As API-related security incidents and breaches increased in recent years, the Open Web Application Security Project (OWASP) released the first-ever API Security Top 10 at the end of 2019 to raise awareness about the most common API security problems plaguing organizations.
In this blog series, I dig into each of the OWASP API Security Top 10 vulnerabilities in detail. I will also provide examples and insight to help you understand how to protect your organization from the threats targeting APIs and API-based applications.
API1:2019 Broken Object Level Authorization
Broken object level authorization is the most common API threat, represented in about 40% of all API attacks.
API2:2019 Broken User Authentication
Broken user authentication enables attackers to use stolen authentication tokens, credential stuffing, and brute-force attacks to gain unauthorized access to applications.
API3:2019 Excessive Data Exposure
When generic APIs return more data than the client actually needs, an attacker can use that excess data as a stepping stone to extract further sensitive data from the application.
API4:2019 Lack of Resources & Rate Limiting
APIs that improperly implement rate limiting or neglect to implement it at all are highly susceptible to brute-force attacks.
API5:2019 Broken Function Level Authorization
When authorization is not properly implemented, unauthorized users can execute API functions such as adding, updating, or deleting a customer record or a user role.
API6:2019 Mass Assignment
APIs that take client input and write it directly into business-logic data stores are vulnerable to mass assignment, which lets an attacker change critical data properties and escalate privileges.
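The two authorization defects above, API1 (an object fetched by client-supplied id with no ownership check) and API6 (a JSON body copied wholesale into a record), as an added example that is not part of the original post or of any OWASP project code. It is a plain in-memory stand-in for an API backend; the data, field names and helper functions are constructed for illustration, and each vulnerable handler sits beside its hardened counterpart.

```python
# Added example (not from the OWASP list or any project): a minimal in-memory
# backend with API1 (BOLA) and API6 (mass assignment) handlers, vulnerable and
# hardened side by side. All names and data here are constructed.
import copy
# Constructed sample data: two users, each owning one profile record.
SAMPLE_PROFILES = {
    101: {"owner": "alice", "email": "alice@example.com", "role": "user"},
    102: {"owner": "bob", "email": "bob@example.com", "role": "user"},
}
WRITABLE_FIELDS = {"email"}  # allow-list; 'owner' and 'role' are never writable

class Forbidden(Exception): pass  # raised when the caller may not access the object

def fresh_store() -> dict:
    """Independent copy of the sample data, so each scenario starts clean."""
    return copy.deepcopy(SAMPLE_PROFILES)

def get_profile_vulnerable(store, caller, profile_id):
    """API1 (BOLA): trusts the client-supplied id and never checks ownership."""
    return store[profile_id]

def get_profile(store, caller, profile_id):
    """Hardened: object-level check that the caller owns the record."""
    rec = store.get(profile_id)
    if rec is None or rec["owner"] != caller:
        # Same answer for "missing" and "not yours": no id-enumeration hint.
        raise Forbidden("profile not accessible")
    return rec

def update_profile_vulnerable(store, caller, profile_id, payload):
    """API6 (mass assignment): every key in the JSON body lands in the record."""
    rec = get_profile(store, caller, profile_id)
    rec.update(payload)
    return rec

def update_profile(store, caller, profile_id, payload):
    """Hardened: reject keys outside the allow-list, then copy only those."""
    rec = get_profile(store, caller, profile_id)
    unexpected = set(payload) - WRITABLE_FIELDS
    if unexpected:
        raise ValueError(f"fields not writable: {sorted(unexpected)}")
    rec.update({k: v for k, v in payload.items() if k in WRITABLE_FIELDS})
    return rec

def denied(fn, *args) -> bool:  # True if the call is refused
    try:
        fn(*args)
    except (Forbidden, ValueError):
        return True
    return False
```

Rejecting unexpected keys outright, rather than silently dropping them, also gives the logging layer (API10) a clear signal that someone tried to write a protected field.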
API7:2019 Security Misconfiguration
Security misconfiguration is a catch-all for a wide range of configuration weaknesses that degrade API security as a whole and inadvertently introduce vulnerabilities.
API8:2019 Injection
This attack is the one holdover from the original OWASP Top 10 list – the other 90% are new and focused just on APIs. Attackers exploit injection vulnerabilities by sending malicious data to an API that is in turn processed by an interpreter or parsed by the application server and passed to some integrated service.
API9:2019 Improper Assets Management
An outdated or incomplete inventory results in unknown gaps in the API attack surface and makes it difficult to identify older versions of APIs that should be decommissioned.
API10:2019 Insufficient Logging & Monitoring
Insufficient logging and monitoring, combined with missing or ineffective integration with incident response, allows attackers to perform reconnaissance, exploit or abuse APIs, compromise systems, maintain persistence, advance attacks, and move laterally across environments without being detected.
Understanding the sophistication of each of these attacks in more detail will prove valuable in developing the tools and processes you need to keep your organization’s API-based data and services safe. We hope you find the entire series helpful.