API Threat Modeling Cheat Sheet
A Cheat Sheet covering most common threats against APIs.
Synopsis and Takeaways
Cheat sheets are an important learning tool because they force us to distill threat models to their most simple, essential parts.
- What are the main Threats against an API?
- Can we find common Threats that apply to APIs?
- Are there generic Threats we could check for applicability?
- Could we organize the Threats in Risk Patterns for APIs?
- Can they be summarized on a Cheat Sheet form?
A list of threats from “Threat Modeling: Designing for Security” by Adam Shostack:
- Perform security checks inside the boundary
- Copy before validation-for-purpose
- Is http://evil.org/pwnme.html “valid”?
- Define the purpose for data, validate near that definition
- Manage error reporting
- Document what checks happen where
- Do crypto in constant time
- Address the security requirements of your API
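The rules above applied in one small request handler for a multiparameter API: parameters are copied before validation, a URL parameter is validated for its purpose (so that http://evil.org/pwnme.html, a syntactically valid URL, is rejected), the API token is compared in constant time, and error reporting gives the client a short message while the full detail stays in the server log. This is an added example, not code from the working session or from Shostack's book; the allowed callback host, the token value, the parameter names callback_url and count, and the X-Api-Token header are assumptions made for the example.

```python
import hmac
import logging
import secrets
from dataclasses import dataclass
from types import MappingProxyType
from urllib.parse import urlsplit

log = logging.getLogger("api")

# Constructed values for the example: the only host this API may call back to,
# and the shared secret expected in the X-Api-Token header.
ALLOWED_CALLBACK_HOSTS = frozenset({"hooks.example.net"})
API_TOKEN = b"constructed-example-token"


class ValidationError(ValueError):
    """Raised inside the boundary when a parameter fails validation-for-purpose."""


def validate_callback_url(value: str) -> str:
    """Validate a URL for its purpose: a callback target this server will POST to.

    http://evil.org/pwnme.html parses as a valid URL, but it is not valid for this
    purpose: it is plain http and points at a host we never call.
    """
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise ValidationError("callback_url must use https")
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_CALLBACK_HOSTS:
        raise ValidationError("callback_url host is not an allowed callback target")
    if parts.username or parts.password:
        raise ValidationError("callback_url must not carry credentials")
    return value


def validate_item_count(value: str) -> int:
    """Validate for purpose: a small positive count, not merely 'an integer'."""
    try:
        count = int(value, 10)
    except ValueError:
        raise ValidationError("count must be an integer") from None
    if not 1 <= count <= 100:
        raise ValidationError("count must be between 1 and 100")
    return count


def token_is_valid(presented: bytes) -> bool:
    """Constant-time comparison, so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(presented, API_TOKEN)


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def handle_request(headers: dict, params: dict) -> Response:
    # Copy before validation: the caller keeps a mutable dict it could change
    # after we checked it; we validate and use only this read-only snapshot.
    frozen = MappingProxyType(dict(params))
    try:
        if not token_is_valid(headers.get("X-Api-Token", "").encode()):
            return Response(401, {"error": "unauthorised"})
        callback = validate_callback_url(frozen.get("callback_url", ""))
        count = validate_item_count(frozen.get("count", ""))
    except ValidationError as exc:
        # Managed error reporting: the client gets a short message about the
        # rejected parameter; no stack traces, paths or versions leave the boundary.
        return Response(400, {"error": str(exc)})
    except Exception:
        # Unexpected failures are logged in full server-side under a reference id
        # and reported to the client only as that id.
        ref = secrets.token_hex(8)
        log.exception("unhandled error, ref=%s", ref)
        return Response(500, {"error": "internal error", "ref": ref})
    return Response(200, {"callback_url": callback, "count": count})


if __name__ == "__main__":
    hdrs = {"X-Api-Token": API_TOKEN.decode()}
    print(handle_request(hdrs, {"callback_url": "http://evil.org/pwnme.html", "count": "5"}))
    print(handle_request(hdrs, {"callback_url": "https://hooks.example.net/cb", "count": "5"}))
```

The validators sit next to the definition of what each parameter is for, which is the "validate near that definition" rule; documenting which checks happen in handle_request and which in the validators is the last rule on the list.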
A Generic Cheat Sheet for a Generic API
- Multiparameter API
- Server logs requests including IP address
- GDPR is applicable (see 2)
- Data Flows 1 and 2
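The generic API above logs every request with the client IP address, and that is what makes GDPR applicable: an IP address counts as personal data. One mitigation is to pseudonymise the address with a keyed hash before it reaches the log, so the log still lets operators correlate requests from one client without storing the raw address. This is an added example, not part of the working session output; the pepper value and the log record fields are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone

# Constructed secret for the example. In deployment it comes from a secrets store
# and is rotated, so pseudonyms cannot be linked across rotation periods.
LOG_PEPPER = b"constructed-log-pepper"


def pseudonymise_ip(ip: str, pepper: bytes = LOG_PEPPER) -> str:
    """Replace the client IP with a keyed hash before it is written to the log.

    A plain unkeyed hash would not do: all IPv4 addresses can be hashed in
    minutes, which would reverse the mapping. The key makes that impossible
    for anyone who holds only the log.
    """
    addr = ipaddress.ip_address(ip)  # rejects malformed input before it is logged
    digest = hmac.new(pepper, addr.packed, hashlib.sha256).hexdigest()
    return f"ip-{digest[:16]}"


def log_record(method: str, path: str, client_ip: str, status: int) -> dict:
    """Build the structured record the server writes for one request."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "method": method,
        # The query string may carry the multiparameter API's own parameters,
        # so only the path is kept.
        "path": path.split("?", 1)[0],
        "client": pseudonymise_ip(client_ip),
        "status": status,
    }


if __name__ == "__main__":
    print(log_record("GET", "/v1/items?count=3", "203.0.113.7", 200))
```

Truncating the digest keeps log lines short; 64 bits is still far beyond what a collision between two clients in one log would need. Dropping the query string also closes the second channel through which parameter values would otherwise end up in the log.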
Out of Scope
- Provision of code
- Provision of server/hardware (be explicit about what you are excluding, i.e. server hardware and software)
Threats
- The wrong server responds
- Client receives tampered data
- Man in the Middle
- Server receives tampered data
- Client repudiates request
- Server repudiates sent
- Confidential data is disclosed through the connection
- Information is disclosed through error messages
- Unauthorised access to API
- No state change
- Public Data
- No Authorisation
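Several of the threats in the list are about the connection between the two data flows: the wrong server responds, tampered data in either direction, a man in the middle replaying a request, and error messages that say too much. The exchange below shows both sides of one request and response with a keyed MAC over each message, a timestamp and nonce against replay, and a single generic rejection message. It is an added example, not code from the working session; the shared key, the field layout, and the skew window are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed shared key for the example; in practice provisioned per client.
SHARED_KEY = b"constructed-shared-key"
MAX_SKEW_SECONDS = 300


def _mac(key: bytes, *parts: bytes) -> str:
    """MAC over length-prefixed fields, so fields cannot shift into each other."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.hexdigest()


def client_build_request(path: str, body: dict, key: bytes = SHARED_KEY,
                         now: Optional[float] = None) -> dict:
    """Client side: sign path, timestamp, nonce and canonical JSON payload."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    ts = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(8)
    mac = _mac(key, path.encode(), ts.encode(), nonce.encode(), payload.encode())
    return {"path": path, "ts": ts, "nonce": nonce, "payload": payload, "mac": mac}


class Server:
    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen_nonces = set()  # in production: a store with expiry

    def _reply(self, status: int, body: dict, nonce: str) -> dict:
        # The response MAC binds to the request nonce, so the client can tell
        # a genuine answer to *this* request from a spoofed or replayed one.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        mac = _mac(self.key, b"response", nonce.encode(), str(status).encode(), payload.encode())
        return {"status": status, "nonce": nonce, "payload": payload, "mac": mac}

    def handle(self, req: dict, now: Optional[float] = None) -> dict:
        now = now if now is not None else time.time()
        nonce = str(req.get("nonce", ""))
        try:
            expected = _mac(self.key, req["path"].encode(), req["ts"].encode(),
                            nonce.encode(), req["payload"].encode())
            if not hmac.compare_digest(expected, req["mac"]):
                return self._reply(400, {"error": "request rejected"}, nonce)  # tampered or wrong key
            if abs(now - int(req["ts"])) > MAX_SKEW_SECONDS or nonce in self.seen_nonces:
                return self._reply(400, {"error": "request rejected"}, nonce)  # stale or replayed
            self.seen_nonces.add(nonce)
            data = json.loads(req["payload"])
        except (KeyError, ValueError, AttributeError):
            # One generic message for every rejection: the client learns nothing
            # about which check failed or how the server is built.
            return self._reply(400, {"error": "request rejected"}, nonce)
        return self._reply(200, {"echo": data}, nonce)


def client_verify_response(resp: dict, sent_nonce: str, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Client side: return the body only if the response is authentic and answers our request."""
    expected = _mac(key, b"response", resp["nonce"].encode(), str(resp["status"]).encode(),
                    resp["payload"].encode())
    if resp["nonce"] != sent_nonce or not hmac.compare_digest(expected, resp["mac"]):
        return None  # wrong server, tampered in transit, or an answer to another request
    return json.loads(resp["payload"])


if __name__ == "__main__":
    srv = Server()
    req = client_build_request("/v1/items", {"count": 3})
    resp = srv.handle(req)
    print(client_verify_response(resp, req["nonce"]))   # {'echo': {'count': 3}}
    print(srv.handle(req)["payload"])                    # replay is rejected
```

A shared-key MAC covers spoofing, tampering and replay but not the two repudiation threats: either party could have produced any message, so settling "client repudiates request" or "server repudiates sent" needs per-party signatures and retained signed records rather than a shared key. Confidentiality of the connection is a separate control (TLS), which this exchange assumes underneath.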
Session page : API Threat Modeling Cheat Sheet
Summit 2017 session page : 2017 Threat Model Sessions
Summit 2017 outcome page : Outcomes OWASP Projects: Cheat Sheets