5 Critical Vulnerabilities - Demo from OWASP API Top 10
12 API Endpoints - Vulnerable & Secure
100% Kong Gateway - Traffic Proxied
6+ Security Controls - Implemented by Kong Plugins

API Security Demonstration

This page details the importance of securing your API and makes you aware of some of the OWASP Top 10 vulnerabilities you can encounter while using APIs, together with integrated tooling such as an API Gateway that offers options to secure them.


Understanding OWASP Vulnerabilities

The OWASP Top 10 Web Application Security Risks is a public standard listing the vulnerabilities attackers most commonly use to compromise your API data.

$ curl /api/user/22/settings
{"ssn": "123-45-6789", "credit_card": "4532-..."}
✅ AUTHORIZED: User 22 accessed their own data
$ curl /api/user/98/settings
{"ssn": "987-65-4321", "credit_card": "5425-..."} ❌
⚠️ CRITICAL EXPOSURE: Accessed another user's data!

API1:2023 - Broken Object Level Authorization (BOLA)

This vulnerability happens when no verification is made that the caller is allowed to perform an operation on the requested object, therefore revealing data the consumer shouldn't have access to.

$ curl "/api/db/search?query=RAM"
{"results": [{"name": "2x32GB RAM", "price": 10000.50}]}
✅ EXPECTED: intended use of SQL search, though not secure
$ curl "/api/db/search?query=' OR '1'='1"
{"results": [ALL PRODUCTS + USERS TABLE]}
⚠️ SQL Injection: entire database exposed

API8:2023 - SQL Injection

This vulnerability is present when user input is placed into SQL syntax and passed directly to the operation without any verification, allowing the consumer to manipulate the query and every action it performs.

$ curl "/api/db/search?query='"
{ "error": "unrecognized token: \"'\"", "sql": "syntax error" }
✅ EXPECTED: returned message does not reveal functionality of your back-end function
$ curl "/api/db/search?query='"
{ "error": "unrecognized token: \"'\"", "sql": "SELECT id, name, price, additional_info FROM products WHERE name LIKE '%'%'" }
⚠️ EXPOSURE: error message includes the query that the endpoint /api/db/search performs

API3:2023 - Excessive Data Exposure

This vulnerability happens when user input is passed directly to the operation without any verification and the resulting error is returned to the client unfiltered, so the response reveals the back-end query and the user can manipulate the actions they want to perform.
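As an added illustration of the two failures above (this is not code from the demo project), here is a minimal Python/sqlite3 version of the /api/db/search handler in its vulnerable form beside a hardened one; the table contents and the function names are assumptions:

```python
import sqlite3

COLUMNS = ("id", "name", "price", "additional_info")

# Constructed sample catalogue matching the products table that the demo's
# leaked error message reveals; rows other than the RAM entry are made up.
PRODUCTS = [
    (1, "2x32GB RAM", 10000.50, "DDR5"),
    (2, "1TB NVMe SSD", 120.00, "PCIe 4.0"),
    (3, "Mid-range GPU", 899.99, "8GB VRAM"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
                 "price REAL, additional_info TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", PRODUCTS)
    return conn

def search_vulnerable(conn, query):
    """Splices the raw query into the SQL (injection) and echoes the failing
    statement back to the client on error (information exposure)."""
    sql = ("SELECT id, name, price, additional_info FROM products "
           f"WHERE name LIKE '%{query}%'")
    try:
        return {"results": [dict(zip(COLUMNS, row)) for row in conn.execute(sql)]}
    except sqlite3.Error as exc:
        return {"error": str(exc), "sql": sql}

def search_secure(conn, query):
    """Binds the query as a parameter, so quotes are data rather than syntax,
    and returns only a generic error to the caller; details stay server-side."""
    sql = ("SELECT id, name, price, additional_info FROM products "
           "WHERE name LIKE ?")
    try:
        rows = conn.execute(sql, (f"%{query}%",))
        return {"results": [dict(zip(COLUMNS, row)) for row in rows]}
    except sqlite3.Error as exc:
        print(f"search failed: {exc}")  # goes to the server log, not the response
        return {"error": "search failed"}

if __name__ == "__main__":
    db = make_db()
    for q in ("RAM", "' OR '1'='1", "'"):
        print(repr(q), "vulnerable:", search_vulnerable(db, q))
        print(repr(q), "secure:    ", search_secure(db, q))
```

With the bound parameter the `' OR '1'='1` input matches no product and the lone `'` no longer produces a syntax error, so neither the whole table nor the query text reaches the client.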

$ locust --headless -u 1000 -r 100
Request 1: 200 OK (12ms)
Request 2: 200 OK (15ms)
Request 500: 200 OK (18ms) ----> {"results": '429 Client Error: Too Many Requests for url: /api/'}
Request 1000: 200 OK (20ms) ----> {"results": '429 Client Error: Too Many Requests for url: /api/'}
✅ EXPECTED: request is rejected and not processed
$ locust --headless -u 1000 -r 100
Request 1: 200 OK (12ms)
Request 2: 200 OK (15ms)
Request 500: 200 OK (1200ms)
Request 1000: 200 OK (4500ms)
⚠️ NO LIMIT: Server overloaded and responses are delayed

API4:2023 - Unrestricted Resource Consumption

This vulnerability occurs when we don't set a rate limit on access to the API. Without one, attackers can overwhelm the API with requests, causing denial of service and resource exhaustion, and can run brute-force attacks that can be combined with BOLA.

Logged in as: regular_user (ID: 22)
$ curl /user/delete/48/
{"result": "you are not allowed to perform deletion actions"}
✅ EXPECTED: a user with normal-level access is not allowed to delete users
Logged in as: regular_user (ID: 22)
$ curl /user/delete/48
{"result": "user with id: 48 was deleted with all associated atributes"} ❌
⚠️ CRITICAL ACTION: normal user was allowed to perform this action

API5:2023 - Broken Function Level Authorization (BFLA)

This vulnerability happens when least-privilege access is not enforced on the permissions a consumer has, meaning that your normal user is equal to an admin-type user and can perform actions it shouldn't be able to.


Explore APIs Playground

A section to link most popular APIs and have direct access to them.

Normal Simple API (1.0.0)
Intentionally vulnerable API for OWASP demonstration purposes

Secure Simple API (1.0.0)
Secure version of the Simple API accessed through Kong Gateway

OWASP API Top 10 Vulnerabilities Demo

Showcase real-world demonstrations of Broken Object Level Authorization (BOLA), Excessive Data Exposure, Lack of Rate Limiting, SQL Injection, and Broken Function Level Authorization (BFLA)

Kong Gateway Integration

Adoption of an industry-grade solution to help secure and remediate our API endpoints using rate limiting, authentication, injection protection, caching and other plugins that Kong API Gateway offers

Secure API Comparison

Comparison between a vulnerable and a more secure endpoint, demonstrating security best practices that can be implemented

Real-Time Metrics

Live traffic analysis with Prometheus and Grafana showing attack patterns and API behavior anomalies. Only available for internal use