Using DAST to Tackle the OWASP Top 10

Posted in Security. Matt Tanner, December 14, 2023

As engineers, we find ourselves in a digital world where the security of our APIs is not just a priority but a necessity. With the widespread adoption of “everything-as-an-API,” APIs are no longer just facilitators of communication between various systems — they are now critical components of our architectures that demand robust security measures. The Open Web Application Security Project (OWASP) Top 10 API Security Risks stands as a beacon, guiding developers towards building more secure APIs. Essentially, it’s a checklist, a warning, and a roadmap all rolled into one, highlighting the most critical security risks we face as API developers. We must understand these risks, as they directly impact the integrity and success of our APIs, and we must also know how to keep them out of our code.

As part of the toolkit for securing our APIs, Dynamic Application Security Testing (DAST) is an essential piece of secure API development. But DAST isn’t just another tool — it’s part of a more extensive methodology that aligns well with the agile, fast-paced environment we work in. As a critical component of the “shift left” security movement, it lets developers identify and mitigate vulnerabilities in real time, while the code is still being written.

This post examines the OWASP Top 10 API Security Risks and how we, as developers, should consider them in our everyday coding practices. We will explore how DAST can be critical in responding to and preemptively addressing these top security risks.

What Are the OWASP Top 10 API Security Risks?

For API developers, understanding the OWASP Top 10 is necessary to ensure the security of APIs as they move from design to implementation and finally out into production. Let’s take a quick look at each of the risks below.

- Broken Object Level Authorization: This vulnerability arises when an API fails to check that the caller is actually allowed to access the object it names, typically through an ID supplied in the request.
Consequences include unauthorized access to data, leading to data breaches and privacy violations.
- Broken Authentication: Flaws in authentication mechanisms can let attackers steal authentication tokens or impersonate other users, compromising the security of the API and the systems behind it. This vulnerability can lead to unauthorized access and data theft.
- Broken Object Property Level Authorization: Inadequate authorization checks at the property level of an object can result in unauthorized information disclosure or alteration, posing risks to data integrity and confidentiality.
- Unrestricted Resource Consumption: Poor resource management in APIs can be exploited to cause service disruptions (Denial of Service) or to incur high operational costs through resource overuse.
- Broken Function Level Authorization: Inadequate access controls on individual API functions can allow unauthorized users to reach or manipulate restricted functionality, leading to data leaks or unauthorized actions.
- Unrestricted Access to Sensitive Business Flows: Exposing business processes without proper safeguards can lead to their abuse in automated attacks, potentially causing financial losses or business disruption.
- Server Side Request Forgery (SSRF): This vulnerability allows attackers to trick the API into making unexpected requests, potentially breaching network security boundaries and accessing or manipulating internal systems.
- Security Misconfiguration: Inadequate security settings in APIs and their environments, such as a misconfigured CORS policy or missing TLS, can open the door to various attacks, resulting in data breaches, unauthorized access, or service disruptions.
- Improper Inventory Management: Failure to properly document and manage API endpoints can lead to the continued use of outdated or insecure API versions and the exposure of sensitive debug information.
- Unsafe Consumption of APIs: Trusting data from third-party APIs without rigorous security checks can make an API vulnerable to indirect attacks, potentially compromising the data and functionality of the API.

As API developers, the OWASP Top 10 are the vulnerabilities we should be aware of and actively work to mitigate. This list should act as a guide to help us prioritize our security efforts and understand where our APIs might be most vulnerable. Knowing these risks is the first step in defending against them — being able to detect and remedy them proactively is the next step.

What is DAST?

Dynamic Application Security Testing (DAST) is an indispensable tool in the modern API engineer’s toolkit. DAST is a “black-box” testing method that evaluates an application in its running state. Because the application is actually running, DAST can simulate real-world attack scenarios, which makes it particularly well suited to automated API testing. DAST identifies vulnerabilities by interacting with the application, sending varied inputs, and observing outputs and behaviors, thus revealing security flaws that are only evident during active use.

Central to its usefulness, DAST automates testing for a broad spectrum of common vulnerabilities, including those listed in the OWASP Top 10. Among the most noteworthy are SQL Injection and Cross-Site Scripting (XSS). These tools are adept at pinpointing critical security threats that could compromise APIs.

Integrating DAST into the software development lifecycle is straightforward, especially within DevOps frameworks and continuous integration/continuous deployment (CI/CD) pipelines. By embedding this testing method directly into the SDLC, developers get a consistent and ongoing security assessment process that executes automatically.

Beyond vulnerability detection, DAST tools also offer comprehensive reports and actionable insights. This feedback arrives in real time and is crucial for the API developers writing the code.
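To make that black-box loop concrete (send requests, observe responses, report what was found), here is a minimal DAST-style probe written as an added example for this post; it is not code from the author or from any DAST product. It runs against a constructed in-process toy API (everything about it is invented here: the toy_api function, the TOKENS and ORDERS tables, and the /orders/{id} and /admin/users paths) that deliberately carries three of the weaknesses listed above: object-level authorization, function-level authorization, and a CORS misconfiguration. The probes only use the API’s observable behaviour, exactly as a real DAST run would, and the hypothetical http_transport helper shows how the same probes would talk to a real endpoint over HTTP.

```python
"""Minimal DAST-style probes for a JSON API, demonstrated against a constructed
toy API that answers in-process (no network needed).  Added example code, not
from the article's author or any DAST vendor."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass

# --- Constructed target: a toy JSON API with two users who each own one order.
# --- It is deliberately built with three of the OWASP API weaknesses so the probes
# --- have something to find.  Tokens, users and orders are all made up here.
TOKENS = {"token-alice": "alice", "token-bob": "bob"}
ORDERS = {1: {"owner": "alice", "total": 42}, 2: {"owner": "bob", "total": 7}}


def toy_api(method, path, headers):
    """Mimic a server: return (status, response headers, body bytes)."""
    auth = headers.get("Authorization", "")
    user = TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
    resp_headers = {  # weakness 3: wildcard origin combined with credentials
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
    }
    if path.startswith("/orders/"):
        oid = path.rsplit("/", 1)[1]
        order = ORDERS.get(int(oid)) if oid.isdigit() else None
        if order is None:
            return 404, resp_headers, b"{}"
        if user is None:
            return 401, resp_headers, b"{}"
        # weakness 1: the token is validated but ownership is never checked (BOLA)
        return 200, resp_headers, json.dumps(order).encode()
    if path == "/admin/users":
        # weakness 2: an admin function reachable with no token at all
        return 200, resp_headers, json.dumps(sorted(TOKENS.values())).encode()
    return 404, resp_headers, b"{}"


# --- The scanner: each probe sends requests, reads the response, and returns a
# --- Finding only when the observed behaviour is evidence of the weakness.
@dataclass
class Finding:
    risk: str       # OWASP API Top 10 entry the probe maps to
    request: str    # what was sent
    evidence: str   # what came back


def _send(send, method, path, headers):
    """Normalise header names so probes work with any transport."""
    status, hdrs, body = send(method, path, headers)
    return status, {k.lower(): v for k, v in hdrs.items()}, body


def probe_bola(send, token, foreign_object_path):
    """Fetch an object owned by someone else using our own valid token.
    A 200 only counts if the endpoint really does require credentials."""
    anon_status, _, _ = _send(send, "GET", foreign_object_path, {})
    if anon_status not in (401, 403):
        return None  # public endpoint, so object-level authorization is not in play
    status, _, body = _send(send, "GET", foreign_object_path,
                            {"Authorization": "Bearer " + token})
    if status == 200:
        return Finding("Broken Object Level Authorization",
                       f"GET {foreign_object_path} with another user's token",
                       f"HTTP 200, body {body[:60]!r}")
    return None


def probe_function_auth(send, privileged_path):
    """Call a privileged function with no credentials at all."""
    status, _, _ = _send(send, "GET", privileged_path, {})
    if status == 200:
        return Finding("Broken Function Level Authorization",
                       f"GET {privileged_path} unauthenticated", f"HTTP {status}")
    return None


def probe_cors(send, path):
    """Send a foreign Origin and inspect the CORS headers that come back."""
    _, hdrs, _ = _send(send, "GET", path, {"Origin": "https://other.example"})
    if (hdrs.get("access-control-allow-origin") == "*"
            and hdrs.get("access-control-allow-credentials", "").lower() == "true"):
        return Finding("Security Misconfiguration",
                       f"GET {path} with Origin: https://other.example",
                       "Access-Control-Allow-Origin: * together with "
                       "Access-Control-Allow-Credentials: true")
    return None


def scan(send, token, foreign_object_path, privileged_path):
    """Run every probe and keep only those that produced evidence."""
    results = [probe_bola(send, token, foreign_object_path),
               probe_function_auth(send, privileged_path),
               probe_cors(send, foreign_object_path)]
    return [f for f in results if f is not None]


def report(findings):
    """The kind of actionable output a DAST run hands back to the developer."""
    lines = [f"{len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"- {f.risk}\n    request:  {f.request}\n    evidence: {f.evidence}")
    return "\n".join(lines)


def http_transport(base_url):
    """Hypothetical transport for a real deployment: same (status, headers, body)
    contract as toy_api, but over HTTP with the standard library."""
    def send(method, path, headers):
        req = urllib.request.Request(base_url + path, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), err.read()
    return send


if __name__ == "__main__":
    # Scan the toy API as bob; order 1 belongs to alice, so bob should never see it.
    print(report(scan(toy_api, "token-bob", "/orders/1", "/admin/users")))
```

Two design points worth noting. The BOLA probe first confirms that the endpoint rejects anonymous requests; without that baseline a 200 could simply mean the resource is public, and a scanner that skipped the check would generate false positives. And every probe is written against a transport callable rather than a URL, so the identical logic runs in a unit test (as here) and, by swapping in http_transport, against a staging deployment in a CI pipeline.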
The output from the tests gives developers the information they need to address identified security issues effectively. The insights from DAST reports guide immediate remediation efforts and also help in formulating long-term strategies to strengthen the security of a company’s APIs.

How Does DAST Combat the OWASP Top 10?

Dynamic Application Security Testing (DAST) is a crucial tool for identifying vulnerabilities in our code. Thanks to its automated nature, identifying and mitigating the vulnerabilities outlined in the OWASP Top 10, especially those affecting API development, becomes much more manageable. Although DAST tools don’t directly help mitigate every vulnerability on the list, they are useful for most of them. Let’s explore how DAST addresses each of the top API security risks outlined by OWASP.

- Broken Object Level Authorization: DAST simulates unauthorized requests to endpoints, checking for weaknesses in object-level authorization. It helps identify whether proper access controls are implemented, so that users can only access the data they are authorized to see.
- Broken Authentication: DAST tests authentication processes, identifying flaws that could let an attacker capture authentication tokens or assume another user’s identity. It checks for weak spots in token handling and session management.
- Broken Object Property Level Authorization: By evaluating how APIs manage data at the object property level, DAST can spot unauthorized data exposure or manipulation, confirming that strict authorization checks are in place.
- Unrestricted Resource Consumption: DAST can simulate high-load scenarios to test an API’s ability to handle resource stress, identifying potential weaknesses that could lead to Denial of Service (DoS) or inefficient resource usage.
- Broken Function Level Authorization: DAST uncovers flaws in access control policies by attempting to reach different API functions, confirming that users can’t call functions beyond their permissions.
- Unrestricted Access to Sensitive Business Flows: DAST evaluates how APIs manage and protect business processes, detecting weaknesses that could be exploited through automation, and thereby helps safeguard sensitive business flows.
- Server Side Request Forgery (SSRF): DAST scrutinizes how APIs handle user-supplied URIs for fetching remote resources, identifying SSRF vulnerabilities that could lead to unauthorized network access.
- Security Misconfiguration: Through exhaustive testing, DAST identifies misconfigurations in APIs and their supporting infrastructure, a critical step in preventing attacks that stem from such oversights.
- Improper Inventory Management: While DAST primarily focuses on runtime testing, its findings can significantly aid inventory management by revealing undocumented or outdated API endpoints.
- Unsafe Consumption of APIs: DAST evaluates the security measures in place when an API interacts with third-party data, highlighting weaknesses and helping ensure robust defenses against indirect attacks through integrated services.

As we can see, DAST platforms are a dynamic and essential tool in the API engineer’s toolkit. This is especially true when dealing with APIs and the prevalent threats highlighted by the OWASP Top 10. DAST provides a practical, real-world testing approach, allowing engineers to identify and remedy vulnerabilities within their APIs before they reach production. As we continue to evolve and refine our security practices, DAST is a must-have for every company creating and publishing APIs.

Conclusion

To conclude, using Dynamic Application Security Testing (DAST) is an indispensable strategy for API engineers.
It offers a proactive approach to tackling the vulnerabilities highlighted in the OWASP Top 10 before they get the chance to reach production. It’s not just about identifying security weaknesses — DAST equips us with the means to understand and rectify these issues in real time, by testing and giving developers reports on where their API security is flawed. With its automation and real-time feedback, DAST aligns naturally with the agile nature of modern API development.