| 1 | +API10:2019 Insufficient Logging & Monitoring |
| 2 | +============================================ |
| 3 | + |
| 4 | +| Threat agents/Attack vectors | Security Weakness | Impacts | |
| 5 | +| - | - | - | |
| 6 | +| API Specific : Exploitability **2** | Prevalence **3** : Detectability **1** | Technical **2** : Business Specific | |
| 7 | +| Attackers take advantage of lack of logging and monitoring to abuse systems without being noticed. | Without logging and monitoring, or with insufficient logging and monitoring, it is almost impossible to track suspicious activities and respond to them in a timely fashion. | Without visibility over on-going malicious activities, attackers have plenty of time to fully compromise systems. | |
| 8 | + |
| 9 | +## Is the API Vulnerable? |
| 10 | + |
| 11 | +The API is vulnerable if: |
| 12 | + |
| 13 | +* It does not produce any logs, the logging level is not set correctly, or log |
| 14 | + messages do not include enough detail. |
| 15 | +* Log integrity is not guaranteed (e.g., [Log Injection][1]). |
| 16 | +* Logs are not continuously monitored. |
| 17 | +* API infrastructure is not continuously monitored. |
| 18 | + |
| 19 | +## Example Attack Scenarios |
| 20 | + |
| 21 | +### Scenario #1 |
| 22 | + |
| 23 | +Access keys of an administrative API were leaked on a public repository. The |
| 24 | +repository owner was notified by email about the potential leak, but took more |
| 25 | +than 48 hours to act upon the incident, and access keys exposure may have |
| 26 | +allowed access to sensitive data. Due to insufficient logging, the company is |
| 27 | +not able to assess what data was accessed by malicious actors. |
| 28 | + |
| 29 | +### Scenario #2 |
| 30 | + |
| 31 | +A video-sharing platform was hit by a “large-scale” credential stuffing attack. |
| 32 | +Despite failed logins being logged, no alerts were triggered during the timespan |
| 33 | +of the attack. As a reaction to user complaints, API logs were analyzed and the |
| 34 | +attack was detected. The company had to make a public announcement asking users |
| 35 | +to reset their passwords, and report the incident to regulatory authorities. |
| 36 | + |
| 37 | +## How To Prevent |
| 38 | + |
| 39 | +* Log all failed authentication attempts, denied access, and input validation |
| 40 | + errors. |
| 41 | +* Logs should be written using a format suited to be consumed by a log |
| 42 | + management solution, and should include enough detail to identify the |
| 43 | + malicious actor. |
| 44 | +* Logs should be handled as sensitive data, and their integrity should be |
| 45 | + guaranteed at rest and transit. |
| 46 | +* Configure a monitoring system to continuously monitor the infrastructure, |
| 47 | + network, and the API functioning. |
| 48 | +* Use a Security Information and Event Management (SIEM) system to aggregate and |
| 49 | + manage logs from all components of the API stack and hosts. |
| 50 | +* Configure custom dashboards and alerts, enabling suspicious activities to be |
| 51 | + detected and responded to earlier. |
| 52 | + |
| 53 | +## References |
| 54 | + |
| 55 | +### OWASP |
| 56 | + |
| 57 | +* [OWASP Logging Cheat Sheet][2] |
| 58 | +* [OWASP Proactive Controls: Implement Logging and Intrusion Detection][3] |
| 59 | +* [OWASP Application Security Verification Standard: V7: Error Handling and |
| 60 | + Logging Verification Requirements][4] |
| 61 | + |
| 62 | +### External |
| 63 | + |
| 64 | +* [CWE-223: Omission of Security-relevant Information][5] |
| 65 | +* [CWE-778: Insufficient Logging][6] |
| 66 | + |
| 67 | +[1]: https://www.owasp.org/index.php/Log_Injection |
| 68 | +[2]: https://www.owasp.org/index.php/Logging_Cheat_Sheet |
| 69 | +[3]: https://www.owasp.org/index.php/OWASP_Proactive_Controls |
| 70 | +[4]: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x15-V7-Error-Logging.md |
| 71 | +[5]: https://cwe.mitre.org/data/definitions/223.html |
| 72 | +[6]: https://cwe.mitre.org/data/definitions/778.html |
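Review bot: the "Is the API Vulnerable?" list names Log Injection as a log-integrity failure, but the matching "How To Prevent" bullet only covers integrity "at rest and transit", so the prevention section never says how to keep attacker-controlled input from corrupting log records; consider adding a bullet such as "Validate and encode untrusted data (user input, headers, URLs) before writing it to logs" so the prevention list covers the weakness the vulnerability list calls out. Two wording fixes in the same hunk: "guaranteed at rest and transit" reads better as "guaranteed at rest and in transit", and "on-going malicious activities" in the summary table should be "ongoing malicious activities".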