How to Mitigate OWASP API Security Top 10 Vulnerabilities in Layer7 API Gateway: Broken Function Level Authorization

Article By: Eunice Mushawatu

The OWASP API Security project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. The Top Ten security threats are:
1. Broken Object Level Authorization
2. Broken Authentication
3. Excessive Data Exposure
4. Lack of resources and Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfigurations
8. Injection
9. Improper Asset Management
10. Insufficient logging and monitoring

According to the OWASP API Security project, a broken function level authorization vulnerability occurs when an API relies on the client to use user-level or admin-level APIs as appropriate, and attackers figure out ways to find hidden admin API methods and invoke them directly. In this article we discuss the Broken Function Level Authorization threat and how to use the Layer7 API Gateway to address it.

Use Case

Some administrative functions are exposed as APIs, and a non-privileged user figures out ways to manipulate the path, verbs or parameters to gain access to administrative functions. For example, a user has access to the endpoint /api/users/v1/all and from its structure deduces the admin-only endpoint /api/admins/v1/all.

Solution

The only way to mitigate this threat is to implement function-level authorization checks. Using the Layer7 API Gateway, these checks can be implemented in policy and need not be included in the application code.
1. Make sure that for each exposed endpoint only the methods needed are enabled. For example, if users of the endpoint /api/users/v1 only need the HTTP method GET, then requests using the method POST should be blocked at the API gateway level.
Configure the following:
– Right-click the service or API.
– Select ‘Service Properties’.
– Click the HTTP/FTP tab.
– Then uncheck the ‘Allowed HTTP Methods’ that are not expected or will not be in use for the service.

2. Once authenticated, requests should be checked against an established access control list to see what privileges can be granted to the requestor. An authenticated user’s request should be blocked at this stage if the correct permissions cannot be granted. In the Layer7 API Gateway this can be achieved by authenticating and authorizing users against the Symantec Siteminder policy server.
[See the Integrating API gateway with Siteminder article]

3. Last but not least is proper auditing. It is imperative that administrative transactions are properly audited so that vulnerabilities and flaws can be found. Access control is an ongoing process that requires continuous review and improvement. Effective audit records include the subject ID, to easily identify the requestor, as well as the resource requested. This can be implemented at the API gateway level by using the Add Audit Details assertion and referencing Siteminder attributes to collect user identification information.
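The three steps above, modelled in plain Python as an added example (this is not the article's own content and not Layer7 policy; it is a gateway-style check written for illustration). The endpoint table, the role-to-path ACL and the subjects are constructed sample data standing in for what the service properties and the Siteminder policy server would supply; the paths reuse the use case from the article. The check enforces the per-endpoint method whitelist first, then consults the ACL for the authenticated subject, and finally writes an audit entry that carries the subject ID and the requested resource regardless of the outcome.

```python
"""Gateway-style function-level authorization check (added example).

Mirrors the three policy steps from the article:
  1. per-endpoint allowed HTTP methods,
  2. an access control list consulted after authentication,
  3. an audit record carrying the subject ID and requested resource.
All endpoints, roles and subjects below are constructed sample data.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Set

# Step 1: per-endpoint allowed methods (constructed sample config).
# A method not listed here is rejected before routing, the equivalent
# of unchecking it under 'Allowed HTTP Methods' on the service.
ALLOWED_METHODS: Dict[str, Set[str]] = {
    "/api/users/v1/all": {"GET"},
    "/api/admins/v1/all": {"GET"},
    "/api/admins/v1/users": {"GET", "POST", "DELETE"},
}

# Step 2: access control list, role -> path patterns the role may call.
# Stands in for the answer a policy server such as Siteminder would give.
ACL: Dict[str, List[str]] = {
    "user": ["/api/users/v1/*"],
    "admin": ["/api/users/v1/*", "/api/admins/v1/*"],
}

# Constructed subjects; in a real deployment the role comes from the
# authentication step, not from a static dictionary.
SUBJECTS: Dict[str, Dict[str, str]] = {
    "alice": {"role": "user"},
    "root-admin": {"role": "admin"},
}


@dataclass
class Decision:
    allowed: bool
    status: int   # HTTP status the gateway would return
    reason: str


@dataclass
class AuditLog:
    entries: List[Dict[str, str]] = field(default_factory=list)

    def record(self, subject: str, method: str, path: str, decision: Decision) -> None:
        # Step 3: every decision is audited with who asked for what,
        # so reviewers can tie a denied or allowed call to a subject.
        self.entries.append({
            "subject": subject, "method": method, "resource": path,
            "allowed": str(decision.allowed), "reason": decision.reason,
        })


def authorize(subject: str, method: str, path: str, audit: AuditLog) -> Decision:
    """Apply the method whitelist, then the ACL, then audit the outcome."""
    methods = ALLOWED_METHODS.get(path)
    if methods is None:
        decision = Decision(False, 404, "unknown endpoint")
    elif method not in methods:
        decision = Decision(False, 405, f"{method} not enabled for {path}")
    else:
        subj = SUBJECTS.get(subject)
        if subj is None:
            decision = Decision(False, 401, "unauthenticated subject")
        elif any(fnmatch(path, p) for p in ACL.get(subj["role"], [])):
            decision = Decision(True, 200, "permitted by ACL")
        else:
            decision = Decision(False, 403, f"role {subj['role']} lacks access to {path}")
    audit.record(subject, method, path, decision)
    return decision


def run_sample() -> List[Decision]:
    """Replay a handful of constructed requests and print the audit trail."""
    audit = AuditLog()
    requests = [
        ("alice", "GET", "/api/users/v1/all"),       # ordinary user access
        ("alice", "GET", "/api/admins/v1/all"),      # the deduced admin path
        ("alice", "POST", "/api/users/v1/all"),      # method not enabled
        ("root-admin", "GET", "/api/admins/v1/all"),
        ("mallory", "GET", "/api/users/v1/all"),     # never authenticated
    ]
    results = [authorize(s, m, p, audit) for s, m, p in requests]
    for entry in audit.entries:
        print(entry)
    return results


if __name__ == "__main__":
    run_sample()
```

Running the module prints one audit line per request; the second line shows the denied call to /api/admins/v1/all attributed to alice, which is exactly the record an auditor needs when reviewing attempts to reach administrative functions.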

Summary of Broken Function Level Authorization Protection

Authorization checks for a function or resource are usually managed via configuration, and sometimes at the code level. Implementing proper checks can be a mammoth task considering the many types of roles, groups and complex user hierarchies. The Layer7 API Gateway provides a central and flexible platform to build out these complex access controls via policy, be it role based, rule based, leveraging Siteminder, and/or other authorization protocols such as OAuth.

Looking for additional help with mitigating security vulnerabilities and security breaches? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including the Broadcom API gateway, advanced authorization, and more. Take your interoperability to the next level, and contact an ISX consultant today.
