Unsafe Consumption of APIs (API10:2023)
Because of this weakness, an attacker can send data to or receive data from the third-party (supply-chain) services the API consumes, or cause the consuming API to carry out requests of the attacker's choosing in a given context.
- Example: a GET request that retrieves weather information from a third-party service:
  GET /api/weather?location=New+York
Non-compliant code (.NET)
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/weather")]
public class WeatherController : ControllerBase
{
    private readonly IWeatherService weatherService;

    public WeatherController(IWeatherService weatherService)
    {
        this.weatherService = weatherService;
    }

    // GET /api/weather
    [HttpGet]
    public IActionResult GetWeather(string location)
    {
        // Forward the unvalidated parameter straight to the third-party weather API
        // and return whatever it sends back without checking it
        WeatherData weatherData = weatherService.GetWeatherData(location);
        return Ok(weatherData);
    }

    // Other methods...
}
Compliant code (.NET)
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/weather")]
public class WeatherController : ControllerBase
{
    private readonly IWeatherService weatherService;

    public WeatherController(IWeatherService weatherService)
    {
        this.weatherService = weatherService;
    }

    // GET /api/weather
    [HttpGet]
    public IActionResult GetWeather(string location)
    {
        // Validate the location parameter before it is forwarded to the third-party service
        if (!IsValidLocation(location))
        {
            return BadRequest();
        }

        // Call the third-party weather API through the weather service and
        // treat an empty or rejected upstream answer as "not found" rather than passing it on
        WeatherData weatherData = weatherService.GetWeatherData(location);
        if (weatherData == null)
        {
            return NotFound();
        }
        return Ok(weatherData);
    }

    // Allow-list of characters a place name may contain: letters, spaces, commas,
    // periods, apostrophes and hyphens ("New York" and "Paris,FR" pass; control
    // characters, path separators and query metacharacters do not)
    private static readonly Regex LocationPattern =
        new Regex(@"^[A-Za-z][A-Za-z .'-]*(,[A-Za-z .'-]+)*$", RegexOptions.Compiled);

    private bool IsValidLocation(string location)
    {
        // Reject empty input, bound the length, and require the allow-listed pattern
        // so that only a well-formed place name reaches the upstream request
        return !string.IsNullOrWhiteSpace(location)
            && location.Length <= 100
            && LocationPattern.IsMatch(location);
    }

    // Other methods...
}
General prevention suggestions:
- Treat data received from external APIs with caution and validate it rigorously before using it.
- Check and verify the security posture and standards of a third-party service before connecting to it.
- Use encryption (TLS) when communicating with external services, and do not send sensitive information to them in plaintext.
- Limit the access and privilege levels granted to third-party services, and set appropriate limits (timeouts, response sizes, rate limits).
- Implement protection mechanisms such as schema validation and normalization of the data received from external services to ensure its security and reliability.
- Continuously monitor and audit external services to detect and fix any defects in their security.
- Train developers in security principles and in the correct use of external APIs.
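The compliant controller above delegates the upstream call to IWeatherService, and the prevention list asks for encryption, limits and validation of what comes back. The following added example (not code from the original page) shows one way such a service could consume the third-party weather API defensively; the upstream URL, the WeatherData fields, the plausibility ranges and the async signature are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Assumed shape: only the fields the application actually needs from upstream.
public record WeatherData(string Location, double TemperatureC, string Conditions);

public interface IWeatherService
{
    Task<WeatherData> GetWeatherDataAsync(string location);
}

public sealed class TrustedWeatherService : IWeatherService
{
    private const long MaxResponseBytes = 64 * 1024;   // cap on how much upstream data we will read
    private readonly HttpClient http;

    public TrustedWeatherService()
    {
        // Do not follow redirects: a redirect could send the request to an unexpected host.
        var handler = new HttpClientHandler { AllowAutoRedirect = false };
        http = new HttpClient(handler)
        {
            BaseAddress = new Uri("https://weather.example.invalid/"), // placeholder upstream, HTTPS only
            Timeout = TimeSpan.FromSeconds(5),                          // bound how long upstream can stall us
            MaxResponseContentBufferSize = MaxResponseBytes,
        };
    }

    public async Task<WeatherData> GetWeatherDataAsync(string location)
    {
        // Encode the (already allow-listed) parameter so it cannot alter the upstream query.
        using var response = await http.GetAsync("v1/current?q=" + Uri.EscapeDataString(location));
        if (response.StatusCode != HttpStatusCode.OK) return null;
        if (response.Content.Headers.ContentType?.MediaType != "application/json") return null;

        var json = await response.Content.ReadAsStringAsync();
        WeatherData data;
        try
        {
            // Deserialize into a fixed, strongly typed shape; unknown fields are dropped.
            data = JsonSerializer.Deserialize<WeatherData>(json,
                new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
        }
        catch (JsonException) { return null; }

        // Plausibility checks on upstream values before they reach the controller and its callers.
        if (data is null || data.TemperatureC < -100 || data.TemperatureC > 70) return null;
        if (string.IsNullOrWhiteSpace(data.Conditions) || data.Conditions.Length > 64) return null;
        return data;
    }
}
```

Returning null for anything unexpected lets the controller answer NotFound instead of relaying malformed or oversized upstream content to its own clients.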