As API-related security incidents and breaches increased in recent years, the Open Web Application Security Project (OWASP) released the first-ever API Security Top 10 at the end of 2019 to raise awareness about the most common API security problems plaguing organizations.
In this blog series, I dig into each of the OWASP API Security Top 10 vulnerabilities in detail. I will also provide examples and insight to help you understand how to protect your organization from the threats targeting APIs and API-based applications.
Broken object level authorization is the most common API threat, accounting for about 40% of all API attacks.
Broken user authentication enables attackers to use stolen authentication tokens, credential stuffing, and brute-force attacks to gain unauthorized access to applications.
When a generic API returns more data than the client actually needs, an attacker can harvest the surplus fields in the response to extract sensitive data.
APIs that improperly implement rate limiting or neglect to implement it at all are highly susceptible to brute-force attacks.
When authorization is not properly implemented, unauthorized users can execute API functions such as adding, updating, or deleting a customer record or a user role.
APIs that take request input and assign or write it directly into the business-logic data stores are vulnerable to mass assignment, which lets an attacker change critical data properties and escalate privileges.
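The mass-assignment pattern above, as an added illustration that is not code from the original post: a profile update that copies every request field onto the record, beside a version that binds only an allow-list of writable fields and reports the rest. The `User` record, the field names and the request body are constructed for the example.

```python
# Added example (not from the original post): a mass-assignment-prone
# profile update next to an allow-listed version. All names are hypothetical.
from __future__ import annotations
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False   # server-controlled property
    credit: int = 0          # server-controlled property


# Fields a user may legitimately change about their own profile.
WRITABLE_FIELDS = {"email", "display_name"}


def update_user_vulnerable(user: User, payload: dict) -> User:
    """Copies every key from the request body straight onto the record.
    Extra JSON properties such as "is_admin" or "credit" silently rewrite
    fields that only the server should control."""
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_user_safe(user: User, payload: dict) -> tuple[User, list[str]]:
    """Binds only allow-listed fields and returns the rejected keys so the
    handler can fail the request (and log the attempt) instead of ignoring it."""
    rejected = sorted(k for k in payload if k not in WRITABLE_FIELDS)
    for key in WRITABLE_FIELDS & payload.keys():
        setattr(user, key, payload[key])
    return user, rejected


# Constructed request body: one legitimate field plus two injected properties.
PAYLOAD = {"display_name": "Alice", "is_admin": True, "credit": 10**6}


def demo() -> tuple[dict, dict, list[str]]:
    vulnerable = update_user_vulnerable(User(1, "a@example.com", "alice"), dict(PAYLOAD))
    safe, rejected = update_user_safe(User(1, "a@example.com", "alice"), dict(PAYLOAD))
    return asdict(vulnerable), asdict(safe), rejected


if __name__ == "__main__":
    v, s, r = demo()
    print("vulnerable:", v)
    print("safe:", s, "rejected keys:", r)
```

A rejected-keys list that is non-empty in production traffic is a useful detection signal: legitimate clients never send server-controlled properties.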
Security misconfiguration is a catch-all category for the wide range of configuration mistakes that weaken API security as a whole and introduce vulnerabilities inadvertently.
Injection is the one hold-over from the original OWASP Top 10 list – the other 90% are new and focused just on APIs. Attackers exploit injection vulnerabilities by sending malicious data to an API that is in turn processed by an interpreter or parsed by the application server and passed to some integrated service.
An outdated or incomplete inventory results in unknown gaps in the API attack surface and makes it difficult to identify older versions of APIs that should be decommissioned.
Insufficient logging and monitoring, combined with missing or ineffective integration with incident response, allows attackers to perform reconnaissance, exploit or abuse APIs, compromise systems, maintain persistence, advance attacks, and move laterally across environments without being detected.
Understanding the sophistication of each of these attacks in more detail will prove valuable in developing the tools and processes you need to keep your organization’s API-based data and services safe. We hope you find the entire series helpful.