OWASP API Security Top 10
10 February 2023
Introduction
APIs expose application functionality as well as sensitive data such as Personally Identifiable Information (PII), making them a target for attackers. APIs provide a contract, but they lack the necessary safeguards to ensure that the contract is followed, providing a significant security risk to the backend services to which they connect.
The increase of API-related security threats in recent years has prompted the Open Web Application Security Project (OWASP) to release the API Security Top 10, which helps raise awareness of the most serious API security issues affecting organizations.
API1: BROKEN OBJECT-LEVEL AUTHORIZATION
APIs often provide endpoints that involve object identifiers, thereby exposing a large attack surface. Any function that receives user input and utilizes it to access a data source might cause an Access Control problem, exposing the system to further attacks. For all such functions, you should do object-level authorisation checks to avoid infiltration.
API2: BROKEN AUTHENTICATION
API authentication is a difficult and complex subject. Attackers often take advantage of incorrectly applied authentication mechanisms. Authentication mechanisms make easy targets for attackers, especially if they are fully open or publicly accessible. Attackers could compromise an authentication token or use implementation defects to impersonate another user, either temporarily or permanently. If the system’s ability to identify the client/user is compromised, so is the overall API’s security.
API3: EXCESSIVE DATA EXPOSURE
Before showing data to the user, developers frequently utilize client-side filters. This technique can lead to major security risks by exposing too much data, which can be readily abused by sniffing traffic and analyzing API responses for sensitive information that should not be transmitted to the user. As a result, data must constantly be filtered on the server side, with only relevant data being sent to the client.
API4: LACK OF RESOURCES & RATE LIMITING
The amount and size of resources that a client/user can request is frequently unrestricted by APIs. API queries use network, CPU, memory, and storage resources, which can degrade API server performance, resulting in DoS attacks, exposing authentication weaknesses, and allowing brute force attacks.
API5: BROKEN FUNCTION-LEVEL AUTHORIZATION
Overly complicated access control policies or a lack of clear demarcation between normal and administrative operations are common causes of authorization issues. Non-privileged users may be able to see some API endpoints, making them more vulnerable to attackers. Attackers can utilize these flaws to get access to a user’s resources or to carry out administrative tasks.
API6: MASS ASSIGNMENT
Client-provided data (i.e., JSON) is frequently bound to a data model based on an allowlist without sufficient property filtering, resulting in mass assignment. Attackers can change object attributes using a variety of methods, including exploring API endpoints, reading documentation, guessing object values, and providing extra properties through request payloads.
API7: SECURITY MISCONFIGURATION
Inadequate default configurations, ad-hoc or incomplete configurations, misconfigured HTTP headers or inappropriate HTTP methods, insufficiently restrictive Cross-Origin Resource Sharing (CORS), open cloud storage, or error messages containing sensitive information are all common causes of security misconfiguration.
API8: INJECTION
Online APIs are vulnerable to injection issues, which are frequent in web applications. Injection issues (such as SQL injection, NoSQL injection, and command injection) affect data provided to an interpreter by a command or query from an untrusted source. Attackers can submit malicious data to fool the interpreter into running harmful instructions or obtain unauthorized access to data.
API9: IMPROPER ASSET MANAGEMENT
Understanding possible exposure and risk requires keeping an up-to-date API inventory with proper documentation. APIs often expose more endpoints than standard web apps, necessitating thorough, up-to-date documentation. The attack surface might be widened by issues like exposed debug endpoints and outdated API versions. It’s critical to keep track of the API versions that have been delivered and the hosts that have been correctly configured.
API10: INSUFFICIENT LOGGING & MONITORING
Inadequate logging and monitoring, as well as poor or inadequate incident response integration, can be exploited by attackers. These gaps allow them to stay active on a system longer, strengthen their grip, and extract or delete more data. A persistent attack can take up to 200 days to identify, and most breaches are detected by a third party, underlining the crucial need of proper API monitoring.
