Outcomes
A cheat sheet covering the most common threats against APIs.
Synopsis and Takeaways
Cheat sheets are an important learning tool because they force us to distill threat models to their simplest, essential parts.
Identified Questions
- What are the main Threats against an API?
- Can we find common Threats that apply to APIs?
- Are there generic Threats we could check for applicability?
- Could we organize the Threats in Risk Patterns for APIs?
- Can they be summarized on a Cheat Sheet form?
Reference
A list of threats from “Threat Modeling: Designing for Security” by Adam Shostack:
- Perform security checks inside the boundary
- Copy before validation-for-purpose
- Is http://evil.org/pwnme.html “valid”?
- Define the purpose for data, validate near that definition
- Manage error reporting
- Document what checks happen where
- Do crypto in constant time
- Address the security requirements of your API
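The checks in the list above are easy to state and easy to get wrong in an endpoint. The following example is added here and is not from the summit page or from Shostack's book; it applies the first seven items to a hypothetical "fetch a resource by URL" API call. The allowed-host set, the demo API key and the ApiError type are constructed for the example. Note how http://evil.org/pwnme.html is a syntactically valid URL that still fails validation-for-purpose.

```python
"""Shostack's API checks applied to one hypothetical endpoint (added example)."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical: this API only fetches from these hosts, only over https.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Constructed demo secret; a real service would load the key hash from config.
API_KEY_SHA256 = hashlib.sha256(b"constructed-demo-key").digest()

# "Manage error reporting": internal detail goes here, never to the client.
SERVER_LOG = []


class ApiError(Exception):
    """An error with a client-safe message and a server-only detail string."""

    def __init__(self, public_message, internal_detail="", status=400):
        super().__init__(public_message)
        self.public_message = public_message
        self.internal_detail = internal_detail
        self.status = status


def check_api_key(presented: str) -> bool:
    """'Do crypto in constant time': compare_digest does not stop at the
    first differing byte, so timing does not leak how much of the key matched."""
    digest = hashlib.sha256(presented.encode()).digest()
    return hmac.compare_digest(digest, API_KEY_SHA256)


def validate_fetch_url(raw_url: str) -> str:
    """'Define the purpose for data, validate near that definition':
    the purpose is 'fetch from our own hosts over https', so that is what
    is checked, not merely 'is this a well-formed URL'."""
    parts = urlsplit(raw_url)
    if parts.scheme != "https":
        raise ApiError("url not permitted", f"scheme={parts.scheme!r}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ApiError("url not permitted", f"host={parts.hostname!r}")
    if parts.username or parts.password:
        raise ApiError("url not permitted", "credentials embedded in url")
    # Return the normalised form that was validated, not the caller's string.
    return parts.geturl()


def handle_request(params: dict) -> dict:
    """Checks performed here, inside the trust boundary, before any work:
    1. API key (constant-time)   2. URL validated for purpose.
    ('Document what checks happen where' is this docstring.)"""
    # "Copy before validation-for-purpose": snapshot the request so the values
    # checked are the values later used, even if the caller's dict is shared.
    request = dict(params)
    try:
        if not check_api_key(request.get("api_key", "")):
            raise ApiError("unauthorised", "api key mismatch", status=401)
        url = validate_fetch_url(request.get("url", ""))
        return {"status": 200, "fetch": url}
    except ApiError as err:
        SERVER_LOG.append(err.internal_detail)          # detail stays server-side
        return {"status": err.status, "error": err.public_message}


if __name__ == "__main__":
    print(handle_request({"api_key": "constructed-demo-key",
                          "url": "http://evil.org/pwnme.html"}))
    print(handle_request({"api_key": "constructed-demo-key",
                          "url": "https://api.example.com/v1/items?q=1"}))
```

The client only ever sees "url not permitted" or "unauthorised"; the scheme or host that caused the rejection is written to SERVER_LOG, which is where the later "Information is disclosed through error messages" threat is addressed.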
A Generic Cheat Sheet for a Generic API
Controls
TLS
Assumptions
- Multiparameter API
- Server logs requests including IP address
- GDPR is applicable (see 2)
Scope
- API
- Server
- Data Flows 1 and 2
Out of Scope
- Provision of code
- Provision of server/hardware (be explicit about what you are excluding, i.e. server hardware and software)
Model A
S (Spoofing)
- The wrong server responds
T (Tampering)
- Client receives tampered data
- Compromised server
- Man in the Middle
- Server receives tampered data
R (Repudiation)
- Client repudiates request
- Server repudiates having sent the response
I (Information Disclosure)
- Server logs
- Confidential data is disclosed through the connection
- Information is disclosed through error messages
D (Denial of Service)
- DoS through:
  - API overload
  - Network overload
  - Budget overload
  - FINDOS
E (Elevation of Privilege)
- Unauthorised access to API
- Code execution
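Two of the Model A threats follow directly from the assumptions above: "API overload" under D, and "Server logs" under I (the server logs the client IP and GDPR applies). The example below is added here and is not from the summit page; it shows a per-client token-bucket rate limit and a log line that carries a keyed pseudonym of the IP rather than the raw address. The rate, burst, log key and client addresses are constructed values.

```python
"""Mitigations for Model A threats D (API overload) and I (server logs). Added example."""
import hashlib
import hmac
import time

RATE = 5.0    # tokens refilled per second (constructed)
BURST = 10.0  # maximum burst per client (constructed)
# Keyed pseudonym: the log store alone cannot recover the IP. Kept out of the
# log store, rotated on a schedule; constructed value for the example.
LOG_KEY = b"constructed-log-pseudonym-key"

BUCKETS = {}
LOG = []


class TokenBucket:
    """Classic token bucket: refill at RATE, cap at BURST, spend one per request."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.burst = burst
        self.tokens = burst
        self.last = now

    def allow(self, now) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def pseudonymise_ip(ip: str) -> str:
    """Stable per-IP pseudonym (HMAC-SHA256, truncated) so abuse from one client
    can still be correlated across log lines without storing the address."""
    return hmac.new(LOG_KEY, ip.encode(), hashlib.sha256).hexdigest()[:16]


def gate(client_ip: str, now=None) -> int:
    """Admission check run before the API does any work.
    Returns 200 if the request is admitted, 429 if the client is over its budget."""
    now = time.monotonic() if now is None else now
    bucket = BUCKETS.setdefault(client_ip, TokenBucket(RATE, BURST, now))
    status = 200 if bucket.allow(now) else 429
    LOG.append(f"ts={now:.3f} client={pseudonymise_ip(client_ip)} status={status}")
    return status


if __name__ == "__main__":
    for _ in range(12):
        print(gate("203.0.113.7", now=0.0))   # tenth call is the last admitted
    print(LOG[-1])
```

A 429 from the gate costs the server a dictionary lookup and a log line, which is the point: the expensive work behind the API is never reached by the excess requests. Budget overload against a metered backend is bounded the same way, by the admitted rate rather than the offered rate.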
Model B
- No state change
- Public Data
- No Authorisation
References
Session page: API Threat Modeling Cheat Sheet
Summit 2017 session page: 2017 Threat Model Sessions
Summit 2017 outcome page: Outcomes OWASP Projects: Cheat Sheets