OWASP API Security Top 10–1 from TryHackMe:

Ramazan Salman
9 min read · Jan 28, 2023


In this room you learn more about APIs:

➡️ OWASP API Security Top 10–1
➡️ Identification of authorization level issues.
➡️ Handling excessive data exposure.
➡️ Lack of resources and rate-limiting issues.

Task 2 Understanding APIs — A refresher

What is an API & Why is it important?

API stands for Application Programming Interface. It is a middleware that facilitates the communication of two software components using a set of protocols and definitions. In the API context, the term ‘application’ refers to any software with specific functionality, and ‘interface’ refers to the service contract between two apps that makes communication possible via requests and responses. The API documentation contains all the information on how developers have structured those requests and responses. The significance of APIs to app development can be summed up in a single sentence: an API is a building block for developing complex, enterprise-level applications.

Recent Data Breaches through APIs

  • LinkedIn data breach: In June 2021, the data of over 700 million LinkedIn users was offered for sale on a dark web forum; it had been scraped by exploiting the LinkedIn API. The hacker published a sample of 1 million records to confirm the legitimacy of the breach, containing users' full names, email addresses, phone numbers, geolocation records, LinkedIn profile links, work experience information, and other social media account details.
  • Twitter data breach: In June 2022, data of more than 5.4 million Twitter users was released for sale on the dark web. Hackers conducted the breach by exploiting a zero-day in the Twitter API that revealed the Twitter handle associated with a mobile number or email address.
  • PIXLR data breach: In January 2021, PIXLR, an online photo editor app, suffered a data breach that impacted around 1.9 million users. All the data obtained by the hackers was dumped on a dark web forum, and it included usernames, email addresses, countries, and hashed passwords.

Now that we understand the threat and the damage caused due to non-adherence to mitigation measures — let’s discuss developing a secure API through OWASP API Security Top 10 principles.

Question 1: In the LinkedIn breach (Jun 2021), how many million records (sample) were posted by a hacker on the dark web?

On June 22nd, a user of a popular hacker forum advertised data from 700 million LinkedIn users for sale. The user of the forum posted a sample of the data that includes 1 million LinkedIn users.

Question 2: Is the API documentation a trivial item and not used after API development (yea/nay)?

Answer: nay

The API documentation contains all the information on how developers have structured those requests and responses. The significance of APIs to app development can be summed up in a single sentence: an API is a building block for developing complex, enterprise-level applications.

Task 3 Vulnerability I — Broken Object Level Authorisation (BOLA)

  • The solution for this problem is pretty simple; Bob will implement an authorization mechanism through which he can identify who can make API calls to access employee ID information.
  • The purpose is achieved through access tokens or authorization tokens in the header. In the above example, Bob will add an authorization token so that only headers with valid authorization tokens can make a call to this endpoint.
  • In the VM, only if you add a valid Authorization-Token and call http://localhost:80/MHT/apirule1_s/user/1 will you get the correct results. Moreover, all API calls with an invalid token will show a 403 Forbidden error message (as shown below).

Question 1: Suppose the employee ID is an integer with incrementing value. Can you check through the vulnerable API endpoint the total number of employees in the company?

There is no response from ID 3, so there are 3 employees!

Question 2 : What is the flag associated with employee ID 2?

Question 3: What is the username of employee ID 3?

I have changed the ID to 3!

Task 4 Vulnerability II — Broken User Authentication (BUA)

Practical Example
Continue to use the Chrome browser and Talend API Tester for debugging in the VM.
Bob understands that authentication is critical and has been tasked to develop an API endpoint apirule2/user/login_v that will authenticate based on provided email and password.
The endpoint will return a token, which will be passed as an Authorisation-Token header (GET request) to apirule2/user/details to show the details of the specific employee. Bob successfully developed the login endpoint; however, he only used the email to look up the user in the user table and ignored the password field in the SQL query. An attacker therefore only needs the victim’s email address to obtain a valid token and take over the account.
In the VM, you can test this by sending a POST request to http://localhost:80/MHT/apirule2/user/login_v with the email and password in the form parameters.

  • As we can see, the vulnerable endpoint returned a token that can be forwarded to /apirule2/user/details to get the details of a user.
  • To fix this, we will update the login query logic and use both email and password for validation. The endpoint /apirule2/user/login_s is a valid endpoint, as shown below, that authenticates the user based on both email and password.
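The difference between login_v and login_s is the WHERE clause of one query. The following is an added example (not the room's own code) against a constructed in-memory SQLite user table; the password, hash scheme and token format are my assumptions, hr@mht.com is the only address taken from the room.

```python
import hashlib
import secrets
import sqlite3

# Constructed in-memory user table standing in for MHT's database (sample data, not the room's).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")


def hash_pw(password: str) -> str:
    # Unsalted SHA-256 keeps the example short; a real service uses a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


DB.execute("INSERT INTO users VALUES (?, ?)", ("hr@mht.com", hash_pw("correct-horse")))
DB.commit()


def issue_token(email: str) -> str:
    # Stand-in for the room's Authorisation-Token: an opaque random session value.
    return secrets.token_hex(16)


def login_v(email: str, password: str):
    """Vulnerable (login_v): the query filters on email only, so any password is accepted."""
    row = DB.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchone()
    return issue_token(email) if row else None


def login_s(email: str, password: str):
    """Fixed (login_s): a row must match on both the email and the password hash."""
    row = DB.execute(
        "SELECT email FROM users WHERE email = ? AND pw_hash = ?",
        (email, hash_pw(password)),
    ).fetchone()
    return issue_token(email) if row else None
```

Note that the `password` parameter of login_v is never referenced, which is exactly the kind of unused input a code review or linter should flag on an authentication path.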

Question 1: Can you find the token of hr@mht.com?

Question 2: To which country does sales@mht.com belong?

China

Question 3: Is it a good practice to send a username and password in a GET request (yea/nay)?

nay, because it isn’t safe!

Task 5 Vulnerability III — Excessive Data Exposure

Practical Example

  • Continue to use the Chrome browser and Talend API Tester for debugging in the VM.
  • The company MHT launched a comment-based web portal that takes users’ comments and stores them in the database and other information like location, device info, etc., to improve the user experience.
  • Bob was tasked to develop an endpoint for showing users’ comments on the company’s main website. He developed an endpoint apirule3/comment_v/{id} that fetches all information available for a comment from the database. Bob assumed that the front-end developer would filter out information while showing it on the company's main website.
  • What is the issue here? The API is sending more data than desired. Instead of relying on a front-end engineer to filter out data, only relevant data must be sent from the database.
  • Bob, realising his mistake, updated the endpoint and created a valid endpoint /apirule3/comment_s/{id} that returns only the necessary information to the developer (as shown below).

Mitigation Measures

  • Never leave sensitive data filtration tasks to the front-end developer.
  • Periodically review the API's responses to guarantee they return only legitimate data, and check whether any returned field poses a security issue.
  • Avoid using generic methods such as to_string() and to_json().
  • Use API endpoint testing through various test cases and verify through automated and manual tests if the API leaks additional data.
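The comment_v/comment_s pair above and the "avoid generic to_json()" and "test for leaks" mitigations, as an added example that is not the room's code: the Comment record, its sample row and the PUBLIC_FIELDS contract are constructed for illustration, and leaked_fields is the kind of automated check the last bullet asks for.

```python
from dataclasses import asdict, dataclass


@dataclass
class Comment:
    id: int
    username: str
    comment: str
    location: str   # collected "to improve the user experience", never meant for the public page
    device_id: str
    ip: str


# Constructed sample row standing in for what apirule3 reads from the database.
COMMENTS = {2: Comment(2, "bob", "Nice portal!", "Lahore, PK", "dev-7f3a", "10.0.0.5")}

# The documented response contract for the public comments widget.
PUBLIC_FIELDS = ("id", "username", "comment")


def comment_v(comment_id: int):
    """Vulnerable (comment_v): a generic whole-record dump, leaving filtering to the front end."""
    row = COMMENTS.get(comment_id)
    return asdict(row) if row else None


def comment_s(comment_id: int):
    """Fixed (comment_s): an explicit allowlist; anything not named here never leaves the server."""
    row = COMMENTS.get(comment_id)
    if row is None:
        return None
    return {field: getattr(row, field) for field in PUBLIC_FIELDS}


def leaked_fields(response: dict, allowed=PUBLIC_FIELDS) -> list:
    """Test helper: keys an endpoint returns beyond its contract (empty means no leak)."""
    return sorted(set(response) - set(allowed))
```

Running leaked_fields over every endpoint's response in the test suite turns the manual "review the response" step into a regression check that fails the build the moment a new column leaks.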

Question 1: What is the device ID value for post-ID 2?

Question 2: What is the username value for post-ID 3?

hacker#!

Question 3: Should we use network-level devices for controlling excessive data exposure instead of managing it through APIs (programmatically) — (yea/nay)?

nay

Task 6 Vulnerability IV — Lack of Resources & Rate Limiting

Practical Example

  • Continue to use the Chrome browser and Talend API Tester for debugging in the VM.
  • The company MHT purchased an email marketing plan (20K emails per month) for sending marketing emails, password recovery emails, etc. Bob realised that he had successfully developed a login API, but there must also be a “Forgot Password” option that can be used to recover an account.
  • He started building an endpoint /apirule4/sendOTP_v that will send a 4-digit numeric code to the user's email address. An authenticated user will use that One Time Password (OTP) to recover the account.
  • What is the issue here? Bob has not enabled any rate limiting in the endpoint. A malicious actor can write a small script and brute force the endpoint, sending many emails in a few seconds and using the company’s recently purchased email marketing plan (financial loss).
  • Finally, Bob came up with an intelligent solution (/apirule4/sendOTP_s) and enabled rate limiting such that the user has to wait 2 minutes to request an OTP token again.
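The 2-minute cooldown on sendOTP_s, as an added example rather than the room's code: the limiter is keyed per email address, the clock is injectable so the behaviour can be tested without waiting, and the status codes and messages are my choices, not the answers to the questions below.

```python
import time

COOLDOWN_SECONDS = 120  # the 2-minute wait the room's sendOTP_s enforces


class OtpRateLimiter:
    """Per-address cooldown. 'clock' is injectable so tests need not sleep for two minutes."""

    def __init__(self, cooldown: int = COOLDOWN_SECONDS, clock=time.monotonic):
        self.cooldown = cooldown
        self.clock = clock
        self.last_sent: dict[str, float] = {}

    def allow(self, email: str):
        # Normalise so 'HR@mht.com ' and 'hr@mht.com' share one bucket.
        key = email.strip().lower()
        now = self.clock()
        last = self.last_sent.get(key)
        if last is not None and now - last < self.cooldown:
            return False, int(self.cooldown - (now - last))
        self.last_sent[key] = now
        return True, 0


def send_otp_v(email: str, mailer) -> tuple:
    """Vulnerable (sendOTP_v): every call sends an email, so a loop burns the 20K-email plan."""
    mailer(email)
    return 200, {"msg": "OTP sent"}


def send_otp_s(limiter: OtpRateLimiter, email: str, mailer) -> tuple:
    """Fixed (sendOTP_s): refuse repeat requests inside the cooldown before touching the mailer."""
    ok, retry_after = limiter.allow(email)
    if not ok:
        return 429, {"msg": f"OTP already sent, retry in {retry_after} seconds"}
    mailer(email)
    return 200, {"msg": "OTP sent"}
```

A per-address cooldown caps the damage to one email per victim per two minutes; a second bucket keyed on the client IP is the usual companion so that cycling through many addresses is throttled too.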

Question 1: Can rate limiting be carried out at the network level through firewalls etc. (yea/nay)?

yea

Question 2: What is the HTTP response code when you send a POST request to /apirule4/sendOTP_s using the email address hr@mht.com?

Question 3: What is the “msg key” value after an HTTP POST request to /apirule4/sendOTP_s using the email address sale@mht.com?

Task 7 Vulnerability V — Broken Function Level Authorisation

Practical Example

  • Continue to use the Chrome browser and Talend API Tester for debugging in the VM.
  • Bob has been assigned another task: to develop an admin dashboard for company executives so that they can view all employees' data and perform specific tasks.
  • Bob developed an endpoint /apirule5/users_v to fetch the data of all employees from the database. To add protection, he added another layer of security by requiring a special header isAdmin in each request. The API only fetches employee information from the database if isAdmin=1 and the Authorization-Token are correct. The authorisation token for HR user Alice is YWxpY2U6dGVzdCFAISM6Nzg5Nzg=.
  • We can see that Alice is a non-admin user (HR) but can see all employees' data by sending custom requests to the endpoint with isAdmin set to 1.
  • The issue can be resolved programmatically by implementing correct authorization rules and checking the functional roles of each user in the database during the query. Bob implemented another endpoint /apirule5/users_s that validates each user's role and only shows employees' data if the role is Admin.
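The same server-side lookup fixes both Task 3's object-level check on /user/{id} and this task's function-level check on /users: the caller's identity and role come from a session record tied to the token, never from a client-supplied header. Added example, not the room's code; the SESSIONS and EMPLOYEES tables and the token strings are made-up sample data, and unknown tokens get 403 to match the room's description.

```python
# Constructed server-side session store (token -> identity). Tokens and users are sample
# values for this example, not the room's.
SESSIONS = {
    "tok-alice": {"user_id": 2, "username": "alice", "role": "hr"},
    "tok-admin": {"user_id": 1, "username": "admin", "role": "admin"},
}

EMPLOYEES = {
    1: {"id": 1, "username": "admin", "mobile": "+00-000-0001"},
    2: {"id": 2, "username": "alice", "mobile": "+00-000-0002"},
    3: {"id": 3, "username": "bob", "mobile": "+00-000-0003"},
}


def caller(headers: dict):
    """Resolve the Authorization-Token header to a session record, or None."""
    return SESSIONS.get(headers.get("Authorization-Token"))


def users_v(headers: dict):
    """Vulnerable (users_v): a valid token plus a client-chosen isAdmin=1 header unlocks everything."""
    if caller(headers) is not None and headers.get("isAdmin") == "1":
        return 200, list(EMPLOYEES.values())
    return 403, {"msg": "forbidden"}


def users_s(headers: dict):
    """Fixed (users_s): the role is read from the session, so the isAdmin header is ignored."""
    who = caller(headers)
    if who is None or who["role"] != "admin":
        return 403, {"msg": "forbidden"}
    return 200, list(EMPLOYEES.values())


def user_s(headers: dict, user_id: int):
    """Task 3's /user/{id}: beyond a valid token, the caller must own the record or be an admin."""
    who = caller(headers)
    if who is None:
        return 403, {"msg": "forbidden"}  # the room reports 403 for invalid tokens
    if who["role"] != "admin" and who["user_id"] != user_id:
        return 403, {"msg": "forbidden"}  # object-level check: not your record
    record = EMPLOYEES.get(user_id)
    return (200, record) if record else (404, {"msg": "not found"})
```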

Question 1: What is the mobile number for the username Alice? Answer below!

Question 2: Is it a good practice to send the isAdmin value through hidden fields in form requests (yea/nay)?

nay!

Question 3: What is the address flag of username admin?

isAdmin=1

Authorization-Token = YWxpY2U6dGVzdCFAISM6Nzg5Nzg=

When you put in the header information above, you will find the answers below!

That’s all for this room. In this room, we have studied the basic API development principles for Authorisation and Authentication and how excessive data exposure can lead to a complete account takeover.

Hope you enjoyed it! Happy learning :)
