Register for our Dec 19th Webinar: Beyond the Perimeter: Achieving Comprehensive API Security

Blog Post

OWASP API Security Top 10 2023 Explained

Stephanie Best
Jun 6, 2023

What is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit foundation devoted to web application security.  One of OWASP's guiding principles is that all of their resources should be freely available and simple to find on their website, enabling anyone to increase the security of their own web applications. They provide forums, tools, videos, and documentation among other things. The OWASP Top 10, a report outlining security concerns for web application security, and the OWASP API Security Top 10, which lists the most prevalent API security risks, are two key projects the OWASP is known for.

Check out the changes in the 2023 OWASP API Security Top 10

Into the OWASP API Security Top 10

With API-related security incidents and breaches increasing at a fast pace in recent years, it’s no surprise that application programming interfaces security — commonly known as API security — has become top of mind for organizations and media outlets alike.

At the end of 2019, OWASP released the first-ever API Security Top 10 to raise awareness about the most common API security risks plaguing organizations. The list served as a point of reference for the industry for the past four years, but the speed at which the API security landscape has evolved made the need for some key changes to the OWASP API Security Top 10 abundantly clear. The updated list was published in June 2023.

In March 2023, the Salt Labs research team unveiled a 400% increase in unique API attackers targeting Salt customers within just six months in its State of API Q1 2023 report. But API attacks have not only grown in number, they have also changed in nature. Bad actors are now targeting the business logic behind APIs and often take a low and slow approach and employ sophisticated methods to perpetrate attacks throughout long periods of time. In fact, today’s API attacks can last days, weeks or even months.

With that in mind, OWASP has released a new OWASP API Security Top 10 in 2023. The 2023 list compiles and explains the most recent and pressing security threats facing today’s complex API ecosystem.

In this blog series, we will dig into each of the OWASP API Security Top 10 vulnerabilities in detail and provide real-life examples and industry insights to help you understand how to protect your organization from the threats targeting APIs and API-based applications.

API1:2023 Broken Object Level Authorization (BOLA)

Broken object level authorization stems from a lack of proper access controls on API endpoints allowing unauthorized users to access and modify sensitive data. BOLA is represented in about 40% of all API attacks and is the most common API security threat. Broken object level authorization API vulnerabilities have been number one on the OWASP list since 2019 and have kept their top spot in the 2023 version.

API2:2023 Broken Authentication

Broken authentication enables attackers to use stolen authentication tokens, credential stuffing, and brute-force attacks to gain unauthorized access to applications. This API authentication security vulnerability has kept its number two spot on the OWASP list since 2019.

API3:2023 Broken Object Property Level Authorization

Broken Object Property Level Authorization merges attacks that happen by gaining unauthorized access to sensitive information by way of Excessive Data Exposure (previously listed as number 3 in the 2019 OWASP API Security Top 10) or Mass Assignment (previously in sixth place in the 2019 list). Both techniques are based on API endpoint manipulation to gain access to sensitive data.  

API4:2023 Unrestricted Resource Consumption

This vulnerability originates in APIs that improperly implement or neglect to implement limits on resource consumption, leaving them highly susceptible to brute-force attacks. Unrestricted Resource Consumption has replaced the previous number 4 in the OWASP API Security Top 10, Lack of Resources and Rate Limiting. However, while the name changed, this vulnerability remains the same overall.

API5:2023 Broken Function Level Authorization (BFLA)

This threat takes shape when authorization is not properly implemented, leading to unauthorized users being able to execute API functions such as adding, updating, or deleting a customer record or a user role. BFLA has kept its fifth spot on the list since 2019.

API6:2023 Unrestricted Access to Sensitive Business Flows

This new threat, which has replaced Mass Assignment as number 6 on the OWASP API Security Top 10, manifests when an API exposes a business flow without compensating for how the functionality could cause harm if used excessively through automation. To exploit this vulnerability, an attacker will need to understand the business logic behind the API in question, find sensitive business flows and automate access to them in order to cause harm to the business.

API7:2023 Server Side Request Forgery (SSRF)

Server Side Request Forgery can occur when a user-controlled URL is passed over an API and is honored and processed by the back-end server. The API security risks materialize if the back-end server tries to connect to the user-supplied URL, which opens the door for SSRF. This threat has replaced Mass Assignment as number 6 on the OWASP API Security Top 10 list.

API8:2023 Security Misconfiguration

Security misconfiguration is a catch-all for a wide range of security misconfigurations that often negatively impact API security as a whole and introduce API vulnerabilities inadvertently. This threat has been number 7 on the OWASP API Security Top 10 list released in 2019 and it has remained in the same position in 2023.

API9:2023 Improper Inventory Management

This threat is the result of an outdated or incomplete inventory which can create unknown gaps in the API attack surface, making it difficult to identify older versions of APIs that should be decommissioned. Improper Inventory Management has replaced Improper Assets Management as number 9 in the OWASP API Security Top 10 and, while the name has been changed to emphasize the importance of an accurate and up-to-date API inventory, the threat remains the same.

API10:2023 Unsafe Consumption of APIs

The Unsafe Consumption of APIs vulnerability stems from the improper usage of APIs by API clients, such as bypassing API authentication security controls or manipulating API responses, which can lead to unauthorized access and data exposure. This API vulnerability can be exploited via the consumption of API data itself or by abusing third-party integration issues. Unsafe Consumption of APIs has replaced Insufficient Logging and Monitoring as number 10 in the OWASP API Security Top 10.

Why you need to understand the OWASP API Security Top 10

APIs connect today’s modern applications, power business innovation and allow companies to meet their customers’ increasingly high expectations for digitalization and speed. But, by becoming an invaluable asset to organizations, they have also become a primary target for attackers.

Understanding the main issues that threaten your APIs means you’ll be better equipped to put a robust and mature API security strategy in place. If you’d like to know how the Salt Security API Protection Platform can help you build that strategy, contact us or schedule a customized demo today.

Tags

Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

December 13, 2024

Michael Callahan
Chief Marketing Officer

Industry

API Security is Not a Problem You Can Solve at the Edge

Edge security is a crucial component of an organization’s defense, but it’s just one piece of the puzzle. Learn why API security requires a broader view.

Read more

November 27, 2024

Eric Schwake
Head of Product Marketing

Industry

Beyond Traditional Security: Addressing the API Security Gap

To safeguard your business from API-specific threats, you need a dedicated solution that offers comprehensive visibility, in-depth contextual analysis, automated governance, robust data protection, and AI-driven threat prevention.

Read more

November 21, 2024

Eric Schwake
Head of Product Marketing

Industry

API (In)security: The Hidden Risk of Black Friday

Learn how, for online retailers, Black Friday represents both a lucrative opportunity and a significant cybersecurity challenge.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Get the guide
Back