Article By: Eunice Mushawatu
The OWASP API Security project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. The 2019 edition of its API Security Top Ten lists:
- Broken Object Level Authorization
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources and Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Injection
- Improper Assets Management
- Insufficient Logging and Monitoring
According to the OWASP API Security project, excessive data exposure typically results from developers exposing all object properties without considering their individual sensitivity, relying on the client to filter the data before displaying it to the user. An attacker who calls the API directly simply skips the client and receives everything the backend returns. Below are some ways the Layer7 API Gateway can be used to mitigate the risk posed by this vulnerability.
Use the Layer7 API Gateway as an Abstraction Layer to Your APIs
The first and perhaps most important remediation for excessive data exposure is to front your APIs with an API gateway. In a proper implementation the Layer7 API Gateway is the single point of entry for all the APIs in an organization. That only holds if the backends are not reachable except through the gateway: network controls, or mutual authentication between gateway and backend, must close the path around it, otherwise every filter described below can be bypassed by calling the backend directly.
Do Not Rely on the Client to Filter Data
One of the OWASP recommendations is to never rely on the client to filter data. With the Layer7 API Gateway as the single point of entry for all API traffic, developers can build APIs for maximum functionality and leave the data filtering to the gateway. That filtering should be an allow-list of the properties each consumer may receive, not a deny-list of known-sensitive ones: a deny-list silently exposes every property the backend adds later.
Adapt API Responses to Match Client Needs
The Layer7 API Gateway gives us the ability to alter an API's behaviour without altering its code. Many APIs are built to expose a certain functionality, but different clients have different needs. If clients called the API directly, they would all get the same generic response, which may contain far more data than they need, data an attacker can take advantage of. With the Layer7 API Gateway, policy can be written to process the API response, filtering and reshaping it so that each client receives only what it needs.
Define Schemas That Will Govern All the API Responses
The description of a response is known as the response schema. It defines every element the response may contain: each property that can be returned, what it holds, the data type and format of its values, and the overall structure. Using schema validation on the Layer7 API Gateway means the responses sent to clients are predefined, and anything not in the schema (an extra property, a value of the wrong type) is identified before it leaves the gateway. For this to catch over-exposure the schema must disallow additional properties; a schema that only describes known fields and tolerates unknown ones passes them straight through.
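The two gateway policy steps described above, client-specific response filtering and response-schema enforcement, as one added Python example. This is illustrative code written for this page, not Layer7 policy and not code from the original article (Layer7 policies are authored as gateway assertions; the Python only shows what such a policy does). The client ids, field names, backend payload and schemas are all constructed for the example; it goes slightly beyond the text by keeping one allow-list and one schema per client and failing closed when either check fails.

```python
"""Gateway-side response projection and response-schema enforcement.
Added illustration, not Layer7 policy or code from the original article (Layer7
policies are authored as gateway assertions; this plain Python only shows what such
a policy does). Client ids, field names, payload and schemas are all constructed."""

# Constructed backend response: a "return every column" user object.
BACKEND_RESPONSE = {
    "id": 1042,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "$2b$12$notarealhashjustfiller",
    "ssn": "123-45-6789",
    "address": {"street": "1 Main St", "city": "Springfield", "geo": {"lat": 1.0, "lng": 2.0}},
    "orders": [{"id": 9, "total": 12.5, "internal_margin": 0.4}],
}

# Per-client allow-lists (hypothetical client ids): True keeps a scalar, a dict
# descends into an object (or into each element of a list of objects).
CLIENT_VIEWS = {
    "mobile-app": {"id": True, "username": True, "address": {"city": True}},
    "order-service": {"id": True, "orders": {"id": True, "total": True}},
}

# Response schemas (a small JSON-Schema subset) for what each client may receive.
# additionalProperties=False is what turns "unexpected property" into a violation.
RESPONSE_SCHEMAS = {
    "mobile-app": {
        "type": "object", "additionalProperties": False,
        "properties": {
            "id": {"type": "integer"}, "username": {"type": "string"},
            "address": {"type": "object", "additionalProperties": False,
                        "properties": {"city": {"type": "string"}}},
        },
    },
    "order-service": {
        "type": "object", "additionalProperties": False,
        "properties": {"id": {"type": "integer"}, "orders": {"type": "array", "items": {
            "type": "object", "additionalProperties": False,
            "properties": {"id": {"type": "integer"}, "total": {"type": "number"}}}}},
    },
}

_DROP = object()  # sentinel: nothing of this value survives projection

def project(value, rule):
    """Apply an allow-list rule to a value; returns _DROP when nothing is kept."""
    if rule is True:
        # True keeps scalars only, so a one-line rule can never pass a whole sub-document.
        return _DROP if isinstance(value, (dict, list)) else value
    if isinstance(value, list):
        kept = [project(item, rule) for item in value]
        return [item for item in kept if item is not _DROP]
    if isinstance(value, dict):
        out = {}
        for key, sub_rule in rule.items():
            if key in value:
                kept = project(value[key], sub_rule)
                if kept is not _DROP:
                    out[key] = kept
        return out
    return _DROP  # an object rule applied to a scalar keeps nothing

_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool, "null": type(None)}

def _type_ok(value, expected):
    # bool is a subclass of int in Python, so integer/number must exclude it explicitly.
    if expected in ("integer", "number"):
        allowed = (int, float) if expected == "number" else int
        return isinstance(value, allowed) and not isinstance(value, bool)
    return isinstance(value, _TYPES[expected])

def validate(value, schema, path="$"):
    """Return a list of violations; an empty list means the value matches the schema."""
    expected = schema.get("type")
    if expected is not None and not _type_ok(value, expected):
        return [f"{path}: expected {expected}, got {type(value).__name__}"]
    problems = []
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for name, item in value.items():
            if name in props:
                problems += validate(item, props[name], f"{path}.{name}")
            elif schema.get("additionalProperties", True) is False:
                problems.append(f"{path}.{name}: unexpected property")
    elif isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            problems += validate(item, schema["items"], f"{path}[{i}]")
    return problems

def build_client_response(client_id, backend_response):
    """The policy in order: project for the client, then enforce the schema. Returns (status, body)."""
    view = CLIENT_VIEWS.get(client_id)
    if view is None:  # unknown client: expose nothing
        return 403, {"error": "no response view defined for this client"}
    body = project(backend_response, view)
    problems = validate(body, RESPONSE_SCHEMAS[client_id])
    if problems:  # fail closed: a body that breaks the published contract is never forwarded
        return 502, {"error": "upstream response rejected by gateway policy", "violations": problems}
    return 200, body
```

Two design points carry the security argument. The allow-list rule `True` refuses nested objects and lists, so a policy author cannot pass a whole sub-document through with a one-word rule; every nested property has to be named. The schema check runs on the already-filtered body as a second line of defence, and because `additionalProperties` is false it also catches type drift (a backend that starts returning `id` as a string is rejected with a 502 rather than forwarded).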
Carefully Manage Error Responses
Error responses often get far less attention than successful (2xx) responses. The goal is to give just enough information to describe the problem, and possibly a solution, without handing implementation details (stack traces, SQL fragments, internal hostnames, framework versions) to potential attackers. In practice this means using the Layer7 API Gateway to parse the backend API's error response and sanitize it before returning it to the client, logging the original gateway-side under a correlation ID that the client can quote when it asks for help.
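The error-sanitization step as an added Python example. It is illustrative code for this page, not Layer7 policy and not code from the original article; the backend error body, the allow-listed fields, the leak patterns and the generic message are all constructed for the example.

```python
"""Gateway-side sanitization of backend error responses.
Added illustration, not Layer7 policy or code from the original article; it shows
in plain Python the decision an error-handling policy makes. The backend error
body, allow-listed fields and leak patterns are constructed for the example."""
import json
import re
import uuid

# Constructed: the kind of error a framework emits by default on a failed query.
RAW_BACKEND_ERROR = {
    "status": 500,
    "body": json.dumps({
        "message": "SQLSTATE[42S22]: Column not found: 1054 Unknown column 'ssn' in 'field list'",
        "query": "SELECT id, ssn FROM users WHERE id = 1042",
        "stack": ["UserRepo.find (/srv/app/repo/user.js:88)", "Router.handle (/srv/app/router.js:31)"],
        "host": "db-primary-01.internal",
    }),
}

# Only these fields of a 4xx backend error may reach the client (allow-list).
CLIENT_SAFE_FIELDS = ("message", "code")

# Signs that a "message" is really an implementation detail.
LEAK_PATTERNS = [re.compile(p, re.I) for p in (
    r"sqlstate", r"\bselect\b.+\bfrom\b", r"stack ?trace", r"exception",
    r"/(srv|var|home|opt)/", r"[a-z]:\\", r"\.internal\b",
)]
GENERIC_MESSAGE = "request could not be processed"

def sanitize_error(status, body_text, correlation_id=None):
    """Map a backend error to (client_status, client_body, audit_record).

    The audit record keeps the full original so the gateway can log it under the
    correlation id; the client only ever receives the id."""
    correlation_id = correlation_id or str(uuid.uuid4())
    try:
        raw = json.loads(body_text)
        if not isinstance(raw, dict):
            raw = {"message": str(raw)}
    except (TypeError, ValueError):
        raw = {"message": body_text}  # HTML or plain-text error pages
    audit = {"correlation_id": correlation_id, "backend_status": status, "backend_body": raw}

    if status >= 500:
        # Server-side failures carry no detail at all; the status code is kept so
        # clients can still tell 503 (retry later) from 500.
        return status, {"error": "internal error", "correlation_id": correlation_id}, audit

    client_body = {k: raw[k] for k in CLIENT_SAFE_FIELDS if k in raw}
    message = str(client_body.get("message", ""))
    if not message or any(p.search(message) for p in LEAK_PATTERNS):
        client_body["message"] = GENERIC_MESSAGE
    client_body["correlation_id"] = correlation_id
    return status, client_body, audit
```

The split between 4xx and 5xx is deliberate: a 4xx message is usually written for the caller and is worth forwarding after an allow-list and a leak check, while a 5xx body is almost always a framework's default dump and is replaced wholesale. The correlation id is the only thing both paths always return, which is what support staff need to find the full record in the gateway's own logs.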
Summary of Excessive Data Exposure Protection
By introducing the API gateway as the only bridge to the APIs, your organization gains the ability to filter and sanitize data before it reaches the client. When this filtering is done properly through policy on the API gateway, we control what the client sees and reduce the risk of exposing more data than necessary.
Looking for additional help with mitigating security vulnerabilities? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including the Broadcom API gateway and more. Take your interoperability to the next level, and contact an ISX consultant today.