Mitigating OWASP API Security risks using BIG-IP
The introduction article covered the summary of OWASP API Security TOP 10 categories. As part of this article, we will focus on how we can protect our applications against some of these vulnerabilities using F5 BIG-IP Advanced Web Application Firewall (AdvancedWAF).
Excessive Data Exposure:
Problem Statement:
As shown below in one of the demo application API’s, Personally Identifiable Information (PII) data like Credit Card Numbers (CCN) and Social Security Numbers (SSN) are available which are highly sensitive and so we must hide these details to prevent personal data exploits.
Fig 1: API exposing social security numbers
Solution:
By configuring DataGuard related WAF settings in BIG-IP as below, we are able to mask these numbers thereby preventing data breaches. If needed, we can update settings to block this vulnerability after which all incoming requests for this endpoint will be blocked.
Fig 2: Image showing WAF policy masking configurationFig 3: Image showing data guard configurationFig 4: Image showing credit card numbers masked
Injection:
Problem Statement:
Customer login pages without secure coding practices may have flaws and intruders will use them to exploit credential validation using different types of injections like SQLi, Command Injections, etc. In our demo application, attackers were able to bypass validation using SQLi (Username as “' OR true --” and any password) thereby getting administrative access as below:
Fig 5: Image showing SQL exploit
Solution:
By configuring AdvancedWAF settings in BIG-IP and by enabling appropriate violation blocking settings, we are able to identify and block these types of known injection attacks as below.
Fig 6: Image showing WAF configurationFig 7: Image showing SQL Injection attack blocked
Improper Assets Management:
Problem Statement:
In our demo application, attackers have identified deprecated endpoints with a path starting with “/v1” which are currently not being maintained but are still available. Using these undocumented endpoints, attackers can get access to unwanted data causing loss of sensitive app information.
Fig 8: Image showing deprecated endpoint still available
Solution:
To avoid this specific use case, we have come up with OpenAPI or Swagger files for the demo application, uploaded them to BIG-IP and have configured AdvancedWAF to allow only these known URL’s. If attackers try to access deprecated URL’s which are not available in OpenAPI files, the requests will be blocked.
Fig 9: Image showing OpenAPI file
Fig 10: Image showing access to deprecated endpoint blocked
Insufficient Logging & Monitoring:
Problem Statement:
Appropriate logging and monitoring solutions play a pivotal role in identifying attacks and also in finding the root cause for any security issues. Without these solutions, applications are fully exposed to attackers and are completely blind in identifying details of users and resources being accessed.
Solution:
BIG-IP provides many dashboards like Statistics, Dos Visibility, Analytics, OWASP, etc for end-to-end visibility of every request being accessed and users have the ability to filter requests as per their requirements. By default, system provides different types of logging profiles and users can also create custom logging profiles. They can attach them to Load Balancers to track these data flows. BIG-IP also supports a reporting service to generate the timely reports as needed by users.
Fig 11: Image showing logging profiles
Fig 12: Image showing OWASP dashboard
Fig 13: Image showing performance statistics
Fig 14: Image showing traffic statistics
Fig 15: Image showing application events
Conclusion:
As demonstrated above, F5 BIG-IP AdvancedWAF can be used as a mitigation solution to prevent different OWASP security attacks against our modern applications running API’s.
Stay tuned for more OWASP videos. For getting started, check below links:
