Guide to the OWASP Top 10 Web Application Security Risks

This page gives more detail on the OWASP Top 10 vulnerabilities. Note that not every vulnerability from the OWASP Top 10 is covered here, only those intentionally implemented in the API solution shown on this page. Information on how to remediate these vulnerabilities and how to prevent them is also included.

API Management

For starters, there are multiple ways today to remediate many of these vulnerabilities, given how much is known about them. During this demo we have remediated them, or created ways to prevent them, without modifying anything on the back-end.

Most of the changes we have performed were done at the API Gateway level. This means the vulnerable code still exists, but we have placed a layer in front of it that every request must pass through before it reaches our solution. That layer acts as a filter, barrier and protection: it enforces a set of rules, and a request that does not satisfy them never reaches our service.

Demonstrated Vulnerabilities

API1:2023 - Broken Object Level Authorization (BOLA)

Access other users' resources by manipulating object identifiers in the request, because the back-end performs no authorization check on them

API8:2023 - SQL Injection

Insert malicious SQL through unverified input passed directly to the search function, allowing exposure or manipulation of database data

API3:2023 - Excessive Data Exposure

API responses return sensitive information such as passwords or SSNs, or expose back-end functionality that consumers should never have access to

API4:2023 - Unrestricted Resource Consumption

Overwhelm the API with an unlimited number of requests, causing denial of service and resource exhaustion

API5:2023 - Broken Function Level Authorization (BFLA)

Regular users execute admin-level actions by directly calling privileged endpoints
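The gateway-level rule set described above, written out as an added example (this is illustrative code, not the demo's own gateway configuration): one request check covering the BOLA, BFLA, resource-consumption and search-input rules, plus a response filter for excessive data exposure. The endpoint paths, field names, rate limit and the shape of the authenticated `user` object are assumptions chosen for the demo.

```python
import re
import time
from collections import defaultdict

# Constructed policy for the demo gateway (assumption: names are illustrative).
ADMIN_PREFIX = "/admin/"                   # API5: privileged endpoints
SENSITIVE_FIELDS = {"password", "ssn"}     # API3: never leave the gateway
RATE_LIMIT = 5                             # API4: requests per window per client
WINDOW_SECONDS = 60
SEARCH_PATTERN = re.compile(r"^[\w\s-]{1,64}$")  # allow-list for the search term
OBJECT_PATH = re.compile(r"^/users/(\d+)(?:/|$)")  # API1: object id in the path

_request_log = defaultdict(list)  # client id -> request timestamps

def check_request(method, path, query, user, now=None):
    """Return (allowed, reason). `user` is the identity the gateway already
    authenticated, e.g. {"id": "42", "role": "user"} (assumed shape)."""
    now = time.time() if now is None else now
    # API4: sliding-window rate limit per authenticated client
    hits = [t for t in _request_log[user["id"]] if now - t < WINDOW_SECONDS]
    hits.append(now)
    _request_log[user["id"]] = hits
    if len(hits) > RATE_LIMIT:
        return False, "rate limit exceeded"
    # API5: only admins may reach privileged endpoints
    if path.startswith(ADMIN_PREFIX) and user["role"] != "admin":
        return False, "function-level authorization failed"
    # API1: the object referenced in the path must belong to the caller
    m = OBJECT_PATH.match(path)
    if m and m.group(1) != user["id"] and user["role"] != "admin":
        return False, "object-level authorization failed"
    # API8 (as labelled on this page): allow-list the search term before it
    # reaches the back-end query
    term = query.get("q")
    if term is not None and not SEARCH_PATTERN.match(term):
        return False, "rejected search input"
    return True, "ok"

def filter_response(body):
    """API3: strip sensitive fields from the back-end reply, recursively."""
    if isinstance(body, dict):
        return {k: filter_response(v) for k, v in body.items()
                if k not in SENSITIVE_FIELDS}
    if isinstance(body, list):
        return [filter_response(v) for v in body]
    return body
```

The search allow-list only narrows what reaches the vulnerable query; it is a compensating control, and the back-end should still move to parameterized queries when it can be changed.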