Part 2: API Attacks – Completing the OWASP API Security Top 10

This second part covers the remaining critical API vulnerabilities from the OWASP API Security Top 10 (2023): Server-Side Request Forgery (SSRF), Security Misconfiguration, Improper Inventory Management, and Unsafe Consumption of APIs. Building on Part 1’s foundation, these risks highlight systemic issues in API ecosystems that demand proactive mitigation.

API7:2023 Server-Side Request Forgery (SSRF)

Server-Side Request Forgery tricks servers into making unauthorized requests to internal or external resources, often bypassing firewalls. APIs become vectors when they process user-supplied URLs without validation.

Attack Mechanics

Attackers submit malicious URLs like http://localhost/admin or http://169.254.169.254/metadata (AWS IMDS). Servers fetch these, exposing sensitive data or triggering actions.

In cloud environments, SSRF reaches instance metadata services and steals the credentials they hand out. Protocols like file://, gopher://, or dict:// amplify reach.

Exploitation Example

A document conversion API /convert?url=http://evil.com/malicious.pdf proxies requests. An attacker crafts url=http://169.254.169.254/latest/meta-data/iam/security-credentials/role, extracting AWS keys.

Real-world: Capital One’s 2019 breach involved SSRF chaining to exfiltrate data from an AWS-hosted API, compromising 100 million records.

Burp Suite’s Collaborator detects blind SSRF by tracking DNS interactions.

Prevention Measures

  • Whitelist allowed domains and block private IPs (RFC 1918, loopback).
  • Use URL validation libraries; disable redirects.
  • Network segmentation isolates internal services; API gateways enforce URL policies.

Example (Node.js):

```javascript
const ALLOWED_DOMAINS = ['api.example.com']; // hostnames this service may fetch from

app.post('/fetch', (req, res) => {
  let url;
  try {
    url = new URL(req.body.url); // throws on malformed input, so catch it instead of returning a 500
  } catch {
    return res.status(400).json({error: 'Invalid URL'});
  }
  if (!ALLOWED_DOMAINS.includes(url.hostname) || url.protocol !== 'https:') {
    return res.status(400).json({error: 'Invalid URL'});
  }
  // Proxy request
});
```

Implement response size limits and timeouts to curb DoS.

API8:2023 Security Misconfiguration

Security Misconfiguration arises from improper API setups, such as exposed debug endpoints, verbose errors, or default credentials, creating easy entry points for attackers.

Common Pitfalls

APIs ship with trace/debug enabled (/debug/pprof), stack traces in production, or CORS * wildcards. Missing HTTPS enforcement or weak TLS ciphers invite interception.

GraphQL introspection queries ({__schema{types{name}}}) leak schemas if unprotected.

Practical Exploitation

An API returns {"error": "SQL syntax error near '1=1--'"}, revealing database details. Or /api/.env exposes configs due to directory listing.

In a fintech app, misconfigured CORS allowed Origin: evil.com to read responses, enabling XSS-to-API attacks. Attackers scraped unprotected /healthz for version fingerprinting.

Mitigation Strategies

  • Harden defaults: Disable debug, enforce HTTPS (HSTS), rotate secrets.
  • Least privilege: API keys per environment, no shared credentials.
  • Automated checks: Use tools like lychee for dead links or trivy for misconfigs.

| Misconfiguration Type | Risk Example | Fix |
| --- | --- | --- |
| Verbose Errors | SQL leaks | Generic messages [owasp] |
| CORS Wildcards | Unauthorized origins | Explicit allowlist |
| Debug Endpoints | Code exposure | Environment-gated |

Regular audits and Infrastructure-as-Code scanning prevent regressions.

API9:2023 Improper Inventory Management

Organizations lose control when APIs lack discovery, versioning, deprecation, or documentation, leading to shadow APIs and unpatched exposures.

The Inventory Challenge

Undocumented endpoints persist post-migration; zombie APIs run outdated code. Without catalogs, teams can’t assess attack surfaces or apply patches.

Third-party APIs compound risks if inventories omit dependencies.

Attack Scenarios

Attackers fuzz /v1/users through /v3/users, hitting deprecated but still-live endpoints with known vulnerabilities. A retailer’s forgotten /beta/admin exposed PII.

In microservices, service meshes without observability hide rogue APIs. A 2023 Salt Security report found that 80% of organizations had unmanaged APIs.

Best Practices

  • API gateways centralize routing (Kong, Ambassador).
  • Automated discovery: Tools like API Cataloger or Postman’s API Lighthouse.
  • Lifecycle management: Semantic versioning, sunset headers (Deprecation: date).

Example governance flow:

  1. Register APIs in a central repo.
  2. Tag with owners, sensitivity.
  3. Quarterly audits retire orphans.

| Inventory Tool | Key Feature | Use Case |
| --- | --- | --- |
| API Gateway | Traffic proxy | Enforcement |
| OpenAPI Spec | Documentation | Client gen |
| WAF Logs | Discovery | Shadow APIs |
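The last two rows of the table combine naturally: reconcile the paths an OpenAPI document declares with the paths that actually receive traffic in gateway or WAF logs, and the difference is the shadow-API list. The following is an added example, not code from the original post or any named tool; the spec fragment, the log lines, the Sunset date and the function names are constructed for illustration. It flags three things: requests that match no documented operation (shadow), requests that hit operations marked deprecated (zombie), and documented operations with no traffic (candidates for retirement), and it builds the Deprecation/Sunset headers for a deprecated operation.

```javascript
// Added example (not from the original post). Spec-versus-traffic reconciliation
// for API inventory; SPEC and GATEWAY_LOGS are constructed sample data.

const SPEC = { // constructed, minimal OpenAPI 3 shape
  paths: {
    '/v3/users':      { get: {} },
    '/v3/users/{id}': { get: {}, delete: {} },
    '/v2/users':      { get: { deprecated: true, sunset: 'Sat, 31 May 2025 00:00:00 GMT' } },
  },
};

const GATEWAY_LOGS = [ // constructed combined-log style lines
  '10.1.2.3 - - [05/Mar/2024:10:00:01 +0000] "GET /v3/users HTTP/1.1" 200 512',
  '10.1.2.3 - - [05/Mar/2024:10:00:02 +0000] "GET /v3/users/42 HTTP/1.1" 200 210',
  '10.1.2.9 - - [05/Mar/2024:10:00:03 +0000] "GET /v1/users?page=2 HTTP/1.1" 200 498',
  '10.1.2.9 - - [05/Mar/2024:10:00:04 +0000] "GET /v2/users HTTP/1.1" 200 498',
  '10.1.2.9 - - [05/Mar/2024:10:00:05 +0000] "POST /beta/admin HTTP/1.1" 200 64',
  '10.1.2.9 - - [05/Mar/2024:10:00:06 +0000] "GET /v3/users HTTP/1.1" 200 512',
];

// OpenAPI path template -> anchored regex; each {param} matches one segment.
function templateToRegex(template) {
  const escaped = template.replace(/[.*+?^$()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\{[^}]+\}/g, '[^/]+') + '$');
}

// Pull method and path (query string dropped) out of one log line.
function parseLogLine(line) {
  const m = line.match(/"([A-Z]+) (\S+) HTTP\/[\d.]+"/);
  if (!m) return null;
  return { method: m[1].toLowerCase(), path: m[2].split('?')[0] };
}

function reconcile(spec, logLines) {
  const declared = Object.entries(spec.paths).map(([template, ops]) => ({
    template, regex: templateToRegex(template), ops,
  }));
  const seen = new Map(); // "method path" -> request count
  for (const line of logLines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const key = `${req.method} ${req.path}`;
    seen.set(key, (seen.get(key) || 0) + 1);
  }
  const shadow = [], zombie = [], hitTemplates = new Set();
  for (const [key, count] of seen) {
    const [method, path] = key.split(' ');
    const match = declared.find(d => d.regex.test(path) && d.ops[method]);
    if (!match) { shadow.push({ method, path, count }); continue; }
    hitTemplates.add(match.template);
    if (match.ops[method].deprecated) zombie.push({ method, path: match.template, count });
  }
  const unused = declared.filter(d => !hitTemplates.has(d.template)).map(d => d.template);
  return { shadow, zombie, unused };
}

// Headers a gateway should attach to responses from a deprecated operation,
// so clients learn the sunset date instead of discovering it by outage.
function deprecationHeaders(op) {
  if (!op || !op.deprecated) return {};
  const headers = { Deprecation: 'true' };
  if (op.sunset) headers.Sunset = op.sunset;
  return headers;
}
```

In a real pipeline the log source is the gateway's access log export and the spec comes from the central registry in the governance flow above; anything in shadow is either an undocumented endpoint to register or an endpoint to shut off.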

API10:2023 Unsafe Consumption of APIs

Clients blindly trust upstream APIs without validation, inheriting risks like data poisoning or injection via tainted responses.

Vulnerability Dynamics

No schema enforcement lets malformed JSON trigger XXE or prototype pollution. Clients forward untrusted data to databases, enabling second-order attacks.

GraphQL clients without query validation amplify denial via costly aggregations.

Example Exploits

A mobile app consumes /weather?city=San Francisco<svg/onload=alert(1)>, injecting XSS if rendered unsanitized. Or prototype pollution: {__proto__: {admin: true}} escalates privileges downstream.

In supply chain attacks, compromised vendor APIs inject malware payloads. Uber’s 2022 breach was traced to unsafe OAuth token handling from a partner API.

Defenses for Safe Consumption

  • Strict schema validation (JSON Schema, GraphQL SDL).
  • Sanitize/escape all inputs; use prepared statements.
  • Trust boundaries: Verify signatures, implement circuit breakers.

Client-side example (JavaScript/fetch):

```javascript
const Ajv = require('ajv');
const ajv = new Ajv();
const validate = ajv.compile(schema); // compile the JSON Schema once, not per response; schema and upstreamApi are defined elsewhere

fetch(upstreamApi)
  .then(res => res.json())
  .then(data => {
    if (!validate(data)) throw new Error('Invalid data: ' + ajv.errorsText(validate.errors));
    // Process
  });
```

Monitor with API observability for anomalies.
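The two exploits given above (the city string carrying markup, and the {__proto__: {admin: true}} payload) are what a consumer-side guard has to stop. The following is an added example, not code from the original post, that does this without an external library: it parses the upstream body with a reviver that drops prototype-polluting keys, checks the result against a small hand-written schema that rejects unexpected fields, and HTML-escapes string fields before they can reach a renderer. WEATHER_SCHEMA, the sample bodies and the function names are constructed assumptions.

```javascript
// Added example (not from the original post). Consumer-side guard for an
// upstream JSON response; schema and sample bodies are constructed.

const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// JSON.parse calls the reviver for every key; returning undefined deletes the
// property, so these keys never exist on the parsed object and can never be
// copied onto Object.prototype by a later merge.
function safeJsonParse(text) {
  return JSON.parse(text, (key, value) => (POLLUTING_KEYS.has(key) ? undefined : value));
}

const WEATHER_SCHEMA = { // constructed: the shape expected from /weather
  city:  { type: 'string', maxLength: 64 },
  tempC: { type: 'number', min: -100, max: 100 },
};

// Returns a list of problems; an empty list means the data is acceptable.
// Unknown fields are rejected so a partner cannot smuggle extra attributes in.
function validate(data, schema) {
  if (data === null || typeof data !== 'object' || Array.isArray(data)) return ['root: expected object'];
  const errors = [];
  for (const [field, rule] of Object.entries(schema)) {
    const v = data[field];
    if (typeof v !== rule.type) { errors.push(`${field}: expected ${rule.type}`); continue; }
    if (rule.type === 'string' && v.length > rule.maxLength) errors.push(`${field}: too long`);
    if (rule.type === 'number' && (!Number.isFinite(v) || v < rule.min || v > rule.max)) errors.push(`${field}: out of range`);
  }
  for (const key of Object.keys(data)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`${key}: unexpected field`);
  }
  return errors;
}

// Escape for an HTML text context before the value is rendered.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };
  return s.replace(/[&<>"'\/]/g, c => map[c]);
}

// Parse, validate, then escape: the only path from upstream bytes to app data.
function consumeWeather(rawBody) {
  const data = safeJsonParse(rawBody);
  const errors = validate(data, WEATHER_SCHEMA);
  if (errors.length) throw new Error('Upstream response rejected: ' + errors.join('; '));
  return { city: escapeHtml(data.city), tempC: data.tempC };
}
```

Escaping at consumption time is a second line of defence; the templating layer should still escape on output, because the same value may later be placed in an attribute or a script context where HTML text escaping is not sufficient.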

Advanced Testing Techniques

Combine Burp Suite extensions (OAuth4Burp, GraphQL Raider) for SSRF fuzzing and auth tests. OWASP ZAP’s API scanning templates cover misconfigs.

For inventory: Script API discovery via Swagger/OpenAPI crawling.

Your HTB Academy path aligns perfectly—practice these in API-focused modules.
