Get a free application, infrastructure and malware scan report - Scan Your Website Now

API7:2019 Security Misconfiguration: The What, Sample Exploits, and Prevention Methods

Posted DateMay 29, 2023
Posted Time 6   min Read

Security misconfigurations are very common security risks, not just in web applications but also in APIs. They have been consistently part of the OWASP Top 10 Web Application Vulnerabilities. They were part of the original OWASP Top 10 API Security Risks published in 2019 and have now made it to the updated 2023 list.

Security misconfiguration maintains its 7th rank in OWASP Top 10 API 2023 owing to its widespread prevalence, easy exploitability, and easy detectability.

What exactly are security misconfigurations? What causes them, and how to mitigate them? Keep reading to find out.

What is Security Misconfiguration?

Security misconfigurations are the errors and oversights made during an API’s configuration, implementation, or maintenance that can lead to security vulnerabilities. This happens when developers/ IT teams have not followed security best practices in implementing and configuring APIs.

Security misconfigurations can occur owing to the failure of developers and IT security teams to harden the attack surface with proper configurations adequately.

It simply means that essential API security settings were not implemented or incorrectly, leaving dangerous gaps and weaknesses in the API. Threat actors can exploit these gaps to orchestrate massive attacks and data breaches.

These misconfigurations may occur at different levels of the API stack, including the API server, API gateway, client application, the infrastructure supporting the API, network level, system level, application level, and so on. Almost no difference exists in how these misconfigurations affect web apps and APIs.


// Insecure API Endpoint
app.get('/api/user/:id', (req, res) => {
const userId = req.params.id;
// Fetch user data from the database without authentication or authorization
User.findById(userId, (err, user) => {
if (err) {
return res.status(500).json({ error: 'Internal Server Error' });
}
if (!user) {
return res.status(404).json({ error: 'User not found' });
}
// Return the user data
res.json(user);
});
});

In this example, the API endpoint /api/user/:id is designed to retrieve user data based on the provided id. However, there are no authentication or authorization checks in place.

The code directly fetches the user from the database without verifying the user’s identity or ensuring they have the necessary permissions.

An attacker exploiting this misconfiguration could simply send a GET request to /api/user/:id with any id parameter and retrieve user data without authentication or proper authorization. This exposes sensitive user information to unauthorized individuals.

System misconfiguration is a vulnerability that can be exploited, whether in APIs, web applications, networks, containers, or development platforms. If you leave APIs improperly, inadequately, or insecurely configured, you will leave the API open to a wide range of security risks.

What Causes OWASP API7:2019 Security Misconfigurations?

Security misconfiguration vulnerabilities come in all shapes and sizes, with varying levels of risk. Here are some examples of what could lead to these misconfigurations.

  • Improper patching practices and policies
  • Unpatched systems, vulnerabilities, and flaws
  • Unpatched legacy features/ components in APIs
  • Improper implementation of CORS (Cross-Origin Resource Sharing) policies
  • CORS doesn’t follow least privilege policies
  • Leaving APIs/ components with default configuration settings
  • Incomplete, ad-hoc, or missing configurations
  • Unnecessary or misconfigured HTTP headers
  • Verbose error messages that reveal sensitive information and enable attackers to orchestrate attacks
  • Excessive exposure of debug logs
  • Unnecessary features/ options enabled, such as HTTP verbs (GET, POST, PUT, DELETE, etc.)
  • Missing TLS protocols
  • Lack of hardening of security policies
  • Poor maintenance of APIs
  • Open cloud storage

Check out the complete list of API misconfigurations from our API pen-testing checklist.

Here are five examples of API misconfiguration attack scenarios and their potential implications:

Real-Life Instance

The Capital One breach of 2019 is a real-life example of exploiting security misconfigurations by attackers. In the case of Capital One, attackers found an open-source WAF was being used to secure the company’s apps and APIs. This WAF was not properly configured and tuned adequately to the needs and context of the company’s AWS environment. As a result, it did not follow the zero-trust and least privilege principles.

Being overly permissive, attackers could easily bypass the WAF. Attackers crafted an injection script to target the backend AWS cloud metadata service. The WAF could not inspect the message’s contents or filter it and allowed the injection request to be processed by the backend. Now, the attacker could harvest metadata they should not have accessed.

Using this metadata, they could compromise other systems within the IT environment through a server-side request forgery (SSRF) attack. Here is a closer look at API hacks and historical instances that fall under OWASP Top 10.

Why is Security Misconfiguration an OWASP Top 10 API Vulnerability?

Disastrous Consequences

One of the major impacts of security misconfigurations is that it exposes sensitive information and system details. The exposure to system details and configurations could lead to full server compromise that can be devastating to the organization.

Security misconfiguration is an OWASP API Top 10 vulnerability also because it enables attackers to orchestrate a wide range of attacks such as remote attacks, directory traversal attacks, SSRF attacks, authentication and authorization attacks, cloud-based attacks, and so on.

The other reason security misconfigurations are an OWASP API Top 10 vulnerability is that improperly configured APIs create a false sense of security for developers and the organization. So, developers think they are secure from threats since configurations are in place.

However, as we have seen, improper and inadequate configurations are worse than not having any configurations in place. They make it easy for attackers to do their bidding.

High Prevalence and Easy Exploitability

Security misconfigurations have a prevalence score of 3 and an exploitability score of 3. This means they are very common API vulnerabilities that are also easily exploitable. With the availability of automated tools, attackers can seamlessly find these misconfigurations and exploit them.

One of the main reasons for the high prevalence of these vulnerabilities is today’s fast-paced development cycles. Given the impossible deadlines, developers do not have enough time to adequately test and check for security misconfiguration before pushing an API functionality into production.

Further, the increasing complexity of IT infrastructures has also created a lack of visibility into the complete API environment. So, it is common for API features, endpoints, and dependencies to be forgotten.

How to Protect Yourself Against OWASP API7:2019 Security Misconfigurations?

Continuous Security Hardening Process

API security is an ongoing process. Continuously monitor, assess, and enhance security measures based on the evolving threat landscape, industry best practices, and lessons learned from security incidents. Regularly update your security guidelines and documentation to reflect changes or new insights.

This method allows you to identify and address vulnerabilities, validate configurations, and enforce best practices across your API infrastructure. This proactive approach helps in minimizing the risk of potential security breaches, unauthorized access, and data leaks.

Moreover, it ensures that security controls are properly configured and maintained, reducing the likelihood of misconfigurations that could expose sensitive information or compromise the integrity of the API ecosystem.

Review and Update Configurations

You must regularly review and update configurations across the API stack (API endpoints, networks, client apps, cloud storage, network, etc.). You should look for default configurations, unnecessary features, etc., and take instant steps to fix them.

Proper Vulnerability Management Mechanisms

This should include regular scanning and testing of APIs and the entire IT infrastructure for gaps and vulnerabilities. You should leverage intelligent tools and augment them with regular manual pen testing by trusted experts. This will help detect weaknesses, flaws, and gaps.

Closing security holes promptly after their discovery is the next objective. However, loaded lists developers, shifting priorities, and constant updates to application code frequently contribute to an average delay of 200 days in vulnerability remediation.

Virtual patching offers a compelling alternative. By implementing virtual patching, you can effectively enhance security measures and bridge the gap between vulnerability discovery and remediation.

Leverage API Security Tools

API security tools play a crucial role by automating the detection of misconfigurations and enforcing best practices. These tools help by continuously scanning your APIs for vulnerabilities, ensuring proper configuration settings, and providing actionable insights to fix security gaps. They also offer features like real-time monitoring, automated compliance checks, and configuration audits to prevent security missteps.

Dive deeper into how these tools can fortify your defenses by reading our comprehensive blog on the best API security software available in the market.

Other Measures

  • Use a secure channel for API to interact with static assets such as images
  • Review and update the CORS policies
  • Disable all unnecessary HTTP verbs and test regularly to ensure they are disabled
  • Review the Outputs, including error messages for various inputs
  • Implement zero-trust policies and restrict admin access

Conclusion

Security misconfigurations are dangerous API vulnerabilities, enabling attackers to bypass security mechanisms while providing organizations with a false sense of security. Organizations need to proactively identify and correct these misconfigurations to ensure robust API security.

Leverage API-focused security solutions like AppTrana WAAP to protect your APIs against security misconfigurations and other security risks.

Stay tuned for more relevant and interesting security updates. Follow Indusface on FacebookTwitter, and LinkedIn

AppTrana API Protection

Indusface
Indusface

Indusface is a leading application security SaaS company that secures critical Web, Mobile, and API applications of 5000+ global customers using its award-winning fully managed platform that integrates web application scanner, web application firewall, DDoS & BOT Mitigation, CDN, and threat intelligence engine.

Share Article:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

Recent Notorious Hacks History
35 Most Notorious Hacks in History that Fall Under OWASP Top 10

What were the most notorious hacks in history? They’re subject to debate, but we bring you 27 of them, which would be strong candidates for the title.

Read More
What is new in OWASP API Top 10 2023
What’s New in OWASP API Top 10 2023: The Latest Changes and Enhancements

The OWASP API Top 10 2023 list has quite a few changes from the 2019 Top 10 API security risks. Here is updated OWASP API Top 10 2023 RC List.

Read More
Effective ways to securing APIs
API Security: Authorization, Rate Limiting, and Twelve Ways to Protect APIs

41% of organizations suffered an API security incident. Here are 12 methods that you need to incorporate in order to secure and protect APIs.

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% customer recommendation for 4 consecutive years.

A Customers’ Choice for 2024, 2023 and 2022 - Gartner® Peer Insights™

The reviews and ratings are in!