
API10: Unsafe Consumption of APIs

> Control Description

Developers tend to trust data received from third-party APIs more than user input. This is especially true for APIs offered by well-known companies. Because of that, developers tend to adopt weaker security standards, for instance in regard to input validation and sanitization. The API might be vulnerable if it interacts with other APIs over an unencrypted channel, does not properly validate and sanitize data gathered from other APIs prior to processing it or passing it to downstream components, blindly follows redirections, does not limit the resources available for processing third-party services' responses, or does not implement timeouts for interactions with third-party services.

> Prevention & Mitigation Strategies

  1. When evaluating service providers, assess their API security posture.
  2. Ensure all API interactions happen over a secure communication channel (TLS).
  3. Always validate and properly sanitize data received from integrated APIs before using it.
  4. Maintain an allowlist of well-known locations that integrated APIs may redirect your API to: do not blindly follow redirects.

> Attack Scenarios

#1 SQL injection via third-party enrichment service

An API integrates with a third-party service provider to enrich user-provided business addresses. When an address is supplied by the end user, it is sent to the third-party service and the returned data is then stored in a local SQL-enabled database. An attacker uses the third-party service to store an SQL injection payload associated with a business they created. The malicious payload is later retrieved by the vulnerable API, which trusts the third-party data and stores it without validation, leading to SQL injection.

#2 Sensitive data exfiltration via redirect following

An API integrates with a third-party service provider to store sensitive user medical information. Data is sent over a secure connection using an HTTP request like: POST /user/store_genome_data. An attacker compromises the third-party server and makes it respond with a 308 Permanent Redirect to an attacker-controlled server. Because the API blindly follows the third-party redirect, it repeats the exact same request including the user's sensitive data to the attacker's server.

#3 Repository name SQL injection

An attacker creates a source code repository named '; drop db;--. When an integration application fetches data from the malicious repository, it uses the repository name in an SQL query without proper sanitization, treating it as trusted input from the well-known source code hosting provider. The SQL injection payload executes, dropping the database.
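As an added example (not OWASP's own code) of how a consuming API can apply the four mitigations above to scenarios #1 and #2: the provider host `api.enrich.example`, the reply schema (`business`, `postcode`) and the sample reply are assumptions constructed for the demonstration.

```python
import json
import re
import sqlite3
import urllib.request
from urllib.parse import urlsplit

REDIRECT_ALLOWLIST = {"api.enrich.example"}  # hypothetical provider host
MAX_BYTES = 4096  # cap on what we are willing to read back from the provider
POSTCODE_RE = re.compile(r"[A-Za-z0-9 -]{3,10}")
# Constructed provider reply carrying the payload from attack scenario #1.
SAMPLE_REPLY = b'{"business": "Acme \'; drop db;--", "postcode": "90210"}'

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # None makes urllib raise HTTPError on 3xx instead of replaying the request.
        return None

def fetch_enrichment(url, timeout=5.0):
    """Reach the provider over TLS only, with a timeout, a read cap and no auto-redirect."""
    if urlsplit(url).scheme != "https":
        raise ValueError("provider must be reached over https")
    with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as r:
        return r.read(MAX_BYTES + 1)

def redirect_allowed(location):
    """Manual redirect decision: https to an allowlisted host only."""
    p = urlsplit(location)
    return p.scheme == "https" and p.hostname in REDIRECT_ALLOWLIST

def validate_enrichment(raw):
    """Treat the reply as untrusted: size bound, shape and per-field checks."""
    try:
        data = json.loads(raw) if len(raw) <= MAX_BYTES else None
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return None
    business, postcode = data.get("business"), data.get("postcode")
    if not (isinstance(business, str) and 1 <= len(business) <= 100):
        return None
    if not (isinstance(postcode, str) and POSTCODE_RE.fullmatch(postcode)):
        return None
    return {"business": business, "postcode": postcode}

def store_and_read(data):
    """Persist validated fields with bound parameters, never SQL string building."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE addresses(business TEXT, postcode TEXT)")
    conn.execute("INSERT INTO addresses VALUES (?, ?)", (data["business"], data["postcode"]))
    return conn.execute("SELECT business, postcode FROM addresses").fetchone()
```

With bound parameters the scenario #1 payload is stored as a literal string and never reaches the SQL parser as code; a 308 from a compromised provider surfaces as an error for `redirect_allowed` to adjudicate rather than being replayed with the request body.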
