WAF features against OWASP Top 10 API security risks
The OWASP API Security Top 10 is a list of the most critical security risks specific to Application Programming Interfaces (APIs). As APIs become increasingly integral to modern applications, they have also become a prime target for attackers. The OWASP API Security Top 10 provides guidance on the most common vulnerabilities that can affect APIs, helping organizations better secure their API endpoints.
FortiWeb provides a robust set of features to protect APIs against the OWASP API Security Top 10 risks. Its advanced security mechanisms, AI-driven behavioral analysis, and integration with Fortinet's Security Fabric allow for comprehensive protection of APIs.
Here’s a breakdown of the specific features provided by FortiWeb that can help mitigate each of the OWASP API Security Top 10 risks.
JSON Protection

FortiWeb's JSON Protection allows you to configure detailed validation rules for JSON data, helping to secure your application against malicious input. You can control the size of the JSON document, key, and value sizes, as well as the number of keys, values, and array elements, and the depth of nested objects. These settings help prevent attacks such as buffer overflows and DoS by restricting oversized or malformed JSON requests. Additionally, FortiWeb supports JSON schema validation, ensuring that incoming requests conform to predefined structures, enhancing the security and reliability of your API. FortiWeb's signature scan is also available in JSON protection, providing an additional layer of security by detecting and blocking known attack patterns and vulnerabilities in JSON payloads.
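The structural limits described above (document, key and value sizes; key, value and array-element counts; nesting depth) can be expressed as a small pre-parser check. This is an added illustration, not FortiWeb's own code; the `JsonLimits` defaults and the violation strings are constructed for the example.

```python
import json
from dataclasses import dataclass

# Constructed limits modelled on the knobs FortiWeb's JSON Protection exposes.
@dataclass
class JsonLimits:
    max_document_bytes: int = 4096
    max_key_bytes: int = 64
    max_value_bytes: int = 256
    max_keys: int = 50
    max_values: int = 100
    max_array_elements: int = 20
    max_depth: int = 5

def check_json(raw: bytes, limits: JsonLimits) -> list:
    """Return the list of limit violations; an empty list means the body passes."""
    if len(raw) > limits.max_document_bytes:
        return [f"document size {len(raw)} > {limits.max_document_bytes} bytes"]
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return [f"malformed JSON: {exc}"]
    violations, counts = [], {"keys": 0, "values": 0}
    def walk(node, depth):
        # depth counts nested containers only; the top-level container is depth 1
        if isinstance(node, (dict, list)) and depth > limits.max_depth:
            violations.append(f"nesting depth {depth} > {limits.max_depth}")
            return  # stop here; deeper levels would only repeat the finding
        if isinstance(node, dict):
            counts["keys"] += len(node)
            for k, v in node.items():
                if len(k.encode()) > limits.max_key_bytes:
                    violations.append(f"key {k[:12]!r}... exceeds {limits.max_key_bytes} bytes")
                walk(v, depth + 1)
        elif isinstance(node, list):
            if len(node) > limits.max_array_elements:
                violations.append(f"array of {len(node)} elements > {limits.max_array_elements}")
            for item in node:
                walk(item, depth + 1)
        else:
            counts["values"] += 1
            if isinstance(node, str) and len(node.encode()) > limits.max_value_bytes:
                violations.append(f"string value exceeds {limits.max_value_bytes} bytes")
    walk(doc, 1)
    if counts["keys"] > limits.max_keys:
        violations.append(f"{counts['keys']} keys > {limits.max_keys}")
    if counts["values"] > limits.max_values:
        violations.append(f"{counts['values']} scalar values > {limits.max_values}")
    return violations
```

Checking the raw byte length before calling the parser is what keeps an oversized body from consuming parser memory in the first place.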
XML Protection

FortiWeb's XML protection feature secures web applications by enforcing limits on XML content, blocking malicious entities like XML External Entities (XXE) and Schema Location injections, and validating messages against schemas (XSD, WSDL, DTD). It also provides WS-Security rules for encrypting, decrypting, and digitally signing parts of SOAP messages, ensuring message integrity. Additionally, FortiWeb detects XML Signature Wrapping (XSW) attacks by verifying signed nodes using XPath and certificates. You can configure exemptions for trusted URLs while maintaining protection for the rest of the application, making it ideal for safeguarding e-commerce platforms handling XML data.
GraphQL Protection

FortiWeb's GraphQL protection safeguards APIs by limiting query size, complexity, and resource consumption to defend against malicious queries, signature attacks, and performance bottlenecks. Key features include restrictions on payload size, value length, object depth, and the number of fields or queries in alias or array batches. It also offers controls over introspection queries and fragments to minimize schema exposure.
OpenAPI Validation

FortiWeb's OpenAPI validation feature allows you to upload an OpenAPI description file (also known as a Swagger file) that defines your API's structure, endpoints, and data types. Once uploaded, FortiWeb parses this file and uses it as a baseline to validate incoming requests. It blocks any requests that do not conform to the API specifications defined in the OpenAPI file, such as requests with unexpected endpoints, invalid parameters, or mismatched data types. This ensures that only legitimate requests that match the predefined API schema are allowed, improving security by preventing attacks like parameter tampering and malformed requests.
Mobile API Protection

FortiWeb's Mobile API protection feature validates JSON Web Tokens (JWTs) in requests from mobile applications. It checks if a request contains a JWT, whether the token is valid, and flags the request accordingly (no token, valid token, or invalid token). Based on these flags, actions are enforced, ensuring only authorized mobile traffic is allowed and enhancing security for mobile API interactions.
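The three-way classification described above (no token, valid token, invalid token) is shown below for HS256 tokens using only the Python standard library. This is an added example rather than FortiWeb's implementation; `DEMO_KEY`, the `Bearer` header convention and the flag names are assumptions made for the illustration.

```python
import base64, binascii, hashlib, hmac, json, time

# Constructed demo key for the example only; a deployment would use the issuer's key.
DEMO_KEY = b"demo-shared-secret-not-for-production"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 token; used here only to build sample mobile requests."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def classify_request(headers: dict, key: bytes, now=None) -> str:
    """Return 'no-token', 'valid-token' or 'invalid-token' for one request."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "no-token"                       # flag 1: request carries no JWT
    parts = auth[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        return "invalid-token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return "invalid-token"                  # undecodable header, payload or signature
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return "invalid-token"
    # Pin the algorithm: the token's own "alg" field must never select the verifier.
    if header.get("alg") != "HS256":
        return "invalid-token"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "invalid-token"                  # signature does not match the shared key
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp <= (now if now is not None else time.time()):
        return "invalid-token"                  # correctly signed but expired
    return "valid-token"
```

The flag, not the raw token, is what a policy acts on: for example, allow `valid-token`, challenge `no-token`, and block and log `invalid-token`.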
API Gateway

FortiWeb's API gateway provides robust API management by enforcing access control through API key verification, ensuring only authorized users from defined user groups can access the API. It manages rate limits, user grouping, and sub-URL settings, and executes specified actions if any API call violates these rules, providing secure and controlled API access. Sub-URL Settings allow you to create additional rules for more granular control over specific API subpaths. When a user's API call matches a predefined frontend URL prefix, you can apply sub-URL rules to control access or actions based on specific subpaths under that prefix.
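The decision chain the paragraph describes (API key lookup to a user group, frontend URL prefix match, sub-URL rules under that prefix, then a rate limit) is sketched below as an added example; it is not FortiWeb's code. The keys, groups, prefix, limits and rule table are constructed, and the rate limit is assumed to be configured per group and counted per API key.

```python
from collections import deque

# Constructed policy modelled on the API gateway settings named in the text.
API_KEYS = {"key-mobile-123": "mobile-users", "key-partner-456": "partners"}
FRONTEND_PREFIX = "/api/v1/"
GROUP_LIMITS = {"mobile-users": (5, 60.0), "partners": (100, 60.0)}  # (requests, seconds)
SUB_URL_RULES = [  # (subpath prefix under FRONTEND_PREFIX, groups permitted there)
    ("admin/", {"partners"}),
    ("orders/", {"mobile-users", "partners"}),
]
_history = {}  # api key -> deque of request timestamps inside the current window

def _rate_limited(api_key: str, limit: int, window: float, now: float) -> bool:
    """Sliding-window counter: True when this call would exceed the limit."""
    q = _history.setdefault(api_key, deque())
    while q and now - q[0] >= window:
        q.popleft()                     # forget calls that fell out of the window
    if len(q) >= limit:
        return True
    q.append(now)
    return False

def gateway_decision(path: str, headers: dict, now: float) -> str:
    """Return 'allow' or 'deny:<reason>' for one API call."""
    key = headers.get("X-API-Key")
    group = API_KEYS.get(key)
    if group is None:
        return "deny:unknown-api-key"   # API key verification fails first
    if not path.startswith(FRONTEND_PREFIX):
        return "deny:outside-frontend-prefix"
    sub = path[len(FRONTEND_PREFIX):]
    for rule_prefix, allowed_groups in SUB_URL_RULES:
        if sub.startswith(rule_prefix):  # first matching sub-URL rule wins
            if group not in allowed_groups:
                return "deny:sub-url-group-not-permitted"
            break                        # no match: prefix-level decision applies
    limit, window = GROUP_LIMITS[group]
    if _rate_limited(key, limit, window, now):
        return "deny:rate-limit"
    return "allow"
```

Each `deny:` reason maps to the action configured for that violation, which is why the checks are ordered and return as soon as one fails.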
Machine Learning (ML) Based API Protection

The machine learning based API Protection learns the REST API data structure from user traffic samples and then builds mathematical models to screen out malicious API requests and prevent sensitive data leakage in API responses.

Multi-Layer Protection for API Requests

Continuous Learning

FortiWeb supports Continuous Learning, enabling the model to automatically adapt to changes in the API schema. This includes handling scenarios such as: