5GSEC / SentryFlow

5G API Observability and Security
Apache License 2.0

OWASP Top 10 API Security Assessment #23

Open nandhued opened 1 week ago

nandhued commented 1 week ago

Part of https://github.com/5GSEC/SentryFlow/issues/9

nandhued commented 1 week ago

Doc WIP

PrimalPimmy commented 1 week ago

DOC: https://hackmd.io/@C8cLTtotQeS4jqmNB6K1Jw/H1KkNOhkJx

PrimalPimmy commented 6 days ago

Action items for analysis:

PrimalPimmy commented 3 hours ago
  1. Broken Object Level Authorization

    • Check the authorization/JWT header token and see if the user is accessing another user's resources.
  2. Broken Authentication

    • Check JWT's alg header; if this is empty, the token is not valid.
  3. Broken Object Property Level Authorization

    • Could check if the IP where this request originates from is outside the environment.
  4. Unrestricted Resource Consumption

    • Rate limit detection through observability API. Check the timestamp and number of events.
  5. Broken Function Level Authorization

    • This usually means someone accessing a privileged endpoint. How would we check what's a privileged endpoint and what's not?
  6. Unrestricted Access to Sensitive Business Flows

    • N/A
  7. Server Side Request Forgery

    • Check for client-supplied input data sanitization. Not too tough to check for sanitization. This could also work for XSS and SQLi.
  8. Security Misconfiguration

    • Internal error revealing internal code. Not something we can check everywhere.
  9. Improper Inventory Management

    • Old APIs get exploited if not deprecated by newer APIs. Can't check for this using SentryFlow.
  10. Unsafe Consumption of APIs

    • Sanitization of data to be checked to prevent SQLi, XSS, SSRF, etc. Can be done by sanitizing the request body.
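Added example (not SentryFlow's code, nor anything from the thread): the first two action items above, written as detection checks over one observed request. It assumes a `/subscribers/<id>/...` path layout and a `sub` claim naming the subscriber; `MakeToken` only builds constructed sample tokens.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"strings"
)

// MakeToken assembles a JWT-shaped "Bearer" value with a placeholder signature; it only exists to
// build the constructed sample input used in the tests.
func MakeToken(header, payload string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return "Bearer " + enc([]byte(header)) + "." + enc([]byte(payload)) + ".sig"
}

// jwtParts decodes the JWT header and claims only. This is traffic inspection for detection,
// not signature verification, so a finding here is an alert, not an authorization decision.
func jwtParts(auth string) (hdr, claims map[string]any, ok bool) {
	parts := strings.Split(strings.TrimPrefix(auth, "Bearer "), ".")
	if len(parts) != 3 {
		return nil, nil, false
	}
	for i, dst := range []*map[string]any{&hdr, &claims} {
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err != nil || json.Unmarshal(raw, dst) != nil {
			return nil, nil, false
		}
	}
	return hdr, claims, true
}

// Analyze applies the issue's per-request checks to one observed call (path + Authorization header):
// API2, an empty or "none" alg header makes the token invalid; API1 (BOLA), the subscriber named
// in the path must equal the token's sub claim. The /subscribers/<id>/... layout is an assumption.
func Analyze(path, auth string) []string {
	hdr, claims, ok := jwtParts(auth)
	if !ok {
		return []string{"API2: missing or malformed token"}
	}
	var out []string
	if alg, _ := hdr["alg"].(string); alg == "" || strings.EqualFold(alg, "none") {
		out = append(out, "API2: empty or none alg")
	}
	sub, _ := claims["sub"].(string)
	segs := strings.Split(strings.Trim(path, "/"), "/")
	if len(segs) >= 2 && segs[0] == "subscribers" && segs[1] != sub {
		out = append(out, "API1: "+sub+" accessed "+segs[1])
	}
	return out
}
```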