What are API Vulnerabilities?

APIs are a vital part of today's application-driven world. They are integrated with modern mobile, software-as-a-service, and web applications so that those applications can communicate with each other. An API is the messenger that delivers your request to the provider you are requesting it from and then returns the response to you. APIs can expose application logic and sensitive data such as PII (Personally Identifiable Information).

API security focuses on controls that mitigate these different types of vulnerabilities and the risks associated with them.

These are some of the top API vulnerabilities in 2021 according to OWASP:

Broken Access Control: Broken access control is the failure of authorization policies, leading to unauthorized disclosure of data, users performing business functions outside their privileges, and unauthorized modification or deletion of information. This vulnerability is exploited through violations of the principle of least privilege, shared accounts, metadata modification, CORS misconfiguration, and bypassing of access-control checks.

Cryptographic Failures: Cryptographic failures stem from weak or misused cryptography. They occur because of weak cryptographic algorithms or protocols, data flowing from one system to another without encryption (in plaintext), reuse of cryptographic keys and the absence of proper key management, certificate misconfiguration, and the use of deprecated cryptographic methods.

Injections: Injection attacks occur when user-supplied data reaching an application's input fields is not validated, filtered, or sanitized. They become possible when dynamic queries or non-parametrized calls are built from that unvalidated data.

Insecure Design: Insecure design failures occur when security controls are missing from the system as implemented: the design itself, and the lack of controls in it, leave gaps that specific attacks can exploit. One key contributing factor is the lack of business-risk profiling, a business continuity structure, and a risk management framework. Secure design of an application is more a matter of methodology and culture than of engineering alone.

Security Misconfigurations: These failures arise from missing security hardening, unnecessary features that are enabled or installed, overly complex code, faulty error handling, default accounts left in place, and outdated versions of software and applications in use.

Identification and Authentication Failures: These failures occur because of inadequate protection of user identification, authentication, and session management. They show up as susceptibility to credential stuffing and brute-forcing, ineffective or missing MFA, and a weak ability to validate a user's session ID, which results in stolen tokens.

Insufficient Security Logging and Monitoring: These failures occur when services are inadequately logged and monitored, leaving the organization unable to detect data breaches, exploitation attempts, vulnerabilities, and gaps within its systems. Auditable events such as logins, payment transactions, and user activity are not logged; applications are not monitored for suspicious activity; warnings and error messages are unclear; and proper alerting, detection, escalation, and triage mechanisms are not in place.

Other API vulnerabilities include broken object-level authorization, excessive data exposure, lack of rate limiting, broken function-level authorization, improper asset management, SSRF, and more.
