The Open Web Application Security Project (OWASP) is a non-profit organization committed to improving the security of software. One of its well-known contributions is the OWASP API Security Top 10, a regularly updated, standard awareness document for developers and web application security that represents a broad consensus about the most critical security risks to APIs. Let’s dive into the changes introduced in the new 2023 list.
Changes in the OWASP API Security Top 10 2023
Before we dive into the details, let’s look at the changes in the OWASP API Security Top 10 list from 2019 to 2023:
| OWASP API Security Top 10 2019 | OWASP API Security Top 10 2023 |
|---|---|
| API1:2019 – Broken Object Level Authorization | API1:2023 – Broken Object Level Authorization |
| API2:2019 – Broken User Authentication | API2:2023 – Broken Authentication |
| API3:2019 – Excessive Data Exposure | API3:2023 – Broken Object Property Level Authorization |
| API4:2019 – Lack of Resources & Rate Limiting | API4:2023 – Unrestricted Resource Consumption |
| API5:2019 – Broken Function Level Authorization | API5:2023 – Broken Function Level Authorization |
| API6:2019 – Mass Assignment | API6:2023 – Unrestricted Access to Sensitive Business Flows |
| API7:2019 – Security Misconfiguration | API7:2023 – Server Side Request Forgery |
| API8:2019 – Injection | API8:2023 – Security Misconfiguration |
| API9:2019 – Improper Assets Management | API9:2023 – Improper Inventory Management |
| API10:2019 – Insufficient Logging & Monitoring | API10:2023 – Unsafe Consumption of APIs |
From the table, we can see that there are 5 changes in the 2023 list. Let’s delve into each of these changes and how Wib can help protect against these threats.
API3:2023 – Broken Object Property Level Authorization
“Broken Object Property Level Authorization” (API3:2023) is a new risk. It combines the former excessive data exposure and mass assignment issues: a lack of proper validation at the object property level leads to unauthorized information access or manipulation. For instance, if a user can modify a read-only property like ‘isAdmin’ in the request payload and elevate their privileges, that is broken object property level authorization.
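The ‘isAdmin’ case above, as an added example (not code from the original post or from Wib): a profile-update handler written both ways, the mass-assignment version beside one that enforces an allow-list per property, plus the read side that only emits allow-listed properties. The User record, field names and allow-lists are constructed for the example.

```python
"""Object property level authorization: the 'isAdmin' case (API3).

Added example, not code from the original post or from Wib. It models a
profile-update handler as plain functions so it runs offline; the User
record, the field names and the allow-lists are constructed.
"""
from dataclasses import dataclass, replace
from typing import Any, Dict


@dataclass
class User:
    user_id: int
    email: str
    display_name: str
    is_admin: bool = False   # server-controlled; never writable by the client


# JSON property -> attribute. The model has more properties than a client may touch.
FIELD_MAP = {"email": "email", "displayName": "display_name", "isAdmin": "is_admin"}
CLIENT_WRITABLE = {"email", "displayName"}              # allow-list for writes
CLIENT_READABLE = {"userId", "email", "displayName"}    # allow-list for reads


def update_profile_vulnerable(user: User, payload: Dict[str, Any]) -> User:
    """Mass assignment: every recognised key in the body is copied onto the
    object, so {"isAdmin": true} silently elevates the caller."""
    for key, value in payload.items():
        attr = FIELD_MAP.get(key)
        if attr is not None:
            setattr(user, attr, value)
    return user


def update_profile_hardened(user: User, payload: Dict[str, Any]) -> User:
    """Property-level authorization: only allow-listed keys are applied, and
    any other key fails the whole request rather than being silently dropped,
    so attempts to write internal properties are visible in the error rate."""
    unexpected = set(payload) - CLIENT_WRITABLE
    if unexpected:
        raise PermissionError(f"read-only or unknown properties: {sorted(unexpected)}")
    return replace(user, **{FIELD_MAP[k]: v for k, v in payload.items()})


def serialize_for_client(user: User) -> Dict[str, Any]:
    """The exposure half of API3: emit an explicit allow-list of properties
    instead of dumping the whole object."""
    full = {"userId": user.user_id, "email": user.email,
            "displayName": user.display_name, "isAdmin": user.is_admin}
    return {k: v for k, v in full.items() if k in CLIENT_READABLE}


if __name__ == "__main__":
    tampered = {"displayName": "Mallory", "isAdmin": True}
    print(update_profile_vulnerable(User(1, "a@example.com", "Alice"), tampered))
    try:
        update_profile_hardened(User(1, "a@example.com", "Alice"), tampered)
    except PermissionError as exc:
        print("rejected:", exc)
```

The hardened handler rejects rather than ignores unexpected properties: silently dropping ‘isAdmin’ would be safe, but a hard failure makes tampering attempts show up in logs and error metrics, which is what a detection rule can key on.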
Wib’s Fusion Analysis provides a comprehensive risk scorecard that includes evaluation of authorization mechanisms. In the event of a Broken Object Property Level Authorization, this scorecard would indicate a heightened risk, signaling the need for immediate action. Additionally, Wib’s Fusion Defense provides immediate response mitigation, including the creation of recommended blocking rules. These can prevent unauthorized access to object properties, thereby preventing data exposure and ensuring API security.
API4:2023 – Unrestricted Resource Consumption
“Unrestricted Resource Consumption” (API4:2023) is another new risk that has been added. It refers to the potential for API requests to consume significant resources, which, if not properly managed, could lead to a Denial of Service (DoS) attack. An example of this is when an attacker sends numerous requests to the API, consuming all available bandwidth or system resources, causing the service to become unavailable to legitimate users.
The Wib Fusion Platform incorporates proactive testing with its API Testing Engine. This engine simulates API attacks, and checks for vulnerabilities such as unrestricted resource consumption. It can detect potential exploitation and validate the effectiveness of remediation measures. Moreover, the Fusion Analysis component of the platform keeps track of API snapshots, monitoring changes in parameters that could suggest potential resource consumption risks.
API6:2023 – Unrestricted Access to Sensitive Business Flows
“Unrestricted Access to Sensitive Business Flows” (API6:2023) has been added to the list to highlight the risk of APIs exposing business flows without adequate protection against abuse. An example of this is if an API allows unlimited purchase requests and an attacker automates the purchase process leading to stock depletion.
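The two limits described in the API4:2023 and API6:2023 sections above, as one added example (not code from the original post or from Wib): a per-client token bucket and per-request size caps for resource consumption, and, separately, a per-account quota on the purchase flow so that an automated buyer who stays under the generic request limit still cannot deplete stock. The limits, the FakeClock and the client and account names are constructed.

```python
"""Resource caps and a sensitive-flow quota (API4 and API6).

Added example, not code from the original post or from Wib. It shows a
per-client token bucket and per-request bounds (API4), and a separate
per-account quota on the purchase flow (API6). The limits, the FakeClock
and the client/account names are constructed for the example.
"""
import time
from collections import defaultdict
from typing import Callable, Dict, List


class FakeClock:
    """Deterministic clock so the example runs offline and repeatably."""
    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class TokenBucket:
    """Refills `rate` tokens per second up to `capacity`; each request costs one."""
    def __init__(self, rate: float, capacity: int, clock: Callable[[], float]) -> None:
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens = float(capacity)
        self.last = clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client key (API key, account id or source IP)."""
    def __init__(self, rate: float, capacity: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._buckets: Dict[str, TokenBucket] = defaultdict(
            lambda: TokenBucket(rate, capacity, clock))

    def allow(self, client: str) -> bool:
        return self._buckets[client].allow()


# Constructed per-request caps; applied before any expensive work starts.
MAX_BODY_BYTES = 64 * 1024
MAX_PAGE_SIZE = 100


def check_request_bounds(body_len: int, page_size: int) -> bool:
    return body_len <= MAX_BODY_BYTES and 1 <= page_size <= MAX_PAGE_SIZE


class PurchaseFlowGuard:
    """API6: cap how often one account may complete the purchase flow in a
    window, independently of the generic request rate."""
    def __init__(self, max_per_window: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max, self.window, self.clock = max_per_window, window_seconds, clock
        self._events: Dict[str, List[float]] = defaultdict(list)

    def allow_purchase(self, account: str) -> bool:
        now = self.clock()
        recent = [t for t in self._events[account] if now - t < self.window]
        allowed = len(recent) < self.max
        if allowed:
            recent.append(now)
        self._events[account] = recent
        return allowed


def demo() -> Dict[str, int]:
    """Burst of 20 requests at t=0 (5 pass), 20 more after 2 s (2 pass),
    then 10 purchase attempts inside one window (3 pass)."""
    clock = FakeClock()
    limiter = RateLimiter(rate=1.0, capacity=5, clock=clock)
    guard = PurchaseFlowGuard(max_per_window=3, window_seconds=60.0, clock=clock)
    burst = sum(limiter.allow("client-A") for _ in range(20))
    clock.advance(2.0)
    later = sum(limiter.allow("client-A") for _ in range(20))
    purchases = sum(guard.allow_purchase("acct-1") for _ in range(10))
    return {"burst": burst, "after_2s": later, "purchases": purchases}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the two guards separate is that a business-flow abuse can be well under any sane request rate: three purchases a minute is not a DoS, but it may still be more than any human customer performs, so the quota has to be expressed in terms of the flow, not the request.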
Wib’s Fusion Analysis evaluates the risk scorecard, which includes evaluation of sensitive data and potential business impact. This evaluation helps to identify risks to sensitive business flows, allowing for proactive action to be taken. If unrestricted access to sensitive business flows is detected, Wib’s Fusion Defense detects the incident and suggests blocking rules to prevent further unauthorized access, thereby protecting the sensitive business flows.
API7:2023 – Server Side Request Forgery (SSRF)
“Server Side Request Forgery (SSRF)” (API7:2023) has been introduced to the list. SSRF flaws can occur when an API fetches a remote resource without validating the user-supplied URI. For example, if an API fetches an image from a URL provided by the user without validation, an attacker could supply a URL to an internal resource, gaining unauthorized access.
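A validation routine for the image-fetch case above, as an added example (not code from the original post or from Wib): it checks the scheme, refuses embedded credentials, requires the hostname to be on an allow-list, and resolves the name to make sure every address is public before the server connects. The allow-listed hosts, the injectable resolver and the sample addresses are constructed; `socket.getaddrinfo` is the real resolver a deployment would use.

```python
"""SSRF guard for a fetch-by-URL endpoint (API7).

Added example, not code from the original post or from Wib. The
allow-listed hosts, the injectable resolver and the sample URLs are
constructed; socket.getaddrinfo is what a deployment would plug in.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}   # constructed allow-list


def resolve_all(host: str) -> List[str]:
    """Every address the host resolves to, so a single rogue record is not missed."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    # is_global is False for loopback, link-local, RFC 1918, ULA and unspecified.
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str,
                       resolver: Callable[[str], Iterable[str]] = resolve_all) -> List[str]:
    """Raise ValueError unless the URL is safe to fetch from the server.
    Checks scheme, embedded credentials, the host allow-list, and that every
    resolved address is public. Returns the vetted addresses so the caller
    can connect to one of them directly rather than resolving a second time."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allow-list: {host!r}")
    addrs = list(resolver(host))
    if not addrs or not all(is_public_address(a) for a in addrs):
        raise ValueError(f"host resolves to a non-public address: {addrs}")
    return addrs


def is_safe(url: str, resolver: Callable[[str], Iterable[str]] = resolve_all) -> bool:
    """Boolean wrapper for use in a request handler."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False
```

Two design points: the allow-list check comes before DNS so untrusted names never trigger a lookup, and the function returns the vetted addresses because a client that resolves the name again at connect time can be served a different answer; connecting to the address that was checked closes that gap. The HTTP client should also be configured not to follow redirects, or to re-validate each redirect target with the same routine.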
The Wib Fusion Platform addresses Server-Side Request Forgery risks with its comprehensive vulnerability detection feature, part of the Fusion Defense. This detection works on two levels: path and vulnerability type. This means it can identify SSRF vulnerabilities and suggest immediate remediation efforts. Fusion Defense also provides response mitigation, suggesting blocking rules to prevent the exploitation of SSRF vulnerabilities. The API Testing Engine further validates these vulnerabilities and ensures that the remediation measures are effective.
API9:2023 – Improper Inventory Management
“Improper Inventory Management” (API9:2023) is a new addition to the list. APIs often expose more endpoints than traditional web applications. Without proper documentation or inventory management, deprecated API versions or exposed debug endpoints could be exploited. For example, a deprecated API version without updated security patches could be exploited by an attacker.
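An inventory audit of the kind the section above calls for, as an added example (not code from the original post or from Wib): it compares a documented inventory of path templates, each with a deprecated flag, against access-log lines, and reports endpoints that are called but undocumented (shadow), deprecated but still live (zombie), and documented but never called. The inventory, the log lines and the log format are constructed.

```python
"""Inventory audit: shadow and zombie endpoints (API9).

Added example, not code from the original post or from Wib. It compares a
documented inventory (OpenAPI-style path templates with a 'deprecated'
flag) against access-log lines to flag undocumented ('shadow') endpoints
and deprecated endpoints that are still being called ('zombie'). The
inventory, the log lines and the log format are constructed.
"""
import re
from collections import Counter
from typing import Dict, Optional

# Constructed inventory, as an OpenAPI document would list the paths.
INVENTORY = {
    "/v2/users/{id}": {"deprecated": False},
    "/v2/orders":     {"deprecated": False},
    "/v1/users/{id}": {"deprecated": True},   # superseded by v2; should be retired
}

# Constructed access-log lines: "<method> <path> <status>".
SAMPLE_LOG = """\
GET /v2/users/42 200
GET /v1/users/42 200
POST /v2/orders 201
GET /debug/vars 200
GET /v2/users/7?expand=roles 200
GET /v1/users/9 200
"""

_LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def template_to_regex(template: str) -> "re.Pattern[str]":
    """'/v2/users/{id}' -> ^/v2/users/[^/]+/?$ ; literal segments are escaped."""
    segments = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        segments.append("[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(segments) + "/?$")


_COMPILED = {t: template_to_regex(t) for t in INVENTORY}


def match_inventory(path: str) -> Optional[str]:
    """Return the documented template a concrete path belongs to, or None."""
    for template, regex in _COMPILED.items():
        if regex.match(path):
            return template
    return None


def audit(log_text: str) -> Dict[str, object]:
    shadow: Counter = Counter()    # called but not documented
    zombie: Counter = Counter()    # documented as deprecated but still called
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = _LOG_RE.match(line.strip())
        if not m:
            continue                       # unparseable line: skip, do not guess
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        template = match_inventory(path)
        if template is None:
            shadow[path] += 1
        else:
            hits[template] += 1
            if INVENTORY[template]["deprecated"]:
                zombie[template] += 1
    unused = sorted(t for t in INVENTORY if hits[t] == 0)  # candidates for removal
    return {"shadow": dict(shadow), "zombie": dict(zombie), "unused": unused}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Run against real gateway logs, the shadow list is the set of endpoints that have no owner and no documented security review, and the zombie list is the set of deprecated versions still receiving traffic that cannot simply be switched off without first moving those callers.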
Wib’s Fusion Discovery provides a detailed API Inventory, shedding light on all the APIs present in an organization’s landscape. This API inventory gives visibility on hostnames, repositories, and endpoints, which are crucial for maintaining proper inventory management. By monitoring API active and inactive states, last code changes, and usage by daily calls, Wib helps in securely phasing out deprecated versions and exposed debug endpoints, specifically zombie and shadow APIs, and hence addresses the risk of improper inventory management.
API10:2023 – Unsafe Consumption of APIs
“Unsafe Consumption of APIs” (API10:2023) is a fresh risk highlighted in this list. Developers sometimes trust data received from third-party APIs more than user input and may adopt weaker security standards for the data. If an attacker compromises a trusted third-party API, the data from that API could be used to attack the consuming application.
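The consuming-application side of the section above, as an added example (not code from the original post or from Wib): a third-party response is put through the same checks user input would get, namely a size cap, a content-type check, a strict schema with types, lengths and character sets, and a redirect policy that refuses to follow the partner to another host. The partner schema, field names and sample responses are constructed.

```python
"""Treating third-party API data as untrusted input (API10).

Added example, not code from the original post or from Wib. It validates
a partner API response the way user input would be validated: size cap,
content type, a strict schema (types, lengths, character set) and a
redirect policy that refuses to follow the partner off to another host.
The partner schema, field names and sample responses are constructed.
"""
import json
import re
from typing import Any, Dict
from urllib.parse import urlsplit

MAX_RESPONSE_BYTES = 256 * 1024         # constructed cap
PARTNER_HOST = "api.partner.example"    # constructed partner hostname

# Constructed schema: (expected type, validator) per field; nothing else is accepted.
SCHEMA = {
    "customer_id":   (str, re.compile(r"[A-Za-z0-9_-]{1,64}").fullmatch),
    "balance_cents": (int, lambda v: 0 <= v <= 10**12),
    "display_name":  (str, lambda v: 0 < len(v) <= 100 and "\x00" not in v),
}


class UntrustedResponse(ValueError):
    """Raised whenever the partner response deviates from the contract."""


def parse_partner_response(status: int, content_type: str, body: bytes) -> Dict[str, Any]:
    if status != 200:
        raise UntrustedResponse(f"unexpected status {status}")
    if len(body) > MAX_RESPONSE_BYTES:
        raise UntrustedResponse("response too large")
    if content_type.split(";", 1)[0].strip().lower() != "application/json":
        raise UntrustedResponse(f"unexpected content type {content_type!r}")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise UntrustedResponse(f"malformed JSON: {exc}") from None
    if not isinstance(data, dict):
        raise UntrustedResponse("top-level JSON must be an object")
    extra, missing = set(data) - set(SCHEMA), set(SCHEMA) - set(data)
    if extra or missing:
        raise UntrustedResponse(f"schema mismatch: extra={sorted(extra)} missing={sorted(missing)}")
    for field, (typ, check) in SCHEMA.items():
        value = data[field]
        # bool is a subclass of int in Python; reject it explicitly for integer fields
        if not isinstance(value, typ) or isinstance(value, bool) or not check(value):
            raise UntrustedResponse(f"field {field!r} failed validation")
    return data


def redirect_allowed(location: str) -> bool:
    """Only follow redirects that stay on the partner host over HTTPS, so a
    compromised partner cannot steer the client's request somewhere else."""
    parts = urlsplit(location)
    return parts.scheme == "https" and (parts.hostname or "").lower() == PARTNER_HOST
```

The strict schema is the important part: an unexpected field, a string outside its allowed character set, or an integer out of range each cause a hard failure, so data from the partner never reaches a database query, a template or a log line without having been constrained first, which is the same discipline applied to user input.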
For risks related to the unsafe consumption of APIs, Wib’s Fusion Platform offers several lines of defense. Firstly, Fusion Analysis and Fusion Defense work together to identify potential vulnerabilities and threats. The API Testing Engine then tests these vulnerabilities in a simulated environment to ensure accuracy. Once testing has concluded, Fusion Defense helps in managing incidents related to unsafe API consumption, creating blocking rules to prevent further incidents, and continuously monitoring vulnerabilities to ensure they are properly patched and not being exploited.
In conclusion, the updates to the OWASP API Security Top 10 for 2023 reflect the evolving landscape of API security threats. The inclusion of risks like Unrestricted Resource Consumption, Broken Object Property Level Authorization, and Unsafe Consumption of APIs highlights the growing complexity and diversity of API threats that developers and security professionals must grapple with.
This is where Wib’s holistic approach to API security is so beneficial for both prevention and protection against those complex and evolving challenges. The Wib Fusion Platform ensures continuous monitoring and proactive response to potential threats. This comprehensive approach aids in mitigating risks, detecting vulnerabilities, and providing prompt remediation. From managing authorization mechanisms and limiting resource consumption, to safeguarding sensitive business flows and ensuring secure consumption of APIs, Wib addresses the challenges head-on.
As the landscape of API security continues to evolve, it’s crucial to rely on a platform that is flexible, robust, and comprehensive. With the Wib Fusion Platform, organizations can be confident in their ability to respond quickly and effectively to the dynamic world of API security.