Professional Documents
Culture Documents
API Security Top 10 RC PDF
API Security Top 10 RC PDF
API Security Top 10 RC PDF
TM
GLOBAL APPSEC DC
Founders and Sponsors
Traditional Get
Application
HTML
API Get
Modern
Application
Raw
A1 - Object Level
Bob
Users
A5 – Function Level
Configuration or Bob
Inon
Code Sub
user
Sub
user
#1 #2
• Sub users
• Users with
Decentralized different roles
Complex
Mechanism Hierarchies
• The name "IDOR" hints that the object reference (ID) should be
indirect (e.g.: a salted hash map)
• What would happen if you asked your developers to implement “Indirect”
mechanism in every place that receives ID?
• Why it is so common?
• REST Standard & API economy encourage developers to implement APIs in a
generic way
• Use of generic functions as "to_json" from the Model / ORM, without
thinking about who's the consumer
GET v1/users/profiles/717
• Found by Alex
Lomas, Pen
Test Partners
• http://socialnetwork.com/api/v1/users?limit=999999999
Legit
Admin
API
Regular
API
API
Public Layer
API
Malicious
Regular user
{“username”:”Inon”, ”pass”:”123456”}
POST /api/users/new
Might contain sensitive params that the user should not have access to
• Weak encryption
• Unnecessary exposed HTTP methods
• No CSRF protection
• Detailed errors
• Improper CORS
Bad Things
• NoSQL injection are a thing, but are usually not as common / severe
beta-api.xxx.com
/v2/download_transactions_as_pdf
/v2/transfer_money /v0/legacy_b2b/export_all_users
API Gateway
payments-api.xxx.com
Client
payment-api.xxx.com
mobile-api.xxx.com
Mailing List
https://groups.google.co
m/a/owasp.org/d/forum/
api-security-project
https://github.com/OWASP/API-Security
QUESTIONS?
TM
GLOBAL APPSEC DC
OWASP, Open Web Application Security Project, Global AppSec and AppSec Days are Trademarks of the OWASP Foundation, Inc.