BLOG

How to Protect your APIs from Broken Authentication and Unrestricted Resource Consumption

In a follow-up to our recent blogpost which explored the OWASP API Authorization risks, this week we share highlights of our webinar which featured Philippe De Ryck and Isabelle Mauny talking about the Authentication challenges encountered when protecting your APIs

They explored just how potentially dangerous the combination of the two OWASP API Top 10 categories of Broken Authentication and Unrestricted Resource Consumption can be when an API endpoint is compromised and no rate limiting is implemented.

The Broken Authentication risk relates to poorly implemented API authentication which enables attackers access to or to assume other users’ identities to attack endpoints. Unrestricted Resource Consumption relates to where the API is not protected against an excessive amount of calls or payload sizes. Philippe highlighted how dangerous it can be when broken authentication is combined with a brute force attack on the forgot password functionality to enable unrestricted resource consumption. He cited the example of the smart weighing scale app vulnerability where no rate limiting restrictions were applied to the forgot password functionality which would allow attackers to effectively brute-force the six-digit code reset feature using a tool such as Burp Suite. 

In essence, this was a straightforward attack which could be compounded ten-fold with an account enumeration vulnerability where the endpoint discloses whether an account exists or not. Now an attacker could probe the API using lists of email addresses to determine which addresses had been registered, conduct an account takeover and easily access potentially vast amounts of sensitive personal data. Such an enumeration vulnerability amplifies the risk and it is not a trivial matter to perform rate limiting when endpoints are unauthenticated as part of the attack e.g. when a user forgets their password, they are not authenticated.

Scale API Endpoint Protection to Counter Brute Force Attacks

Isabelle then demonstrated how with the 42Crunch API security platform companies are able to scale the enforcement of rate-limiting policies across authorization and authentication API endpoints wherever they may reside. Rate limiting is enforced within the firewall, not the API itself. This policy is implemented in the IDE (VS Code example in the diagram  below) and deployed in the CI/CD pipeline (Azure DevOps example in the diagram below) to scale. 

42Crunch API security testing and protection architecture example with VS Code and Azure DevOps

42Crunch enforces rate limiting on every single request hitting the API

Avoid JWT Pitfalls – Only Accept What You Expect

Next up was the combination of Broken Authentication with Security Misconfiguration. Security misconfiguration not only exposes sensitive user data but also system details that can lead to full server compromise. JSON Web Tokens or JWTs are identified as being in widespread usage to implement custom security mechanisms, but that they also lie at the heart of numerous API security failures, in particular features such as authentication and authorization. 

Philippe quoted the example of the Apache Pulsar bug which permitted account takeovers due to a JWT vulnerability, namely the signature of the token was not validated if the algorithm of the presented token was set to “none”. This is known as the alg:none problem and was well documented at the time.  

The IETF best current practices’ memo for JWT (Request for Comments RFC: 8725) recommends that companies should adopt an approach to using JWT and this includes favoring that the tokens are signed by a specified cryptographic algorithm. 


Ensure that you also specify the cryptographic algorithm to sign the token

Isabelle then demonstrated how 42Crunch enables a proactive approach to enforcing API security policies that prevents the combination of Broken Authentication and Security Misconfiguration at design time and enforce these policies at runtime. By enabling development and security teams to adopt a positive security model approach, 42Crunch’s platform specifies exactly what is expected and acceptable by the API at runtime and ensures that any requests outside of these parameters are automatically rejected. For example, it will ensure that a specific cryptographic algorithm should be used to sign the token and in accordance with any particular libraries that are being used to create the JWT in a specific programming language.

More comprehensive details on JWT can be found in our original blogpost on “7 Ways to avoid JWT Security Pitfalls.”

Full webinar recording here: https://42crunch.com/webinar-top-things-you-need-to-know-about-api-security/

Latest Resources

WEBINAR

Mitigate OWASP API risks through security-by-design

Learn best practices and mitigation steps for some of the OWASP API vulnerabilities through this 42Crunch API security best practice webinar

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protection as attacks on automotive APIs climb within and among vehicle, cloud and mobile  DALLAS and TOKYO, May 29, 2024—VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch  to enhance the security of application programming […]

DataSheet

APIs are the core building block of every enterprise’s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developers’ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

WEBINAR

Mitigate OWASP API risks through security-by-design

Learn best practices and mitigation steps for some of the OWASP API vulnerabilities through this 42Crunch API security best practice webinar

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protection as attacks on automotive APIs climb within and among vehicle, cloud and mobile  DALLAS and TOKYO, May 29, 2024—VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch  to enhance the security of application programming […]

DataSheet

Datasheet Cover Images P1-02

Product Datasheet Addressing API Security Challenges

APIs are the core building block of every enterprise’s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developers’ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

Ready to Learn More?

Developer-first solution for delivering API security as code.