@@ -10,8 +10,9 @@ We respect the `Open Web Application Security Project (OWASP) <https://owasp.org
1010and follow their recommendations as much as possible.
1111
1212The following comes from
13- `OWASP Top Ten <https://owasp.org/www-project-top-ten/ >`_,
14- identifying the top vulnerabilities for web applications.
13+ `OWASP Top Ten <https://owasp.org/www-project-top-ten/ >`_ and
14+ `OWASP API Security Top 10 <https://owasp.org/API-Security/editions/2023/en/0x11-t10/ >`_
15+ identifying the top vulnerabilities for web applications and apis.
1516For each, we provide a brief description, the OWASP recommendations, and then
1617the CodeIgniter provisions to address the problem.
1718
@@ -577,3 +578,356 @@ CodeIgniter provisions
577578- :doc: `../libraries/validation ` library
578579- :doc: `HTTP library <../incoming/incomingrequest >` provides for
579580 :ref: `input field filtering <incomingrequest-filtering-input-data >`
581+
582+ ******************************
583+ OWASP API Security Top 10 2023
584+ ******************************
585+
586+ API1:2023 Broken Object Level Authorization
587+ ===========================================
588+
589+ APIs tend to expose endpoints that handle object identifiers, creating a wide
590+ attack surface of Object Level Access Control issues. Object level authorization
591+ checks should be considered in every function that accesses a data source using
592+ an ID from the user.
593+
594+ OWASP recommendations
595+ ---------------------
596+
597+ - Implement a proper authorization mechanism that relies on the user policies and
598+ hierarchy.
599+ - Use the authorization mechanism to check if the logged-in user has access to
600+ perform the requested action on the record in every function that uses an input
601+ from the client to access a record in the database.
602+ - Prefer the use of random and unpredictable values as GUIDs for records' IDs.
603+ - Write tests to evaluate the vulnerability of the authorization mechanism. Do
604+ not deploy changes that make the tests fail.
605+
606+ CodeIgniter provisions
607+ ----------------------
608+
609+ - An official authentication and authorization framework
610+ :ref: `CodeIgniter Shield <shield >`
611+
612+ API2:2023 Broken Authentication
613+ ===============================
614+
615+ Authentication mechanisms are often implemented incorrectly, allowing attackers
616+ to compromise authentication tokens or to exploit implementation flaws to assume
617+ other user's identities temporarily or permanently. Compromising a system's
618+ ability to identify the client/user, compromises API security overall.
619+
620+ OWASP recommendations
621+ ---------------------
622+
623+ - Make sure you know all the possible flows to authenticate to the API (mobile/
624+ web/deep links that implement one-click authentication/etc.). Ask your engineers
625+ what flows you missed.
626+ - Read about your authentication mechanisms. Make sure you understand what and
627+ how they are used. OAuth is not authentication, and neither are API keys.
628+ - Don't reinvent the wheel in authentication, token generation, or password storage.
629+ Use the standards.
630+ - Credential recovery/forgot password endpoints should be treated as login
631+ endpoints in terms of brute force, rate limiting, and lockout protections.
632+ - Require re-authentication for sensitive operations (e.g. changing the account
633+ owner email address/2FA phone number).
634+ - Use the OWASP Authentication Cheatsheet.
635+ - Where possible, implement multi-factor authentication.
636+ - Implement anti-brute force mechanisms to mitigate credential stuffing, dictionary
637+ attacks, and brute force attacks on your authentication endpoints. This mechanism
638+ should be stricter than the regular rate limiting mechanisms on your APIs.
639+ - Implement account lockout/captcha mechanisms to prevent brute force attacks
640+ against specific users. Implement weak-password checks.
641+ - API keys should not be used for user authentication. They should only be used
642+ for API clients authentication.
643+
644+ CodeIgniter provisions
645+ ----------------------
646+
647+ - An official authentication and authorization framework
648+ :ref: `CodeIgniter Shield <shield >`
649+
650+ API3:2023 Broken Object Property Level Authorization
651+ ====================================================
652+
653+ This category combines API3:2019 Excessive Data Exposure and API6:2019 - Mass
654+ Assignment, focusing on the root cause: the lack of or improper authorization
655+ validation at the object property level. This leads to information exposure or
656+ manipulation by unauthorized parties.
657+
658+ OWASP recommendations
659+ ---------------------
660+
661+ - When exposing an object using an API endpoint, always make sure that the user
662+ should have access to the object's properties you expose.
663+ - Avoid using generic methods such as to_json() and to_string(). Instead,
664+ cherry-pick specific object properties you specifically want to return.
665+ - If possible, avoid using functions that automatically bind a client's input
666+ into code variables, internal objects, or object properties ("Mass Assignment").
667+ - Allow changes only to the object's properties that should be updated by the
668+ client.
669+ - Implement a schema-based response validation mechanism as an extra layer of
670+ security. As part of this mechanism, define and enforce data returned by all
671+ API methods.
672+ - Keep returned data structures to the bare minimum, according to the
673+ business/functional requirements for the endpoint.
674+
675+ CodeIgniter provisions
676+ ----------------------
677+
678+ - Model's :ref: `model-allowed-fields `
679+ - An official authentication and authorization framework
680+ :ref: `CodeIgniter Shield <shield >`
681+
682+ API4:2023 Unrestricted Resource Consumption
683+ ===========================================
684+
685+ Satisfying API requests requires resources such as network bandwidth, CPU, memory,
686+ and storage. Other resources such as emails/SMS/phone calls or biometrics validation
687+ are made available by service providers via API integrations, and paid for per
688+ request. Successful attacks can lead to Denial of Service or an increase of
689+ operational costs.
690+
691+ OWASP recommendations
692+ ---------------------
693+
694+ - Use a solution that makes it easy to limit memory, CPU, number of restarts,
695+ file descriptors, and processes such as Containers / Serverless code (e.g. Lambdas).
696+ - Define and enforce a maximum size of data on all incoming parameters and payloads,
697+ such as maximum length for strings, maximum number of elements in arrays, and
698+ maximum upload file size (regardless of whether it is stored locally or in
699+ cloud storage).
700+ - Implement a limit on how often a client can interact with the API within a
701+ defined timeframe (rate limiting).
702+ - Rate limiting should be fine tuned based on the business needs. Some API Endpoints
703+ might require stricter policies.
704+ - Limit/throttle how many times or how often a single API client/user can execute
705+ a single operation (e.g. validate an OTP, or request password recovery without
706+ visiting the one-time URL).
707+ - Add proper server-side validation for query string and request body parameters,
708+ specifically the one that controls the number of records to be returned in the
709+ response.
710+ - Configure spending limits for all service providers/API integrations. When setting
711+ spending limits is not possible, billing alerts should be configured instead.
712+
713+ CodeIgniter provisions
714+ ----------------------
715+
716+ - :doc: `../libraries/validation ` library
717+ - :doc: `../libraries/throttler ` for rate limit
718+
719+ API5:2023 Broken Function Level Authorization
720+ =============================================
721+
722+ Complex access control policies with different hierarchies, groups, and roles,
723+ and an unclear separation between administrative and regular functions, tend to
724+ lead to authorization flaws. By exploiting these issues, attackers can gain
725+ access to other users’ resources and/or administrative functions.
726+
727+ OWASP recommendations
728+ ---------------------
729+
730+ Your application should have a consistent and easy-to-analyze authorization module
731+ that is invoked from all your business functions. Frequently, such protection is
732+ provided by one or more components external to the application code.
733+
734+ - The enforcement mechanism(s) should deny all access by default, requiring explicit
735+ grants to specific roles for access to every function.
736+ - Review your API endpoints against function level authorization flaws, while
737+ keeping in mind the business logic of the application and groups hierarchy.
738+ - Make sure that all of your administrative controllers inherit from an
739+ administrative abstract controller that implements authorization checks based
740+ on the user's group/role.
741+ - Make sure that administrative functions inside a regular controller implement
742+ authorization checks based on the user's group and role.
743+
744+ CodeIgniter provisions
745+ ----------------------
746+
747+ - An official authentication and authorization framework
748+ :ref: `CodeIgniter Shield <shield >`
749+
750+ API6:2023 Unrestricted Access to Sensitive Business Flows
751+ =========================================================
752+
753+ APIs vulnerable to this risk expose a business flow - such as buying a ticket,
754+ or posting a comment - without compensating for how the functionality could harm
755+ the business if used excessively in an automated manner. This doesn't necessarily
756+ come from implementation bugs.
757+
758+ OWASP recommendations
759+ ---------------------
760+
761+ The mitigation planning should be done in two layers:
762+
763+ - Business - identify the business flows that might harm the business if they
764+ are excessively used.
765+ - Engineering - choose the right protection mechanisms to mitigate the business
766+ risk.
767+
768+ Some of the protection mechanisms are more simple while others are more difficult
769+ to implement. The following methods are used to slow down automated threats:
770+
771+ - Device fingerprinting: denying service to unexpected client devices (e.g
772+ headless browsers) tends to make threat actors use more sophisticated solutions,
773+ thus more costly for them
774+ - Human detection: using either captcha or more advanced biometric solutions
775+ (e.g. typing patterns)
776+ - Non-human patterns: analyze the user flow to detect non-human patterns
777+ (e.g. the user accessed the "add to cart" and "complete purchase" functions in
778+ less than one second)
779+ - Consider blocking IP addresses of Tor exit nodes and well-known proxies
780+
781+ Secure and limit access to APIs that are consumed directly by machines (such as
782+ developer and B2B APIs). They tend to be an easy target for attackers because
783+ they often don't implement all the required protection mechanisms.
784+
785+ CodeIgniter provisions
786+ ----------------------
787+
788+ - n/a
789+
790+ API7:2023 Server Side Request Forgery
791+ =====================================
792+
793+ Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a
794+ remote resource without validating the user-supplied URI. This enables an attacker
795+ to coerce the application to send a crafted request to an unexpected destination,
796+ even when protected by a firewall or a VPN.
797+
798+ OWASP recommendations
799+ ---------------------
800+
801+ - Isolate the resource fetching mechanism in your network: usually these features
802+ are aimed to retrieve remote resources and not internal ones.
803+ - Whenever possible, use allow lists of:
804+
805+ - Remote origins users are expected to download resources from (e.g. Google Drive,
806+ Gravatar, etc.)
807+ - URL schemes and ports
808+ - Accepted media types for a given functionality
809+ - Disable HTTP redirections.
810+ - Use a well-tested and maintained URL parser to avoid issues caused by URL parsing inconsistencies.
811+ - Validate and sanitize all client-supplied input data.
812+ - Do not send raw responses to clients.
813+
814+ CodeIgniter provisions
815+ ----------------------
816+
817+ - :doc: `../libraries/validation ` library
818+ - :doc: `HTTP library <../incoming/incomingrequest >` provides for
819+ :ref: `input field filtering <incomingrequest-filtering-input-data >`
820+ - :doc: `CURLRequest <../libraries/curlrequest >` class
821+ - :doc: `URI <../libraries/uri >` class
822+
823+ API8:2023 Security Misconfiguration
824+ ===================================
825+
826+ APIs and the systems supporting them typically contain complex configurations,
827+ meant to make the APIs more customizable. Software and DevOps engineers can miss
828+ these configurations, or don't follow security best practices when it comes to
829+ configuration, opening the door for different types of attacks.
830+
831+ OWASP recommendations
832+ ---------------------
833+
834+ The API life cycle should include:
835+
836+ - A repeatable hardening process leading to fast and easy deployment of a properly
837+ locked down environment
838+ - A task to review and update configurations across the entire API stack. The
839+ review should include: orchestration files, API components, and cloud services
840+ (e.g. S3 bucket permissions)
841+ - An automated process to continuously assess the effectiveness of the configuration
842+ and settings in all environments
843+
844+ Furthermore:
845+
846+ - Ensure that all API communications from the client to the API server and any
847+ downstream/upstream components happen over an encrypted communication channel
848+ (TLS), regardless of whether it is an internal or public-facing API.
849+ - Be specific about which HTTP verbs each API can be accessed by: all other HTTP
850+ verbs should be disabled (e.g. HEAD).
851+ - APIs expecting to be accessed from browser-based clients (e.g., WebApp front-end)
852+ should, at least:
853+
854+ - implement a proper Cross-Origin Resource Sharing (CORS) policy
855+ - include applicable Security Headers
856+ - Restrict incoming content types/data formats to those that meet the business/
857+ functional requirements.
858+ - Ensure all servers in the HTTP server chain (e.g. load balancers, reverse and
859+ forward proxies, and back-end servers) process incoming requests in a uniform
860+ manner to avoid desync issues.
861+ - Where applicable, define and enforce all API response payload schemas, including
862+ error responses, to prevent exception traces and other valuable information from
863+ being sent back to attackers.
864+
865+ CodeIgniter provisions
866+ ----------------------
867+
868+ - The config for global secure access (``Config\App::$forceGlobalSecureRequests ``)
869+ - :php:func: `force_https() ` function
870+ - :ref: `Defined Route Routing <defined-route-routing >`
871+ - :ref: `auto-routing-improved `
872+
873+ API9:2023 Improper Inventory Management
874+ =======================================
875+
876+ APIs tend to expose more endpoints than traditional web applications, making
877+ proper and updated documentation highly important. A proper inventory of hosts
878+ and deployed API versions also are important to mitigate issues such as deprecated
879+ API versions and exposed debug endpoints.
880+
881+ OWASP recommendations
882+ ---------------------
883+
884+ - Inventory all API hosts and document important aspects of each one of them,
885+ focusing on the API environment (e.g. production, staging, test, development),
886+ who should have network access to the host (e.g. public, internal, partners)
887+ and the API version.
888+ - Inventory integrated services and document important aspects such as their
889+ role in the system, what data is exchanged (data flow), and their sensitivity.
890+ - Document all aspects of your API such as authentication, errors, redirects,
891+ rate limiting, cross-origin resource sharing (CORS) policy, and endpoints,
892+ including their parameters, requests, and responses.
893+ - Generate documentation automatically by adopting open standards. Include the
894+ documentation build in your CI/CD pipeline.
895+ - Make API documentation available only to those authorized to use the API.
896+ - Use external protection measures such as API security specific solutions for
897+ all exposed versions of your APIs, not just for the current production version.
898+ - Avoid using production data with non-production API deployments. If this is
899+ unavoidable, these endpoints should get the same security treatment as the
900+ production ones.
901+ - When newer versions of APIs include security improvements, perform a risk
902+ analysis to inform the mitigation actions required for the older versions. For
903+ example, whether it is possible to backport the improvements without breaking
904+ API compatibility or if you need to take the older version out quickly and
905+ force all clients to move to the latest version.
906+
907+ CodeIgniter provisions
908+ ----------------------
909+
910+ - :ref: `routing-spark-routes ` command
911+
912+ API10:2023 Unsafe Consumption of APIs
913+ =====================================
914+
915+ Developers tend to trust data received from third-party APIs more than user input,
916+ and so tend to adopt weaker security standards. In order to compromise APIs,
917+ attackers go after integrated third-party services instead of trying to compromise
918+ the target API directly.
919+
920+ OWASP recommendations
921+ ---------------------
922+
923+ - When evaluating service providers, assess their API security posture.
924+ - Ensure all API interactions happen over a secure communication channel (TLS).
925+ - Always validate and properly sanitize data received from integrated APIs before
926+ using it.
927+ - Maintain an allowlist of well-known locations integrated APIs may redirect yours
928+ to: do not blindly follow redirects.
929+
930+ CodeIgniter provisions
931+ ----------------------
932+
933+ - :doc: `../libraries/validation ` library
0 commit comments