Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Published Mar 23 2024 10:44 AM
Microsoft

Overview

The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we'll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.

Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs, giving you visibility into your business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.

Concepts

Security recommendations - Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations - a reference guide.

Security alerts - Security alerts are the notifications generated by Defender for Cloud's workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts - a reference guide.

Attack path analysis - Defender for Cloud uses environment context to perform a risk assessment of your security issues and then identifies the issues that pose the biggest security risk. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths.

Defender for APIs - OWASP API Security Coverage Mapping

The mapping below lists each OWASP API risk, followed by the Defender for APIs security coverage for it.

Broken Object Level Authorization (API1:2023)
  (Security alert) Parameter enumeration on an API endpoint - A single IP was observed enumerating parameters when accessing one of the API endpoints.
  (Security alert) Distributed parameter enumeration on an API endpoint - The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.

Broken Authentication (API2:2023)
  (Security recommendation) API endpoints in Azure API Management should be authenticated - API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
  (Security recommendation) API Management calls to API backends should be authenticated - Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.

Broken Object Property Level Authorization (API3:2023)
  (Security alert) Previously unseen parameter used in an API call - A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
  (Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint - A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.

Unrestricted Resource Consumption (API4:2023)
  (Security alert) Suspicious population-level spike in API traffic to an API endpoint - A suspicious spike in API traffic was detected at one of the API endpoints.
  (Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint - A suspicious spike in API traffic was detected from a client IP to the API endpoint.
  (Security alert) Unusually large request body transmitted between a single IP address and an API endpoint - A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
  (Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint - A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
  (Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints - A single IP was observed making API calls to an unusually large number of distinct endpoints.
  (Security recommendation) API Management direct management endpoint should not be enabled - The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.

Broken Function Level Authorization (API5:2023)
  No coverage

Unrestricted Access to Sensitive Business Flows (API6:2023)
  (Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data.
  (Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint - A suspicious spike in API traffic was detected from a client IP to the API endpoint.

Server-Side Request Forgery (API7:2023)
  No coverage

Security Misconfiguration (API8:2023)
  (Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service - As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
  (Security recommendation) API Management APIs should use only encrypted protocols - APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS, to ensure the security of data in transit.
  (Security recommendation) API Management secret named values should be stored in Azure Key Vault - Named values are a collection of name and value pairs in each API Management service.
  (Security recommendation) API Management should disable public network access to the service configuration endpoints - To improve the security of API Management services, restrict connectivity to service configuration endpoints, like the direct access management API, the Git configuration management endpoint, or the self-hosted gateways configuration endpoint.
  (Security recommendation) API Management calls to API backends should be authenticated - Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.

Improper Inventory Management (API9:2023)
  Inventory dashboard - Centralized inventory of all managed APIs and related API security findings.
  External exposure - Classify which API endpoints are exposed externally.
  Sensitive data classification - Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.

Unsafe Consumption of APIs (API10:2023)
  No coverage

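Several of the alerts in the mapping above (parameter enumeration for API1, a previously unseen parameter and an unusually large response for API3, endpoint spray and a single-IP traffic spike for API4/API6) describe behaviours that can be recognised from gateway access logs. The following is an added example, not Microsoft's detection logic and not code from the page: it runs simple versions of those checks over a constructed, space-separated log format. The log layout, the field names, the baselines and the thresholds are all assumptions chosen for the illustration.

```python
"""Toy runtime detectors for behaviours described by the Defender for APIs
alerts above. Added example: not Microsoft's detection logic; the log format,
field names, baselines and thresholds are assumptions."""
from collections import Counter, defaultdict
from statistics import median
from urllib.parse import parse_qs, urlsplit

# Constructed sample gateway log lines (not real traffic):
# timestamp client_ip method url status request_bytes response_bytes
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.5 GET /api/orders?id=1001 200 0 512
2024-03-01T10:00:02Z 203.0.113.5 GET /api/orders?id=1002 200 0 498
2024-03-01T10:00:03Z 203.0.113.5 GET /api/orders?id=1003 200 0 505
2024-03-01T10:00:04Z 203.0.113.5 GET /api/orders?id=1004 200 0 510
2024-03-01T10:00:05Z 203.0.113.5 GET /api/orders?id=1005 200 0 520
2024-03-01T10:00:06Z 203.0.113.5 GET /api/orders?id=1006 200 0 501
2024-03-01T10:00:07Z 198.51.100.9 GET /api/orders?id=77 200 0 499
2024-03-01T10:00:08Z 198.51.100.9 GET /api/orders?id=77&include_pii=true 200 0 48000
2024-03-01T10:00:09Z 192.0.2.44 GET /api/users 200 0 300
2024-03-01T10:00:10Z 192.0.2.44 GET /api/admin 403 0 40
2024-03-01T10:00:11Z 192.0.2.44 GET /api/invoices 200 0 700
2024-03-01T10:00:12Z 192.0.2.44 GET /api/reports 200 0 650
2024-03-01T10:00:13Z 192.0.2.44 GET /api/export 200 0 620
"""

# Constructed baselines that an operator would learn from earlier benign traffic
BASELINE_PARAMS = {"GET /api/orders": {"id"}}  # endpoint -> known parameter names
BASELINE_RATE = {"203.0.113.5": 1, "198.51.100.9": 2, "192.0.2.44": 2}  # requests per window


def parse_log(text):
    """Parse one space-separated line per request into a dict per event."""
    events = []
    for line in text.splitlines():
        ts, ip, method, url, status, req_b, resp_b = line.split()
        parts = urlsplit(url)
        events.append({"ts": ts, "ip": ip, "endpoint": f"{method} {parts.path}",
                       "params": parse_qs(parts.query), "status": int(status),
                       "req_bytes": int(req_b), "resp_bytes": int(resp_b)})
    return events


def parameter_enumeration(events, min_distinct=5):
    """API1: one IP cycling through many distinct values of one parameter on one endpoint."""
    seen = defaultdict(set)  # (ip, endpoint, parameter name) -> distinct values
    for e in events:
        for name, values in e["params"].items():
            seen[(e["ip"], e["endpoint"], name)].update(values)
    return [key for key, vals in seen.items() if len(vals) >= min_distinct]


def unseen_parameters(events, baseline):
    """API3: a request carrying a parameter name never seen on that endpoint before."""
    hits = {(e["ip"], e["endpoint"], name) for e in events
            for name in e["params"] if name not in baseline.get(e["endpoint"], set())}
    return sorted(hits)


def large_response(events, factor=10):
    """API3/API4: response size far above the median response for that endpoint."""
    sizes = defaultdict(list)
    for e in events:
        sizes[e["endpoint"]].append(e["resp_bytes"])
    med = {ep: median(v) for ep, v in sizes.items()}
    return [(e["ip"], e["endpoint"], e["resp_bytes"]) for e in events
            if e["resp_bytes"] > factor * med[e["endpoint"]]]


def endpoint_spray(events, max_endpoints=4):
    """API4: one IP touching an unusually large number of distinct endpoints."""
    per_ip = defaultdict(set)
    for e in events:
        per_ip[e["ip"]].add(e["endpoint"])
    return {ip: len(eps) for ip, eps in per_ip.items() if len(eps) > max_endpoints}


def traffic_spike(events, baseline_rate, factor=3):
    """API4/API6: request count from one IP far above its baseline for the window."""
    counts = Counter(e["ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n > factor * baseline_rate.get(ip, 1)}


def run_all(text, baseline_params=BASELINE_PARAMS, baseline_rate=BASELINE_RATE):
    """Run every detector over a log text and return the findings by detector name."""
    events = parse_log(text)
    return {
        "parameter_enumeration": parameter_enumeration(events),
        "unseen_parameter": unseen_parameters(events, baseline_params),
        "large_response": large_response(events),
        "endpoint_spray": endpoint_spray(events),
        "traffic_spike": traffic_spike(events, baseline_rate),
    }


if __name__ == "__main__":
    for detector, findings in run_all(SAMPLE_LOG).items():
        print(f"{detector}: {findings}")
```

On the constructed log, the script flags 203.0.113.5 for enumerating `id` on `/api/orders` and for a traffic spike, 198.51.100.9 for the previously unseen `include_pii` parameter and the matching 48 KB response, and 192.0.2.44 for touching five distinct endpoints. A production detector would learn the per-endpoint and per-IP baselines over a sliding window rather than take them as constants, which is the main thing this toy leaves out.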
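The security recommendations listed under API2 and API8 (authenticated endpoints, authenticated backend calls, encrypted protocols only, removal of endpoints unused for 30 days) are posture checks over the API inventory rather than runtime detections. The following is an added example, not Microsoft's implementation and not code from the page: it applies those four checks to a constructed inventory. The inventory shape and its field names (`protocols`, `auth`, `backend_auth`, `last_traffic`) are assumptions and not the Azure API Management resource schema.

```python
"""Toy posture check for four of the Defender for APIs security recommendations
above. Added example; the inventory shape and field names are assumptions and
not the Azure API Management resource schema."""
from datetime import datetime, timedelta, timezone

# Constructed inventory (not exported from a real API Management instance)
INVENTORY = [
    {"name": "orders-api", "protocols": ["https"], "auth": "jwt",
     "backend_auth": "certificate", "last_traffic": "2024-03-20T08:00:00Z"},
    {"name": "legacy-report-api", "protocols": ["http", "https"], "auth": None,
     "backend_auth": None, "last_traffic": "2024-01-02T08:00:00Z"},
    {"name": "ws-feed", "protocols": ["ws"], "auth": "subscription-key",
     "backend_auth": "basic", "last_traffic": "2024-03-21T08:00:00Z"},
]

ENCRYPTED = {"https", "wss"}          # the only protocols the recommendation allows
UNUSED_AFTER = timedelta(days=30)     # the "unused" threshold the recommendation states


def parse_utc(stamp):
    """Parse a Zulu ISO-8601 timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_api(api, now):
    """Return the list of recommendation findings for one API (empty if compliant)."""
    findings = []
    if not api["auth"]:
        findings.append("endpoint not authenticated")
    if not api["backend_auth"]:
        findings.append("backend call not authenticated")
    insecure = sorted(set(api["protocols"]) - ENCRYPTED)
    if insecure:
        findings.append("unencrypted protocol(s): " + ", ".join(insecure))
    idle = now - parse_utc(api["last_traffic"])
    if idle > UNUSED_AFTER:
        findings.append(f"no traffic for {idle.days} days; consider removing")
    return findings


def audit(inventory, now):
    """Map each non-compliant API name to its findings."""
    report = {}
    for api in inventory:
        findings = check_api(api, now)
        if findings:
            report[api["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, datetime.now(timezone.utc)).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The check is deliberately strict about protocols: an API that lists both `http` and `https` still fails, because the recommendation is that the API be available only through encrypted protocols, not merely that an encrypted option exist.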

API Security Testing

Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.

This support enables full lifecycle API security (extending to the OWASP API Top 10 risks) and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed to production. To learn more, see Partner applications in Microsoft Defender for Cloud for API security testing (preview).

Next Steps

To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.

To learn more about how Azure API Management helps mitigate the OWASP API risks, see Recommendations to mitigate OWASP API Security Top 10 threats using API Management.

Last update: Mar 22 2024 01:43 PM