refactor(2023): Automated threats

"Lack of Protection from Automated Threats" was renamed "Unrestricted Access to
Sensitive Business Flows". The category was rewritten to make it more clear. It
was moved from 8th to 6th since it should required a lot more effort to create
awareness about the risk.

Author: PauloASilva

2023/en/src/0x00-toc.md

@@ -13,9 +13,9 @@ Table of Contents
 * [API3:2023 Broken Object Property Level Authorization](0xa3-broken-object-property-level-authorization.md)
 * [API4:2023 Unrestricted Resource Consumption](0xa4-unrestricted-resource-consumption.md)
 * [API5:2023 Broken Function Level Authorization](0xa5-broken-function-level-authorization.md)
-* [API6:2023 Server Side Request Forgery](0xa6-server-side-request-forgery.md)
-* [API7:2023 Security Misconfiguration](0xa7-security-misconfiguration.md)
-* [API8:2023 Lack of Protection from Automated Threats](0xa8-lack-of-protection-from-automated-threats.md)
+* [API6:2023 Unrestricted Access to Sensitive Business Flows](0xa6-unrestricted-access-to-sensitive-business-flows.md)
+* [API7:2023 Server Side Request Forgery](0xa7-server-side-request-forgery.md)
+* [API8:2023 Security Misconfiguration](0xa8-security-misconfiguration.md)
 * [API9:2023 Improper Inventory Management](0xa9-improper-inventory-management.md)
 * [API10:2023 Unsafe Consumption of APIs](0xaa-unsafe-consumption-of-apis.md)
 * [What's Next For Developers](0xb0-next-devs.md)

2023/en/src/0x04-release-notes.md

@@ -24,9 +24,9 @@ a fast pace industry. It does not replace other TOP 10's. In this edition:
   common root cause: object property level authorization validation failures.
 * We've put more emphasis on resource consumption, over focusing on the pace
   they are exhausted.
-* We've created a new category "Lack of Protection from Automated Threats" to
-  address new threats, including most of those that can be mitigated using rate
-  limiting.
+* We've created a new category "Unrestricted Access to Sensitive Business Flows"
+  to address new threats, including most of those that can be mitigated using
+  rate limiting.
 * We added "Unsafe Consumption of APIs" to address something we've started
   seeing: attackers have started looking for a target's integrated services to
   compromise those, instead of hitting the APIs of their target directly. This

2023/en/src/0x11-t10.md

@@ -8,9 +8,9 @@ OWASP Top 10 API Security Risks – 2023
 | API3:2023 - Broken Object Property Level Authorization | This category combines [API3:2019 Excessive Data Exposure][1] and [API6:2019 - Mass Assignment][2], focusing on the root cause: the lack of or improper authorization validation at the object property level. This leads to information exposure or manipulation by unauthorized parties. |
 | API4:2023 - Unrestricted Resource Consumption | Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs. |
 | API5:2023 - Broken Function Level Authorization | Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers can gain access to other users’ resources and/or administrative functions. |
-| API6:2023 - Server Side Request Forgery | Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN. |
-| API7:2023 - Security Misconfiguration | APIs and the systems supporting them typically contain complex configurations, meant to make the APIs more customizable. Software and DevOps engineers can miss these configurations, or don't follow security best practices when it comes to configuration, opening the door for different types of attacks.  |
-| API8:2023 - Lack of Protection from Automated Threats | APIs vulnerable to this risk expose a business flow - such as buying a ticket, or posting a comment - without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn't necessarily come from implementation bugs. |
+| API6:2023 - Unrestricted Access to Sensitive Business Flows | APIs vulnerable to this risk expose a business flow - such as buying a ticket, or posting a comment - without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn't necessarily come from implementation bugs. |
+| API7:2023 - Server Side Request Forgery | Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN. |
+| API8:2023 - Security Misconfiguration | APIs and the systems supporting them typically contain complex configurations, meant to make the APIs more customizable. Software and DevOps engineers can miss these configurations, or don't follow security best practices when it comes to configuration, opening the door for different types of attacks.  |
 | API9:2023 - Improper Inventory Management | APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. A proper inventory of hosts and deployed API versions also are important to mitigate issues such as deprecated API versions and exposed debug endpoints. |
 | API10:2023 - Unsafe Consumption of APIs | Developers tend to trust data received from third-party APIs more than user input, and so tend to adopt weaker security standards. In order to compromise APIs, attackers go after integrated third-party services instead of trying to compromise the target API directly. |
 

…-of-protection-from-automated-threats.md …ed-access-to-sensitive-business-flows.md2023/en/src/0xa8-lack-of-protection-from-automated-threats.md renamed to 2023/en/src/0xa6-unrestricted-access-to-sensitive-business-flows.md 2023/en/src/0xa8-lack-of-protection-from-automated-threats.md renamed to 2023/en/src/0xa6-unrestricted-access-to-sensitive-business-flows.md

@@ -1,5 +1,5 @@
-API8:2023 Lack of Protection from Automated Threats
-===================================================
+API6:2023 Unrestricted Access to Sensitive Business Flows
+=========================================================
 
 | Threat agents/Attack vectors | Security Weakness | Impacts |
 | - | - | - |
@@ -8,51 +8,60 @@ API8:2023 Lack of Protection from Automated Threats
 
 ## Is the API Vulnerable?
 
-Automated threats have become more profitable, smarter and harder to protect
-from, and APIs are often used as an easy target for them. Traditional
-protections, such as rate limiting and captchas become less effective over time.
-For example, an attacker who operates bot-nets (for scalping) gets around rate
-limiting because they can easily access the API from thousands of location/IP
-addresses around the world, in a matter of seconds.
+When creating an API Endpoint, it is important to understand which business flow
+it exposes. Some business flows are more sensitive than others, in the sense
+that excessive access to them may harm the business.
 
-Vulnerable APIs don't necessarily have implementation bugs. They simply expose
-a business flow - such as buying a ticket, or posting a comment - without
-considering how the functionality could harm the business if used excessively
-in an automated manner.
+Common examples of sensitive business flows and risk of excessive access
+associated with them:
 
-Each industry might have its own specific risks when it comes to automated
-threats.
+* Purchasing a product flow - an attacker can buy all the stock of a high-demand
+  item at once and resell for a higher price (scalping)
+* Creating a comment/post flow - an attacker can spam the system
+* Making a reservation - an attacker can reserve all the available time slots
+  and prevent other users from using the system
 
-An API endpoint is vulnerable if it exposes a business-sensitive functionality,
-and allows an attacker to harm the business by accessing it in an excessive
-automated manner.
+The risk of excessive access might change between industries and businesses.
+For example - creation of posts by a script might be considered as a risk of
+spam by one social network, but encouraged by another social network.
 
-The [OWASP Automated Threats to Web Applications][1] covers different types of
-automated threats and their impact.
+An API Endpoint is vulnerable if it exposes a sensitive business flow, without
+appropriately restricting the access to it.
 
 ## Example Attack Scenarios
 
 ### Scenario #1
 
-A technology company announces they are going to release a new gaming console
-on Thanksgiving. The product has a very high demand and the stock is limited.
-An attacker, operator of a network of automated threats, writes code to
-automatically buy the new product and complete the transaction.
+A technology company announces they are going to release a new gaming console on
+Thanksgiving. The product has a very high demand and the stock is limited. An
+attacker writes code to automatically buy the new product and complete the
+transaction.
 
 On the release day, the attacker runs the code distributed across different IP
 addresses and locations. The API doesn't implement the appropriate protection
-and allows the attacker to buy the majority of the stock before other
-legitimate users.
+and allows the attacker to buy the majority of the stock before other legitimate
+users.
 
 Later on, the attacker sells the product on another platform for a much higher
 price.
 
-
 ### Scenario #2
 
+An airline company offers online ticket purchasing with no cancellation fee. A
+user with malicious intentions books 90% of the seats of a desired flight.
+
+A few days before the flight the malicious user canceled all the tickets at
+once, which forced the airline to discount the ticket prices in order to fill
+the flight.
+
+At this point, the user buys herself a single ticket that is much cheaper than
+the original one.
+
+### Scenario #3
+
 A ride-sharing app provides a referral program - users can invite their friends
-and gain credit for each friend who has joined the app. This credit can be
-later used as cash to book rides.
+and gain credit for each friend who has joined the app. This credit can be later
+used as cash to book rides.
 
 An attacker exploits this flow by writing a script to automate the registration
 process, with each new user adding credit to the attacker's wallet.
@@ -78,11 +87,12 @@ The mitigation planning should be done in two layers:
     solutions, thus more costly for them
   * Human detection: using either captcha or more advanced biometric solutions
     (e.g. typing patterns)
-  * Non-human patterns: analyze the user flow to detect non-human patterns
-    (e.g.  the user accessed the "add to cart" and "complete purchase"
-    functions in less than one second)
+  * Non-human patterns: analyze the user flow to detect non-human patterns (e.g.
+    the user accessed the "add to cart" and "complete purchase" functions in
+    less than one second)
   * Consider blocking IP addresses of Tor exit nodes and well-known proxies
-* Secure and limit access to APIs that are consumed directly by machines (such
+
+  Secure and limit access to APIs that are consumed directly by machines (such
   as developer and B2B APIs). They tend to be an easy target for attackers
   because they often don't implement all the required protection mechanisms.
 

…/src/0xa6-server-side-request-forgery.md …/src/0xa7-server-side-request-forgery.md2023/en/src/0xa6-server-side-request-forgery.md renamed to 2023/en/src/0xa7-server-side-request-forgery.md 2023/en/src/0xa6-server-side-request-forgery.md renamed to 2023/en/src/0xa7-server-side-request-forgery.md

@@ -1,4 +1,4 @@
-API6:2023 Server Side Request Forgery
+API7:2023 Server Side Request Forgery
 =====================================
 
 | Threat agents/Attack vectors | Security Weakness | Impacts |

…en/src/0xa7-security-misconfiguration.md …en/src/0xa8-security-misconfiguration.md2023/en/src/0xa7-security-misconfiguration.md renamed to 2023/en/src/0xa8-security-misconfiguration.md 2023/en/src/0xa7-security-misconfiguration.md renamed to 2023/en/src/0xa8-security-misconfiguration.md

@@ -1,4 +1,4 @@
-API7:2023 Security Misconfiguration
+API8:2023 Security Misconfiguration
 ===================================
 
 | Threat agents/Attack vectors | Security Weakness | Impacts |