Welcome to the 12th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. In this series we are taking an in-depth look at each category – the details, the impact and what you can do about it. To see previous posts you might have missed, click here.
This post will put a spotlight on Injection, which used to be its own category (OWASP API8:2019) but has now been subsumed into OWASP API10:2023 (Unsafe Consumption of APIs).
API injections involve malicious data or code being inserted into an API, posing risks like unauthorized access and data breaches. Our data show injections constitute the largest single API risk group, so we recommend you treat them as a critical part of your API security program.
An API injection attack, often referred to as Injection, is a type of security vulnerability that occurs when an attacker is able to manipulate or inject malicious code into an API request. This malicious code is typically designed to exploit the API’s processing mechanism and execute unintended actions on the server. However, the most recent OWASP Top-10 2021 moved client-side injections (aka Cross-Site Scripting or XSS) into the Injection class (A03:2021). So, it seems that since 2021 injections are officially not a server-side threat anymore.
While we’ve counted more than 50 injection-related CWEs in our vulnerability data, the most common API injection attacks we saw in our most recent API ThreatStats™report included:
Note the first two – XSS and SQLi – accounted for over 40% of all injection-related CVEs analyzed in Q2-2023, or over 12.5% of all vulnerabilities examined. And even if we ignore XSS, server-side injections remain the most dangerous threat for APIs (based on Risk X Likelihood analysis), as discussed in our 2022 Year-End API ThreatStats™ Report.
By the way, Injection Attacks are also no. 1 in our ChatGPT generated API Security Top-10, based on analysis of the most complete set of API security bulletins, bug bounty reports, CVEs, and exploits data gathered over the past 25 years.
API injection attacks can have severe consequences on the targeted application, potentially leading to data breaches, data manipulation, unauthorized access, and even system compromise. The impact varies depending on the type of injection attack and the specific vulnerabilities present, but it can result in:
The press is rife with examples of API Injection attacks, including the recent MOVEit vulnerabilities which have impacted 2000+ organizations and 62M+ people so far, or the infamous Log4j vulnerability reported in late-2021 which is still plaguing some organizations.
To prevent API injection attacks and protect your application, you should follow security best practices, including:
By following these best practices and keeping your APIs secure, you can significantly reduce the risk of API injection attacks and protect your application and data from potential threats.
Wallarm provides automatic detection and blocking of Injection vulnerabilities, including XSS, RCE, SQLi / NoSQLi, CRFLi, LDAPi, SSTi, SSI, Email Injection, XXE and more. Our monitoring nodes actively watch API traffic for these threats, while our vulnerability assessments identify weaknesses in your APIs and endpoints that could be exploited. This proactive approach helps safeguard your business-critical applications and minimizes security risks.
Come back next week as we wrap up this weekly series of posts on the new 2023 OWASP Top-10 API Security Risks list – or click here to see previous posts you might have missed.
In the meantime, here are some other resources which might help on your journey to end-to-end API security:
Wallarm End-to-End API Security solution provides comprehensive protection against the OWASP API Security Top-10 threats. And in 2023, we’ve made it even easier for you!
The Wallarm 2023 OWASP API Security Top-10 Dashboard provides you with complete visibility into the security state of your APIs, easy identification of your most critical security risks, and ability to immediately apply protective measures.
If you are interested in learning more about how we can help you protect your APIs, please schedule a demo with one of our security experts today!
The post 2023 OWASP Top-10 Series: Spotlight on Injection appeared first on Wallarm.
*** This is a Security Bloggers Network syndicated blog from Wallarm authored by wlrmblog. Read the original post at: https://lab.wallarm.com/spotlight-on-injection/