We live in an app and API economy. According to a report from Akamai, 83 percent of all web traffic today is API traffic. Though API usage has grown exponentially, adoption of security practices to protect APIs lags.
APIs face a unique set of security risks and challenges that go beyond a traditional web application. For example, attackers can gain access to an account by either brute force or stolen credentials. And because APIs, by design, enable automation, they can be prone to automated attacks, especially by attackers using stolen credentials obtained through a third-party breach.
Another area of concern? Broken authorization. Attackers can leverage broken authorization flaws in APIs to obtain sensitive user information after a successful legitimate login. Rate limiting, in combination with stronger authentication and authorization policies for APIs, can help mitigate such automated attacks.
To help security admins address these unique security risks, the Open Web Application Security Project (OWASP) recently began publishing the top threats facing APIs — the OWASP API Security Top 10. In this blog post, we’ll look at each of the Top 10 threats and how Citrix ADC can help to protect your APIs.
API1:2019 Broken Object Level Authorization
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface for object level access control issues. Object level authorization checks should be performed in every function that accesses a data source using input from the user.
How Citrix ADC can help:
- The AAA feature supports authentication, authorization, and auditing for all API traffic, including support for authentication protocols widely used by APIs such as JWT-based authentication.
- While authentication policies can be used to verify identity, authorization policies within the AAA module of an ADC appliance, such as audience, scope, and claims-based authorization, enable you to verify whether a specified request has the necessary permissions to access a resource.
API2:2019 Broken User Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users’ identities temporarily or permanently. This can compromise a system’s ability to identify the client/user and the overall API security posture.
How Citrix ADC can help:
- Citrix ADC provides token-protection features such as JWT token validation and introspection. Token validation ensures the presence of a valid JWT in the Authorization header and only allows access if the token contains the required information.
- Token introspection involves defining the mechanism for API endpoints and resources to obtain information about a token while ensuring the validity of the token and the associated scope claims and user information.
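To make the API1 and API2 controls above concrete, here is an added example (not Citrix ADC code or configuration) of a JWT bearer-token check that enforces algorithm, signature, expiry, audience and scope, followed by an object-level ownership check on the requested record. The signing key, audience name, scope string and order records are all constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (not real keys or data). In production the verification
# key would come from the identity provider's JWKS or a secret store.
SECRET = b"demo-signing-key"
API_AUDIENCE = "orders-api"
ORDERS = {"1001": {"owner": "alice", "total": 42.0},
          "1002": {"owner": "bob", "total": 17.5}}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims):
    """Mint an HS256 JWT; stands in for the identity provider in this demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_token(auth_header, now, required_scope):
    """API2 control: Bearer JWT with agreed algorithm, valid signature, unexpired,
    issued for this API's audience, and carrying the required scope."""
    parts = auth_header[7:].split(".") if auth_header.startswith("Bearer ") else []
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse "none" and any algorithm we did not agree on
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, AttributeError):  # bad base64, bad JSON, or non-object header
        return None
    if claims.get("exp", 0) <= now or claims.get("aud") != API_AUDIENCE:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims

def get_order(auth_header, order_id, now=None):
    """GET /orders/{id}: authenticate, then the API1 object-level check that the
    token subject owns the record. Returns (status, body)."""
    now = time.time() if now is None else now
    claims = validate_token(auth_header, now, "orders:read")
    if claims is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != claims.get("sub"):
        return 404, None  # same answer for missing and foreign objects
    return 200, order
```

Returning 404 for both a missing record and another user's record keeps the endpoint from confirming which identifiers exist.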
API3:2019 Excessive Data Exposure
Aiming for generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user.
How Citrix ADC can help:
- Citrix ADC can set limits on request and response sizes, which prevents large volumes of data from being transmitted and blocks excessive data exposure.
- A rules-based responder policy can be configured to trigger on requests that match large amounts of data.
- The Citrix Analytics module for APIs uses machine learning to provide insights: it automatically analyzes traffic and alerts when requests are made for excessive amounts of data that deviate from the normal API traffic baseline.
API4:2019 Lack of Resources and Rate Limiting
Frequently, APIs impose no restrictions on the size or number of resources that can be requested by the client/user. This can have an impact on API server performance, leading to denial of service (DoS), and leaves the door open to attacks such as brute force.
How Citrix ADC can help:
- Citrix ADC has a wide range of options to throttle and rate limit API traffic by defining a maximum load. The rate limiting feature enables you to configure the rate of traffic and limit any excessive or malicious traffic to ensure the availability of resources. You can also apply rate limiting policies based on a custom HTTP header.
- Admins can use responder policies to rate limit traffic.
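As an added illustration of the rate limiting described above (example code, not Citrix ADC configuration), the limiter below keys a sliding window on a custom API-key header, falling back to the client IP when the header is absent, and reports how long a throttled caller should wait. The header name, limits and addresses are constructed for the demo.

```python
from collections import deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_seconds` for each client key."""

    def __init__(self, limit, window_seconds, key_header="X-API-Key"):
        self.limit = limit
        self.window = window_seconds
        self.key_header = key_header.lower()
        self._hits = {}  # client key -> timestamps of accepted requests in window

    def key_for(self, headers, client_ip):
        # Keying on the API key keeps callers behind a shared NAT from being
        # throttled together. The key must already have been authenticated
        # upstream, otherwise a caller could evade the limit by rotating values.
        lowered = {k.lower(): v for k, v in headers.items()}
        if self.key_header in lowered:
            return "key:" + lowered[self.key_header]
        return "ip:" + client_ip

    def check(self, headers, client_ip, now):
        """Return (allowed, retry_after_seconds) for a request arriving at `now`."""
        hits = self._hits.setdefault(self.key_for(headers, client_ip), deque())
        while hits and hits[0] <= now - self.window:
            hits.popleft()  # drop hits that have aged out of the window
        if len(hits) >= self.limit:
            # Oldest hit still in the window decides when capacity frees up.
            return False, hits[0] + self.window - now
        hits.append(now)  # rejected requests are not recorded, bounding memory
        return True, 0
```

The `retry_after_seconds` value maps directly onto a `Retry-After` response header so well-behaved clients back off instead of retrying immediately.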
API5:2019 Broken Function Level Authorization
Complex access control policies with different hierarchies, groups, and roles, as well as an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
How Citrix ADC can help:
- Citrix ADC incorporates security features such as authentication, authorization, and auditing that block unauthorized access to resources. The authentication feature verifies credentials and allows valid users. Authorization verifies whether an entity is allowed access to a requested resource.
- Authentication profiles save configuration information such as host, the domain, and authentication level so that these settings can be used multiple times.
- Authorization policies can be associated with each of the users through a specific individual policy or a group policy that specifies the resource to which access must be authorized through an advanced rule-based expression.
API6:2019 Mass Assignment
Binding client-provided data (e.g., JSON) to data models without sufficient property filtering based on a permit list usually leads to mass assignment. Guessing an object’s properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads allows attackers to modify object properties they aren’t supposed to.
How Citrix ADC can help:
- Citrix Web App Firewall (WAF) policies such as field format protection and form field consistency can prevent mass assignment attacks. Field format protection applies a regular expression-based rule to restrict any input parameter supplied by the user.
- Form field consistency validates each form submitted by the user against the form that was served to that user’s session, to ensure the validity of each field in the form.
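The permit-list idea behind both API3 (excessive data exposure) and API6 (mass assignment) can be shown in application code. This added example, which is not Citrix code, binds only permit-listed fields on input, checks each against a format rule in the spirit of a regex-based field format check, and serializes only permit-listed properties on output; the model, field names and patterns are constructed.

```python
import re
from dataclasses import dataclass, replace

@dataclass
class User:
    id: int
    email: str
    display_name: str
    password_hash: str
    is_admin: bool = False

# Permit list of client-writable fields, each paired with a format rule. Anything
# not listed (is_admin, password_hash, id) is rejected regardless of what the
# client sends or what the model happens to contain.
WRITABLE = {
    "email": re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}"),
    "display_name": re.compile(r"[\w .'-]{1,40}"),
}
# Permit list of properties the API may return about a user.
PUBLIC_FIELDS = ("id", "display_name")

def update_user_unsafe(user, payload):
    """The mass-assignment bug: every client-supplied key is bound to the model,
    so a payload containing {"is_admin": true} escalates privileges."""
    return replace(user, **payload)

def update_user(user, payload):
    """Hardened update: permit-listed fields only, each validated against its format."""
    unexpected = sorted(set(payload) - set(WRITABLE))
    if unexpected:
        raise ValueError(f"not writable via this endpoint: {unexpected}")
    for field, value in payload.items():
        if not isinstance(value, str) or not WRITABLE[field].fullmatch(value):
            raise ValueError(f"bad format for {field}")
    return replace(user, **payload)

def to_public_json(user):
    """API3 control: serialize an explicit permit list, never the whole object."""
    return {name: getattr(user, name) for name in PUBLIC_FIELDS}
```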
API7:2019 Security Misconfiguration
Security misconfiguration is a common result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive cross-origin resource sharing (CORS), and verbose error messages containing sensitive information.
How Citrix ADC can help:
- Citrix ADC enables you to generate an app firewall configuration report that includes detailed information and lists policies that are active, as well as the content of the policy, the action (or profile) it is associated with, and global binding information.
- Application firewall reporting includes profiles and indicates the policy each profile is associated with.
- The application firewall supports Cenzic, IBM AppScan (Enterprise and Standard), Qualys, TrendMicro, WhiteHat, and custom vulnerability scan reports.
- Reports from scanning tools are converted to ADC signatures to automate WAF configuration and minimize misconfiguration errors.
- Citrix ADC protects against abusive (DoS) CORS requests by validating them against a list of authorized cross-origin domains before forwarding them to the application server. Citrix ADC also adds an authorization header for CORS protocol compliance.
API8:2019 Injection
Injection flaws such as SQL, NoSQL, and command injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
How Citrix ADC can help:
- Citrix WAF profiles can be configured to protect API instances and endpoints.
- The SQL injection prevention feature protects against common injection attacks. Custom injection patterns can be uploaded to protect against any type of injection attack including XPath and LDAP. This is applicable to both HTML and XML payloads.
- Signatures are automatically updated to ensure protection against recent threats.
- Buffer overflow checks ensure that the URL, headers, and cookies stay within the configured limits, blocking attempts to inject large scripts or code.
API9:2019 Improper Assets Management
APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. A proper inventory of hosts and deployed API versions also plays an important role in mitigating issues such as deprecated API versions and exposed endpoints.
How Citrix ADC can help:
- APIs that have been onboarded through API specification files can be maintained and updated in a seamless manner. An inventory of the deployed APIs is maintained and traffic management and security policies can be applied to the deployed APIs in a consistent manner.
API10:2019 Insufficient Logging and Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, enables attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, and extract or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, and they’re typically detected by external parties rather than internal processes or monitoring.
How Citrix ADC can help:
- Citrix ADC provides support for rich logging (CEF, Syslog, export to Splunk, Kibana, Prometheus/Grafana) and supports monitoring of events such as authentication successes and failures, as well as anomaly detection.
- When logging is enabled for signatures, the logs provide detailed information on the requests and responses that triggered the events.
- Citrix ADC identifies locations of the IP addresses from which malicious requests originate.
- Default format (PI) expressions give you the flexibility to customize the information included in the logs, with the option to add specific data to capture in the log messages the application firewall generates.
If you would like to learn more about how Citrix can help manage and protect your APIs, please reach out to your account team to schedule a demo. If you are an existing Citrix Application Delivery Management service customer and would like to enable API Gateway features on your instance, please reach out to the Citrix Application Security Product Management team at appsec-pm@citrix.com.