensure allow_url_fopen and allow_url_include are both disabled in php.ini. Consider the use of the Suhosin extension.

Controller:
  • Ensure web servers and application servers are hardened.
  • XML: Ensure common web attacks (remote XSLT transforms, hostile XPath queries, recursive DTDs, and so on) are protected against by your XML stack. Do not hand craft XML documents or queries; use the XML layer.

Model:
  • Ensure database servers are hardened.

Testing (OWASP Testing Guide v3):
  • 4.2.6 Analysis of Error Codes (OWASP-IG-006)
  • 4.3.2 DB Listener Testing (OWASP-CM-002)
  • 4.3.3 Infrastructure Configuration Management Testing (OWASP-CM-003)
  • 4.3.4 Application Configuration Management Testing (OWASP-CM-004)
  • 4.3.5 Testing for File Extensions Handling (OWASP-CM-005)
  • 4.3.6 Old, Backup and Unreferenced Files (OWASP-CM-006)
  • 4.3.7 Infrastructure and Application Admin Interfaces (OWASP-CM-007)
  • 4.3.8 Testing for HTTP Methods and XST (OWASP-CM-008)

A7 Insecure Cryptographic Storage

Presentation:
  • Design:
    • Use strong ciphers (AES 128 or better).
    • Use strong hashes (SHA 256 or better) with salts for passwords.
    • Protect keys more than any other asset.
  • Render:
    • Do not send keys or hashes to the browser.

Controller:
  • Design: as for the presentation tier (strong ciphers, strong salted hashes for passwords, keys protected more than any other asset).
  • Tip: Only certain personally identifiable information and sensitive values MUST be encrypted. Encrypt data that would be embarrassing or costly if it was leaked or stolen.
  • Tip: It is best to encrypt data on the application server, rather than the database server.

Model:
  • Design tip: Do not rely on RDBMS database, row or table level encryption. The data can be retrieved in the clear by anyone with direct access to the server, or over the network using the application credentials. It might even traverse the network in the clear despite being “encrypted” on disk.

Note: the “salted SHA 256” advice predates current password-storage guidance. A single SHA-256 round is fast enough for offline guessing at scale; use a deliberately slow, salted password hash (Argon2, bcrypt, scrypt or PBKDF2) instead.
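
Added example, not from the cheat sheet, for A7 password storage: a per-user random salt with PBKDF2-HMAC-SHA256 instead of a single salted SHA-256 round, a self-describing record so the work factor can be raised later, and a verify-and-upgrade path for legacy salted SHA-256 records. The record format and the iteration count (600,000, the PBKDF2-HMAC-SHA256 figure in OWASP’s Password Storage Cheat Sheet) are choices made for this example, not something the sheet above specifies.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; tune to your hardware and raise over time


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow KDF. The stored record carries the
    parameters so they can be raised later without a flag day."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def legacy_salted_sha256(password: str, salt: bytes) -> str:
    """The scheme the sheet describes: salted, single-round SHA-256. Still found in older
    databases and far too fast against an offline attacker with GPUs."""
    return f"sha256${_b64(salt)}${hashlib.sha256(salt + password.encode('utf-8')).hexdigest()}"


def verify_and_upgrade(password: str, record: str):
    """Returns (ok, new_record). new_record is set when the stored hash should be replaced
    on this successful login: a legacy record, or a PBKDF2 record below today's work factor."""
    if record.startswith("sha256$"):
        _, salt_b64, _digest = record.split("$")
        candidate = legacy_salted_sha256(password, base64.b64decode(salt_b64))
        if not hmac.compare_digest(candidate.encode(), record.encode()):
            return False, None
        return True, hash_password(password)
    if not verify_password(password, record):
        return False, None
    stored_iterations = int(record.split("$")[1])
    return True, (hash_password(password) if stored_iterations < ITERATIONS else None)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    legacy = legacy_salted_sha256("old-password", b"0123456789abcdef")
    print("legacy login upgraded:", verify_and_upgrade("old-password", legacy))
```

Upgrading at login time is the only moment the server holds the plaintext, which is why the legacy check and the rehash sit in the same function.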

A8 Failure to Restrict URL Access

Presentation:
  • Design:
    • Ensure all non-web data is outside the web root (logs, configuration, etc.).
    • Use octet byte streaming instead of providing access to real files such as PDFs or CSVs or similar.
    • Ensure every page requires a role, even if it is “guest”.
  • Pre-render:
    • Validate user is authenticated.
    • Validate role is sufficient to view secured URL.
  • Render:
    • Send CSRF token.

Controller:
  • Validate user is authenticated.
  • Validate role is sufficient to perform secured action.
  • Validate CSRF token.
  • Tip: It’s impossible to control access to secured resources that the web application server does not directly serve. Therefore, PDF reports or similar should be served by the web application server using binary octet streaming.
  • Tip: Assume attackers will learn where “hidden” directories and “random” filenames are, so do not store these files in the web root, even if they are not directly linked.

Model:
  • Validate role is sufficient to create, read, update, or delete data.

Testing (OWASP Testing Guide v3):
  • 4.4.5 Testing for bypassing authentication schema (OWASP-AT-005)
  • 4.6.1 Testing for Path Traversal (OWASP-AZ-001)
  • 4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)
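
Added example, not from the cheat sheet, that combines the A4 random access reference map with the A8 rule that files are streamed by the application from outside the web root: a report catalogue keyed by direct id, a per-session map of random indirect references, an ownership and role check, and a containment check on the resolved path before the bytes are read. The catalogue, the session shape and the temporary-directory store are constructed for the demo; entry 103 is deliberately bad data so the containment check has something to catch.

```python
import secrets
import tempfile
from pathlib import Path

# Constructed report catalogue: direct ids, owners and paths relative to a store that
# lives outside the web root. Entry 103 is deliberately corrupt to exercise containment.
REPORTS = {
    101: {"owner": "alice", "label": "Q1 statement", "path": "alice/q1.pdf"},
    102: {"owner": "bob",   "label": "Q1 statement", "path": "bob/q1.pdf"},
    103: {"owner": "alice", "label": "broken entry", "path": "../../etc/passwd"},
}


def make_store() -> Path:
    """Create the on-disk store with constructed PDF-like bytes; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="reports-"))
    for rid in (101, 102):
        target = root / REPORTS[rid]["path"]
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"%PDF-1.4 constructed " + REPORTS[rid]["owner"].encode())
    return root


class ReferenceMap:
    """Random indirect references, one map per session: the direct id never leaves the server."""

    def __init__(self):
        self._to_direct, self._to_indirect = {}, {}

    def indirect(self, direct_id: int) -> str:
        if direct_id not in self._to_indirect:
            ref = secrets.token_urlsafe(16)
            self._to_direct[ref] = direct_id
            self._to_indirect[direct_id] = ref
        return self._to_indirect[direct_id]

    def direct(self, ref: str):
        return self._to_direct.get(ref)    # unknown or guessed reference -> None


def new_session(user: str, role: str) -> dict:
    return {"user": user, "role": role, "refs": ReferenceMap()}


def render_report_links(session: dict):
    """Render tier: only the caller's own reports, each exposed as an opaque reference."""
    return [(session["refs"].indirect(rid), r["label"])
            for rid, r in REPORTS.items() if r["owner"] == session["user"]]


def serve_report(session: dict, ref: str, store_root: Path):
    """Controller and model tiers for GET /report?ref=...: resolve the indirect reference,
    check ownership or role, confine the path to the store, then stream the bytes.
    Returns (http_status, body_bytes_or_None)."""
    direct_id = session["refs"].direct(ref)
    if direct_id is None:
        return 404, None
    report = REPORTS[direct_id]
    if report["owner"] != session["user"] and session["role"] != "admin":
        return 403, None
    root = store_root.resolve()
    path = (root / report["path"]).resolve()
    if root not in path.parents:           # defence in depth: stored paths are not trusted either
        return 403, None
    return 200, path.read_bytes()          # sent as application/octet-stream; the file has no URL


if __name__ == "__main__":
    root = make_store()
    alice = new_session("alice", "user")
    print("links rendered for alice:", render_report_links(alice))
    print("own report:", serve_report(alice, alice["refs"].indirect(101), root))
    print("guessed direct id:", serve_report(alice, "101", root))
    print("corrupt catalogue entry:", serve_report(alice, alice["refs"].indirect(103), root))
```

Because the map is created per session, a reference copied from another user’s page resolves to nothing, and because the store root is checked against the resolved path, a traversal string that somehow reached the catalogue is still refused.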

A9 Insufficient Transport Layer Protection

Presentation:
  • Use TLS 1.2 or later for all web communications.
  • Buy extended validation (EV) certificates for public web servers. Note: mainstream browsers no longer display a distinct indicator for EV certificates, so this no longer gives users a visible signal.
  • Tip: Use TLS 1.2 always, even internally. Most snooping is done within corporate networks, and it is as easy and unethical as fishing with dynamite.

Controller:
  • Mandate strong encrypted communications between web and database servers and any other servers or administrative users.

Model:
  • Mandate strong encrypted communications with application servers and any other servers or administrative users.

Testing (OWASP Testing Guide v3):
  • 4.3.1 SSL/TLS Testing (OWASP-CM-001)
  • 4.4.1 Credentials transport over an encrypted channel (OWASP-AT-001)

A10 Unvalidated Redirects and Forwards

Presentation:
  • Design the app without URL redirection parameters.
  • Or, Render: use random indirect object references for redirection parameters.

Controller:
  • Design the app without URL redirection parameters.
  • Or:
    • Obtain the direct redirection parameter from the random indirect reference map.
    • (LR) Positive validation of the redirection parameter.
    • (NR) Java: do not forward() requests, as this bypasses SSO access control mechanisms.

Model:
  • Validate role is sufficient to create, read, update, or delete data.
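
Added example, not from the cheat sheet, of the two A10 controller options: a named-destination map as the indirect reference form, and positive validation of a raw redirect parameter that refuses protocol-relative URLs, backslash variants, non-http schemes, look-alike hosts, user-info tricks and header-injection characters. The allowed host and the destination names are assumptions made for the demo.

```python
from urllib.parse import urlparse

OUR_HOSTS = {"app.example.com"}     # assumed: the only hosts we are willing to redirect to
NAMED_DESTINATIONS = {              # indirect references for the common cases
    "home": "/",
    "account": "/account",
    "help": "/help",
}


def redirect_by_name(name: str):
    """Preferred form: the client names a destination; no URL ever comes from the request."""
    return NAMED_DESTINATIONS.get(name)


def validate_redirect(target: str):
    """Positive validation for a raw redirect parameter. Accepts only an absolute-path
    reference on this site or an http(s) URL on an allowed host; everything else is None."""
    if not target or any(ord(c) < 0x21 for c in target) or "\\" in target:
        return None                     # control characters, whitespace, backslash-as-slash tricks
    parts = urlparse(target)
    if parts.scheme == "" and parts.netloc == "":
        # relative reference: a path that starts with exactly one slash ("//host" is not relative)
        return target if target.startswith("/") and not target.startswith("//") else None
    if parts.scheme in ("http", "https") and parts.hostname in OUR_HOSTS:
        return target                   # hostname is already lower-cased and stripped of user-info
    return None


def safe_redirect(param: str, default: str = "/") -> str:
    """Controller: try the named map first, then the validated raw form, else the default."""
    return redirect_by_name(param) or validate_redirect(param) or default


if __name__ == "__main__":
    for candidate in ["account", "/orders/42", "https://app.example.com/settings",
                      "//evil.example/", "/\\evil.example", "javascript:alert(1)",
                      "https://app.example.com.evil.example/", "https://app.example.com@evil.example/"]:
        print(f"{candidate!r:45} -> {safe_redirect(candidate)!r}")
```

The validation is deliberately an allow-list: rather than enumerating ways to smuggle a foreign host, it names the one shape of input that is acceptable and falls back to a fixed default for everything else.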