As per Rapid’s 4th annual State of APIs Report, 70% of developers indicate they will increase API usage this year, while 63% note that they utilized APIs more in 2022 than they did the previous year. With growing API adoption, there has been a corresponding increase in vulnerabilities found in production APIs.
APIs have become a popular target for attackers. Designing and building secure APIs by following security best practices is critical to protecting your customer data and applications. This article highlights common mistakes seen in API services.
Improper Authorization and access control
While developers rarely omit authentication, the same is not true of authorization and access control. Authorization checks are often either missing entirely or implemented incorrectly: the API verifies who the caller is, but never verifies that the caller is allowed to act on the specific object being requested.
Example: An adversary analyzing browser requests on an online library management website observes that an HTTP request includes a header X-Borrower-ID set to 73851. On tampering with the X-Borrower-ID value to 73852 in the request, the adversary receives a 200 OK response and can view and modify another library user's data. The server trusted a client-supplied identifier to select the object instead of deriving the caller's identity from the authenticated session and checking ownership; this is the pattern OWASP lists as Broken Object Level Authorization (API1 in the OWASP API Security Top 10).
Recommendations:
Before performing any action, determine whether the authenticated user owns (or is otherwise permitted to act on) the specific object targeted by that action. Derive the user's identity from the verified session or token, never from a client-controlled header, query parameter, or body field.
Implement authorization checks that take the following aspects into consideration:
- access control at....
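The following is an added example, not code from the original article, that models the library scenario above in plain Python: one handler reproduces the mistake (the object is selected by the client-supplied X-Borrower-ID header after authentication succeeds), and a second pair of handlers derives identity from the bearer token, takes the object id from the route, and runs an explicit object-level authorization check before reading or writing. The session tokens, borrower ids, records, the librarian role and the policy in `authorize()` are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample state (not real data) ---------------------------------
# Bearer token -> authenticated principal id.
SESSIONS = {"sess-alice": 73851, "sess-bob": 73852, "sess-staff": 1000}
# Principal id -> role. 1000 is a librarian; the others are ordinary borrowers.
ROLES = {73851: "borrower", 73852: "borrower", 1000: "librarian"}
# Borrower id -> record: the resource the endpoint exposes.
BORROWERS = {
    73851: {"name": "Alice", "loans": ["978-0-13-468599-1"]},
    73852: {"name": "Bob", "loans": ["978-1-59327-290-9"]},
}


@dataclass
class Request:
    headers: dict              # HTTP headers as sent by the client
    path_id: int               # borrower id from the URL, e.g. /borrowers/73851
    body: Optional[dict] = None


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(req: Request) -> Optional[int]:
    """Resolve the bearer token to a principal id; None means not logged in."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def vulnerable_get_borrower(req: Request) -> Response:
    """The pattern from the example: the caller is authenticated, but the object
    is chosen by a client-controlled header with no check that it belongs to
    the caller."""
    if authenticate(req) is None:
        return Response(401)
    target = int(req.headers["X-Borrower-ID"])   # attacker picks any id here
    record = BORROWERS.get(target)
    return Response(200, record) if record else Response(404)


def authorize(caller_id: int, action: str, borrower_id: int) -> bool:
    """Object-level policy (constructed for the example): a borrower may read
    and update only their own record; a librarian may read any record but may
    not update it."""
    if ROLES.get(caller_id) == "librarian":
        return action == "read"
    return caller_id == borrower_id


def secure_get_borrower(req: Request) -> Response:
    caller = authenticate(req)
    if caller is None:
        return Response(401)
    # Identity comes from the verified session, the object id from the route,
    # and the two are checked against each other before any data is touched.
    if not authorize(caller, "read", req.path_id):
        return Response(404)   # indistinguishable from "not found" so ids cannot be enumerated
    record = BORROWERS.get(req.path_id)
    return Response(200, record) if record else Response(404)


def secure_update_borrower(req: Request) -> Response:
    caller = authenticate(req)
    if caller is None:
        return Response(401)
    if not authorize(caller, "update", req.path_id) or req.path_id not in BORROWERS:
        return Response(404)
    BORROWERS[req.path_id]["loans"] = list((req.body or {}).get("loans", []))
    return Response(200, BORROWERS[req.path_id])


def replay_attack() -> dict:
    """Bob (73852) tries to read Alice's (73851) record through both handlers."""
    bob = {"Authorization": "Bearer sess-bob", "X-Borrower-ID": "73851"}
    return {
        "vulnerable": vulnerable_get_borrower(Request(bob, path_id=73851)).status,
        "secure": secure_get_borrower(Request(bob, path_id=73851)).status,
    }


if __name__ == "__main__":
    print(replay_attack())   # {'vulnerable': 200, 'secure': 404}
```

Two design choices worth noting: the secure handlers ignore X-Borrower-ID entirely, because any identity the client can set is not an identity; and a failed authorization returns the same 404 as a missing record, so an attacker iterating ids learns nothing about which ones exist. Whether to prefer 403 over 404 is a product decision, but the check itself must run on every object-touching request, not only on the ones you expect to be sensitive.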