
OWASP Top 10 API security risks: Security misconfiguration
Number eight on the Open Worldwide Application Security Project® (OWASP) Top 10 API Security Risks for 2023 (API8:2023) is security misconfiguration.
Security misconfiguration attacks are widespread and can have significant implications for businesses. However, proactive monitoring and automated security probes can detect misconfigurations that require remediation.
Attack vectors
Attackers search API endpoints for unpatched flaws, unprotected files, or insecure default configurations. Because most deployments follow the same patterns (the same frameworks, default paths, and management ports), attackers probe well-known endpoints to map a system and find a way in. Default settings left in place, or inconsistencies in how the servers along the request path (load balancers, proxies, the API itself) parse and handle the same request, can leave vectors open for exploitation.
Unnecessary services and legacy options, such as unused HTTP verbs or old API versions that are still deployed, create additional pathways for attackers.
Security weaknesses
Security misconfiguration can happen at any level of the API stack, from network to application. While misconfigurations are easy to exploit, they are also easy to detect. Automated tools can uncover security weaknesses that require attention.
Business impacts
OWASP rates the potential business impact as severe. Attacks can:
- Expose sensitive user data
- Bypass security measures and controls
- Create pathways for account takeover or server compromise
- Lead to complete system takeover
How security misconfiguration attacks work
Network infrastructures today are complex. Even if you have secured endpoints, misconfigured security settings can allow attackers to find flaws. For example, threat actors might search for out-of-date software or software that does not have the latest patch applied.
Once a misconfiguration is identified, attackers can employ a variety of tactics to exploit API vulnerabilities, such as:
- Code injection or command injection
- Brute force or credential stuffing, where rate limiting and account lockout were never configured
- Buffer overflow
- Cross-site scripting (XSS)
- Server-side request forgery (SSRF)
Real-world examples
There have been several high-profile security misconfiguration incidents, including one involving the United States Army Intelligence and Security Command that exposed top-secret documents, and one at Accenture that exposed passwords, keys, and customer data.
An improperly set permission within Jira exposed the personal data of NASA employees and information about scheduled projects. A system administrator creating a dashboard inadvertently assigned “all users” permissions within the app, assuming this restricted access to people within the organization. It did not.
Detecting security misconfiguration vulnerabilities
Security misconfigurations can easily go unnoticed until they are exploited. As systems are rarely static, a repeatable hardening process with continuous automation to evaluate the effectiveness of configurations and settings is essential across all environments.
Common areas to probe for security misconfigurations include:
- Vendor-supplied default credentials left in place
- No password length or complexity requirements
- Unprotected files or directories
- Unpatched software
- Improperly configured security features (TLS, authentication, rate limiting, logging)
- Unpublished or undocumented URLs (debug, admin, legacy API versions) that are still reachable
- Directory listing or path traversal permitted by the file-serving configuration
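The probing that the list above describes, as an added example in Python that is not part of the original article: a small scanner that requests a set of paths commonly left exposed and reports a finding only when the body looks like the real artefact (a secrets file, a spec, a directory index), so a catch-all 200 page does not trigger it. The transport is injected, so the same code runs against a live host with urllib or, as here, against a constructed fake server. PROBE_PATHS, the heuristics, and the host name are assumptions.

```python
"""Offline-capable probe for common API security misconfigurations.

Added example, not code from the original article. PROBE_PATHS and the
finding heuristics are assumptions; FAKE_SERVER is constructed sample data.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]   # (status, lower-cased headers, body prefix)
Fetch = Callable[[str], Response]

# Paths frequently left reachable by mistake (assumed list; extend per stack).
PROBE_PATHS = [
    "/.env",           # secrets file inside the served web root
    "/.git/config",    # repository metadata: remotes, branch layout
    "/swagger.json",   # unpublished API specification
    "/actuator/env",   # framework debug endpoint left enabled
    "/uploads/",       # directory listing on an upload folder
    "/admin",          # unpublished management URL
]

def urllib_fetch(url: str) -> Response:
    """Real transport: one GET, first 4 KiB of the body, HTTP errors mapped to their status."""
    req = urllib.request.Request(url, headers={"User-Agent": "misconfig-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            headers = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, headers, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, ""

def classify(path: str, status: int, body: str) -> List[str]:
    """A 200 on a sensitive path is a finding only if the body looks like the real thing."""
    if status != 200:
        return []
    if path == "/.env" and re.search(r"^[A-Z0-9_]+=", body, re.M):
        return ["secrets file exposed"]
    if path == "/.git/config" and "[core]" in body:
        return ["git repository metadata exposed"]
    if path == "/swagger.json" and '"paths"' in body:
        return ["API specification reachable without authentication"]
    if path == "/actuator/env" and "propertySources" in body:
        return ["debug endpoint enabled and unauthenticated"]
    if path.endswith("/") and re.search(r"<title>\s*Index of", body, re.I):
        return ["directory listing enabled"]
    if path == "/admin":
        return ["management URL reachable; confirm it demands authentication"]
    return []

def probe(base_url: str, fetch: Fetch = urllib_fetch) -> Dict[str, List[str]]:
    """Probe every path; report only those with findings."""
    report: Dict[str, List[str]] = {}
    for path in PROBE_PATHS:
        status, _headers, body = fetch(base_url.rstrip("/") + path)
        findings = classify(path, status, body)
        if findings:
            report[path] = findings
    return report

# Constructed responses standing in for a misconfigured host, so the probe runs offline.
FAKE_SERVER: Dict[str, Response] = {
    "/.env": (200, {"content-type": "text/plain"}, "DB_PASSWORD=hunter2\nSTRIPE_KEY=sk_test_constructed\n"),
    "/swagger.json": (200, {"content-type": "application/json"}, '{"openapi":"3.0.0","paths":{"/users":{}}}'),
    "/actuator/env": (401, {"www-authenticate": "Bearer"}, ""),
    "/uploads/": (200, {"content-type": "text/html"}, "<html><head><title>Index of /uploads</title></head></html>"),
    "/admin": (302, {"location": "/login"}, ""),
}

def fake_fetch(url: str) -> Response:
    """Offline transport that answers from FAKE_SERVER; unknown paths get a 404."""
    path = urllib.parse.urlsplit(url).path
    return FAKE_SERVER.get(path, (404, {}, ""))

if __name__ == "__main__":
    for path, findings in probe("https://api.example.test", fake_fetch).items():
        print(path, "->", "; ".join(findings))
```

Against the constructed host the probe reports the secrets file, the reachable spec, and the directory listing, while the 401 on the actuator endpoint and the redirect on /admin produce no finding; run it from a scheduled job against every environment so a regression is caught before an attacker's scanner finds it.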
Preventing security misconfiguration vulnerabilities
Preventing security misconfiguration vulnerabilities requires management of the whole API lifecycle to ensure a properly locked-down environment. Admins should review and update configurations across the entire API stack, including API components, cloud services and permissions, and orchestration files.
OWASP also recommends:
- Restrict all incoming content types and data formats to only those that meet business and functional requirements.
- Ensure all API communication between clients, API servers, and any upstream or downstream components occurs over an encrypted channel (TLS), whether the API is public-facing or internal.
- Define and enforce API response payload schemas, including error responses, so that exception traces and other information useful to attackers are never sent back.
Preventing API security misconfiguration vulnerabilities requires a proactive approach to continuously evaluate the environment to detect and remediate errors. Admins should also pay close attention to these three areas.
Error messages
Limit error messages to what the client needs to act on. Out of the box, many frameworks return stack traces, system information, database structure, or custom signatures, all of which help an attacker map the application and choose an attack vector. Log the full detail server-side under a request identifier and return a generic error that conforms to the API's response schema.
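The OWASP recommendations on content types and response schemas, together with the error-message guidance just above, in one added Python example that is not from the original article. It puts a leaky catch-all beside a hardened gate: the hardened path rejects undeclared request content types with 415, drops every response field not in the declared schema before it leaves the server, and converts any exception into a fixed error shape while the traceback goes to the server log under a request id. The user record, the handler, the chatty error text, USER_SCHEMA, and ALLOWED_CONTENT_TYPES are all constructed for this hypothetical API.

```python
"""Request/response gate: content-type allow-list, response schema, safe errors.

Added example, not code from the original article. USERS, lookup_user and the
error text are constructed for illustration; USER_SCHEMA and
ALLOWED_CONTENT_TYPES are assumptions about this hypothetical API.
"""
import json
import logging
import traceback
import uuid
from typing import Any, Callable, Dict, Tuple

log = logging.getLogger("api")

ALLOWED_CONTENT_TYPES = {"application/json"}       # only the formats the API actually needs
USER_SCHEMA = {"id", "email", "display_name"}     # the only fields a client may receive

# Constructed stand-in for a database row; note the columns a client must never see.
USERS = {
    "42": {"id": "42", "email": "ada@example.test", "display_name": "Ada",
           "password_hash": "$2b$12$not-a-real-hash", "internal_role": "admin"},
}

Request = Dict[str, Any]
Handler = Callable[[Request], Dict[str, Any]]

class UnsupportedMediaType(Exception):
    pass

def lookup_user(request: Request) -> Dict[str, Any]:
    """Constructed handler; the failure message is as chatty as a real ORM's."""
    user_id = request["path"].rsplit("/", 1)[-1]
    if user_id not in USERS:
        raise RuntimeError('relation "users_v2" does not exist (query at /srv/api/users.py:88)')
    return USERS[user_id]

def leaky_handle(request: Request, handler: Handler) -> Tuple[int, Dict[str, Any]]:
    """What a framework's debug mode, or a catch-all that echoes the exception, effectively does."""
    try:
        return 200, handler(request)          # whole row, password_hash included
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}

def hardened_handle(request: Request, handler: Handler) -> Tuple[int, Dict[str, Any]]:
    """Same handler with the three controls applied."""
    request_id = uuid.uuid4().hex
    try:
        if request.get("body") is not None:   # only requests that carry a body declare a type
            content_type = request["headers"].get("content-type", "").split(";")[0].strip().lower()
            if content_type not in ALLOWED_CONTENT_TYPES:
                raise UnsupportedMediaType(content_type or "<none>")
        result = handler(request)
        # Enforce the response schema: anything not declared is dropped before it leaves.
        return 200, {k: v for k, v in result.items() if k in USER_SCHEMA}
    except UnsupportedMediaType:
        return 415, {"error": "unsupported_media_type", "request_id": request_id}
    except Exception:
        # Full traceback to the server log, keyed by request_id; the client sees only the id.
        log.error("request %s failed:\n%s", request_id, traceback.format_exc())
        return 500, {"error": "internal_error", "request_id": request_id}

if __name__ == "__main__":
    missing = {"method": "GET", "path": "/users/7", "headers": {}, "body": None}
    print("leaky:   ", json.dumps(leaky_handle(missing, lookup_user)[1])[:120], "...")
    print("hardened:", json.dumps(hardened_handle(missing, lookup_user)[1]))
```

The request id is the link between what the client sees and what support or incident response finds in the log; it replaces the stack trace without losing the ability to debug.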
Misconfigured HTTP headers
Another common misconfiguration is missing or improperly used HTTP headers, which give attackers something to work with. APIs accessible from a browser-based client should implement a cross-origin resource sharing (CORS) policy that allows only an explicit list of origins (never reflecting whatever Origin the request carries, and never combining a wildcard with credentials), send the applicable security headers, and ensure all servers in the server chain process incoming requests consistently, so that a proxy and the backend do not interpret the same request differently.
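The CORS and header guidance above as an added Python example, not code from the original article: an exact-match origin allowlist that produces the response headers, and an audit function that flags the header mistakes an API review most often turns up (reflected origins, wildcard plus credentials, the null origin, a missing Vary, missing baseline security headers, and version disclosure). ALLOWED_ORIGINS, the SECURITY_HEADERS baseline, and the MISCONFIGURED sample are assumptions and constructed data.

```python
"""Exact-match CORS allowlist and a response-header audit.

Added example, not code from the original article. ALLOWED_ORIGINS and the
SECURITY_HEADERS baseline are assumptions; MISCONFIGURED is constructed sample data.
"""
import re
from typing import Dict, List, Optional

ALLOWED_ORIGINS = {"https://app.example.test"}   # the only browser client (assumed)

# Baseline headers every API response carries (reasonable defaults, not a standard).
SECURITY_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "cache-control": "no-store",
    "content-security-policy": "default-src 'none'; frame-ancestors 'none'",
}

def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Allowlist decision: an Origin is echoed only if it matches exactly; otherwise no CORS
    headers at all. Never reflect an arbitrary Origin and never pair '*' with credentials."""
    headers = dict(SECURITY_HEADERS)
    if origin in ALLOWED_ORIGINS:
        headers["access-control-allow-origin"] = origin
        headers["access-control-allow-credentials"] = "true"
        headers["access-control-allow-methods"] = "GET, POST"
        headers["access-control-allow-headers"] = "Authorization, Content-Type"
        headers["vary"] = "Origin"     # caches must key on Origin once the answer depends on it
    return headers

def audit_headers(raw: Dict[str, str], request_origin: Optional[str] = None) -> List[str]:
    """Flag the header misconfigurations that matter for an API."""
    h = {k.lower(): v for k, v in raw.items()}
    findings: List[str] = []
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("wildcard origin paired with credentials (browsers reject the pair; "
                        "usually a sign the server is meant to reflect origins)")
    if acao == "null":
        findings.append("'null' origin allowed (sandboxed iframes and local files send it)")
    if request_origin and acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        findings.append("arbitrary Origin reflected")
    if acao and acao != "*" and "origin" not in h.get("vary", "").lower():
        findings.append("origin-specific CORS answer without Vary: Origin")
    for name in SECURITY_HEADERS:
        if name not in h:
            findings.append(f"missing {name}")
    if re.search(r"\d+\.\d+", h.get("server", "")):
        findings.append("server version disclosed")
    if "x-powered-by" in h:
        findings.append("x-powered-by discloses the framework")
    return findings

# Constructed example of a common misconfiguration: the framework reflects whatever Origin it gets.
MISCONFIGURED = {
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
    "Server": "nginx/1.18.0",
    "X-Powered-By": "Express",
}

if __name__ == "__main__":
    print(audit_headers(MISCONFIGURED, request_origin="https://evil.example"))
    print(cors_headers("https://evil.example"))
```

Reflecting the request's Origin together with credentials is the case that turns a header misconfiguration into cross-origin data theft from any logged-in user; the audit runs just as well over headers captured from a proxy or a test client as over the constructed sample.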
Unnecessary services
Failing to shut down unnecessary services also leaves the API vulnerable. Unused services, debug endpoints, legacy API versions, and HTTP verbs nobody calls often receive no hardening because they are not meant to be used; leaving them enabled gives attackers pathways to exploit.
