@@ -10,8 +10,9 @@ We respect the `Open Web Application Security Project (OWASP) <https://owasp.org
1010and follow their recommendations as much as possible.
1111
1212The following comes from
13- `OWASP Top Ten <https://owasp.org/www-project-top-ten/ >`_,
14- identifying the top vulnerabilities for web applications.
13+ `OWASP Top Ten <https://owasp.org/www-project-top-ten/ >`_ and
14+ `OWASP API Security Top 10 <https://owasp.org/API-Security/editions/2023/en/0x11-t10/ >`_
15+ identifying the top vulnerabilities for web applications and apis.
1516For each, we provide a brief description, the OWASP recommendations, and then
1617the CodeIgniter provisions to address the problem.
1718
@@ -576,3 +577,356 @@ CodeIgniter provisions
576577- :doc: `../libraries/validation ` library
577578- :doc: `HTTP library <../incoming/incomingrequest >` provides for
578579 :ref: `input field filtering <incomingrequest-filtering-input-data >`
580+
581+ ******************************
582+ OWASP API Security Top 10 2023
583+ ******************************
584+
585+ API1:2023 Broken Object Level Authorization
586+ ===========================================
587+
588+ APIs tend to expose endpoints that handle object identifiers, creating a wide
589+ attack surface of Object Level Access Control issues. Object level authorization
590+ checks should be considered in every function that accesses a data source using
591+ an ID from the user.
592+
593+ OWASP recommendations
594+ ---------------------
595+
596+ - Implement a proper authorization mechanism that relies on the user policies and
597+ hierarchy.
598+ - Use the authorization mechanism to check if the logged-in user has access to
599+ perform the requested action on the record in every function that uses an input
600+ from the client to access a record in the database.
601+ - Prefer the use of random and unpredictable values as GUIDs for records' IDs.
602+ - Write tests to evaluate the vulnerability of the authorization mechanism. Do
603+ not deploy changes that make the tests fail.
604+
605+ CodeIgniter provisions
606+ ----------------------
607+
608+ - An official authentication and authorization framework
609+ :ref: `CodeIgniter Shield <shield >`
610+
611+ API2:2023 Broken Authentication
612+ ===============================
613+
614+ Authentication mechanisms are often implemented incorrectly, allowing attackers
615+ to compromise authentication tokens or to exploit implementation flaws to assume
616+ other user's identities temporarily or permanently. Compromising a system's
617+ ability to identify the client/user, compromises API security overall.
618+
619+ OWASP recommendations
620+ ---------------------
621+
622+ - Make sure you know all the possible flows to authenticate to the API (mobile/
623+ web/deep links that implement one-click authentication/etc.). Ask your engineers
624+ what flows you missed.
625+ - Read about your authentication mechanisms. Make sure you understand what and
626+ how they are used. OAuth is not authentication, and neither are API keys.
627+ - Don't reinvent the wheel in authentication, token generation, or password storage.
628+ Use the standards.
629+ - Credential recovery/forgot password endpoints should be treated as login
630+ endpoints in terms of brute force, rate limiting, and lockout protections.
631+ - Require re-authentication for sensitive operations (e.g. changing the account
632+ owner email address/2FA phone number).
633+ - Use the OWASP Authentication Cheatsheet.
634+ - Where possible, implement multi-factor authentication.
635+ - Implement anti-brute force mechanisms to mitigate credential stuffing, dictionary
636+ attacks, and brute force attacks on your authentication endpoints. This mechanism
637+ should be stricter than the regular rate limiting mechanisms on your APIs.
638+ - Implement account lockout/captcha mechanisms to prevent brute force attacks
639+ against specific users. Implement weak-password checks.
640+ - API keys should not be used for user authentication. They should only be used
641+ for API clients authentication.
642+
643+ CodeIgniter provisions
644+ ----------------------
645+
646+ - An official authentication and authorization framework
647+ :ref: `CodeIgniter Shield <shield >`
648+
649+ API3:2023 Broken Object Property Level Authorization
650+ ====================================================
651+
652+ This category combines API3:2019 Excessive Data Exposure and API6:2019 - Mass
653+ Assignment, focusing on the root cause: the lack of or improper authorization
654+ validation at the object property level. This leads to information exposure or
655+ manipulation by unauthorized parties.
656+
657+ OWASP recommendations
658+ ---------------------
659+
660+ - When exposing an object using an API endpoint, always make sure that the user
661+ should have access to the object's properties you expose.
662+ - Avoid using generic methods such as to_json() and to_string(). Instead,
663+ cherry-pick specific object properties you specifically want to return.
664+ - If possible, avoid using functions that automatically bind a client's input
665+ into code variables, internal objects, or object properties ("Mass Assignment").
666+ - Allow changes only to the object's properties that should be updated by the
667+ client.
668+ - Implement a schema-based response validation mechanism as an extra layer of
669+ security. As part of this mechanism, define and enforce data returned by all
670+ API methods.
671+ - Keep returned data structures to the bare minimum, according to the
672+ business/functional requirements for the endpoint.
673+
674+ CodeIgniter provisions
675+ ----------------------
676+
677+ - Model's :ref: `model-allowed-fields `
678+ - An official authentication and authorization framework
679+ :ref: `CodeIgniter Shield <shield >`
680+
681+ API4:2023 Unrestricted Resource Consumption
682+ ===========================================
683+
684+ Satisfying API requests requires resources such as network bandwidth, CPU, memory,
685+ and storage. Other resources such as emails/SMS/phone calls or biometrics validation
686+ are made available by service providers via API integrations, and paid for per
687+ request. Successful attacks can lead to Denial of Service or an increase of
688+ operational costs.
689+
690+ OWASP recommendations
691+ ---------------------
692+
693+ - Use a solution that makes it easy to limit memory, CPU, number of restarts,
694+ file descriptors, and processes such as Containers / Serverless code (e.g. Lambdas).
695+ - Define and enforce a maximum size of data on all incoming parameters and payloads,
696+ such as maximum length for strings, maximum number of elements in arrays, and
697+ maximum upload file size (regardless of whether it is stored locally or in
698+ cloud storage).
699+ - Implement a limit on how often a client can interact with the API within a
700+ defined timeframe (rate limiting).
701+ - Rate limiting should be fine tuned based on the business needs. Some API Endpoints
702+ might require stricter policies.
703+ - Limit/throttle how many times or how often a single API client/user can execute
704+ a single operation (e.g. validate an OTP, or request password recovery without
705+ visiting the one-time URL).
706+ - Add proper server-side validation for query string and request body parameters,
707+ specifically the one that controls the number of records to be returned in the
708+ response.
709+ - Configure spending limits for all service providers/API integrations. When setting
710+ spending limits is not possible, billing alerts should be configured instead.
711+
712+ CodeIgniter provisions
713+ ----------------------
714+
715+ - :doc: `../libraries/validation ` library
716+ - :doc: `../libraries/throttler ` for rate limit
717+
718+ API5:2023 Broken Function Level Authorization
719+ =============================================
720+
721+ Complex access control policies with different hierarchies, groups, and roles,
722+ and an unclear separation between administrative and regular functions, tend to
723+ lead to authorization flaws. By exploiting these issues, attackers can gain
724+ access to other users’ resources and/or administrative functions.
725+
726+ OWASP recommendations
727+ ---------------------
728+
729+ Your application should have a consistent and easy-to-analyze authorization module
730+ that is invoked from all your business functions. Frequently, such protection is
731+ provided by one or more components external to the application code.
732+
733+ - The enforcement mechanism(s) should deny all access by default, requiring explicit
734+ grants to specific roles for access to every function.
735+ - Review your API endpoints against function level authorization flaws, while
736+ keeping in mind the business logic of the application and groups hierarchy.
737+ - Make sure that all of your administrative controllers inherit from an
738+ administrative abstract controller that implements authorization checks based
739+ on the user's group/role.
740+ - Make sure that administrative functions inside a regular controller implement
741+ authorization checks based on the user's group and role.
742+
743+ CodeIgniter provisions
744+ ----------------------
745+
746+ - An official authentication and authorization framework
747+ :ref: `CodeIgniter Shield <shield >`
748+
749+ API6:2023 Unrestricted Access to Sensitive Business Flows
750+ =========================================================
751+
752+ APIs vulnerable to this risk expose a business flow - such as buying a ticket,
753+ or posting a comment - without compensating for how the functionality could harm
754+ the business if used excessively in an automated manner. This doesn't necessarily
755+ come from implementation bugs.
756+
757+ OWASP recommendations
758+ ---------------------
759+
760+ The mitigation planning should be done in two layers:
761+
762+ - Business - identify the business flows that might harm the business if they
763+ are excessively used.
764+ - Engineering - choose the right protection mechanisms to mitigate the business
765+ risk.
766+
767+ Some of the protection mechanisms are more simple while others are more difficult
768+ to implement. The following methods are used to slow down automated threats:
769+
770+ - Device fingerprinting: denying service to unexpected client devices (e.g
771+ headless browsers) tends to make threat actors use more sophisticated solutions,
772+ thus more costly for them
773+ - Human detection: using either captcha or more advanced biometric solutions
774+ (e.g. typing patterns)
775+ - Non-human patterns: analyze the user flow to detect non-human patterns
776+ (e.g. the user accessed the "add to cart" and "complete purchase" functions in
777+ less than one second)
778+ - Consider blocking IP addresses of Tor exit nodes and well-known proxies
779+
780+ Secure and limit access to APIs that are consumed directly by machines (such as
781+ developer and B2B APIs). They tend to be an easy target for attackers because
782+ they often don't implement all the required protection mechanisms.
783+
784+ CodeIgniter provisions
785+ ----------------------
786+
787+ - n/a
788+
789+ API7:2023 Server Side Request Forgery
790+ =====================================
791+
792+ Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a
793+ remote resource without validating the user-supplied URI. This enables an attacker
794+ to coerce the application to send a crafted request to an unexpected destination,
795+ even when protected by a firewall or a VPN.
796+
797+ OWASP recommendations
798+ ---------------------
799+
800+ - Isolate the resource fetching mechanism in your network: usually these features
801+ are aimed to retrieve remote resources and not internal ones.
802+ - Whenever possible, use allow lists of:
803+
804+ - Remote origins users are expected to download resources from (e.g. Google Drive,
805+ Gravatar, etc.)
806+ - URL schemes and ports
807+ - Accepted media types for a given functionality
808+ - Disable HTTP redirections.
809+ - Use a well-tested and maintained URL parser to avoid issues caused by URL parsing inconsistencies.
810+ - Validate and sanitize all client-supplied input data.
811+ - Do not send raw responses to clients.
812+
813+ CodeIgniter provisions
814+ ----------------------
815+
816+ - :doc: `../libraries/validation ` library
817+ - :doc: `HTTP library <../incoming/incomingrequest >` provides for
818+ :ref: `input field filtering <incomingrequest-filtering-input-data >`
819+ - :doc: `CURLRequest <../libraries/curlrequest >` class
820+ - :doc: `URI <../libraries/uri >` class
821+
822+ API8:2023 Security Misconfiguration
823+ ===================================
824+
825+ APIs and the systems supporting them typically contain complex configurations,
826+ meant to make the APIs more customizable. Software and DevOps engineers can miss
827+ these configurations, or don't follow security best practices when it comes to
828+ configuration, opening the door for different types of attacks.
829+
830+ OWASP recommendations
831+ ---------------------
832+
833+ The API life cycle should include:
834+
835+ - A repeatable hardening process leading to fast and easy deployment of a properly
836+ locked down environment
837+ - A task to review and update configurations across the entire API stack. The
838+ review should include: orchestration files, API components, and cloud services
839+ (e.g. S3 bucket permissions)
840+ - An automated process to continuously assess the effectiveness of the configuration
841+ and settings in all environments
842+
843+ Furthermore:
844+
845+ - Ensure that all API communications from the client to the API server and any
846+ downstream/upstream components happen over an encrypted communication channel
847+ (TLS), regardless of whether it is an internal or public-facing API.
848+ - Be specific about which HTTP verbs each API can be accessed by: all other HTTP
849+ verbs should be disabled (e.g. HEAD).
850+ - APIs expecting to be accessed from browser-based clients (e.g., WebApp front-end)
851+ should, at least:
852+
853+ - implement a proper Cross-Origin Resource Sharing (CORS) policy
854+ - include applicable Security Headers
855+ - Restrict incoming content types/data formats to those that meet the business/
856+ functional requirements.
857+ - Ensure all servers in the HTTP server chain (e.g. load balancers, reverse and
858+ forward proxies, and back-end servers) process incoming requests in a uniform
859+ manner to avoid desync issues.
860+ - Where applicable, define and enforce all API response payload schemas, including
861+ error responses, to prevent exception traces and other valuable information from
862+ being sent back to attackers.
863+
864+ CodeIgniter provisions
865+ ----------------------
866+
867+ - The config for global secure access (``Config\App::$forceGlobalSecureRequests ``)
868+ - :php:func: `force_https() ` function
869+ - :ref: `Defined Route Routing <defined-route-routing >`
870+ - :ref: `auto-routing-improved `
871+
872+ API9:2023 Improper Inventory Management
873+ =======================================
874+
875+ APIs tend to expose more endpoints than traditional web applications, making
876+ proper and updated documentation highly important. A proper inventory of hosts
877+ and deployed API versions also are important to mitigate issues such as deprecated
878+ API versions and exposed debug endpoints.
879+
880+ OWASP recommendations
881+ ---------------------
882+
883+ - Inventory all API hosts and document important aspects of each one of them,
884+ focusing on the API environment (e.g. production, staging, test, development),
885+ who should have network access to the host (e.g. public, internal, partners)
886+ and the API version.
887+ - Inventory integrated services and document important aspects such as their
888+ role in the system, what data is exchanged (data flow), and their sensitivity.
889+ - Document all aspects of your API such as authentication, errors, redirects,
890+ rate limiting, cross-origin resource sharing (CORS) policy, and endpoints,
891+ including their parameters, requests, and responses.
892+ - Generate documentation automatically by adopting open standards. Include the
893+ documentation build in your CI/CD pipeline.
894+ - Make API documentation available only to those authorized to use the API.
895+ - Use external protection measures such as API security specific solutions for
896+ all exposed versions of your APIs, not just for the current production version.
897+ - Avoid using production data with non-production API deployments. If this is
898+ unavoidable, these endpoints should get the same security treatment as the
899+ production ones.
900+ - When newer versions of APIs include security improvements, perform a risk
901+ analysis to inform the mitigation actions required for the older versions. For
902+ example, whether it is possible to backport the improvements without breaking
903+ API compatibility or if you need to take the older version out quickly and
904+ force all clients to move to the latest version.
905+
906+ CodeIgniter provisions
907+ ----------------------
908+
909+ - :ref: `routing-spark-routes ` command
910+
911+ API10:2023 Unsafe Consumption of APIs
912+ =====================================
913+
914+ Developers tend to trust data received from third-party APIs more than user input,
915+ and so tend to adopt weaker security standards. In order to compromise APIs,
916+ attackers go after integrated third-party services instead of trying to compromise
917+ the target API directly.
918+
919+ OWASP recommendations
920+ ---------------------
921+
922+ - When evaluating service providers, assess their API security posture.
923+ - Ensure all API interactions happen over a secure communication channel (TLS).
924+ - Always validate and properly sanitize data received from integrated APIs before
925+ using it.
926+ - Maintain an allowlist of well-known locations integrated APIs may redirect yours
927+ to: do not blindly follow redirects.
928+
929+ CodeIgniter provisions
930+ ----------------------
931+
932+ - :doc: `../libraries/validation ` library
0 commit comments