Article By: Eunice Mushawatu
The OWASP API Security project focuses on strategies and solutions for understanding and mitigating the vulnerabilities and security risks that are specific to APIs. Its Top Ten security threats are:
1. Broken Object Level Authorization
2. Broken Authentication
3. Excessive Data Exposure
4. Lack of Resources and Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
8. Injection
9. Improper Asset Management
10. Insufficient Logging and Monitoring
According to the OWASP API Security project, APIs often do not restrict the size or number of resources that a client or user can request. This can exhaust the API server's resources, leading to Denial of Service (DoS), and it also removes a safeguard against authentication attacks such as brute-force password guessing. Below are some common exploits, followed by how the Layer7 API gateway can be used to mitigate the risk posed by this vulnerability.
– Attackers send oversized requests that exceed what the API can process.
– Attackers send a massive file compressed into a small archive that overloads the system when it is decompressed (a zip bomb or decompression bomb).
– Attackers send more requests than the API server can handle.
– Attackers congest the API by sending requests at a rate that exceeds the API's processing speed.
Define Proper Rate Limiting and Throttling
The Layer7 API gateway lets you enforce a limit on the number of transactions per second that pass through a policy. Drag and drop the 'Apply Rate Limit' assertion into the API policy, then double-click the assertion to specify the limit details.
You have the option to apply the limit per:
– Client IP address.
– Authenticated user, or per operation being performed.
The Layer7 API gateway also lets you decide how requests are handled once the limit has been exceeded. The right choice depends on the type of API, the client and the service it provides, but the two options are throttling and shaping. Throttling rejects excess requests, so the client receives an error and the service is effectively unavailable to it until its rate is back within the limit. Shaping instead delays excess requests so that they are passed through at the permitted rate: the client sees added latency rather than errors, and the service never becomes completely unavailable.
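The following is an added example, not Layer7's Apply Rate Limit assertion or any product code: a per-client token-bucket limiter that reproduces the two "limit exceeded" behaviours described above, keyed by client IP, authenticated user or operation. The request dictionary layout, the key selection rules and the injected clock are assumptions made for illustration.

```python
"""Per-client rate limiting with 'throttle' and 'shape' handling modes.

Added example, not Layer7's Apply Rate Limit assertion or any product code:
a token-bucket limiter that reproduces the two behaviours described above.
The request dictionary layout, the key selection rules and the injected
clock are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
import time


def client_key(request: dict, limit_by: str = "ip") -> str:
    """Pick the bucket key: client IP, authenticated user, or operation
    (method + path). Falls back to the IP when no user is present."""
    if limit_by == "user" and request.get("user"):
        return "user:" + request["user"]
    if limit_by == "operation":
        return "op:" + request["method"] + " " + request["path"]
    return "ip:" + request["client_ip"]


@dataclass
class _Bucket:
    tokens: float   # may go negative in shape mode (work already queued)
    last: float     # clock reading at the last refill


@dataclass
class RateLimiter:
    """Token bucket allowing `rate` requests/second with bursts up to `burst`.

    mode="throttle": a request over the limit is rejected immediately.
    mode="shape":    a request over the limit is accepted but must wait
                     `delay` seconds, so the client sees latency, not errors.
    """
    rate: float
    burst: int
    mode: str = "throttle"
    clock: Optional[Callable[[], float]] = None      # injectable for tests
    _buckets: Dict[str, _Bucket] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.mode not in ("throttle", "shape"):
            raise ValueError("mode must be 'throttle' or 'shape'")
        if self.clock is None:
            self.clock = time.monotonic

    def check(self, key: str) -> Tuple[bool, float]:
        """Return (allowed, delay_seconds) for one request under `key`."""
        now = self.clock()
        b = self._buckets.get(key)
        if b is None:
            b = self._buckets[key] = _Bucket(tokens=float(self.burst), last=now)
        # Refill for the elapsed time, never beyond the burst capacity.
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True, 0.0
        if self.mode == "throttle":
            return False, 0.0            # caller answers e.g. HTTP 429
        # Shape: take the token on credit and report when it will exist.
        wait = (1.0 - b.tokens) / self.rate
        b.tokens -= 1.0
        return True, wait


class FakeClock:
    """Deterministic clock so the demo is reproducible."""
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Four back-to-back requests from one IP against a 2 req/s, burst-3 limit."""
    clock = FakeClock()
    throttle = RateLimiter(rate=2.0, burst=3, mode="throttle", clock=clock)
    req = {"client_ip": "203.0.113.7", "method": "GET", "path": "/orders"}  # constructed
    key = client_key(req, "ip")
    results = [throttle.check(key)[0] for _ in range(4)]   # [True, True, True, False]
    clock.advance(0.5)                                       # half a second later: one token refilled
    after_wait = throttle.check(key)[0]                      # True

    shape = RateLimiter(rate=2.0, burst=1, mode="shape", clock=clock)
    delays = [shape.check(key)[1] for _ in range(3)]         # [0.0, 0.5, 1.0]
    return {"throttle": results, "after_wait": after_wait, "shape_delays": delays}


if __name__ == "__main__":
    print(demo())
```

In throttle mode the fourth request is refused outright; in shape mode every request is admitted but the limiter reports how long the caller must hold it so the backend still sees at most the configured rate. Keying the bucket by authenticated user rather than IP stops a single credential from being hammered from many addresses, which is what the brute-force case above calls for.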
Limit Payload Sizes
The Limit Message Size assertion can be used to check the size of a request and reject requests that are too large for a specific API. This makes it harder for resource-exhausting DoS attacks to succeed.
The Limit Message Size assertion can also be applied to the response. Attackers may manipulate limit values (such as a page-size parameter) on an API to make it return much larger responses, which consume service memory and can in turn make the service unavailable to other requests.
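The following is an added example, not Layer7's Limit Message Size assertion or any product code: a message filter that rejects oversized bodies before the backend sees them and decompresses gzip or deflate bodies under a hard output cap, which is what defeats the decompression-bomb case listed above. Limits, header layout and sample payloads are constructed for illustration.

```python
"""Request and response payload limits, including compressed bodies.

Added example, not Layer7's Limit Message Size assertion or any product
code. Limits, header layout and sample payloads are constructed for
illustration.
"""
import gzip
import zlib
from typing import Iterable


class MessageTooLarge(Exception):
    """Raised when a request or response exceeds the configured limit."""


def check_declared_length(headers: dict, max_bytes: int) -> None:
    """Fast reject on Content-Length. It is only a hint from the peer, so the
    streaming check below is still required; this just fails early."""
    cl = headers.get("content-length")
    if cl is None:
        return
    try:
        n = int(cl)
    except ValueError:
        raise MessageTooLarge("malformed Content-Length: %r" % cl)
    if n < 0 or n > max_bytes:
        raise MessageTooLarge("declared body of %d bytes exceeds %d" % (n, max_bytes))


def read_body(chunks: Iterable[bytes], max_bytes: int) -> bytes:
    """Buffer a streamed body, aborting the moment the cap is crossed rather
    than after the whole payload has been pulled into memory."""
    buf = bytearray()
    for chunk in chunks:
        buf += chunk
        if len(buf) > max_bytes:
            raise MessageTooLarge("body exceeds %d bytes" % max_bytes)
    return bytes(buf)


def inflate_capped(data: bytes, max_out: int, encoding: str = "gzip") -> bytes:
    """Decompress with a bound on the *output* size.

    zlib's max_length caps how much each decompress() call may emit and parks
    the rest in unconsumed_tail. Asking for at most one byte beyond the cap
    detects a bomb without ever allocating its full expansion.
    """
    if encoding == "gzip":
        wbits = 16 + zlib.MAX_WBITS          # gzip framing only
    elif encoding == "deflate":
        wbits = zlib.MAX_WBITS               # HTTP "deflate" is zlib-wrapped (RFC 1950)
    else:
        raise ValueError("unsupported Content-Encoding: " + encoding)
    d = zlib.decompressobj(wbits)
    out = bytearray()
    pending = data
    while pending and not d.eof:
        room = max_out - len(out) + 1        # always >= 1; 0 would mean "unlimited"
        out += d.decompress(pending, room)
        if len(out) > max_out:
            raise MessageTooLarge("decompressed body exceeds %d bytes" % max_out)
        pending = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated compressed body")
    return bytes(out)


def filter_message(headers: dict, chunks: Iterable[bytes], max_bytes: int) -> bytes:
    """Apply the checks in gateway order; works for requests and responses."""
    h = {k.lower(): v for k, v in headers.items()}
    check_declared_length(h, max_bytes)
    raw = read_body(chunks, max_bytes)
    enc = h.get("content-encoding")
    return inflate_capped(raw, max_bytes, enc.strip().lower()) if enc else raw


def make_bomb(expanded_size: int) -> bytes:
    """Constructed attacker payload: a run of zeros compresses about 1000:1."""
    return gzip.compress(b"\0" * expanded_size)


def demo() -> dict:
    limit = 1_000_000                                     # 1 MB cap for this API
    body = b'{"items": []}' * 100                         # constructed honest payload
    ok = filter_message({"Content-Encoding": "gzip"}, [gzip.compress(body)], limit)
    bomb = make_bomb(10 * limit)                          # ~10 KB on the wire, 10 MB inflated
    try:
        filter_message({"Content-Encoding": "gzip", "Content-Length": str(len(bomb))}, [bomb], limit)
        bomb_rejected = False
    except MessageTooLarge:
        bomb_rejected = True
    try:
        read_body([b"x" * 600_000, b"x" * 600_000], limit)
        oversized_rejected = False
    except MessageTooLarge:
        oversized_rejected = True
    return {"roundtrip_ok": ok == body, "wire_bytes": len(bomb),
            "bomb_rejected": bomb_rejected, "oversized_rejected": oversized_rejected}


if __name__ == "__main__":
    print(demo())
```

The bomb passes both the Content-Length check and the raw-body check because it is small on the wire; only the capped inflation catches it, which is why a size limit that is enforced before decompression is not enough on its own. The same filter applied to the backend's response bounds what a manipulated page-size parameter can make the service return.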
Summary of Lack of Resources and Rate Limiting Protection
Lack of resources and rate limiting is only one of the OWASP API Security Top 10 threats. Placing the Layer7 API Gateway as the central access point for all microservices in your organization is essential for mitigating this and the other API security threats. Assertions in policy let your organization add threat protection in front of an API without changing backend code. Look out for the other articles in this series, where we discuss measures to mitigate the remaining threats in the OWASP API Security Top 10.
Looking for additional help with mitigating security vulnerabilities and security breaches? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including the CA API gateway and more. Take your interoperability to the next level, and contact an ISX consultant today.