OWASP Top 10 API Security Assessment #23

nandhued · 2024-10-18T03:38:25Z

Part of #9

nandhued · 2024-10-18T03:38:33Z

Doc WIP

PrimalPimmy · 2024-10-21T02:59:28Z

PrimalPimmy · 2024-10-22T03:08:09Z

Action items for analysis:

Checkout other api security projects like Akto and Astra and see their logic for API testing.
Check how the sentryflow logs can be used to detect attacks

PrimalPimmy · 2024-10-28T18:29:29Z

Broken Object Level Authorization
- Check the authorization/JWT header token and see if the user is accessing another user's resources.
Broken Authentication
- Check JWT's alg header, if this is empty, the token is not valid.
Broken Object Property Level Authorization
- Could check if the IP where this request originates from is outside the enviroment.
Unrestricted Resource Consumption
- Rate limit detection through observability API. Check the timestamp and number of events.
Broken Function Level Authorization
- This usually means someone accessing a privileged endpoint. How would be check what's a privileged endpoint and what's not?
Unrestricted Access to Sensitive Business Flows
- N/A
Server Side Request Forgery
- Check for client-supplied input data sanitization. Not too tough to check for sanitization. This could also work for XSS and SQLi
Security Misconfiguration
- Internal error revealing internal code. Not something we can check everywhere.
Improper Inventory Management
- Old APIs get exploited if not depricated by newer APIs. Can't check for this using sentryflow
Unsafe Consumption of APIs
- Santization of Data to be checked to prevent SQLi, XSS, SSRF, etc. Can be done by sanitizing Request body.

PrimalPimmy added this to SentryFlow Oct 14, 2024

nandhued assigned PrimalPimmy Oct 18, 2024

nandhued converted this from a draft issue Oct 18, 2024

nandhued moved this from 🏗 In progress to 👀 In review in SentryFlow Nov 4, 2024

nandhued moved this from 👀 In review to ✅ Done in SentryFlow Nov 4, 2024

Provide feedback