THE CALL IS COMING FROM INSIDE THE HOUSE
API ABUSE BY AUTHENTICATED USERS
Amir Sharif, Secure Software By Design, August 7 2024

DISCUSSION OUTLINE
1. Definitions
2. Concrete examples
3. Spectrum of severity
4. Hacker how-to
5. New challenges
6. Mitigations

Sometimes an authenticated user can be malicious.

1 DEFINITIONS

Broken Object Level Authorization (BOLA, OWASP API1:2023)
"APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user."

Broken Function Level Authorization (BFLA, OWASP API5:2023)
"Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers can gain access to other users' resources and/or administrative functions."

And several associated vulnerabilities:
API3:2023 - Broken Object Property Level Authorization
API4:2023 - Unrestricted Resource Consumption
API6:2023 - Unrestricted Access to Sensitive Business Flows
API10:2023 - Unsafe Consumption of APIs

Modern web apps are reliant on frontend APIs that developers often assume are only called via valid client interactions.

curl https:/

BOLA: An EHR that allows practice managers to generate printable claims can be manipu
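The object-level and function-level checks the two OWASP definitions call for, shown as an added example that is not from the talk: a constructed EHR "print claim" handler, first as written with neither check and then hardened. The data model, the practice IDs and the role names are assumptions; in a real API the caller's identity comes from the authenticated session, never from the request.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: str
    practice_id: str   # the tenant the caller belongs to (from the session)
    role: str          # assumed roles: "manager" or "clerk"

@dataclass(frozen=True)
class Claim:
    claim_id: int
    practice_id: str   # the object's owner
    patient: str

# Constructed sample data: two practices, each with one claim.
CLAIMS = {
    101: Claim(101, "practice-A", "patient-1"),
    202: Claim(202, "practice-B", "patient-2"),
}

class Forbidden(Exception):
    pass

def print_claim_vulnerable(user: User, claim_id: int) -> Claim:
    """BOLA and BFLA in one place: the claim ID from the request is used
    directly, with no check of who owns the object or whether the caller's
    role may use this function at all."""
    return CLAIMS[claim_id]

def print_claim_secure(user: User, claim_id: int) -> Claim:
    """Function-level check first (only practice managers print claims),
    then object-level check (the claim must belong to the caller's practice)."""
    if user.role != "manager":
        raise Forbidden("role %s may not print claims" % user.role)
    claim = CLAIMS.get(claim_id)
    # Same error for "does not exist" and "belongs to another practice", so
    # the endpoint does not confirm which IDs exist in other tenants.
    if claim is None or claim.practice_id != user.practice_id:
        raise Forbidden("claim %d not accessible" % claim_id)
    return claim

def can_print(user: User, claim_id: int) -> bool:
    """Convenience wrapper: True if the hardened handler would serve the claim."""
    try:
        print_claim_secure(user, claim_id)
        return True
    except Forbidden:
        return False
```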